Though the WWW has come a long way since when it was monikered the World Wide Wait, it is still not reliable during heavy workload conditions. Overloads due to flash arrival of users or diurnal workload patterns are known to exponentially increase download times. More recently, online banks and portals have been the target of Distributed Denial-of-Service (DDoS) attacks, which send a deluge of requests and drive away the legitimate users. This dissertation proposes a web hosting architecture consisting of a grid of clusters, to provide high-performance in the presence of standard overload conditions as well as resilience during attacks.The architecture's high-performance component is provided by a server selection framework, W&barbelow;ide-A&barbelow;rea R&barbelow;eD&barbelow;irection (WARD), which efficiently multiplexes resources across the cluster grid. Traditional approaches assume that minimizing network hop count minimizes client latency. In contrast, WARD's server selection algorithm forwards requests to the server that minimizes the total of estimated network and server delays. WARD is better-suited to handling overload conditions in dynamic web content, which are known to stress compute resources more than the network. Using a combination of analytical modeling and testbed experiments, it's shown that delay savings by redirecting requests to an under-loaded cluster can far outweigh the overhead in inter-cluster network latency. For instance, for an e-commerce site with 300 concurrent clients, redirection reduces download times from 5 to 2.3 seconds.The architecture's DDoS-resilience is provided by DDoS-Shield, consisting of a suspicion assignment mechanism and a scheduler. Assuming sophisticated attackers, the possible attacks are characterized as either request flooding, asymmetric or repeated one-shot, on the basis of the application workload parameters exploited. In contrast to prior work, the suspicion mechanism assigns a continuous valued vs. binary suspicion measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session's requests. Testbed-driven experiments demonstrate the potency of these resource attacks as well as evaluate the efficacy of the counter-mechanism. For instance, an asymmetric attack effected to overwhelm the database CPU, increases download times from 0.15 to 10 seconds, while DDoS-Shield is shown to improve performance to 0.8 seconds.
展开▼
机译:尽管WWW自从被称为“ World Wide Wait”以来已经走了很长一段路,但在繁重的工作量条件下仍然不可靠。众所周知,由于用户的闪存到达或每日工作量模式而导致的过载会成倍增加下载时间。最近,在线银行和门户网站已成为分布式拒绝服务(DDoS)攻击的目标,该攻击会发送大量请求并驱赶合法用户。本文提出了一种由集群网格组成的虚拟主机架构,可以在标准过载情况下提供高性能,并在攻击过程中提供弹性。该架构的高性能组件由服务器选择框架W&barbelow; ide提供。 -A Rrea R&R eD&Rection(WARD),可有效地在整个群集网格中多路复用资源。传统方法假定最小化网络跳数会最小化客户端延迟。相反,WARD的服务器选择算法将请求转发到服务器,从而最大程度地减少了估计的网络和服务器延迟。 WARD更适合于处理动态Web内容中的过载情况,众所周知,这种过载情况比网络更注重计算资源。结合分析模型和测试平台实验,结果表明,通过将请求重定向到负载不足的群集而节省的延迟远远超过了群集间网络延迟的开销。例如,对于具有300个并发客户端的电子商务站点,重定向将下载时间从5秒减少到2.3秒。该体系结构的DDoS复原能力由DDoS-Shield提供,该系统由可疑分配机制和调度程序组成。假定攻击者是老练的攻击者,根据所利用的应用程序工作负载参数,可能的攻击特征为请求泛洪,不对称或重复一次。与先前的工作相反,可疑机制将连续值与二进制可疑度量分配给每个客户端会话,并且调度程序利用这些值来确定是否以及何时调度会话的请求。测试平台驱动的实验证明了这些资源攻击的效力,并评估了反机制的功效。例如,非对称攻击导致数据库CPU瘫痪,下载时间从0.15秒增加到10秒,而DDoS-Shield被证明可以将性能提高到0.8秒。
展开▼
