On the effectiveness of secure overlay forwarding systems under intelligent distributed DoS attacks
X. Wang, S. Chellappan, P. Boyer, D. Xuan
2006
IEEE Transactions on Parallel and Distributed Systems
In the framework of a set of clients communicating with a critical server over the Internet, a recent approach to protecting communication from Distributed Denial of Service (DDoS) attacks involves the use of overlay systems; SOS, MAYDAY and I3 are such systems. The overlay system serves as an intermediate forwarding system between the clients and the server, and such systems typically have fixed architectures that employ a set of overlay nodes controlling access to the server. Although such systems perform well under random DDoS attacks, it is questionable whether they are resilient to intelligent DDoS attacks that aim to infer the architecture of the system in order to launch more efficient attacks. In this paper, we define several intelligent DDoS attack models and develop analytical and simulation approaches to study the impact of the architectural design features of such overlay systems on system performance, measured as path availability between clients and the server. Our data clearly demonstrate that system performance is indeed sensitive to the architectural features, and that the different features interact with each other to affect overall performance under intelligent DDoS attacks. Our observations provide important guidelines for the design of such secure overlay forwarding systems.

... and the server through which traffic is authenticated and then routed. These layers are SOAP (Secure Overlay Access Point), Beacons and Secret Servlets. A client that wishes to communicate with a server first contacts a node in the SOAP layer. That node forwards the message to a node in the beacon layer, which forwards it to a node in the secret servlet layer, which routes it to the server. The Mayday system [7] extends the work on SOS [6] primarily by relaxing the restriction on the number of layers (fixed at three in SOS). In the Internet Indirection Infrastructure (I3) [8], one or more indirection points are introduced as intermediaries for communication between senders and receivers. The design rationale in all these systems is to ensure, using proactive architectures, (i) that the server and the intermediate communication mechanisms are hidden from outsiders, (ii) the presence of multiple/alternate paths to improve reliability, and (iii) access control to prevent illegitimate users from being serviced and to drop attack traffic far away from the server.
The overall objective, though, is to ensure high path availability from clients to the server even when attackers try to compromise communication using random congestion-based DDoS attacks, bombarding randomly chosen nodes in the system with huge amounts of traffic. While the above systems provide high path availability under random congestion-based DDoS attacks, they can be targeted by intelligent attackers who break into the system structure in addition to congesting nodes. By break-in attacks, we mean attacks that compromise a node and disclose its neighbors in the communication chain. By combining break-in attacks with congestion attacks, attackers can do significantly more damage than with pure random congestion: the results of break-in attacks (the disclosed nodes) guide subsequent congestion attacks on those nodes. Under intense break-in attacks, the attacker can traverse the communication chain between the forwarder nodes, and can even disclose the server to eventually congest it and completely annul service. We believe that such intelligent DDoS attacks, combining break-in attacks with congestion attacks, are representative and potent threats to overlay-based systems such as [6], [7], [8] that protect communication between clients and servers. However, existing work does not study system performance under these intelligent attacks. In this paper, we extensively study the performance of such overlay-based systems when targeted by intelligent DDoS attacks that combine break-in and congestion attacks, and subsequently study how the design features of such systems affect performance under intelligent attacks. As a first step, we generalize such systems as Secure Overlay Forwarding Systems (SOFS). There are certain standard architectural features of such systems (1). These are: layering (the number of layers between the client and the server), mapping degree (the number of next-layer neighbors a node can communicate with), and node distribution (the number of nodes per layer). Our objective is to study the impact of the design features of a SOFS system on its performance under intelligent DDoS attacks, and to provide guidelines for designing SOFS systems that are highly resilient to intelligent

(1) We use the terms architectural features and design features interchangeably in this paper.

... as the probability that a set of nodes selected at random from a larger set of nodes contains a specific subset of nodes.

a) Node demarcation: In order to preserve the information about a node per round and across layers, we introduce one subscript for round information and one for layer information. We define a count of the nodes whose identities are known to the attacker at the start of each round. In order to deal with overlaps within and between rounds, we separate the SOFS nodes into multiple sets as follows. At the beginning of each round, the attacker bases its break-in attack on the set of nodes disclosed at the completion of the previous round. We denote the set of nodes disclosed in the previous round, and on which break-in attempts are made in the current round, as ...
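As an added illustration, not code from the paper, the following Python model captures the three SOFS architectural features named above (layering, mapping degree and node distribution) and evaluates path availability from clients to the server when a set of overlay nodes is congested; it also implements the hypergeometric probability from the analysis fragment, i.e. the chance that a set of nodes chosen at random contains a specific subset. The function names, the rule that a client may enter at any healthy first-layer node, the rule that every last-layer node reaches the server, and the seeded random neighbour assignment are assumptions of this example.

```python
import random
from math import comb


def contains_subset_prob(n, k, m):
    """Probability that k nodes chosen uniformly at random from n nodes
    contain one specific subset of m nodes (a hypergeometric count).
    Zero when the subset is larger than the sample or the sample than n."""
    if m > k or k > n:
        return 0.0
    return comb(n - m, k - m) / comb(n, k)


def build_sofs(nodes_per_layer, mapping_degree, rng):
    """Build a layered forwarding topology (assumed model, not the paper's code).

    nodes_per_layer : node distribution, e.g. [3, 3, 3] for SOAP/beacon/servlet
    mapping_degree  : how many next-layer neighbours each node may forward to
    Returns (layers, adj): adj maps a node (layer, index) to the set of
    next-layer nodes it can forward to; neighbours are drawn with `rng`.
    """
    layers = [[(l, i) for i in range(n)] for l, n in enumerate(nodes_per_layer)]
    adj = {}
    for l in range(len(layers) - 1):
        nxt = layers[l + 1]
        d = min(mapping_degree, len(nxt))
        for node in layers[l]:
            adj[node] = set(rng.sample(nxt, d))
    for node in layers[-1]:
        adj[node] = set()  # last layer hands traffic to the server directly
    return layers, adj


def path_available(layers, adj, congested):
    """True if at least one client-to-server path avoids every congested node.
    Assumption: a client may enter at any healthy node of the first layer and
    every healthy node of the last layer can reach the server."""
    frontier = {n for n in layers[0] if n not in congested}
    for _ in range(len(layers) - 1):
        frontier = {m for n in frontier for m in adj[n] if m not in congested}
        if not frontier:
            return False
    return bool(frontier)


def availability_under_random_congestion(nodes_per_layer, mapping_degree,
                                         attacked, trials=2000, seed=1):
    """Monte Carlo estimate of path availability when `attacked` overlay nodes
    are congested uniformly at random (attacker has no topology knowledge).
    A fresh topology is drawn per trial, so the estimate averages over the
    neighbour assignment as well as over which nodes are congested."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        layers, adj = build_sofs(nodes_per_layer, mapping_degree, rng)
        all_nodes = [n for layer in layers for n in layer]
        congested = set(rng.sample(all_nodes, min(attacked, len(all_nodes))))
        hits += path_available(layers, adj, congested)
    return hits / trials


if __name__ == "__main__":
    # Constructed comparison: same layering and node distribution, varying
    # mapping degree, with the same number of randomly congested nodes.
    for d in (1, 2, 3):
        p = availability_under_random_congestion([3, 3, 3], d, attacked=3)
        print(f"mapping degree {d}: availability ~ {p:.2f}")
    print("P(3 random of 5 contain a given node) =",
          contains_subset_prob(5, 3, 1))
```

Raising the mapping degree adds alternate next-layer paths and so raises availability under random congestion, while a chain with mapping degree 1 and one node per layer fails as soon as any single node is congested; `path_available` accepts any congested set, so the same evaluator can be used to assess a topology against a planned node-loss scenario when choosing layering and node distribution.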
doi:10.1109/tpds.2006.93
fatcat:txf75n3cazfdtn6bvgnklpn52a