ieee transactions on parallel and distributed …web.mst.edu/~chellaps/papers/06_effec_wang.pdf ·...

On the Effectiveness of Secure OverlayForwarding Systems under Intelligent

Distributed DoS AttacksXun Wang, Sriram Chellappan, Phillip Boyer, and Dong Xuan, Member, IEEE

Abstract—In the framework of a set of clients communicating with a critical server over the Internet, a recent approach to protectcommunication from Distributed Denial of Service (DDoS) attacks involves the usage of overlay systems. SOS, MAYDAY, and I3 aresuch systems. The architecture of these systems consists of a set of overlay nodes that serve as intermediate forwarders between theclients and the server, thereby controlling access to the server. Although such systems perform well under random DDoS attacks, it isquestionable whether they are resilient to intelligent DDoS attacks which aim to infer architectures of the systems to launch more efficientattacks. In this paper, we define several intelligent DDoS attack models and develop analytical/simulation approaches to study theimpacts of architectural design features of such overlay systems on the system performance in terms of path availability between clientsand the server under attacks. Our data clearly demonstrate that the system performance is indeed sensitive to the architectural featuresand the different features interact with each other to impact overall system performance under intelligent DDoS attacks. Ourobservations provide important guidelines in the design of such secure overlay forwarding systems.

Index Terms—Secure overlay forwarding system, DDoS attacks.

�

1 INTRODUCTION

DISTRIBUTED Denial of Service (DDoS) attacks are cur-rently major threats to communications in the Internet

[1]. Current level of sophistication in Internet systemresilience to DDoS attacks is far from definite. Tremendousamount of research is being done in order to improve thesystem security under DDoS attacks [2], [3], [4], [5], [6], [7],[8]. For many applications, reliability of communicationover the Internet is not only important but mandatory.Typical examples of such applications are emergency,medical, and other related services. The system needs tobe resilient to attacks from malicious users within andoutside of the system that aim to disrupt communications.

A recent body of work in the realm of protectingcommunications between a set of clients and a serveragainst DDoS attacks employs proactive defense mechan-isms using overlay-based architectures [6], [7], [8]. Typi-cally, in such overlay-based architectures, a set of systemdeployed nodes on the Internet serve as intermediateforwarders of communication from clients to the server,and are arranged so as to provide attack-resistant featuresto the overall communication. For example, the architecturein the SOS system [6] is a set of overlay nodes arranged inthree layers between clients and the server through whichtraffic is authenticated and then routed. These layers areSOAP (Secure Overlay Access Point), Beacons, and SecretServlets. A client that wishes to communicate with a serverfirst contacts a node in the SOAP layer. The node in the

SOAP layer forwards the message to a node in the beaconlayer, which then forwards the message to a node in thesecret servlet layer, which routes the message to the server.In the Mayday system [7], the authors extend work on SOS[6] by primarily releasing the restrictions on the number oflayers (unlike in SOS, where it is fixed at three). In theInternet Indirection Infrastructure (I3) [8], one or moreIndirection points are introduced as intermediaries forcommunication between senders and receivers.

The design rationale in all these systems is to ensure,using proactive architectures, 1) that the server andintermediate communication mechanisms are hidden fromoutsiders, 2) the presence of multiple/alternate paths toimprove reliability, and 3) access control to preventillegitimate users from being serviced, and 4) droppingattack traffic far away from the server. The overall objectivethough is to ensure that there are high degrees of pathavailabilities from clients to the server even when attackerstry to compromise communication using random conges-tion-based DDoS attacks, by bombarding randomly chosennodes in the system with huge amounts of traffic.

While the above systems provide high degrees of pathavailabilities under random congestion-based DDoS at-tacks, they can be targeted by intelligent attackers that canbreak-into the system structure apart from congestingnodes. By break-in attacks, we mean attacks that canbreak-into a node and disclose its neighbors in thecommunication chain. By combining break-in attacks withcongestion attacks, attackers can significantly worsendamages, as opposed to pure random congestion. In fact,attackers can employ results of break-in attacks (disclosednodes) to guide subsequent congestion attacks on thedisclosed nodes. Under intense break-in attacks, theattacker can traverse the communication chain betweenthe forwarder nodes and can even disclose the server toeventually congest it and completely annul services.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 17, NO. 7, JULY 2006 619

. The authors are with the Department of Computer Science andEngineering, The Ohio State University, 395 Dreese Hall, 2015 NeilAve., Columbus, OH 43210-1277.E-mail: {wangxu, chellapp, boyerp, xuan}@cse.ohio-state.edu.

Manuscript received 7 June 2004; revised 26 Mar. 2005; accepted 20 June2005; published online 25 May 2006.Recommended for acceptance by G. Lee.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TPDS-0140-0604.

1045-9219/06/$20.00 � 2006 IEEE Published by the IEEE Computer Society

We believe that such intelligent DDoS attacks that cancombine break-in attacks with congestion attacks arerepresentative and potent threats to overlay-based systems,such as, [6], [7], [8] that protect communications betweenclients and the servers. However, existing work does notstudy system performance under these intelligent attacks.In this paper, we extensively study performance of suchoverlay-based systems when targeted by intelligent DDoSattacks that combine break-in and congestion attacks. Wealso subsequently study how the design features of suchsystems impact performance under intelligent attacks. As afirst step, we generalize such systems as Secure OverlayForwarding Systems (SOFS). There are certain standardarchitectural features of such systems.1 These are layering(the number of layers between the client and server),mapping degree (number of next layer neighbors a nodecan communicate with), and node distribution (number ofnodes per layer).

Our objective is to study the impacts of the designfeatures of SOFS systems on their performance underintelligent DDoS attacks and to provide guidelines todesign SOFS systems highly resilient to intelligent DDoSattacks. Toward this extent, we develop formal mathema-tical models of intelligent attacks and use analyticalapproaches and simulations to study the system perfor-mance and sensitivity of design features on performanceunder our attack models. Our performance metric is theprobability that a client can find a path to communicatewith the server under ongoing attacks. Our analysis resultsclearly demonstrate that 1) The SOFS system performance issensitive to intelligent DDoS attacks and it degradessignificantly as the attack intensity increases. 2) The designfeatures of SOFS systems (layering, mapping degree, andnode distributions) have critical impacts on system perfor-mance under intelligent DDoS attacks. In fact, they interactamong each other to impact system performance, furtherhighlighting the sensitivity of system performance to them.3) We find that the above trends hold even when the systemis equipped with recovery mechanisms, although attackimpacts are reduced with recovery. We observe that underextremely intensive attacks, with system recovery, thesystem can always maintain a certain level of systemperformance especially with large mapping degrees. Ourfinal contribution is presenting important and generaldesign guidelines for building resilient overlay architecturethat can sustain performance even when intelligent DDoSattacks are intense.

The rest of the paper is organized as follows: In Section 2,we discuss the SOFS architecture and intelligent DDoSattacks. In Sections 3 and 4, we analyze the resilience ofSOFS architecture to discrete round-based attacks andcontinuous attacks, respectively. Section 5 discusses relatedwork, and Section 6 concludes our paper by giving out a setof SOFS design guidelines and our future work.

2 THE SOFS ARCHITECTURE AND INTELLIGENT

DDOS ATTACKS

2.1 The SOFS Architecture

In its most basic version, the SOFS architecture consists of aset of overlay nodes arranged in layers of a hierarchy asshown in Fig. 1. The nodes in these layers serve as

intermediaries between the clients and the critical target.2

Such a system has three distinguishable design features.They are Layering, Mapping (Connectivity) Degree, andNode Distribution across layers. A clearer description foreach feature is given below.

. Number of Layers (Layering): The number of layersin the architecture quantifies the depth of controlduring access to the target. If the number of layers isL, then clients must pass through these L layersbefore communicating with the target. The impor-tance of layering is that if the number of layers islarger, implicitly it means that the target is betterhidden against external clients.

. Mapping (Connectivity) Degree: Each node in Layer iroutes to node(s) in Layer iþ 1 toward the target tocomplete the communication chain. The mappingdegree in the SOFS architecture is a measure of thenumber of neighbors a node in Layer i has in Layeriþ 1. Typically, the larger the mapping degree is, themore reliable is the communication due to theavailability of more paths. The largest is actually 1 toall, where each node in Layer i has all nodes in Layeriþ 1 as its neighbors.

. Node Distribution: Node distribution is a measure ofthe number of nodes in each layer. Intuitively, it mayseem that the uniform node distribution acrosslayers is preferred to ensure a degree of loadbalancing in the system. However, for a fixedamount of nodes to be distributed across a fixednumber of layers, it may be advisable to deploymore nodes at layers closer to the target to increasedefenses in sensitive layers nearer the target.

A client that wishes to communicate with the target firstcontacts node(s) in the first layer, which contact node(s) inthe second layer, and so on, until the traffic reaches thetarget. In this architecture, each node is only aware ofneighbors in its neighboring layer. A set of filters acts as afirewall surrounding the target through which only legit-imate traffic is allowed.

2.2 Intelligent DDoS Attack Models

We now discuss how intelligent attackers can compromisethe SOFS system. It has the ability to break-into nodes todisclose the victim nodes’ next-layer neighbors. Theattacker also has the ability to congest nodes to preventthem from servicing legitimate clients. We formally definethese two attacks below.

620 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 17, NO. 7, JULY 2006

1. We use the terms architectural features and design features interchange-ably in this paper. 2. We use the terms target and server interchangeably in this paper.

Fig. 1. The generalized SOFS architecture.

. Break-in Attacks: The attacker has the ability toattempt to break-into nodes in the SOFS system. Asuccessful break-in results in dysfunction of thevictim node and disclosure of the neighbors of thevictim node.

. Congestion Attacks: The attacker has the ability tocongest nodes in the SOFS system. By congest,congestion-based DDoS attacks, or simply congestionattacks, we mean any of the distributed attackmethods that prevent a victim machine fromproviding services.

Our work focuses on the theoretical analysis of theimpacts of intelligent DDoS attacks on the SOFS system,rather than the actual attack methods. However, we believethat both the break-in attacks and congestion attacks modelswe present are practical. The execution of break-in attackscan be through some intrusion attacks, or through maliciouscode hidden in the message sent by malicious clients asthose in Trojan horse or active worm attacks [1]. Whenreceived by the victim node, the malicious code can executeon the victim node to make it unfunctional and retrieve thevictim node’s neighbor list. The malicious code can eventhen self propagate to the disclosed neighbors. Theexecution of congestion attacks on a victim machine willresult in, the victim being prevented from servicingrequests or, disconnecting the victim from the system. Thiscan be due to exhausting its key resource, overloading themachine to disable communication, crashing its service,blocking its network link. Typical examples are TCP SYNattack, TCP and UDP flood attack, ICMP echo attack, andSmurf attack [1]. The above two attacks can be conducted inseveral possible ways. However, keeping in mind the aboveattack types and with the intention of maximizing attackimpacts, the attacker will usually first conduct break-inattacks to disclose the identities of many nodes. Congestionattacks on the disclosed nodes then follow after the break-inattacks. In this realm, we define two attack models below.

. A discrete round-based attack model: In our attackmodels, the attacker can launch break-in attacks onlimited number of nodes only. In a round-basedattack model, the attacker launches the break-inattacks in a round by round fashion with part ofattempts made in each round. The rationale is that,by successively breaking into nodes and locatingtheir neighbors, the attacker can disclose morenodes. We call this model as discrete because herethe attacker starts a fresh round only after the resultsof all attempted break-ins in the current round areavailable to it. Congestion attacks follow next, andare conducted in one round.

. A continuous attack model: In this model, theattacker attempts to disclose some nodes first, usingpart of its break-in attack resources. However, in thismodel, the attacker continuously keeps breaking-into disclosed nodes as and when they are identified.Congestion attacks follow next in a similar fashion.

The attack models are described in more detail inSections 3 and 4. We wish to emphasize here that the SOFSsystem also has the recovery ability to defend against

attacks. However, any meaningful execution of the recoverymechanism is contingent on the attacks. In some cases, thesystem may not be able to conduct any effective recovery ifthe attacker can speedily conduct its attack, disruptingsystem performance for some short duration of time.However, if the attack is slow, the system can attempt totake effective recovery action to restore performance. Moredetails on system recovery are given in Section 4.

In this paper, we study the SOFS system performanceunder discrete round-based attacks and continues attacks.We demonstrate that system performance is sensitive todesign features and attacks, and the architecture needs to beflexible in order to achieve better performance underdifferent attacks.

3 ANALYSIS OF THE SOFS ARCHITECTURE UNDER

ROUND-BASED ATTACKS

In this section, we conduct an extensive mathematicalanalysis on the SOFS architecture under the discrete round-based intelligent DDoS attack model with no systemrecovery. The system we study consists of a total ofN overlaynodes that can be active or dormant. By active, we mean that thenodes are currently in the SOFS architecture and ready toserve legitimate requests.3 A dormant overlay node is one thatis a part of the system but currently is not in the SOFSarchitecture and is not serving requests. In this paper, whenwe use the term overlay node, it could mean either an active or adormant node. We denote the number of active nodes in theSOFS architecture (also called as SOFS nodes) by n (n � N)which are distributed acrossL layers. Layer ihasni nodes andPL

i¼1 ni ¼ n. Each node in Layer i has one or more neighborsin its next higher layer to complete the communication chain.We define the number of next layer (Layer i) neighbors that aLayer i� 1 node has as mi.

In this paper, we assume that the attack resources arelimited. By attack resources, we mean the attack capacity,which depends on the amount of attack facilities. Forinstance, this can be the number of slave machines recruitedby the attacker to launch DDoS attacks [1]. We denote thatthe break-in attack and congestion attack resource as NT

and NC , respectively. Thus, NT and NC are the maximumnumber of nodes the attacker can launch break-in andcongestion attacks on. Here, NT þNC � N . With a prob-ability PB, the attacker can successfully break-into a nodeand disclose its neighbors in a break-in attempt.

In the SOFS system we study in this section, the systemdoes not do any recovery to counter attacks. The signifi-cance of our analysis and the results therein we observehere is in obtaining a fundamental understanding of attackimpacts to the system (and its features). Nevertheless, ouranalysis here is still practical as in some cases, the speed ofattacks may be quite high, preventing the system fromperforming recoveries. In such cases, our analysis hereprovides insights into damages that are caused under suchrapid/burst attacks. With the SOFS system and attackspecifics in place, we now formally define our performancemetric, PS , as the probability that a client can find a path to

WANG ET AL.: ON THE EFFECTIVENESS OF SECURE OVERLAY FORWARDING SYSTEMS UNDER INTELLIGENT DISTRIBUTED DOS... 621

3. In the remainder of the paper, if the context is clear, we will just usenode or SOFS node to represent an active node.

communicate with the target under on-going attacks. Someimportant notations used in the paper are given in Table 1.

3.1 Under a One-Burst Round-Based Attack Model

3.1.1 Attack Model

The model we define here is an instance of the discreteround-based attack model where the number of rounds is 1.The attacker will spend all the break-in attack resourcesrandomly and instantly in one round and then launch thecongestion attack. Even though this model may appearsimple, in reality such a type of attack is possible when say,the system is in a high state of alert anticipating imminentattacks, which the attacker is aware of and still wishes toproceed with the attack. Here, we assume the attacker hasno prior knowledge about the identities of the SOFS nodes,i.e., which overlay nodes are currently SOFS nodes.

3.1.2 Analysis

Our goal is to determine PS , the probability that a client canfind a path to communicate with the target under attacks.This is directly related to the number of nodes compro-mised due to attacks (both break-in and congestion attacks).Thus, the key defining feature of our analysis is indetermining the set 4 of attacked SOFS nodes in each layer.An intuitive way to analyze the system is to list all possiblecombinations of attacked nodes in each layer. Thencalculate and summarize PS over all combinations. It iseasy to see that there could be many such possiblecombinations. For a system with L layers and n nodesevenly distributed, such combinations will be in �ðnLÞ

2L. Fora system with three layers and 100 SOFS nodes evenlydistributed, we have about 1:0 � 1010 combinations. This is avery large number, it is not practical to analyze the systemin this fashion. To circumvent the salability problem, wetake an alternate approach. Based on the weak law of largenumbers, we use average case analysis. We calculate theaverage number of attacked SOFS nodes in each layer toobtain PS . In the following, we first derive PS , whichdepends on the SOFS architecture and number of attackedSOFS nodes in each layer. We will then discuss how to

calculate the number of attacked SOFS nodes in each layer(including nodes broken-into and congested).

Derivation of PS . Recall that PS is the probability that aclient can successfully communicate with the target underattacks, which depends on the SOFS architecture andnumber of attacked SOFS nodes. In the SOFS architecture,a SOFS node maintains a neighbor/routing table thatconsists of a number of (decided by the mapping degree)SOFS nodes in its next higher layer that it can communicatewith. Upon receiving a message, a node in Layer i willcontact a node in Layer iþ 1 from its neighbor table andforward the received message to that node. This processrepeats till the target is reached via the nodes in successivehigher layers. The routing thus takes place through activeSOFS nodes in a distributed fashion. We call a bad orcompromised node as one that has either been broken-into oris congested and thus cannot route a message. The otheroverlay nodes are good or alive nodes. The neighbor tablewill contain entries pointing to bad neighbors during break-in or congestion attacks that can cause failure of a messagebeing delivered. A snapshot of the system under an on-going attack is shown in Fig. 2.

To compute PS , we should first know the probability Pithat a message can be successfully forwarded from Layer i�1 to Layer i (1 � i � Lþ 1). Here, LayerLþ 1 refers to the setof filters that surround the target, which are also intermediateforwarders. In our analysis, we consider this layer alsobecause it is possible that filter identities can be disclosedduring a successful break-in at Layer L. With the property ofdistributed routing algorithm, we can obtain PS by direct


4. We use the terms set and number of nodes in a set interchangeably.

TABLE 1The Main Notations Used in This Paper

Fig. 2. A Snapshot of the generalized SOFS architecture under the

intelligent DDoS attacks.

product of allPis, i.e.,PS ¼ �Lþ1i¼1 Pi. Obviously,Pi depends on

the availability of good nodes in Layer i that are in the routingtable of nodes in Layer i� 1. Toward this extent, we defineP ðx; y; zÞ as the probability that a set of y nodes selected atrandom from x > y nodes contains a specific subset of znodes. Then,P ðx; y; zÞ ¼ y

z

� �= x

z

� �if y � z, and 0 otherwise. We

denote si as the number of bad SOFS nodes in Layer i. Recallthat each SOFS node in Layer i� 1 hasmi neighbors in Layeri. Then, on averageP ðni; si;miÞ is the probability that all next-hop neighbors in Layer i of a node in Layer i� 1 are badnodes. Hence, Pi ¼ 1� P ðni; si;miÞ. Thus, the probability PSthat a message will be successfully received by the target canbe expressed as

PS ¼ �Lþ1i¼1 Pi ¼ �Lþ1

i¼1 ð1� P ðni; si;miÞÞ: ð1Þ

In (1), only si (number of bad nodes) is undetermined. If wedefine bi and ci as the number of nodes that have beenbroken-into and the number of congested nodes, respec-tively, in Layer i, we have si ¼ bi þ ci. In the following, wewill derive bi and ci.

Derivation of bi. In the one-burst round-based attackmodel, bi depends on break-in resource NT , and theprobability of break-in PB. Since the attacker launches itsbreak-in attacks randomly, the NT break-in attempts areuniformly distributed on the overlay nodes in the SOFSsystem. Thus, the average number of broken-in SOFS nodes,NB ¼ PB n

N NT and, hence,

bi ¼ PBniN

� �ðNT Þ; i ¼ 1; . . . ; L: ð2Þ

We assume here that the filters are well-protected andcannot be broken-into. Filters are special and they are notamong the N overlay nodes and, thus, not the targets ofrandom attacks. Hence, bLþ1 ¼ 0.

Derivation of ci. We now discuss the derivation of ci(number of congested nodes in Layer i). Unlike bi, cidepends on the result of break-in attacks and congestioncapacity NC . Thus, we first need to know the set of SOFSnodes which are disclosed in the break-in attack phase onLayer i. We divide the disclosed nodes on Layer i into threesets; 1) set of nodes on which break-in attempts have notbeen made (denoted as dNi ), 2) set of nodes that have beenunsuccessfully broken-into (denoted as dAi ), and 3) set ofnodes that were successfully broken-into (which we do notneed to consider here). The nodes in sets dNi and dAi will betargeted now by congestion attacks. We calculate dNi and dAias follows: Let Yi;j be a random variable whose value is 1when the jth node in Layer i is either a disclosed node orone on which a break-in attempt has been made. Let zidenote the average number of nodes that have beendisclosed or have been tried to be broken-into. Thus,

zi ¼ EXnij¼1

Yi;j

!¼Xnij¼1

EðYi;jÞ ¼Xnij¼1

PrfYi;j ¼ 1g;

i ¼ 1; . . . ; Lþ 1:

ð3Þ

Denoting hi as the number of nodes on which break-inattempts have been made in Layer i, we have hi ¼ NT ðniNÞfor i ¼ 1; ::; L, and hLþ1 ¼ 0 because filters are not targets ofbreak-in attacks as discussed above. Thus, the probability

that the jth node in Layer i is neither a disclosed node nor

one on which a break-in attempt has been made, is given by

ð1� mi

niÞbi�1ð1� hi

niÞ. The same node can be disclosed by more

than one node in the previous layer. The part ð1� mi

niÞbi�1

excludes such overlaps. We now have,

PrfYi;j ¼ 1g ¼ 1� 1�mi

ni

� �bi�1

1� hini

� �; i ¼ 1; . . . ; Lþ 1;

j ¼ 1; . . . ; ni: ð4Þ

zi ¼Xnij¼1

1� 1�mi

ni

� �bi�1

1� hini

� � !

¼ ni 1� 1�mi

ni

� �bi�1

1� hini

� � !; i ¼ 1; . . . ; Lþ 1: ð5Þ

We hence have,

dNi ¼ zi � hi ¼ ni 1� 1�mi

ni

� �bi�1

1� hini

� � !� hi;

i ¼ 2; . . . ; Lþ 1: ð6Þ

dAi ¼Xhi�bij¼1

1� 1�mi

ni

� �bi�1

!¼ðhi � biÞ 1� 1�mi

ni

� �bi�1

!;

i ¼ 2; . . . ; Lþ 1: ð7Þ

Note that nodes in the first layer cannot be disclosed due to

a break-in attack and, so, dN1 ¼ dA1 ¼ 0.The attacker will now congest the SOFS nodes in the

set dNi and dAi as their identities have been disclosed and

they have not been successfully broken-into. We denote

ND to be the average number of SOFS nodes that are

disclosed but not broken-into successfully. It is given by,

ND ¼PLþ1

i¼1 ðdNi þ dAi Þ. Now, we proceed to derive ci, the

number of congested nodes in Layer i. Recall that NC is

the overall number of overlay nodes that the adversary

can congest, and the congestion attacks follow after

break-in attacks. There are two cases here:

. NC � ND: In this case, all ND disclosed SOFSnodes will be congested. Since the attacker still hascapacity to congest NC �ND overlay nodes, it willexpend its spare resources randomly. The extracongested nodes will be uniformly randomlychosen from the remaining N �NB � ðND � dNLþ1 �dALþ1Þ good overlay nodes, among which only apart are SOFS nodes. Here, dNLþ1 and dALþ1 are partsof the filers which cannot be broken-into and,hence, are excluded from ND to determine theremaining overlay nodes that are targets forrandom congestion attacks.5 Therefore,

ci ¼dNi þ dAi þ ðNC �NDÞ� ni�bAi �dNi �dAiN�NB�ðND�dNLþ1

�dALþ1Þ ; i ¼ 1; . . . ; L;

dNi ; i ¼ Lþ 1:

8><>: ð8Þ


5. In our model, the filters’ identities are hidden from attackers and theycan be congested only upon disclosure by break-in attacks.

. NC < ND: The attacker randomly congests NC nodesamong ND disclosed nodes. In this case,

ci ¼NC

NDðdNi þ dAi Þ; i ¼ 1; 2; . . . ; Lþ 1: ð9Þ

Recall that si ¼ bi þ ci is the set of bad nodes in Layer i.Having thus computed bi and ci, we obtain PS from (1).

3.1.3 Numerical Results and Discussion

We now present here numerical results based on ouranalysis above. We specifically highlight the overallsensitivity of system performance to attacks and the impactsof specific SOFS design features (layering and mappingdegree) on performance under attacks. Impacts of nodedistribution per layer are discussed in the successive round-based attack model in Section 3.2.

Fig. 3 shows the relationship between PS and thelayering and mapping degree under different attackintensities. The mapping degrees (referred as m in thefigures) used here are: 1 to 1 mapping which means eachSOFS node has only one neighbor in the next layer, 1 to halfmapping which means each node has half of all the nodes inthe next layer as its neighbors, and 1 to all mapping whichmeans each node has all the nodes in next layer as itsneighbors. Other system and attack configuration para-meters are; N ¼ 10; 000, n ¼ 100, PB ¼ 0:5, SOFS nodesevenly distributed among the layers, and number of filtersis 10. In Fig. 3a, NT is set as 0 and we evaluate performanceunder two congestion intensities; NC ¼ 2; 000 and NC ¼6; 000 representing moderate and heavy congestion attacks.In Fig. 3b, we fix NC ¼ 2; 000 and analyze two intensities ofbreak-in; NT ¼ 200 and NT ¼ 2; 000. We make the followingobservations.

Fig. 3a shows that under the same attack intensities,different layer numbers result in different PS . When NT ¼ 0(pure random congestion attack), as L increases, PS goesdown. This is because there are less nodes per layer, whichmeans under random congestion, few nodes per layer areleft uncompromised. This behavior is more pronouncedwhen the mapping degree is small. We wish to remind thereader about the SOS architecture [6], where, for defendingagainst random congestion-based DDoS attacks (sameattack model as in this instance), the number of layers isfixed as three and the mapping degree is 1 to all. FromFig. 3a, we can see that fixing the number of layers as three

is not always the best solution to defend against suchattacks. Instead, one layer is the best configuration todefend against pure congestion-based attacks.

For any L, a larger mapping degree (more neighbors foreach node) means more paths from nodes in one layer tonodes in the next layer, thus increasing PS as seen in Fig. 3aunder the absence of break-in attacks. Under break-inattacks, a high mapping degree is not always good as morenodes are disclosed due to break-ins. For instance, when themapping is 1 to all, PS ¼ 0 in Fig. 3b. Thus, the effect ofmapping typically depends on the attack intensities in thebreak-in and congestion phase. Finally, we see that anincrease in NC and NT (attack intensities) leads to adecrease in PS as more nodes could be congested orbroken-into, leading to a reduction in path availabilities.

3.2 Under a Successive Round-Based Attack

3.2.1 Attack Model

In the following, we extend our one-burst attack modelsignificantly in order to study performance under a highlysophisticated attack model called successive round-basedattack model (successive attack in short). The successiveattack model is representative of sophisticated attackstargeting the SOFS system and extends from the one-burstattack model in two ways: 1) the attacker exploits priorknowledge about the first layer SOFS nodes. Let PErepresent the percentage of nodes in the first layer knownto the attacker prior to attack (typically, these are first layernodes advertized to clients), and 2) the break-in attackphase is conducted in R rounds (R > 1), i.e., the attackerwill launch its break-in attacks successively rather than inone burst. In this attack model, more SOFS nodes aredisclosed in a round by round fashion thus accentuating theeffect of break-in attacks.

Procedure 1 Pseudocode of the successive attack strategy

System parameters: N , n, L, PB;

Attack parameters: NT , NC , R, X1, �, �

Phase 1 Break-in attack:

1: � ¼ NT , � ¼ NT

R ;

2: for j ¼ 1 to R do

3: if Xj < � < � then

4: launch break-in attack on all Xj nodes and randomly

launch break-in attack on ��Xj nodes and calculate

the set Xjþ1 disclosed nodes; update � ¼ � � �;

5: end if


Fig. 3. Sensitivity of PS to L and mi under different attack intensities.

6: if Xj < � � � then

7: launch break-in attack on all Xj nodes and randomly

launch break-in attack on � �Xj nodes and calculate

the set Xjþ1 disclosed nodes; break;

8: end if

9: if � � Xj < � then

10: launch break-in attack on all Xj nodes and calculate

the set Xjþ1 disclosed nodes; update � ¼ � �Xj;

11: end if

12: if Xj � � then

13: launch break-in attack on � nodes among Xj nodes

and calculate the set Xjþ1 disclosed nodes; break;

14: end if

15: end for

16: calculate ND;

Phase 2 Congestion attack:

1: if NC > ND then

2: congest the ND nodes and randomly congest

(NC �ND) nodes;

3: else

4: congestion NC nodes among ND nodes randomly;

5: end if

The strategy of the successive attack is shown inProcedure 1. We denote � to be the available break-inattack resources at the start of each round, and � ¼ NT atthe start of round 1. For each round, the attacker will try tobreak-into a minimum of � nodes and is fixed as NT

R . If thenumber of disclosed nodes is more than �, the attackerborrows resources from � to attack all disclosed nodes.Otherwise, it attacks the nodes disclosed and some otherrandomly chosen nodes to expend � resources for thatround. The break-in attack capacity available (�) keepsdecreasing till the attacker has exhausted all of itsNT resources. At any round, if the attacker has discoveredmore nodes than its available capacity (�), it tries to break-into a subset (�) of the disclosed nodes then starts thecongestion phase. The attacker will congest all disclosednodes and more, or only a subset of the disclosed nodesdepending on its congestion capacity NC . Here, we assumethe attacker will not attempt to break-into a node twice anda node broken-into will not be targeted by congestionattack. Although there can be other variations of suchsuccessive attacks, we believe that ours is a representativeenough model of sophisticated attacks.

3.2.2 Analysis

We again use average case analysis approach and use asimilar method to derivePS as in (1). In calculating bi and ci inthe one-burst attack model we analyzed before, we had totake care of two possible overlap scenarios 1) a disclosed nodecould have been already broken-into, and 2) the same nodebeing disclosed by multiple lower layer nodes. The complex-ity in overlap is accentuated here due to the nature ofsuccessive attacks. This is because there are multiple roundsof break-in attacks before congestion. We thus have toconsider the above overlaps in the case of multiple roundsas well. In the following, we will first introduce a concept ofSOFS node demarcation in order to deal with above overlaps,and follow that with deriving bi and ci in each round.

Node demarcation. In order to preserve the informationabout a node per round and across layers, we introduce

subscript j for round information, and subscript i for layerinformation. We define Xj as the number of nodes whoseidentities are known to the attacker at the start of round j. Inorder to deal with overlaps within and between rounds, weneed to separate the SOFS nodes into multiple sets asfollows: At the beginning of each round j, the attacker willbase its break-in attack on the set of nodes disclosed at thecompletion of round j� 1. We denote the set of nodeswhich are disclosed at round j� 1 and on which break-inattempts are made in round j, as hDi;j. Depending on itsspare capacity for that round, the attacker can also selectmore nodes to randomly break-into. We denote this set ashAi;j. We define hi;j ¼ hDi;j þ hAi;j, which is the number ofnodes on which break-in attempts (successfully/unsuccess-fully) have been made at Layer i in round j. Once theattacker has launched its break-in attacks on these hi;j nodes,it will successfully break-into a set of nodes. We denote bDi;jand bAi;j as the set of nodes successfully broken-into, anddenote uDi;j and uAi;j as the set of nodes unsuccessfullybroken-into, after the attacker launches its break-in attackson the hDi;j and hAi;j set of nodes, respectively. We have,

bDi;j ¼ PB � hDi;j and bAi;j ¼ PB � hAi;j; i ¼ 1; . . . ; L; ð10ÞuDi;j ¼ ð1� PBÞ � hDi;j anduAi;j ¼ ð1� PBÞ � hAi;j; i ¼ 1; . . . ; L: ð11Þ

Breaking-into nodes in sets bDi;j and bAi;j will disclose a setof nodes denoted by dWi;j. This set, dWi;j will overlap with

1. the nodes attacked in all previous rounds given byPj�1k¼1 hi;k,

2. the nodes in set bAi;j,3. the nodes in set bDi;j and uDi;j, and4. the nodes in set uAi;j, where we denote the set of

nodes in dWi;j overlapping with uAi;j as dAi;j.

Fig. 4 shows such overlaps at the end of round j. Afterdiscounting all the above overlaps from dWi;j , we can get theset of disclosed nodes which have not been attacked till theend of round j denoted as dNi;j. Based on the definitions forhDi;j and dNi;j, and that the filters are not targets of break-inattacks, we have

hDi;j ¼ dNi;j�1; i ¼ 1; . . . ; L: ð12Þ

Note that dNi;j�1 and dAi;j�1 are 0 for i ¼ 1. This is because thenodes at the first layer cannot be disclosed by means of abreak-in attack in any round j. Recall that Xj is the set of


Fig. 4. Node demarcation in our successive attack at the end of Round j.

disclosed nodes whose identities are known to the attacker

before round j and on which break-in attacks will be made

at round j. Thus, it can be calculated as Xj ¼PL

i dNi;j�1. In

the following, we proceed to derive the number of broken-

in nodes (bi) and then compute the number of congested

nodes (ci) for each round.Derivation of bi. To derive bi, we need to first calculate

the sets defined above. For ease of elucidation, we take a

representative case Xj < � < � in Procedure 1 as an

example to explain our analysis. Recall that � is the amount

of available break-in attack resource at current round. This

is the most representative case among the ones possible. We

also discuss other possible cases briefly after analyzing this

case. In this case, the attacker at the beginning of round j of

its break-in attack phase has resources to break-into more

nodes than those disclosed already prior to that round

(dNi;j�1), and has attack resources left (��Xj) to randomly

conduct break-in on other overlay nodes. Now, there are

N �Xj �PL

q¼1

Pj�1k¼1 hq;k unattacked overlay nodes and

among them ni � dNi;j�1 �Pj�1

k¼1 hi;k are at Layer i. Thus,

we can get the number of nodes (hAi;j) on which random

break-in attempts have been made on Layer i in round j as

hAi;j ¼ni � dNi;j�1 �

Pj�1k¼1 hi;k

N �Xj �PL

q¼1

Pj�1k¼1 hq;k

ð��XjÞ; i ¼ 1; 2; . . . ; L:

ð13Þ

We define bi;j as the number of nodes broken-into on

Layer i in round j, which is the summation of bAi;j and bDi;j.

Based on (10), (12), and (13), we have,6

bi;j ¼ PB �ni � dNi;j�1 �

Pj�1k¼1 hi;k

N �Xj �PL

q¼1

Pj�1k¼1 hq;k

� ð��XjÞ þ PB � dNi;j�1;

i ¼ 1; 2; . . . ; L:

ð14Þ

We can now obtain bi as

bi ¼XJk¼1

bi;k; i ¼ 1; 2; . . . ; L; ð15Þ

where J is the number of rounds attacker takes to exhaust

all break-in resources (NT ). Note that J � R.To obtain bi, we need to compute the set of nodes dNi;j,

which is used in (14). As discussed above, we have to

extract the set dNi;j from dWi;j . Similar to the discussion in the

one-burst attack model, we can derive dNi;j and dAi;j as

follows: We first calculate the set of nodes that have been

either disclosed or attacked. This is given by,

zi;j ¼ ni 1� 1�mi

ni

� �bi�1;j

1�Pj

k¼1 hi;kni

! !;

for bi�1;j > 0 and i ¼ 2; . . . ; Lþ 1:

ð16Þ

Note that in our attack model, the attacker will not try to

break-into a node twice. Hence, to calculate dNi;j, from zi;j, we

subtract the nodes on which break-in attempts have beenmade (

Pjk¼1 hi;k). Thus, we have

dNi;j ¼ zi;j �Xjk¼1

hi;k; for bi�1;j > 0 and i ¼ 2; . . . ; Lþ 1: ð17Þ

Having computed dNi;j, we can use (14) and (15) to obtain bi.Now, dAi;j (which will be used to compute ci) is given by

dAi;j ¼ hAi;j � bAi;j� �

1� 1�mi

ni

� �bi�1;j

!; for bi�1;j > 0

and i ¼ 2; . . . ; Lþ 1:

ð18Þ

Having discussed the necessary derivations for therepresentative case above in detail, we now clarify thereaders about the situations involving particular cases forthe successive attack. Apart from the representative case wehave just discussed, there are three other cases: 1)Xj < � � �,2) � � Xj < �, and 3) � � Xj. For case 1, all the formulas wederived for the above case can be directly applied, except that� has to be replaced by �. For case 2, all the formulas in theabove case can be applied except that hAi;j ¼ 0. For case 3, wehave hAi;j ¼ 0, and the formulas derived in the representativecase have to be suitably modified. In this case, there are somedisclosed nodes that the attacker does not try to break-intodue to consumption of all break-in resources. Such nodes willbe attacked during the congestion phase. We denote this set ofnodes in Layer i after round j as fi;j. We wish to state here thatfi;j has relevance (fi;j > 0) only when the attacker completesits break-in attack phase at round j. Thus, in this case, there isno left resource for random break-in attacks. Only� disclosednodes will be attempted to be broken-into on all the layers andthey are uniformly randomly distributed on each layer. Then,we have,

fi;j ¼ dNi;j�1 � dNi;j�1 ��

Xj

� �; hAi;j ¼ 0; hDi;j ¼ dNi;j�1 � fi;j;

for i ¼ 1; 2; . . . ; L; and ð19Þ

dNi;j ¼ ni 1� 1�mi

ni

� �bi�1;j

1�Pj

k¼1 hi;k þPj

k¼1 fi;kni

! !

�Xjk¼1

hi;k �Xjk¼1

fi;k; i ¼ 2; . . . ; Lþ 1; ð20Þ

where bi�1;j > 0. Here, dAi;j is the same as (18) and fLþ1;j ¼ 0because filters are not targets of break-in attacks. With theabove derivations in this case, we can now use (14) and (15)to calculate bi.

Derivation of ci. Recall that in the congestion attackphase, the attacker will first congest the disclosed SOFSnodes disclosed in break-in attack phase. Let the final roundof the break-in attack be J(J � R). Denoting ND as thenumber of disclosed nodes but not broken-into, based onthe definitions of uDi;j, d

Ni;j, d

Ai;j, and fi;j, we have

ND ¼XLi¼1

XJk¼1

uDi;k þXJk¼1

dNLþ1;k þXLi¼2

dNi;J þXLi¼1

fi;J

þXLi¼1

XJk¼1

dAi;k:

ð21Þ


6. Recall that hDLþ1;j, hALþ1;j, and bLþ1;j are all 0 because filters are not

targets of break-in attacks.

We have the total number of broken-in nodes, NB ¼PL

i¼1PJk¼1 bi;k. If NC � ND, similar to (8), we have the number of

congested nodes per layer, ci as

ci ¼

PJk¼1 u

Di;k þ dNi;J þ

PJk¼1 d

Ai;k

þfi;J þ ðNC �NDÞðni �

PJk¼1 bi;k �

PJk¼1 u

Di;k � dNi;J

�PJ

k¼1 dAi;k � fi;JÞ=

ðN �NB � ðND �Pj

k¼1 dNLþ1;kÞÞ; i ¼ 1; . . . ; L;Pj

k¼1 dNLþ1;k; i ¼ Lþ 1:

8>>>>>>>><>>>>>>>>:

ð22Þ

If NC < ND, similar to (9), we have

ci ¼NC

ND� ðPJ

k¼1 uDi;k þ dNi;J þ fi;J þ

PJk¼1 d

Ai;kÞ; i ¼ 1; . . . ; L;

NC

NDðPJ

k¼1 dNLþ1;kÞ; i ¼ Lþ 1:

(

ð23Þ

Recall that si ¼ bi þ ci is the set of bad nodes in Layer i.We can now obtain PS from (1).

Note that prior knowledge about identities of the firstlayer SOFS nodes (PE) determines X1, i.e., X1 ¼ n1 � PE . Infact, we can consider this information as that obtained froma break-in attack at Round 0. The number of nodes“disclosed” at Round 0 is thus n1 � PE , all of which aredistributed at the first layer. At round 1, the attacker willlaunch its break-in attack based on this information. Thus,bi;j, d

Ni;j, ci, etc., can be calculated by application of Formulas

(10) to (23). We wish to point out that if we set PE ¼ 0 andR ¼ 1, the successive attack model degenerates into the one-burst attack model. Thus, the formulas to compute bi;j, d

Ni;j,

ci, etc., will be simplified to the corresponding ones derivedin the previous section.

3.2.3 Numerical Results

In the following, we discuss the system performance (PS)under successive attacks. Unless otherwise specified, thedefault system and attack parameters are N ¼ 10; 000,n ¼ 100, L ¼ 4, NC ¼ 2; 000, NT ¼ 200, R ¼ 3, PB ¼ 0:5,PE ¼ 0:2, and the SOFS nodes are evenly distributed amongthe layers. We introduce two new mapping degrees here,namely, 1 to 2 mapping, meaning each SOFS node has twoneighbors in the next layer; and 1 to 5 mapping, meaningeach node has five neighbors in the next layer.

In Fig. 5, we show how system performance, PS , changeswith NT as the other SOFS system parameters change. Fig. 5

a shows how the mapping degree and total number ofoverlay nodes influence the relation between NT and PS . Inthis configuration, we set NC ¼ 2; 000 and even SOFS nodedistribution. Fig. 5b shows the sensitivity of PS to NT underdifferent number of layers, L, and different mappingdegree. We make the following observations: First, PS issensitive to NT . A larger NT results in a smaller PS . Forhigher mapping degrees, PS is more sensitive to changingNT . The reason follows from previous discussions that ahigher mapping degree discloses more nodes under break-in attacks. Second, in Fig. 5, there is portion of the curve,where PS almost remains unchanged for increasing NT .This stable part is due to advantages offered by means ofthe layering in SOFS architecture against break-in attacksguided by prior disclosure of SOFS nodes. The fall in PSbeyond this stable part is due to the effect of random break-in attacks apart from break-in attacks guided by priordisclosure of SOFS nodes.

Fig. 6a shows the impact of layer number, L, on systemperformance, PS , under different mapping degrees. Similarto Fig. 3a and Fig. 3b, PS is sensitive to L and the mappingdegree, even under multiple rounds of break-in attacks, i.e.,when NT > 0 and R > 1. An increase in the number oflayers can always slow down penetration of the break-inattacks toward the target. However, if the system deploystoo many layers, it decreases the number of nodes on eachlayer and the number of paths between layers decreasescorrespondingly, which will cause a decrease in PS (recallthat in our evaluation, the total number of SOFS nodes isfixed). Among the configurations we tested, the one withL ¼ 4 and mapping degree 1 to 2 provides better overallperformance than others.

Fig. 6b shows the impact of node distribution on PSwhen L and the mapping degree change. Other parametersremaining unchanged, here we show the sensitivity ofperformance to three different node distributions per layer.The first is even node distribution wherein the nodes ineach layer are the same (given by n

L ). The second isincreasing node distribution, wherein the number of nodesin the first layer is fixed (nL ). This is to maintain a degree ofload balancing with the clients. The other layers have nodesin an increasing distribution of 1 : 2 : . . . : L� 1. The third isdecreasing node distribution where the number of nodes inthe first layer is fixed (nL ) and those in the other layers are indecreasing order of L� 1 : L� 2 : . . . : 1. However, there


Fig. 5. Sensitivity of PS to NT under different L, mi, and N.

can be other node distributions. We believe the above onesare representative to study the impact of node distributions.

We make the following observations: The node distribu-tion does impact system performance. The sensitivity of PSto the node distribution seems more pronounced for highermapping degrees (more neighbors per node). A veryinteresting observation we make is that increasing nodedistributions performs best among the tested node distribu-tions. This is because when the mapping degree is largerthan 1 to 1, breaking-into one node will lead to multiplenodes being disclosed at the next layer, hence the layerscloser to the target will have more nodes disclosed and aremore vulnerable. More nodes at these layers can compen-sate the damage of disclosure. Also, we observe that as thenumber of layers increases, the sensitivity to node distribu-tion gradually reduces. This is because as L increases, thedifference in the number of nodes per layer turns to be lessfor the different node distributions.

Fig. 7a shows the impact of R (the number of rounds) onPS under different L with mapping degree 1 to 5. The nodesare evenly distributed among the layers in this case.Overall, PS is sensitive and decreases when R increases.For larger values of L, PS is less sensitive to R because morelayers can provide more protection from break-in attackseven for large round numbers. We also observe that PS issensitive to PE in Fig. 7b. For higher mapping degrees, PS ismore sensitive to changing PE . The reason follows fromprevious discussions that a higher mapping degree dis-closes more nodes. For smaller L, PS is more sensitive to

changing PE because a smaller L increases the attacker’schance to penetrate the system, layer by layer.

3.2.4 Discussions

In the above, we have made important observations onsystem performance, and the impacts of the design featureson system performance under intelligent DDoS attacks,using extensive analytical derivations. A natural questionhere is the following: Using our analytical results, can weobtain optimal configurations for the design features tooptimize system performance? In the following, we addressthis issue. Due to space restrictions, we answer the abovequestion by explaining how to obtain optimal mappingdegree and node distribution as examples. Optimal config-urations for other design features can be obtained similarly.

The performance of the SOFS system, i.e., PS , is afunction of system design features and attack parameters,as seen in (24) below, where m½� and n½� are the mappingdegree and the number of nodes on each layer. Function Fcontains all parameters that are used to calculate PS andsummarizes the above formulas to calculate PS .

PS ¼ F ðN;n;NC;NT ; L;m½�; n½�; PB; PE;RÞ: ð24Þ

If all other system and attack parameters are fixed and wekeep m½� as variables, then we can use existing mathematictools such as MATLAB to get the optimal mapping degreeunder given system and attack parameters. Table 2 showsoptimal mapping degrees under default system and attackparameters that were used in Section 3.2.3. We can see that


Fig. 6. Sensitivity of PS to L, mi, and node distribution.

Fig. 7. Sensitivity of PS to (a) R and (b) PE .

the optimal mapping degree7 changes from 1 to all to 1 to 2,when NT changes from 0 to 2,000. This matches ourprevious observation that smaller mapping degrees im-prove the resilience of the system to break-in attacks. InTable 3, we get the optimal node distributions under twodifferent NT values when L ¼ 4, n1 is fixed as n

L , i.e., 25,mapping degree is 1 to 2, and all other parameters are set asthe default configuration values. The results match ourprevious observation that increasing node distributionperforms better than other node distributions.

While the above approach is useful in some cases, thereal problem is how to optimize multiple structureparameters simultaneously to achieve optimum perfor-mance. To complicate this further, some of the parametersespecially attack related (such as NC;NT ) may be unknownto the system designer at design time. In some cases, someparameters can be estimated to be within ranges. Also, thesystem may have other constraints like latency, workloadper node, etc., that impact choices in number of layers,mapping degree, etc. The optimization of design featuresneeds to take these issues into consideration too. It can beeasily seen that solving the overall optimization problem isthus not easy. Nevertheless, we do provide some discus-sions on how to obtain optimal configurations underreasonable assumptions on system and attack generalities.

Consider an instance, where intensities can be predictedwithin some interval. i.e., we know the ranges and thedistributions of NC and NT values. Then, a reasonableapproach to address this problem is to obtain configurationsto optimize the expected value of the path availabilitiesdenoted as EðPSÞ. It is formally defined in (25), wherePrðN 0C;N 0T Þ is the probability that the NC and NT havevalues of N 0C and N 0T , respectively.

EðPSÞ ¼XN 0C;N 0

T

PrðN 0C;N 0T Þ � F ðN;n;N 0C;N 0T ; L;m½�; n½�;

PB; PE;RÞ:ð25Þ

Based on (25), we can use optimization tools such asthose in MATLAB to get the optimal mapping degree (m½�)and node distribution (n½�) to achieve overall optimalperformance under certain ranges of NC and NT . In reality,the range and distribution of NC and NT , and even otherattack parameters can be obtained from historical experi-ence and run-time measurement. Other attack parametersthat can be estimated within ranges can be handled in thesame way we deal with NC and NT .

To summarize here, the attack strategies, intensities,prior knowledge about the system significantly impact

system performance. However, the impacts are deeplyinfluenced by the system design features. Larger values of Land smaller mapping degrees improve system resilience tobreak-in attacks, while the reverse is true for congestion-based attacks. Increasing node distribution performs betterthan other node distributions. These design features interactamong each other to impact system performance underintelligent DDoS attacks.

4 ANALYSIS OF THE SOFS SYSTEM UNDER

CONTINUOUS ATTACKS

In this section, we study the performance of the SOFSsystem in the presence of another type of intelligent DDoSattacks called continuous attacks. We also study the impactsof recovery mechanisms the SOFS can incorporate in thissection. The performance metric here is still PS .

4.1 Attack Model and System Recovery

The continuous attack model is different from the discreteround-based attack model proposed above in the sense thatthe attacker continuously breaks into SOFS nodes as andwhen their identities are revealed to the attacker (and not inrounds). We defineNT andNC to be the maximum number ofoverlay nodes that can be simultaneously under break-in orcongestion attacks. Furthermore, here the attacker reuses itsresources (NT and NC) in a more sophisticated way asfollows: During system recovery (discussed next), theattacker will know that a compromised node is recovered (itis replaced with a good node). If the attacker attacks a non-SOFS node,8 it will also know that it is a non-SOFS node. Ineither case, the attacker will redirect the attack to a new nodein time Tred, which is referred as attack redirection delay.

Under on-going congestion attack, the attacker will keepattacking a victim node as long as it is an SOFS node. Duringbreak-in attacks, once a break-in attempt is completed on anode (irrespective of the result), the attacker will redirect thebreak-in attack to another node also in time Tred. When theattacker redirects the attack, it will use the disclosed node listif there is any node in that list; otherwise, it will randomly picka node from all the overlay nodes except ones currently underattack. Obviously, the disclosed nodes are all SOFS nodes, sothey will be targeted first by break-in attacks if there areenough resources. Otherwise, the nodes are attacked bycongestion attacks.

In our analysis here, the SOFS system employs recoveryto defend against attacks. While there can be many potentialrecovery mechanisms, the one we employ is proactiverecovery, where a proactive reset mechanism periodicallyresets every SOFS node. When a proactive reset eventhappens on a SOFS node, the SOFS system immediatelyreplaces that node with a new SOFS node chosen from the


7. While obtaining optimal mapping degrees, we constrain the mappingdegrees to be equal across layers for consistency in workload across nodesin the system. However, this constraint can be relaxed if need be.

8. Recall that a SOFS node is one that currently is active in the SOFSstructure, while a non-SOFS node is one that is a part of the overlay system,but is not a part of the SOFS structure currently.

TABLE 2Optimal Mapping Degree with Different NT

set of non-SOFS nodes. We denote the interval between twosuccessive proactive resets on a SOFS node as Tp, which iscalled system recovery delay. In this study, we mainly focusour discussion on proactive recovery. Interested readers canrefer to [9] for our discussion and analysis on other recoverymechanisms.

4.2 Analysis

The goal of our analysis here is to study the impacts ofsystem design features on system performance undercontinous attacks with system recovery. An analyticalapproach for this case, similar to the one conducted underdiscrete round-based attacks, is too complicated. We usesimulations here to study system performance undercontinuous attacks in the presence of system recovery.

In order to analyze the system, we implement a discrete

event driven simulation tool to simulate the attack model

and system recovery. The simulated system consists of

5,000 overlay nodes among which there are 40 SOFS node,

and 10 filters. Each client is connected to five first layer

SOFS nodes. In our simulations below, the attack redirection

delay (Tred) and the system recovery delay (Tp) follow

exponential distributions. The system recovery is sensitive

tomean value of Tpmean value of Tred

, denoted as r, instead of the individual

value Tred or Tp. Thus, r measures the competition between

attacks and system recovery in terms of speed. A smaller

value of r, implies faster recovery, which is beneficial for the

system. In the simulations below, we only use r to discuss

the impacts of continous attacks and system recovery.

4.3 Numerical Results and Discussions

In following simulations, the default system and attackparameters are L ¼ 4, PB ¼ 0:5, PE ¼ 0:2, NT ¼ 200, andNC ¼ 200. Fig. 8a shows the impact of layer number, L, onPS under different mapping degrees when both NT and NC

are fixed as 200, and r ¼ 5. Similar to Fig. 6a, PS is sensitiveto L and the mapping degree. The sensitivity of PS to L and

mapping degree is less than that in the discrete round-based attack model. The reason is due to the presence ofsystem recovery, where the system replaces the compro-mised and disclosed SOFS nodes, attack impacts arereduced. Fig. 8b shows how L and r influence PS whenNT ¼ 200, mapping degree is 1 to 2, and NC changes. Here,L ¼ 4 is always better than L ¼ 7. This is because, when NT

is fixed and NC increases, random congestion attacksdominate and, hence, less layers will improve performanceas discussed in the round-based attack model.

Fig. 9a shows how PS changes with NT under different Land r. The mapping degree is fixed as 1 to 2. In most of thecases, L ¼ 4 performs better than L ¼ 7. This is because, inour simulations the total number of SOFS nodes is fixed.Under this situation, deploying more layers decreases thenumber of nodes on each layer and, so, decreases thenumber of paths from clients to the target. However, thereis one exception to this claim. When r ¼ 20 and NT ¼ 50,L ¼ 7 performs better than L ¼ 4, which shows that morelayers can be beneficial. The reason is, when NT is verysmall, there are few nodes disclosed and compromised ateach layer. In this situation, decrease in PS is mainly due todisclosure and compromise of filters which are at the lastlayer. Here, slow recovery (large r) cannot recover thecompromised filters effectively. In this case, more layers canslow down the penetration of break-in attacks toward thefilters and helps achieve better performance. The data alsodemonstrate that faster system recovery (smaller r) im-proves system performance more effectively.

Fig. 9b shows how PS changes with NT under differentmapping degrees and r, when L ¼ 4. When NT is small,smaller mapping is better, especially when r is large. But,when NT is large, larger mapping performs better. This isbecause, when NT is not large and mapping degree is small,fewer nodes are disclosed. Hence, fewer nodes are attacked,resulting in high PS . However, when NT is very large, manySOFS nodes are disclosed and compromised and it is thesystem recovery that maintains a certain (possibly small)number of nodes alive, which guarantees PS > 0. Thenumber of alive nodes here is mainly determined by r,which is not related to mapping degree. But, mappingdegree decides the number of available paths. Given anumber of alive nodes, a larger mapping degree meansmore paths. Hence, PS increases with larger mappingdegree, especially when r is small (fast system recovery).

From the above, we see that attack intensities andsystem design features have significant impacts on system


TABLE 3Optimal Node Distribution under 1 to 2 Mapping

with Different NT

Fig. 8. Sensitivity of PS to (a) L under different m, and to (b) NC under different L and r.

performance under continuous attacks with system

recovery. We also find that recovery plays a significant

role in reducing impacts caused by even intense attacks,

by still sustaining a certain level of system performance.

Large mapping degrees help achieve better system

performance in this circumstance.

5 RELATED WORK

The main scope of this work is in the realm of overlay

systems (organized into definite structures) for defending

against Distributed DoS attacks. The surveys in [1], [2], [3]

on DDoS attacks and defense are exhaustive, and interested

readers can refer to those papers. We have also provided

some background related to this in Section 1 in this paper.

In the following, we focus on work using overlay systems in

general to defend against DDoS attacks.Recently, several works have proposed solutions based

on overlay networks to enhance security of communication

systems like [6], [7], [8], [10], [11], [12], [13], [14]. An overlay

solution to track DDoS floods has been proposed in [10].

Anderson et al. [11] proposes a overlay routing infrastruc-

ture to enhance the resilience of the Internet. Chen and

Chow designed a random Peer-to-Peer network that

connects the registered client networks with the registered

servers to defend against DDoS attacks in [12]. Badishi et al.

present a systematic study of the vulnerabilities of gossip-

based multicast protocols to DoS attacks and propose a

simple gossip-based multicast protocol that eliminates such

vulnerabilities in [13]. The effectiveness of location-hiding

of proxy-network based overlays is discussed in [14].Anonymity systems share some features with our SOFS

system. Anonymity systems usually use intermediate

forwarding to achieve anonymity. However, there are some

significant differences between SOFS and anonymity

systems. The goal of SOFS is to ensure paths from clients

to the server by putting multiple connections between

nodes in successive layers. Many anonymity systems

depend on one or more third party nodes to generate an

anonymous path [15], [16], which is not good for SOFS.

SOFS cannot rely on a centralized node to achieve receiver

anonymity since the centralized node can itself be the target

of a DDoS attack.

6 FINAL REMARKS

In this paper, we have studied the impacts of architecturaldesign features on SOFS, a generalized overlay intermediateforwarding system under intelligent DDoS attacks. Weanalyzed our SOFS system under discrete round-basedattacks using a general analytical approach and analyzedthe system under continuous attacks using simulations. Weobserved that the system design features, attack strategies,intensities, prior knowledge about the system, and systemrecovery significantly impacts system performance. Evenunder sophisticated attack strategies and intensities, weshowed that with smart designing of system features andrecoveries, attack impacts can be significantly reduced. Aswe discussed in Section 3, we showed how to obtainoptimal system configurations under expected attackstrategies and intensities. Based on our findings in thepaper, we further propose a set of design guidelines toenhance performance under all general scenarios.

1. The design feature configurations should be flexibleand adaptive to achieve high performance underdifferent intensities of attacks.

2. When attack information is unknown, moderatenumber of layers and mapping degree, and increas-ing node distribution are recommended to sustain amore than acceptable level of performance.

3. When break-in attacks dominate, more layers andsmaller mapping degrees are recommended. Whencongestion-based attacks dominate, less layers andlarger mapping degrees are better.

4. System recovery is always helpful to improvesystem performance under attacks. Under intensebreak-in attack, system recovery with large mappingcan always help sustain a more than acceptable levelof performance.

As part of future work, we propose to design SOFS systemthat is resilient to attacks while maintaining QoS. Also, theimpacts of our work extend beyond DDoS attack defense.There are several other applications where a structurepresent, enables better service delivery. These include multi-casting, real-time delivery, file sharing systems, etc. Asmodeled in this paper, attackers can cause significantdamages to performance by exploiting knowledge of thestructure already present in these systems. We believe thatour work is a first step toward designing the features ofresilient overlay architectures under intelligent attacks.


Fig. 9. Sensitivity of PS to NT under (a) different r and L and (b) different r and m.

Analyzing the resilience of such systems under intelligentattacks will also be a part of our future work.

ACKNOWLEDGMENTS

An earlier version of this work was published in theProceedings of IEEE International Conference on DistributedComputing Systems (ICDCS), Tokyo, Japan, March 2004. Thiswork was partially supported by the US National ScienceFoundation (NSF) under grant no. ACI-0329155 andCAREER Award CCF-0546668. Any opinions, findings,and conclusions or recommendations expressed in thismaterial are those of the authors and do not necessarilyreflect the views of the NSF.

REFERENCES

[1] J. Mirkovic and P. Reiher, “A Taxonomy of DDoS Attacks andDefense Mechanisms,” ACM SIGCOMM Computer Comm. Rev.,vol. 34, no. 2, pp. 39-54, Apr. 2004.

[2] S. Savage, D. Wetherall, A.R. Karlin, and T. Anderson, “PracticalNetwork Support for IP Traceback,” Proc. ACM SIGCOMM Conf.,Aug. 2000.

[3] R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S.Shenker, “Controlling High Bandwidth Aggregates in the Net-work,” Proc. ACM SIGCOMM Computer Comm. Rev. (CCR), July2002.

[4] K. Park and H. Lee, “On the Eeffectiveness of Route-Based PacketFiltering for Distributed DoS Attack Prevention in Power-LawInternets,” Proc. ACM SIGCOMM Conf., Aug. 2001.

[5] A. Kuzmanovic and E.W. Knightly, “Low-Rate TCP-TargetedDenial of Service Attacks (the Shrew vs. the Mice and Elephants),”Proc. ACM SIGCOMM Conf., Aug. 2003.

[6] A. Keromytis, V. Misra, and D. Rubenstein, “SOS: Secure OverlayServices,” Proc. ACM SIGCOMM, Aug. 2002.

[7] D. Andersen, “Mayday: Distributed Filtering for Internet Ser-vices,” Proc. USENIX Symp. Internet Technologies and Systems, Mar.2003.

[8] I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana,“Internet Indirection Infrastructure,” Proc. ACM SIGCOMM Conf.,Aug. 2002.

[9] X. Wang, S. Chellappan, P. Boyer, and D. Xuan, “AnalyzingSecure Overlay Forwarding Systems Under Intelligent DDoSAttacks,” Technical Report OSU-CISRC-12/04-TR71, Dept. ofComputer Science and Eng., The Ohio State Univ., June 2004.

[10] R. Stone, “Centertrack: An IP Overlay Network for Tracking DoSFloods,” Proc. Ninth USENIX Security Symp., Aug. 2000.

[11] D. Andersen, H. Balakrishnan, M. Kaashoek, and R. Morris,“Resilient Overlay Networks,” Proc. 18th ACM Symp. OperatingSystems Principles (SOSP), Oct. 2001.

[12] S. Chen and R. Chow, “A New Perspective in Defending againstDDoS,” Proc. 10th IEEE Workshop Future Trends of DistributedComputing Systems (FTDCS), May 2004.

[13] G. Badishi, I. Keidar, and A. Sasson, “Exposing and EliminatingVulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast,” Proc. Int’l Conf. Dependable Systems and Networks(DSN), June 2004.

[14] J. Wang, L. Lu, and A.A. Chien, “Tolerating Denial-of-ServiceAttacks Using Overlay Networks—Impact of Overlay NetworkTopology,” Proc. ACM Workshop Survivable and Self-RegenerativeSystems, Oct. 2003.

[15] M. Reiter and A. Rubin, “Crowds: Anonymity for Web Transac-tions,” ACM Trans. Information and System Security, vol. 1, no. 1,pp. 66-92, Nov. 1998.

[16] L. Xiao, Z. Xu, and X. Zhang, “Mutual Anonymity Protocols ForHybrid Peer-To-Peer Systems,” Proc. IEEE Int’l Conf. DistributedComputing Systems, May 2003.

Xun Wang received the bachelors degree andmasters degree in computer engineering fromThe East China Normal University, Shanghai,China, in 1999 and 2002, respectively. He is aPhD student in the Department of ComputerScience and Engineering at The Ohio StateUniversity. His research interests include net-work security, overlay networks, and wirelesssensor networks.

Sriram Chellappan received the masters de-gree in electrical engineering from The OhioState University and the bachelors degree ininstrumentation and control engineering from theUniversity of Madras. He is a graduate student inthe Department of Computer Science andEngineering at The Ohio State University. Hiscurrent research interests are in network secur-ity, distributed systems, and wireless networks.

Phillip Boyer received the BA degree (2003) incomputer science from Hiram College, and hasbeen a research student in the Department ofComputer Science and Engineering at The OhioState University. Currently, he is working forNationwide Insurance. His research interestsinclude network security.

Dong Xuan received the BS and MS degrees inelectronic engineering from Shanghai Jiao TongUniversity (SJTU), China, in 1990 and 1993, andthe PhD degree in computer engineering fromTexas A&M University in 2001. Currently, he isan assistant professor in the Department ofComputer Science and Engineering, The OhioState University. He was on the faculty ofElectronic Engineering at SJTU from 1993 to1997. In 1997, he worked as a visiting research

scholar in the Department of Computer Science, City University of HongKong. From 1998 to 2001, he was a research assistant/associate inReal-Time Systems Group of the Department of Computer Science,Texas A&M University. He is a recipient of the US National ScienceFoundation (NSF) CAREER award. His research interests include real-time computing and communications, network security, sensor net-works, and distributed systems. He is a member of the IEEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


ieee transactions on parallel and distributed …web.mst.edu/~chellaps/papers/06_effec_wang.pdf ·...

Documents