
UNIVERSITY OF CALIFORNIA, SAN DIEGO

Tolerating Denial-of-Service Attacks


A System Approach

A dissertation submitted in partial satisfaction of the
requirements for the degree Doctor of Philosophy
in
Computer Science

by
JU WANG


Committee in charge:
Andrew A. Chien, Chair
Kimberly C. Claffy
Rene L. Cruz
Keith Marzullo
Stefan Savage
Giovanni Vigna


2005



The dissertation of Ju Wang is approved, and it is
acceptable in quality and form for publication on
microfilm:

_____________________________________

_____________________________________

_____________________________________

_____________________________________

_____________________________________

_____________________________________
Chair

University of California, San Diego
2005

TABLE OF CONTENTS
Signature Page .................................................................................................................... iii
Table of Contents ................................................................................................................ iv
List of Figures................................................................................................................... viii
List of Tables ....................................................................................................................... xi
Acknowledgements ............................................................................................................ xii
Vita .................................................................................................................................... xiv
Publications ....................................................................................................................... xiv
Abstract of The Dissertation .............................................................................................. xv
Chapter 1 Introduction ......................................................................................................... 1
1.1 Denial-of-Service Attacks on Internet Service Applications ................................. 1
1.2 Proxy Network-based DoS Defense ........................................................................ 6
1.3 Challenges ................................................................................................................ 8
1.4 Thesis and Approach ............................................................................................. 10
1.5 Contributions .......................................................................................................... 14
1.6 Organization ........................................................................................................... 17
Chapter 2 Background ....................................................................................................... 18
2.1 DoS Problem for Internet Service Applications ................................................... 18
2.1.1 Internet Service Applications ....................................................................... 19
2.1.2 Denial-of-Service Attacks ............................................................................ 20
2.1.3 Defense of Denial-of-Service Attacks ......................................................... 24
2.1.4 Summary ....................................................................................................... 26
2.2 Proxy Network-Based DoS Defense ..................................................................... 26
2.2.1 Basics of Overlay Networks ......................................................................... 27
2.2.2 Definition of Proxy Network-based DoS Defense ...................................... 29
2.2.3 Attacks on Proxy Network-based DoS Defense .......................................... 31
2.2.4 Mechanisms Used to Protect Proxy Network-based DoS Defense ............ 33
2.2.5 Understanding of Proxy Network-based DoS Defense ............................... 35
2.3 Summary ................................................................................................................ 38
Chapter 3 Thesis Statement ............................................................................................... 40
3.1 Context ................................................................................................................... 40
3.2 Problem Definition ................................................................................................ 41
3.3 Thesis Statement .................................................................................................... 44
Chapter 4 Approach ........................................................................................................... 48
4.1 Overview ................................................................................................................ 48
4.2 A Generic Framework for Proxy Network-based DoS Defense .......................... 52
4.2.1 Definition of the Generic Framework .......................................................... 53
4.2.2 Generality of the Generic Framework ......................................................... 61
4.3 Resisting Penetration Attacks ................................................................................ 65
4.4 Resisting Proxy Depletion Attacks........................................................................ 67
4.5 Resilience to DoS Attacks on Proxy Network ...................................................... 68
4.6 Summary ................................................................................................................ 72
Chapter 5 Resisting Penetration Attacks ........................................................................... 74
5.1 Introduction ............................................................................................................ 74
5.2 Stochastic Model for System Component Dynamics ........................................... 76
5.3 System Dynamics Under Penetration Attacks ...................................................... 81
5.4 Analytical Results: Uncorrelated Vulnerabilities ................................................. 83
5.4.1 Theorems for Penetration Resistance ........................................................... 83
5.4.2 Can Proxy Networks Resist Penetration Attacks? ....................................... 87
5.4.3 What System Parameters Enable Effective Resistance? ............................. 88
5.5 Simulation Results: Correlated Vulnerabilities ..................................................... 92
5.5.1 How Does Adding Correlated Host Vulnerabilities Affect Previous Results? ........ 93
5.5.2 How to Mitigate the Impact of Correlated Host Vulnerabilities? ............... 94
5.5.3 Can Proxy Networks Resist Penetration Attacks with Correlated Vulnerabilities? ... 97
5.6 Summary .............................................................................................................. 101
Chapter 6 Resisting Proxy Depletion Attacks ................................................................. 103
6.1 Introduction .......................................................................................................... 103
6.2 Stochastic Model .................................................................................................. 104
6.3 Graph-Theoretic analysis ..................................................................................... 106
6.3.1 Analysis and Results ................................................................................... 107
6.3.2 Design Principles ........................................................................................ 116
6.4 Case Study ............................................................................................................ 117
6.4.1 Topologies .................................................................................................. 118
6.4.2 Comparison using Theory .......................................................................... 121
6.5 Summary .............................................................................................................. 124
Chapter 7 Resisting Denial-of-Service Attacks ............................................................... 126
7.1 Introduction .......................................................................................................... 126
7.2 Methodology ........................................................................................................ 127
7.2.1 High-level Design of Experiments ............................................................. 128
7.2.2 System Components ................................................................................... 129
7.2.3 Simulation Framework ............................................................................... 134
7.2.4 Veracity of the Experiments ....................................................................... 136
7.3 Experiments and Results...................................................................................... 139
7.3.1 Impact of DoS Attacks on Application Performance ................................ 140
7.3.2 Resisting Large-Scale DoS Attacks ........................................................... 141
7.3.3 Scalability of Proxy Networks Resilience to DoS attacks ....................... 148
7.4 Summary .............................................................................................................. 149
Chapter 8 Conclusion ....................................................................................................... 151
8.1 Dissertation Summary ......................................................................................... 151
8.2 Implications and Impacts ..................................................................................... 155
8.3 Deployment Issues ............................................................................................... 157
8.4 Future Work ......................................................................................................... 160
8.4.1 Further Studies ............................................................................................ 160
8.4.2 Covering a Wider Range of Attacks .......................................................... 161
8.4.3 Exploring Multiple Dimensions of the Design Space ............................... 162
8.4.4 Supporting a Wider Range of Applications ............................................... 162
8.4.5 Resisting Application-level DoS Attacks .................................................. 163
Appendix: Basic facts on the spectra of graphs .............................................................. 164
References ........................................................................................................................ 166

LIST OF FIGURES
Figure 1-1 Number of Attack Incidents on the Internet (Reported to CERT) ................... 2
Figure 1-2 Denial-of-Service Attack ................................................................................... 3
Figure 1-3 Proxy Network-based DoS Defense .................................................................. 6
Figure 2-1 Internet Service Application (Left: Deployment, Right: Model) ................... 19
Figure 2-2 A Typical DDoS Zombie Network .................................................................. 23
Figure 2-3 Illustration of an Overlay Network .................................................................. 28
Figure 2-4 Proxy Network-based DoS Defense ................................................................ 30
Figure 2-5 Secure Overlay Services (SOS) ....................................................................... 36
Figure 2-6 Internet Indirection Infrastructure (i3) ............................................................. 37
Figure 3-1 Direct Access vs. Mediation ............................................................................ 40
Figure 3-2 Proxy Network as Mediator ............................................................................. 41
Figure 4-1 Three Classes of Attacks on Proxy Networks ................................................. 49
Figure 4-2 Generic Framework for Proxy Networks ........................................................ 53
Figure 4-3 Penetration Attacks .......................................................................................... 58
Figure 4-4 Proxy Depletion Attacks .................................................................................. 58
Figure 4-5 System Component State Transitions .............................................................. 59
Figure 4-6 Secure Overlay Services (SOS) ....................................................................... 62
Figure 4-7 Internet Indirection Infrastructure (i3) ............................................................. 63
Figure 4-8 Penetration Attacks .......................................................................................... 66
Figure 4-9 Proxy Depletion Attacks .................................................................................. 67
Figure 4-10 Denial of Service attacks ............................................................................... 69
Figure 5-1 Host State Transitions ...................................................................................... 77
Figure 5-2 Domain-Based Correlated Host Vulnerability Model .................................... 78
Figure 5-3 Proxy State Transition ...................................................................................... 79
Figure 5-4 System Dynamics under Penetration Attacks ................................................. 82
Figure 5-5 Markov State Transition (without reconfiguration) ...................................... 84
Figure 5-6 Markov State Transition (with proxy migration) ............................................ 85
Figure 5-7 Impact of Proxy Network Depth ..................................................................... 89
Figure 5-8 Impact of Proxy Migration .............................................................................. 91
Figure 5-9 Impact of Proxy Network Depth with Correlated Host Vulnerabilities ......... 93
Figure 5-10 Penetration Probability under Varied Proactive Reset Rates........................ 94
Figure 5-11 Penetration Probability under Varied Host Diversity ................................... 96
Figure 5-12 Host Diversity in a Proxy Chain .................................................................... 96
Figure 5-13 Interleaved Design for A Proxy Chain .......................................................... 98
Figure 5-14 Effectiveness of Interleaved Design .............................................................. 99
Figure 5-15 Effectiveness of Interleaved Design (data points observed from 10^7 and 10^8 time steps) ............ 100
Figure 6-1 Proxy State Transition .................................................................................... 105
Figure 6-2 System Dynamics under Proxy Depletion Attacks ....................................... 106
Figure 6-3 Illustration of Theorem 3 ............................................................................... 108
Figure 6-4 Illustration of Theorem 4 ............................................................................... 112
Figure 6-5 Chord Network Topology (N=8) ................................................................... 119
Figure 6-6 Two-dimensional CAN Network (N=9) ....................................................... 119
Figure 6-7 Undirected Binary de Bruijn Graph (N=8) ................................................... 120
Figure 6-8 3-dimensional Hypercube (N=8) ................................................................... 121
Figure 6-9 Eigenvalues of the Topologies Studied ......................................................... 122
Figure 6-10 (1/2)t Values of the Topologies Studied (t is Laplacian Spectrum) .... 123
Figure 7-1 Experiment Configuration ............................................................................. 128
Figure 7-2 Proxy Network Implementation .................................................................... 131
Figure 7-3 Direct Access vs. Proxy Network Mediation ................................................ 137
Figure 7-4 Application Performance (Direct Application Access vs. Proxy Network Mediation) ............ 139
Figure 7-5 Impact of DoS attacks on Application Performance ..................................... 140
Figure 7-6 Spread DoS Attacks ....................................................................................... 141
Figure 7-7 Concentrated DoS Attacks ............................................................................. 142
Figure 7-8 Application Performance under Spread DoS Attack .................................... 143
Figure 7-9 Correlation among Proxies and Users ........................................................... 144
Figure 7-10 Application Performance under Concentrated DoS Attacks (Static Edge Proxy Selection) ............ 145
Figure 7-11 Application Performance under Concentrated DoS Attacks (Dynamic Edge Proxy Selection) ............ 146
Figure 7-12 Analysis of Dynamic Edge Proxy Selection ............................................... 147
Figure 7-13 Resilience and Proxy Network Size ........................................................... 149
LIST OF TABLES
Table 5-1 Parameters of the Stochastic Model .................................................................. 76
Table 5-2 Windows Vulnerability Statistics...................................................................... 80
Table 6-1 Topological Properties of Selected Graphs .................................................... 118

ACKNOWLEDGEMENTS
I would like to thank everyone who supported me intellectually, socially,
emotionally, and academically during my many years of graduate school at University
of California, San Diego. I am greatly indebted to all of them.
First of all, I would like to thank my advisor Professor Andrew A. Chien. Without
his invaluable advice, guidance, and support on my research, I could not have achieved
what I have done. It has been a great honor to have the opportunity to learn from him
and work with him. I am also deeply indebted to Professor Bradley Calder for his help
and guidance in Entropia, UCSD, and during my job hunting process. It is my real
pleasure to have a chance to work with him. Furthermore, I would like to thank
Professor Keith Marzullo, Professor Stefan Savage, Professor Rene L. Cruz,
Professor Giovanni Vigna, and Dr. Kimberly Claffy for serving on my committee, and
helping me with my dissertation.
I would also like to acknowledge my fellow graduate students and colleagues. I
thank all the CSAG members, who worked with me and gave me tremendous help in
many aspects of my life. In particular, I would like to thank Xinran Wu, Xin Liu,
Huaxia Xia, Eric Weigle, Justin Burke, Nut Taesombut, Luis Rivera, Richard Huang,
Alex Olugbile, Kenjiro Taura, Adam Brust, Troy Chuang, Kay Connelly, and Scott
Pakin. Many of the key research findings in my thesis work came from the discussion
and collaboration with them. They also gave me invaluable help on my thesis writing. I
cannot thank them enough for their support. Furthermore, I would like to thank Linyuan
Lu, Hongyu Chen, Alvin AuYoung, Congchun He, Lexing Ying, Professor Vijay
Karamcheti, Eric Freudnthal, and Bao Liu for their enlightening discussions and
valuable advice on my research. Also, I want to express my thankfulness to Patricia
Bladh and Jenine Combs for helping me with my thesis and defense preparation.
Finally, I would like to thank my family and great friends for their unconditional
support. They helped me get through many difficult times, and shared joy and bitterness
with me during my seven years here in San Diego. Without them, I could not have
completed this dissertation.

VITA
1998 B.S., Tsinghua University
1998-2005 Research Assistant, University of California, San Diego
2000 M.S., University of California, San Diego
2000-2001 Software Engineer, Entropia Inc., San Diego
2005 Ph.D., University of California, San Diego

PUBLICATIONS
1. Understanding When Location-Hiding Using Overlay Networks is Feasible, Ju
Wang and Andrew A. Chien, in Special Issue of Computer Networks (Elsevier) on
Overlay Distribution Structures and Their Applications, 2005.
2. Empirical Study of Tolerating Denial-of-Service Attacks with a Proxy Network, Ju
Wang, Xin Liu and Andrew A. Chien, in proceedings of the 14th ACM/USENIX Security
Symposium, August 2005.
3. The Entropia Virtual Machine for Desktop Grids, Brad Calder, Andrew A. Chien,
Ju Wang, and Don Yang, in proceedings of ACM/USENIX Virtual Execution
Environments 2005 (VEE'05), June 2005.
4. Tolerating Denial-of-Service Attacks Using Overlay Networks - Impact of Overlay
Network Topology, Ju Wang, Linyuan Lu, Andrew A. Chien, in 2003 ACM Workshop
on Survivable and Self-Regenerative Systems, October 2003.
5. "A New Fast Message Passing Communication System for Multiprocessor
Workstation Clusters", Jun Shen, Weimin Zheng, and Ju Wang, Parallel and Distributed
Computing Practices, Volume 1, No. 4, December 1998.
ABSTRACT OF THE DISSERTATION
Tolerating Denial-of-Service Attacks: A System Approach
by
Ju Wang
Doctor of Philosophy in Computer Science
University of California, San Diego, 2005
Professor Andrew A. Chien, Chair

Proxy network-based defense has recently emerged to address an open research
challenge: protecting Internet service applications from Denial-of-Service (DoS)
attacks. Such schemes use a proxy network as a mediator for a hidden application to
prevent direct attacks on the application's physical infrastructure, while maintaining
communication between users and the application. The proxy network provides a
distributed front-end to disperse DoS attack traffic, thereby shielding the application.
However, the basic feasibility and fundamental properties of such schemes remain
unclear, posing critical challenges for their use.
This dissertation addresses these challenges by exploring proxy networks' ability to
resist important attacks: penetration, proxy depletion, and DoS attacks. We develop a
generic analytic framework for proxy network-based systems, and use it to analyze
proxy networks' resilience to penetration and proxy depletion attacks, characterizing
how attacks, defenses, proxy network structure, and correlation in host vulnerabilities
affect feasibility. Furthermore, using online simulation, we quantify the resistance to
DoS attacks at an unprecedented scale and realism, by running real application, proxy
network, and attack programs in a simulated network with a size comparable to tier-1
ISP networks.
We show that proxy network-based DoS defense can effectively resist these attacks,
and protect applications successfully. Specific results are the following. First, proactive
defenses, such as proxy migration, are required for penetration resistance: proxy
networks can be effectively impenetrable with proxy migration, but will be penetrated
easily without proactive defenses. Second, correlation in host vulnerabilities makes
proxy networks vulnerable to penetration. By exploiting host diversity and intelligent
proxy network construction, effective resistance can be achieved. Third, topology is
crucial for resisting proxy depletion attacks: when a topology's eigenvalue is smaller
than the speed ratio between defense and attack, all compromised proxies will always be
recovered; when a topology's Laplacian spectrum is larger than this ratio, compromised
proxies will linger, making the proxy network unrecoverable. Last, proxy networks
provide effective and scalable DoS defense. They can resist large-scale DoS attacks,
while preserving performance for the majority (>90%) of users. Furthermore,
increasing the proxy network size linearly improves the level of resistance to DoS
attacks.


Chapter 1 INTRODUCTION
1.1 DENIAL-OF-SERVICE ATTACKS ON INTERNET SERVICE
APPLICATIONS
The past two decades have seen a tremendous growth of the Internet. During this
time, a wide variety of Internet service applications, such as search engines (e.g. Yahoo!
and Google), online banking (e.g. Bank of America Online Banking and PayPal), online
trading (e.g. E*Trade and ScotTrade), online travel agencies (e.g. Expedia and
Hotels.com), and e-Commerce (e.g. Amazon and Buy.com) applications, have emerged
to become critical parts of today's society and economy. Studies [1-5] show that the
majority of Internet users use Internet service applications in their daily life; for
example, 84% of Internet users use search engines, nearly 50% use online banking, and
74% shop online; these numbers are growing quickly. Furthermore, Internet service
applications are an important factor in today's economy and their importance is
increasing quickly. Studies [3, 4, 6] show that, in 2004, e-Commerce retail sales and
online travel sales in the U.S. combined over $120 billion in revenue; by the year 2007,
their revenue is projected to grow to more than $287 billion.
The importance of these Internet service applications makes their resilience to
attacks and failures critical. However, studies show that the security and availability of
Internet service applications are increasingly threatened by a variety of attacks.
According to CERT (Computer Emergency Response Team), the number of attack
incidents has grown from only 6 in 1988, to 137,529 in 2003 [7] (see Figure 1-1).
Among these incidents, Denial-of-Service (DoS) attacks pose one of the most serious
threats to Internet service applications.
[Figure 1-1: bar chart of Number of Incidents (0 to 140,000) by Year, 1988 to 2003, with a growth arrow]
Figure 1-1 Number of Attack Incidents on the Internet (Reported to CERT)
DoS attacks are malicious attempts aiming to limit or deny service availability to
legitimate users. A DoS attack on an Internet service application can be achieved by
consuming critical resources (such as network bandwidth, server memory, disk space, or
CPU time) on which the application or access to the application depends. Depletion of
these resources can prevent the application from functioning, or disconnect the
application from the Internet, and thus make the application unavailable to its users. A
DoS attack occurs either at the infrastructure-level by attacking the resources directly
(e.g. by flooding the application's sub-network with IP packets), or at the application-
level by attacking through the application interface (e.g. by overloading the application
with abusive workload). In a typical DoS attack, an attacker first compromises a
number of hosts (chosen from the hundreds of millions of vulnerable hosts) in the
Internet, and then instructs these compromised hosts to attack an application by sending
either infrastructure-level or application-level attack traffic to it (Figure 1-2). The recent
emergence of sophisticated attack tools, such as Trinoo [8], mstream [9], and TFN2K
[10], and of Internet worms, such as CodeRed [11, 12], Slammer [13], and MyDoom
[14], which automate the process of compromising hosts, makes it possible for
attackers to control a large number (tens of thousands or even millions) of Internet hosts.
These hosts can then be used to generate attack traffic, and to construct massive
distributed DoS attacks, which can generate sufficient traffic to saturate even the largest
Internet service applications. Therefore, such DoS attacks are a great threat to the
availability of all Internet service applications.

Figure 1-2 Denial-of-Service Attack
The real-world impact of these DoS attacks is severe. For example, in 1999, a
series of large-scale DoS attacks targeted popular Internet service applications, such as
Yahoo!, Amazon, eBay, and Buy.com [15, 16]. These attacks kept the target sites
offline for several hours, causing millions of dollars in lost revenue. In 2001, the Code
Red and Code Red II worms spread widely in the Internet as part of a distributed
DoS attack on the White House web site, forcing it to relocate [11]. In 2003, a series of
large-scale DoS attacks using Internet worms caused outages at Microsoft's website [13]
and SCO Group's website [14]. According to a survey [17] of 251 organizations
conducted by the Computer Security Institute and the FBI, DoS attacks were the second-
most costly computer crime, with damages exceeding 65 million dollars in 2003.
These incidents and statistics show that DoS attacks have a serious economic and social
impact.
Furthermore, DoS attacks are widespread in the Internet. In an attempt to
characterize the frequency of DoS activities on the Internet, researchers at UCSD and
CAIDA (the Cooperative Association for Internet Data Analysis) used backscatter
detection techniques to infer DoS activities [18]. Their results reported more than
12,000 DoS attacks on more than 5000 targets during a span of three weeks, in February
2001. The victims of these attacks span the entire spectrum of commercial business
sites, such as Yahoo!, CNN, as well as many small businesses. These numbers indicate
that DoS attacks are common in the Internet, and that any Internet service application
can become a victim of such attacks.
Since DoS attacks pose a critical threat to Internet service applications, researchers
are exploring a wide range of defenses. As system researchers, our focus is
infrastructure-level attacks, since these attacks target service infrastructures, and should
be addressed at the system level. Application-level attacks are specific to the detailed
structure of application interfaces, properties, and configurations, and thus can only be
addressed by application designers. Existing system-level defense mechanisms [19-21]
aim at blunting infrastructure-level DoS attacks¹ by filtering the attack traffic. These
schemes use routers to filter all the incoming network packets, and discard packets
suspected to be part of an attack.

¹ In the rest of the dissertation, when the context is clear, the term DoS attack refers to infrastructure-level DoS attack, specifically.
However, accurately distinguishing attack and normal packets is difficult, and
increasingly so, as attack sophistication increases. As a result, these filter-based
defenses are typically based on specific attack details, and do not apply generally to DoS
attacks. For example, common methods use details of network packets, such as
protocols (e.g. UDP or ICMP packets), the destination port, and source IP addresses [19-
24], to identify attack packets. This lack of generality poses a fundamental limitation on
their effectiveness.
Furthermore, in order for filter-based defenses to be effective, they must be
deployed globally and in the basic Internet infrastructure of routers, since the attack
traffic can come from millions of hosts dispersed across the Internet. Partial deployment
leaves vast resources that can be used by attackers to generate devastating attack traffic
which will saturate Internet service applications.
In summary, protecting Internet service applications from DoS attacks is a critical
issue. The current defense mechanisms are primarily
based on filtering. They cannot protect applications from DoS attacks in general
because they rely on specific attack details. Furthermore, they require global
deployment with the basic Internet infrastructure. Due to these limitations, the filter-
based defense mechanisms do not provide a general solution to the problem of
protecting Internet service applications from DoS attacks. In the following section, we
consider an alternative approach.
1.2 PROXY NETWORK-BASED DOS DEFENSE
Recently, researchers have proposed the use of proxy networks as a system-level
defense that protects Internet service applications from infrastructure-level DoS attacks
[25-29] [30-35]. This new scheme does not suffer from the limitations of existing DoS
defense mechanisms, and has shown promise in protecting applications' availability
from DoS attacks. It is an attractive approach for DoS defense.

Figure 1-3 Proxy Network-based DoS Defense
A proxy network (Figure 1-3) is an overlay network composed of interconnected
proxies which run on hosts dispersed across the Internet. In a proxy network-based DoS
defense, a proxy network is used as an application mediator, delivering application
messages between the application and its users. As shown in Figure 1-3, on one side of
the proxy network, a set of proxies (known as application proxies) are connected to the
application; on the other side of the proxy network, a select set of nodes (known as edge
proxies) publish their IP addresses, providing application access to users.
Proxy network-based DoS defense is based on two key ideas. First, a proxy
network mediates application messages between users and the application, providing the
only public interface for application access. Since the proxy network delivers only
application messages, this prevents direct infrastructure-level DoS attacks on the
application. Second, the proxy network presents a broad public access by using a large
number of edge proxies. This broad front disperses the attack traffic, and dilutes the
impact of even distributed DoS attacks.
Proxy network-based DoS defense has shown promise in accomplishing these key
ideas, for the following reasons. First, an application is protected by a series of proxy
indirections, all of which must be compromised by attackers to expose the application to
direct attacks. Because the number of indirections can be adjusted by reconfiguring the
proxy network, it provides a flexible structure for resisting an attacker's penetration and
protecting the application from direct attacks. Second, the edge proxies can be widely
dispersed, making it difficult for attackers to saturate all of them, and thereby, interrupt
application service. This allows proxy networks to tolerate DoS attacks by dispersing
attack traffic. By mediating application access to prevent direct attacks, and by
providing a DoS-resilient front-end for the application to dilute the impact of attacks, a
proxy network has the potential to protect the application from DoS attacks.
Furthermore, besides its potential to protect an application's availability, a proxy
network-based DoS defense has shown promise for large-scale deployment. Since
proxy networks are application-level overlay networks built on top of the Internet, they
do not require any modification to the existing Internet infrastructure. This greatly
facilitates large-scale deployment of proxy networks. Success of large-scale proxy
networks, such as Content Delivery Networks (e.g. Akamai [36] proxy network which
has over 15,000 proxies deployed in over 1,200 networks across 65 countries),
demonstrates the practical feasibility of large-scale deployment of proxy networks.
In short, proxy network-based DoS defense is an attractive scheme for protecting
Internet service applications from DoS attacks. It does not have the limitations of the
existing DoS defense mechanisms. By mediating application access to avoid direct DoS
attacks, and by providing a distributed front-end to shield the application from DoS
attacks, a proxy network-based DoS defense shows promise in protecting an
application's availability from DoS attacks. Furthermore, it is feasible to deploy a proxy
network-based DoS defense scheme at the Internet-scale, providing a global DoS
defense for Internet service applications in practice. Thus, this scheme has the potential
to provide a feasible solution to protect Internet service applications from DoS attacks.
1.3 CHALLENGES
Although a proxy network-based DoS defense shows promise as an effective
solution to DoS attacks, little is understood about the basic properties of this scheme,
and how it should be designed. Fundamental questions remain: can a proxy network-based
DoS defense resist possible attacks, and protect an application's availability? In
particular, can a proxy network prevent attackers' penetration, thereby preventing direct
DoS attacks on the application? Can a proxy network protect an application's
performance from DoS attacks, thereby shielding the application from DoS attacks?
The answers to these questions address the basic feasibility of proxy network-based DoS
defense. A thorough study of these problems will also provide insight on how to design
such defense systems.
To answer these questions, we need to understand a proxy network's resistance to
possible attacks. Specifically, we exclude non-technical attacks (e.g. social engineering)
and broad attacks on the resource pool (e.g. Internet worms crippling the whole Internet
infrastructure), since such attacks operate in a space separate from proxy networks. We
can classify the technical attacks on proxy networks into three types: penetration attacks,
proxy depletion attacks, and DoS attacks.
First, penetration attacks compromise proxies along a path in a proxy network
towards the application, in order to penetrate the proxy network and to expose the
application to direct attacks. Therefore, a basic feasibility question for the proxy
network-based DoS defense is whether a proxy network is capable of resisting
penetration attacks. Specifically, how much time is required to penetrate a proxy
network? What defensive mechanisms are required to enable effective defense?
Second, proxy depletion attacks compromise proxies along the proxy network
topology, in order to control all the proxies, thereby disabling the proxy network. To be
a stable defense system, a proxy network must be recoverable under proxy depletion
attacks; that is, the proxy network must be able to recover all the compromised proxies,
regardless of how many proxies are compromised initially. In short, a recoverable
proxy network can remove the effect of any attack progress. Therefore, a basic question
is under what circumstances a proxy network can be recoverable under proxy depletion
attacks.
Third, DoS attacks flood the infrastructure around edge proxies with network traffic
in order to saturate them, thereby denying user access to the proxy network. A proxy
network must be able to support continued user access under such attacks. Specifically,
we ask critical questions about the effectiveness and scalability of a proxy network's
resilience to DoS attacks. How well can a proxy network protect an application's
performance from DoS attacks? Can a proxy network's resistance to DoS attacks be
increased by increasing its size? Can this resistance be used to resist stronger DoS
attacks?
So far, the research community's understanding of these problems has been limited.
Existing studies [25-32] on proxy network-based DoS defense are limited to specific
instances of proxy networks. There has been no systematic exploration of the
fundamental properties of a general class of proxy network-based DoS defense schemes.
Furthermore, existing studies do not address important attack scenarios, including
penetration attacks and proxy depletion attacks; their analysis of DoS attacks is based on
simple models, which do not capture network dynamics critical to application
performance, and therefore provide only limited insight. As a result, whether or not a
proxy network can resist attacks and protect an application's availability remains an
open research problem.
1.4 THESIS AND APPROACH
Our research studies the feasibility of the proxy network-based DoS defense by
exploring a proxy network's ability to resist attacks. The thesis of our study is best
stated as follows:
By hiding applications from penetration attacks and providing a stable and DoS-resilient
front-end, proxy networks can effectively protect an application from a range of
infrastructure-level DoS attacks. Specifically, a proxy network can be used as an
application mediator, forming a barrier against penetration attacks and thereby
protecting the application from direct attacks. Moreover, a proxy network can
effectively resist proxy depletion attacks by removing the impact of attack, thereby
providing a stable defense. Furthermore, a proxy network can effectively resist
infrastructure-level DoS attacks by dispersing the attack traffic among a distributed
front-end and diffusing the impact of DoS attacks, thereby enabling continued
application service.
The thesis addresses the fundamental properties of the proxy network-based DoS
defense by characterizing a proxy network's resistance to three important classes of
attacks: penetration attacks, proxy depletion attacks, and infrastructure-level DoS
attacks. Resisting these attacks allows a proxy network to protect applications from
DoS attacks effectively. We use the following approaches to study a proxy network's
resistance to these attacks, and thus prove the thesis.
In order to study a general class of proxy networks, we develop a generic
framework which encompasses a wide range of proxy network-based DoS defense. The
framework defines key components of a proxy network system, and describes how
attacks and defenses change the system state. It enables rigorous study of a large class
of proxy networks, with results that bear on the entire class. Based on the generic
framework for proxy network schemes, we develop a stochastic model to characterize
how attacks and defenses change the state of system components quantitatively, thereby
allowing for a rigorous study of system dynamics as a function of attacks and defenses.
This generic framework and stochastic model provide a basis for our study of both
penetration attacks and proxy depletion attacks.
A) Resistance to Penetration Attacks
Based on the generic framework and stochastic model, we combine analysis with
Monte Carlo simulation techniques to study how long it takes a penetration attack to
penetrate a proxy network. We study when a proxy network can resist penetration
attacks for a long period of time, making such attacks practically impossible. We also
study the impact of key system parameters on a proxy network's resistance to
penetration attacks, and identify the key system requirements for achieving effective
defense.
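As an added illustration of the analysis-plus-Monte-Carlo approach described above (example code written for this page, not the dissertation's own model or code), the snippet below uses a deliberately simple toy model of a chain of proxies: compromising the next proxy on the path takes exponentially distributed time and, once the attacker holds at least one proxy, the path is migrated at a fixed rate, which destroys the attacker's foothold. The exact expected penetration time is obtained by a backward recursion over the Markov chain and cross-checked by seeded simulation. The chain model, the rates and the reset rule are assumptions of this example; under them the penetration time is linear in depth without migration and exponential with it, which is the qualitative shape of the result stated later in this chapter.

```python
"""Toy model of penetration time versus proxy-network depth.

Added example for this page, not the dissertation's model or code. The
model is an assumption: the attacker works along one path of `depth`
proxies toward the application; compromising the next proxy on the path
takes Exp(attack_rate) time; once at least one proxy is held, the path is
migrated at rate migration_rate, and a migration destroys the attacker's
foothold entirely (progress returns to zero).
"""
import random


def expected_penetration_time(depth, attack_rate, migration_rate):
    """Exact expected time (continuous-time Markov chain) to reach `depth`.

    With k >= 1 proxies held, the next event is a compromise (rate a) or a
    migration (rate mu). Writing E_k = c_k + b_k * E_0 and recursing from the
    absorbing state E_depth = 0 yields E_0 without solving a linear system.
    """
    a, mu = float(attack_rate), float(migration_rate)
    c, b = 0.0, 0.0                      # E_depth = 0: target reached
    for _ in range(depth - 1):           # states depth-1 down to 1
        total = a + mu
        c = 1.0 / total + (a / total) * c
        b = mu / total + (a / total) * b
    # From state 0 nothing is held, so only the attacker's clock runs.
    return (1.0 / a + c) / (1.0 - b)


def simulate_penetration_time(depth, attack_rate, migration_rate, rng):
    """One Monte Carlo sample of the same toy model."""
    t, held = 0.0, 0
    while held < depth:
        rate = attack_rate + (migration_rate if held > 0 else 0.0)
        t += rng.expovariate(rate)                  # wait for the next event
        if rng.random() < attack_rate / rate:
            held += 1                               # next proxy compromised
        else:
            held = 0                                # migration broke the path
    return t


def mean_simulated_time(depth, attack_rate, migration_rate, trials=20000, seed=1):
    """Average of `trials` seeded samples; should agree with the exact value."""
    rng = random.Random(seed)
    total = sum(simulate_penetration_time(depth, attack_rate, migration_rate, rng)
                for _ in range(trials))
    return total / trials


def growth_table(max_depth, attack_rate, migration_rate):
    """Expected penetration time for depths 1..max_depth."""
    return [expected_penetration_time(d, attack_rate, migration_rate)
            for d in range(1, max_depth + 1)]


if __name__ == "__main__":
    # Without migration the time is linear in depth; with migration at the
    # same rate as compromise it doubles per level (exponential).
    for mu in (0.0, 1.0):
        print("migration rate", mu, [round(v, 1) for v in growth_table(6, 1.0, mu)])
    print("Monte Carlo, depth 4:", round(mean_simulated_time(4, 1.0, 1.0), 2),
          "exact:", expected_penetration_time(4, 1.0, 1.0))
```

With attack and migration rates both equal to 1, the exact recursion gives 2^depth - 1 time units, so a depth-six chain takes 63 units against 6 without migration; the rates and the all-or-nothing reset are the example's own simplifications, not parameters from the dissertation.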
B) Resistance to Proxy Depletion Attacks
We use the generic framework and stochastic model described earlier to
characterize the impact of proxy depletion attacks on a proxy network system. Based on
the framework and model, we study system dynamics as a function of attacks and
defenses. We analyze when a proxy network can remove all the compromised proxies,
regardless of how many proxies are compromised initially. This way, we characterize
the circumstances when a proxy network can resist proxy depletion attacks effectively,
and when it cannot. From these results, we develop guidelines for proxy network
design.
C) Resilience to DoS Attacks
We study the properties of proxy networks under DoS attacks empirically, using
online packet-level network simulation with full applications, a real software
implementation of proxy network, and real attacks. In particular, our experiments are
performed using a large-scale online simulator, MicroGrid [37], which enables packet-level
accurate simulation of large-scale network environments with 10,000 routers and
40 Autonomous Systems (ASes). These network sizes are comparable to a large ISP
network. Furthermore, MicroGrid supports direct execution of unmodified application
binaries, and thus allows us to use real applications and a real proxy network
implementation in the simulation. In our study, we build a DDoS zombie network
(comparable to one which contains 10,000 zombies with DSL or cable modem
connections) with a real DoS attack toolkit [8], and use the zombies to generate attack
traffic. We explore total attack traffic intensities of up to 6.4 Gbps and a wide range of DoS attack
scenarios.
This experimental configuration is large and realistic enough to capture key properties
of the Internet environment and application dynamics, such as router queues, packet
drops, and the real temporal and feedback behavior of network and application protocols, which
are critical to application behavior and performance under DoS attacks. Therefore,
this approach enables accurate modeling of the full complexity of network and
application behavior needed to reproduce DoS dynamics, and to characterize application
and proxy network performance in varied attack scenarios. With this leverage, we study
application performance delivered by a proxy network for a range of proxy network
structures and attack scenarios.
1.5 CONTRIBUTIONS
The primary contribution of our work is the first systematic evaluation of the
use of proxy networks for protecting Internet service applications from DoS attacks.
This study includes a thorough evaluation of proxy networks' resistance to three
important technical attacks: penetration attacks, proxy depletion attacks, and DoS
attacks, providing a basic understanding of the fundamental capabilities and viability of
proxy network-based DoS defense. The specific contributions of the dissertation are
summarized below:
1) To define a novel, generic analytic framework for proxy network-based DoS
defense, which provides a basis for systematic exploration of a proxy network's
resistance to penetration and proxy depletion attacks. This framework defines a
canonical set of elements and their interactions in proxy network-based DoS
defense, as well as a set of stochastic models to characterize system dynamics.
2) To identify the key system requirements for effective resistance to penetration
attacks. We prove that proactive defenses, such as proxy migration, are required
for resisting penetration attacks. Without such mechanisms, a proxy network will
be penetrated in time which grows linearly with its depth². With proxy migration,
the time to penetrate a proxy network grows exponentially with its depth, thus
making proxy networks of modest depths effectively impenetrable. For example,
with realistic assumptions, it might take thousands of years to penetrate a proxy
network of depth six.

² The depth of a proxy network is the smallest number of proxy indirections from the edge proxies to the
application. It is formally defined in Chapter 4.
3) To quantitatively characterize a proxy network's ability to resist penetration
attacks in systems with correlated host vulnerabilities. First, we show that if host
vulnerabilities are correlated, attackers can easily penetrate a proxy network.
Second, we show that, by exploiting the host (OS/software) diversity and
intelligent proxy network construction, the resistance can be improved
dramatically, enabling proxy networks to resist penetration attacks effectively.
4) To prove two theorems that characterize the circumstances when proxy networks
can stably defend against proxy depletion attacks. The first theorem shows that,
when the eigenvalue of a proxy network's topology is smaller than the ratio
between the defense speed and the attack speed, the proxy network can always
recover all the compromised proxies. The second theorem shows that, when a
function of the Laplacian spectrum of a proxy network's topology is larger than
the ratio between the defense speed and the attack speed, compromised proxies
will linger, and the proxy network will be unable to recover from proxy depletion
attacks.
5) To derive a set of design guidelines for when proxy networks can effectively resist
proxy depletion attacks. Specifically, proxy network topologies with low vertex
degrees and balanced distribution of connectivity (no tightly connected sub-
graphs) are favorable for supporting effective defense against proxy depletion
attacks; topologies with high vertex degrees or large clusters of tightly connected
nodes are unfavorable.
6) To present a case study on popular proxy network topologies, which shows that
Chord [38], a widely-used proxy network topology [25, 26, 28, 29], is unfavorable
for resisting proxy depletion attacks; in contrast, 2D-CAN [39] and binary de
Bruijn graphs [40] are better topologies for resistance to proxy depletion attacks.
7) To quantitatively characterize proxy networks' resistance to DoS attacks using
online simulation at an unprecedented scale and realism. Our experiments use real
applications and real attack programs in a simulated large-scale network of 10,000
routers and 40 Autonomous Systems. This network is comparable in scale to a
Tier-1 ISP network [37, 41, 42]. The simulation includes a large DoS attack
network, comparable to one having 10,000 hosts with DSL connections, producing
attack traffic intensities up to 6.4 Gbps.
8) To demonstrate via simulation that proxy networks can provide both effective and
scalable defense for applications against DoS attacks. Our studies show that a
192-node proxy network with 64 edge proxies (each connected by a 100 Mbps
uplink) can successfully resist a range of large-scale distributed DoS attacks with
up to 6.0 Gbps aggregated traffic and several different attack distributions. The
majority (>90%) of users do not experience significant performance degradation
under these attacks. We also demonstrate that by increasing the proxy network
size, we linearly increase the level of resistance to DoS attacks, while preserving
application performance.
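The spectral condition in contributions 4 to 6 can be checked numerically on concrete topologies. The following is an added example written for this page, not the dissertation's code or proof. It assumes that the "eigenvalue of the topology" is the largest eigenvalue of the adjacency matrix, and it models attack and defense with a standard discrete-time mean-field compromise/recovery process (an assumption of this example, not the dissertation's stochastic model). The Chord ring, 2D-CAN torus and binary de Bruijn graph are small constructed instances of the topologies named in contribution 6. For a fixed defense/attack ratio, the code reports which of them satisfy the sufficient condition of the first theorem and whether a fully compromised network drains back to clean under the mean-field dynamics; the Laplacian-based condition of the second theorem is not modelled.

```python
"""Spectral sufficient condition for recovering from proxy depletion attacks.

Added example for this page, not the dissertation's code or proof. Assumptions:
the 'eigenvalue of the topology' is the largest adjacency eigenvalue (lambda_1),
and attack/defense dynamics follow a discrete-time mean-field SIS-style model:
per step a compromised proxy is recovered with probability `defense`, and each
compromised neighbour compromises a clean proxy with probability `attack`.
The topologies are small constructed instances of the named families.
"""
import math


def chord_adjacency(n):
    """Chord-style ring: node i has fingers to (i + 2^k) mod n, made undirected."""
    adj = [set() for _ in range(n)]
    k = 0
    while (1 << k) < n:
        for i in range(n):
            j = (i + (1 << k)) % n
            adj[i].add(j)
            adj[j].add(i)
        k += 1
    return adj


def torus_adjacency(side):
    """2D-CAN style: side x side grid with wrap-around, every node has degree 4."""
    adj = [set() for _ in range(side * side)]
    for x in range(side):
        for y in range(side):
            i = x * side + y
            for j in (((x + 1) % side) * side + y, x * side + (y + 1) % side):
                adj[i].add(j)
                adj[j].add(i)
    return adj


def de_bruijn_adjacency(n):
    """Undirected binary de Bruijn graph: u links to 2u and 2u+1 (mod n)."""
    adj = [set() for _ in range(n)]
    for u in range(n):
        for b in (0, 1):
            v = (2 * u + b) % n
            if v != u:                       # drop the self-loops at 0 and n-1
                adj[u].add(v)
                adj[v].add(u)
    return adj


def largest_eigenvalue(adj, iters=5000, tol=1e-12):
    """lambda_1 of the adjacency matrix by power iteration on A + I.

    The shift by I keeps the Perron eigenvalue strictly dominant even for
    bipartite graphs such as the torus, whose spectrum is symmetric about 0.
    """
    n = len(adj)
    x = [1.0 / math.sqrt(n)] * n
    prev = None
    for _ in range(iters):
        y = [x[i] + sum(x[j] for j in adj[i]) for i in range(n)]   # (A + I) x
        lam = sum(xi * yi for xi, yi in zip(x, y))                 # Rayleigh quotient
        norm = math.sqrt(sum(v * v for v in y))
        x = [v / norm for v in y]
        if prev is not None and abs(lam - prev) < tol:
            break
        prev = lam
    return lam - 1.0


def recoverable(adj, attack, defense):
    """Sufficient condition of the first theorem: lambda_1 < defense / attack."""
    return largest_eigenvalue(adj) < defense / attack


def residual_compromise(adj, attack, defense, steps=500):
    """Mean-field dynamics from the worst case (every proxy compromised).

    Returns the largest per-node compromise probability after `steps`; near
    zero means the network drained back to clean, large means proxies linger.
    """
    p = [1.0] * len(adj)
    for _ in range(steps):
        nxt = []
        for i, neighbours in enumerate(adj):
            zeta = 1.0                           # P(no neighbour compromises i)
            for j in neighbours:
                zeta *= 1.0 - attack * p[j]
            clean = (1.0 - p[i]) * zeta + defense * p[i] * zeta
            nxt.append(1.0 - clean)
        p = nxt
    return max(p)


def compare_topologies(attack=0.1, defense=0.6):
    """lambda_1, the spectral condition and the simulated residual per topology."""
    graphs = {"chord-64": chord_adjacency(64),
              "2d-can-8x8": torus_adjacency(8),
              "de-bruijn-64": de_bruijn_adjacency(64)}
    return {name: (largest_eigenvalue(g), recoverable(g, attack, defense),
                   residual_compromise(g, attack, defense))
            for name, g in graphs.items()}


if __name__ == "__main__":
    for name, (lam, ok, resid) in compare_topologies().items():
        print(f"{name:13s} lambda_1={lam:6.3f} condition={ok!s:5s} residual={resid:.2e}")
```

With a defense/attack ratio of 6, the 64-node Chord ring (11 distinct neighbours per node, so lambda_1 = 11) fails the condition and the mean-field residual settles at a large value, while the degree-4 torus (lambda_1 = 4) and the de Bruijn graph (lambda_1 just under 4) satisfy it and drain to zero, in line with the guideline that low-degree, evenly connected topologies are favourable.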
1.6 ORGANIZATION
The remainder of the dissertation is structured as follows. Chapter 2 presents the
requisite background information needed to understand this dissertation work and to put
it in context. Chapter 3 formulates the precise problem we are addressing, and gives our
thesis statement. Chapter 4 describes the high-level approach. Chapters 5, 6, and 7
present our study of proxy networks' resistance to penetration attacks, proxy depletion
attacks, and DoS attacks respectively. Finally, Chapter 8 summarizes our research and
discusses avenues for future work.

Chapter 2 BACKGROUND
This chapter provides background on the use of proxy networks for protecting
Internet service applications from Denial-of-Service (DoS) attacks by describing DoS
attacks on Internet service applications, and the proxy network-based DoS defense.
Section 2.1 describes DoS attacks on Internet service applications and surveys existing
defense mechanisms, showing that protecting Internet service applications from DoS
attacks remains an important, open research challenge. Section 2.2 describes the proxy
network-based DoS defense scheme, which has recently emerged, and shows promise in
solving the DoS problem. We summarize the current limited understanding and
outstanding questions.
2.1 DOS PROBLEM FOR INTERNET SERVICE APPLICATIONS
We focus on how to protect Internet service applications from DoS attacks because
such attacks continue to be a major security threat to Internet service applications, a
critical part of today's economy and society. This section describes DoS attacks on
Internet service applications and state-of-the-art defense mechanisms against DoS attacks.
In the following, we first describe Internet service applications, and then define DoS
attacks and discuss their impact; finally, we survey the existing defense mechanisms and
point out their key limitations.
2.1.1 Internet Service Applications

Figure 2-1 Internet Service Application (Left: Deployment, Right: Model)
During the past two decades, along with the tremendous growth of the Internet,
various Internet service applications, such as search engines, e-Commerce sites, and
online banking, have emerged as indispensable parts of today's society and economy.
Security and availability of these applications are critical components of a stable
Internet. Our research focuses on protecting these applications from DoS attacks
(described in Section 2.1.2). In this section, we define the application model, describe
the key properties of these applications, and discuss the unique challenges and
opportunities in protecting these applications.
An Internet service application is the server program of a client-server application
operating over the Internet. It provides certain services (e.g. web search) to users
running application client programs (e.g. a web browser). The client programs access
the server based on a well-defined application-level protocol. Two important properties
of Internet service applications are relevant to our research:
1. Localized deployment: As shown in Figure 2-1, Internet service applications
typically run on server clusters localized in colocation facilities or data centers. This
simplifies the design and maintenance of Internet service applications. However, the
localized deployment limits the scale and number of (network, CPU, storage) resources
available to the applications, making it possible for attackers to consume all of the
server resources and deny application service. How to protect applications from such
attacks without changing their localized deployment is a key challenge.
2. Well-defined application-level protocol: in the Internet service application model
(shown in Figure 2-1), the Internet acts as a communication layer used to convey a well-defined
application-level protocol between an application and its users. So it is possible
to differentiate application messages from other traffic using a mediator, preventing
attack traffic from reaching the application. This provides a basis for the proxy
network-based DoS defense (see Section 2.2) studied in this dissertation.
2.1.2 Denial-of-Service Attacks
A DoS attack is characterized by an explicit attempt to prevent legitimate users of a
service from using that service. A DoS attack on an Internet service application can be
achieved by consumption of scarce, limited, or non-renewable resources on which the
application (or access to the application) depends. These resources may include
network bandwidth, server memory, disk space, CPU time, and access to other
computers and networks. Depletion of these resources can prevent the application from
functioning or disconnect the application from the Internet, thereby causing service
disruption and, thus, making the application unavailable to its users.
The impact of DoS attacks is severe. For example, DoS attacks have shut down
high-profile sites, such as Yahoo!, Amazon, EBay and Buy.com [15, 16], causing
millions of dollars in lost revenue. A range of DoS attacks in recent years [11-14]
disrupted the websites of the government and high-profile companies (such as Microsoft
and sco.com), causing a significant social impact. According to a survey [17] collected
from 251 organizations, DoS attacks were the second-most expensive computer crime,
with a cost of more than 65 million dollars, in the year 2003.
Furthermore, DoS attacks are a widespread phenomenon in the Internet. For
example, studies [18] reported more than 12,000 DoS attacks on more than 5000 targets
during the short span of three weeks in February 2001. The victims of these attacks
span the entire spectrum of commercial business sites, such as Yahoo!, CNN and many
small businesses.
In conclusion, DoS attacks are a major threat to Internet service applications. They
are widespread in the Internet, threaten the availability of various Internet service
applications, and cause significant economic and social impact. Therefore, protecting
Internet service applications from DoS attacks is an important problem.
In the following, we first classify DoS attacks according to their high-level
approaches because each approach presents a unique set of problems; then, we describe
how DoS attacks are constructed.
2.1.2.1 Classification of Denial-of-Service Attacks
DoS attacks on an Internet service application can be achieved either by directly
attacking the resources on which the application (or access to the application) depends,
or by attacking through the application interface. We classify DoS attacks as
infrastructure-level and application-level attacks, according to these high-level
approaches. Infrastructure-level attacks target the service infrastructure resources
directly, such as the networks and hosts of the application; for example, by sending
floods of network traffic to saturate the victim network, attackers can disconnect the
application from its users. In contrast, application-level attacks exploit an application's
weaknesses via the application interface; for example, by overloading the application
with an abusive workload, attackers can make the application unavailable to legitimate
users.
Infrastructure-level and application-level DoS attacks are fundamentally different.
Infrastructure-level attacks focus on the service infrastructure resources (e.g. hosts and
network), regardless of the application running on that infrastructure; the details of the
application are irrelevant to such attacks. In contrast, application-level attacks focus on
the weaknesses of the application, regardless of the service infrastructure the application
uses; the details of the application are critical to these attacks.
This distinction makes defense against infrastructure-level and application-level
DoS attacks fundamentally different problems. The key challenge in defending against
infrastructure-level attacks is building a system to protect the service infrastructure. In
contrast, the key challenge in defending against application-level attacks is making an
application robust. Since each application is unique, this is an application-specific
problem, and there are no system-level solutions. As system researchers, we focus on
infrastructure-level DoS attacks and explore system-level solutions that protect Internet
service applications from infrastructure-level DoS attacks. We leave application-level
DoS attacks for application designers to solve.
2.1.2.2 Construction of Denial-of-Service Attacks
In this subsection, we explain how Denial-of-Service attacks are constructed.
Attackers can use a varied number of hosts, ranging from a single host to millions of
hosts dispersed in the Internet, to construct a DoS attack. We focus on attacks that can
use many hosts, because solutions to such attacks typically apply to attacks using fewer
hosts. In particular, we describe distributed DoS (DDoS) attacks, a common DoS attack
scheme that can use a large number of hosts.

Figure 2-2 A Typical DDoS Zombie Network
Construction of a DDoS attack has two stages. First, attackers build a zombie
network by compromising many Internet hosts and installing zombie programs on each;
the zombie programs are controlled by attackers. Second, attackers activate this large
zombie network, directing the zombies to attack a victim. Figure 2-2 shows a typical zombie
network used in DDoS attacks. There are two types of zombies: daemons which
generate attack traffic, and masters which activate and control the daemons. An attacker
can control many masters, each of which in turn controls a large number of daemons.
This hierarchical structure allows an attacker to control a DDoS network with a large
number of zombies.
Automated DDoS toolkits such as Trinoo, TFN2k and mstream [8-10] and worms
such as Code Red and Slammer [11-13] automate the process of compromising
vulnerable Internet hosts, enabling attackers to control a large number (e.g. tens of
thousands, or even more) of hosts. This capability increases the scale of DoS attacks
dramatically, posing significant challenges for defense. First, it allows an attacker
to generate enough traffic to saturate large network links (e.g. ten thousand hosts with
DSL links can generate multi-gigabit-per-second attack traffic). Therefore, attackers
can disconnect the whole sub-network of the application from the Internet, making all
localized defense schemes ineffective. Second, the attack traffic can come from a large
number of hosts dispersed all over the Internet. Therefore it is difficult to prevent the
attack traffic by blocking all the sources.
2.1.3 Defense of Denial-of-Service Attacks
How to protect Internet service applications from DoS attacks is an open research
question. Existing defense mechanisms try to prevent DoS attacks by filtering the attack
traffic at the router level [19-24, 43-45]. They use filters implemented inside routers to
examine all the incoming network packets, and discard the suspected attack packets.
However, accurately distinguishing attack and normal packets is difficult, and
increasingly so, as attack sophistication increases. As a result, these filter-based
defenses are typically based on specific attack details, and do not apply generally to DoS
attacks. Common methods use details of network packets or the source IP addresses to
identify attack packets. We briefly describe these approaches and discuss their
limitations.
Schemes using details of network packets to identify attack traffic include type-based
filtering schemes [20, 21, 45-51] and ingress/egress filtering schemes [19, 52].
Type-based filtering schemes treat a specific type of packets as attack traffic. For
example, based on known patterns of attack traffic, these schemes filter all packets of a
specific protocol (e.g. UDP and ICMP), packets with a particular destination port, or
packets that follow a particular statistical pattern. Ingress and egress filtering schemes
treat all packets with forged source addresses as attack traffic, since some attacks use
such packets. When these schemes are globally deployed on all the routers in the
Internet, they can prevent attacks that match the specific filtering criteria. However,
these schemes are attack-specific; they cannot apply to DoS attacks in general.
Some schemes [22-24, 43, 44, 53-57] use a packet's source IP address to identify
attack traffic. These schemes select the sources that send traffic to the victim at a high
rate, and block all the packets from those sources. Such schemes are effective against
small-scale DoS attacks which use only a handful of hosts because the traffic rate from
each attack source is prominently high. However, in a large-scale DoS attack using
many hosts, it is difficult to identify the sources of the attack traffic because the traffic
rate from each source can be low enough to avoid suspicion, but the aggregated attack
traffic rate can still be devastating. Therefore, these schemes have serious limitations
against large-scale distributed DoS attacks.
In addition, these schemes require global deployment and modification in the basic
Internet infrastructure, since they aim at filtering attack traffic from its sources at the
router level, and the attack traffic can come from millions of hosts dispersed all over the
Internet. A partial deployment of these defense mechanisms still leaves enough
resources for attackers to generate a large amount of attack traffic, thereby providing
little defense. In practice, this poses a challenge for their use.
2.1.4 Summary
To summarize, Denial-of-Service attacks are an important threat to Internet service
applications. Current defense mechanisms have critical limitations: they are attack-
specific and do not protect applications from DoS attacks in general; in practice, they
are also difficult to deploy. Therefore current defense mechanisms do not provide an
effective solution to the DoS problem. This problem remains an open research
challenge. In Section 2.2, we introduce a newly emerged scheme to address this
problem: the proxy network-based DoS defense.
2.2 PROXY NETWORK-BASED DOS DEFENSE
Recently, researchers proposed the use of proxy networks as a system-level defense
that protects Internet service applications from DoS attacks [25-34]. This new
scheme uses a proxy network to mediate the communication between an application and
its users, thereby shielding the application from DoS attacks. This scheme is attractive
because it has the potential to protect applications from general DoS attacks, and it
requires no changes to the basic Internet infrastructure, thereby facilitating its large-
scale use in practice.
However, the research community's understanding of this scheme has been
limited and incomplete. Existing studies [25-29] on proxy network-based DoS defense
are confined to specific implementations of proxy networks. There has been no
systematic exploration of the fundamental properties of a general class of proxy
network-based DoS defense schemes. Furthermore, existing studies do not address
important attack scenarios, and their analysis is based on simple models, which do not
capture system dynamics critical to application performance. As a result, these studies
provide only limited insight. The fundamental problem of whether a proxy network can
resist attacks and protect an application's availability remains an open research
challenge. Solving this problem can fundamentally improve our defensive capability
against DoS attacks.
This section describes the proxy network-based DoS defense, discusses the known
properties of this scheme, and points out the key unsolved issues. Section 2.2.1
introduces the basics of overlay networks, as the proxy network-based DoS defense is a
specific use of overlay networks. Section 2.2.2 defines the proxy network-based DoS
defense; Section 2.2.3 discusses possible attacks on a proxy network-based DoS defense;
and Section 2.2.4 surveys defensive mechanisms that a proxy network can use to resist
these attacks. Finally, Section 2.2.5 describes implementations of the proxy network-
based DoS defense and discusses what is known and what remains unclear.
2.2.1 Basics of Overlay Networks
An overlay network is a network of interconnected nodes built on top of an existing
network. The connections between overlay nodes are logical connections, not physical
links. Typically, an overlay network is built on top of the Internet with nodes running
on a set of Internet hosts, acting as a higher-level communication layer with new
capabilities. Figure 2-3 illustrates a typical overlay network. Each overlay node is a
software program that runs on an Internet host. These nodes connect to each other (e.g.
via TCP connections) to form an overlay network, which can be used as an application-
level communication layer to provide applications with new capabilities. For example,
overlay networks have been used to support efficient multicast [58-66], mobility [67-
69], and data sharing [70-76], to increase reliability [59, 73, 77-83], and to enhance
security [25-29, 68, 84, 85]. Among these uses, our research focuses on the use of overlay
networks for protecting Internet service applications from DoS attacks.

Figure 2-3 Illustration of an Overlay Network
An overlay network has three key properties: topology, routing, and deployment.
Topology is the most important property of an overlay network relevant to our research.
It defines how overlay nodes are connected to one another. Specifically, an overlay
topology can be represented by a graph, where vertices represent overlay nodes, and
edges represent the connections among the nodes. Topology has critical impacts on
many important characteristics of an overlay network. For instance, studies [86, 87]
have shown that topology has critical impacts on performance and fault tolerance of an
overlay network. More importantly, as we will see in this dissertation, when an overlay
network is used for DoS defense, its topology has a critical impact on its resistance to
important attacks (see Chapter 6 for details).
An overlay network's routing protocol determines how a message is routed from one
overlay node to another along a path in the overlay network topology. Specifically, a
routing protocol is a set of rules the overlay nodes use to determine the appropriate path
onto which a message should be forwarded. An overlay network can use different
routing protocols to support communication between overlay nodes.
Overlay network deployment defines the mapping between overlay nodes and the
underlying Internet hosts. Specifically, it defines which overlay node runs on which
Internet host. The deployment of an overlay network determines the latency and
bandwidth between connected overlay nodes, thereby affecting the overall performance
(e.g. latency, bandwidth) between any pair of overlay nodes.
2.2.2 Definition of Proxy Network-based DoS Defense
A proxy network is an overlay network that serves as an application mediator to
support communication between an application and its users. In our research, we study
proxy networks that are used to protect Internet service applications from infrastructure-
level DoS attacks. As shown in Figure 2-4, the application is hidden behind the proxy
network which mediates the application messages between the application and its users.
On one side of the proxy network, a set of proxies (known as application proxies) are
connected to the application; on the other side of the proxy network, a select set of
nodes (known as edge proxies) publish their IP addresses providing access to users of
the application. In this way, users access the edge proxies to communicate with the
application via the proxy network. To ensure that the proxy network is the only public
interface for the application, the application either has a secret IP address or resides
behind a distributed set of filters which blocks all packets except for those coming from
the application proxies.

Figure 2-4 Proxy Network-based DoS Defense
The proxy network operates in a large resource pool of tens of thousands or even
millions of Internet hosts. The existing infrastructure of large-scale distributed systems,
such as content delivery networks and peer-to-peer systems, demonstrates the feasibility
of such a large resource pool. For example, the Akamai network has over 15,000
servers deployed in over 1,200 ISP networks in 65 countries [36]; peer-to-peer overlay
systems, such as Skype [88] and BitTorrent [89], operate continuously with millions of
hosts online, and hundreds of millions of participant nodes in total. Such large resource
pools amassed by Skype for VoIP relay and BitTorrent for file serving provide a
massive server infrastructure to support large overlay systems. Furthermore, the number
of Internet hosts is increasing rapidly, thus the size of the resource pools that can be built
will increase accordingly in the near future. Therefore, a proxy network-based DoS
defense that depends on having a resource pool of millions of hosts appears
reasonable.
Proxy network-based DoS defense has two key ideas. First, a proxy network
provides the only public interface for application access, so that DoS attackers cannot
attack the application directly. Second, the proxy network shields the application from
DoS attacks by providing a large number of front-ends (edge proxies) for the application
to disperse attack traffic and dilute the impact of attacks. In this way, the proxy
network-based DoS defense has the potential to protect application availability from
DoS attacks.
Furthermore, proxy networks are also promising for large-scale deployment. Since
proxy networks are application-level overlay networks, they do not require any
modification to the existing Internet infrastructure. This greatly facilitates large-scale
deployment of proxy networks; for example, a variety of overlay networks, such as
Skype [88] and BitTorrent [89], have been successfully deployed on millions of hosts in
the Internet. Since the proxy network-based DoS defense is promising for protecting
application availability and feasible for large-scale deployment, it has the potential to
be a qualitative advance over existing DoS defense mechanisms, and to provide a
feasible solution to protect Internet service applications from DoS attacks.
2.2.3 Attacks on Proxy Network-based DoS Defense
There are three high-level strategies to attack the proxy network-based DoS
defense. First, attackers can compromise the application proxies. Since application
proxies connect to the application directly, compromising them enables attackers to
bypass the proxy network and expose the application to direct attacks. Second, attackers
can make the proxy network dysfunctional, preventing it from mediating
communication between users and the application. Third, attackers can make the proxy
network inaccessible to users, thereby denying users application access.
Corresponding to these high-level strategies, there are three important classes of
technical attacks against the proxy network-based DoS defense: penetration attacks,
proxy depletion attacks, and DoS attacks. Penetration attacks attempt to compromise
proxies along a path in a proxy network towards the application, thereby penetrating the
proxy network, and eventually compromising an application proxy, exposing the
application to direct attacks. Proxy depletion attacks compromise proxies along a proxy
network's topology, thereby increasing the number of compromised proxies, and
eventually disabling the proxy network. DoS attacks attempt to flood the infrastructure
around edge proxies with network traffic, in order to saturate them, thereby preventing
communication between users and the application. In addition to these three attacks,
attackers can also make the proxy network dysfunctional by exploiting weaknesses
specific to a particular implementation of proxy network-based DoS defense. We do not
focus on such attacks because they do not apply to the proxy network-based DoS
defense in general.
Penetration attacks, proxy depletion attacks, and DoS attacks on proxy networks are
further studied in this dissertation. Here we describe the low-level mechanisms used to
implement these attacks. The low-level mechanisms used in DoS attacks on proxy
networks are the same as those described in Section 2.1.2. The low-level mechanisms
used in penetration attacks and proxy depletion attacks are host compromise attacks,
which can compromise proxy nodes.
A host compromise attack is characterized by an explicit attempt by attackers to
gain unauthorized control over a computer system. A host compromise attack can be
achieved by using password attacks [90], Trojan horse programs [90], or buffer
overflow mechanisms [90, 91]. A successful host compromise attack allows attackers to
gain unauthorized access to files, monitor network communication, and run or kill
arbitrary programs on the victim system. Therefore, attackers can use these attacks to
compromise proxy nodes, preventing them from functioning. Furthermore,
compromising a proxy node also allows attackers to discover the IP addresses of all
other proxies communicating with it. Due to these impacts, host compromise attacks
can be used to construct penetration attacks and proxy depletion attacks.
2.2.4 Mechanisms Used to Protect Proxy Network-based DoS Defense
The high-level defense scheme used by proxy networks to resist penetration attacks
and proxy depletion attacks is proxy network reconfiguration. Proxy network
reconfiguration schemes dynamically change a proxy network's structure or its proxies'
location, in order to invalidate the information acquired by attackers. By doing this,
proxy networks can disrupt both penetration attacks and proxy depletion attacks. Proxy
network reconfiguration schemes include dynamic change of a proxy network's
topology and proxy migration. In the former case, a proxy network's topology is
changed dynamically, so that a compromised proxy is disconnected from the rest of the
network, thereby preventing the progress of attacks which propagate along the proxy
network topology. In the latter case, proxies migrate among Internet hosts; a proxy can
thus escape to a new location unknown to attackers, after its IP address is discovered by
attackers, thereby undoing the attackers' progress. Both schemes can disrupt the
propagation of penetration attacks and proxy depletion attacks by invalidating the
structure and location information acquired by attackers.
The low-level defense mechanism used by proxy networks to address host
compromise attacks is resource recovery. Resource recovery mechanisms eliminate
attackers' control over compromised hosts and proxies; they also prevent future attacks
that exploit the same vulnerabilities of the host. There are three levels of resource
recovery mechanisms against host compromise attacks: preemptive defense, detection,
and recovery. Preemptive defense schemes prevent hosts from being compromised;
examples of preemptive defense schemes include patch management [90, 92, 93], safe
runtime systems [94-97], and firewalls [90]. Detection schemes detect on-going host
compromises; they can be used to trigger other defensive mechanisms in order to
mitigate, contain, and remove the impact of attacks; examples of intrusion detection
systems include [98-108]. Recovery schemes remove the impact of host compromises,
and return a compromised host to a clean state; examples of recovery mechanisms
include termination of compromised processes, removal and replacement of infected
software components, clean reload of system images, revocation of suspected user
accounts, and so on. Recovery mechanisms are typically combined with installation of
up-to-date software patches to set the system into a state without known vulnerabilities.
They can be triggered by intrusion detection systems, or be applied periodically.
Preemptive defense, detection, and recovery schemes are used together to counter host
compromise attacks.
2.2.5 Understanding of Proxy Network-based DoS Defense
So far, there are two implementations of proxy network-based DoS defense: Secure
Overlay Services (SOS) and Internet Indirection Infrastructure (i3). Studies have
explored some properties of these implementations and evaluated their potential for DoS
defense. In this subsection, we describe these proxy network implementations, and
summarize our current understanding of proxy network-based DoS defense.
A) Implementations of Proxy Network-based DoS Defense
Secure Overlay Services (SOS) [26] is an implementation of proxy network-based
DoS defense. As shown in Figure 2-5, SOS uses the Chord [38] overlay network to
mediate all traffic between users and applications and to protect applications from DoS
attacks. On one side of the Chord network, a set of overlay nodes known as access
points publish their IP addresses and provide users access to the application. On the
other side of the Chord network, a set of overlay nodes known as servlets connect to
the application. Application-level traffic between users and applications is mediated
through the Chord network via the access points and the servlets. Furthermore, filters
are used around the application to ensure that only traffic from the servlets can reach the
application, thereby preventing direct infrastructure-level DoS attacks against the
application.

Figure 2-5 Secure Overlay Services (SOS)
Internet Indirection Infrastructure (i3) [28] is another implementation of proxy
network-based DoS defense. As shown in Figure 2-6, i3 uses the Chord overlay to
protect applications from infrastructure-level DoS attacks by means of rendezvous-
based indirect communication. On one side of the Chord network, the IP addresses of a
set of overlay nodes are published; users can access these nodes to communicate with
any node in the Chord network. On the other side of the Chord network, an overlay
node called trigger directly connects to the application and serves as a rendezvous
point for the application. As such, users can access the application by sending messages
through the Chord network to the trigger which forwards the messages to the
application. This structure allows communication between users and the application
without disclosing the application's IP address, thereby preventing direct infrastructure-
level DoS attacks on the application.

Figure 2-6 Internet Indirection Infrastructure (i3)
B) Known Results on Proxy Network-based DoS Defense
Studies [25-34] have explored some properties of the SOS and i3 implementations
of the proxy network-based DoS defense. Using a simplistic analytical model, studies
[25, 26, 30-33] have explored an attack specific to the SOS protocol. They have shown
that the SOS implementation (which depends on the Chord routing protocol) can
provide continued user access to the application when attackers disable random SOS
nodes. Other studies [28, 29, 34] have explored some i3-specific attacks targeted at the
protocol used by i3 for trigger installation. They have shown that the i3 implementation
can resist such attacks and provide continued user access to the application.
However, these existing explorations of the proxy network-based DoS defense have
three fundamental limitations:
First, each of these efforts focuses on a specific implementation of the proxy
network-based DoS defense. The evaluation of one applies only to that particular
implementation. There has been no systematic exploration of the fundamental
capabilities and limitations of the general class of proxy network-based DoS defense.
Second, these efforts have not studied penetration attacks and proxy depletion
attacks which are critical threats to the proxy network-based DoS defense. In order to
understand the fundamental feasibility of the proxy network-based defense and learn
how to design such schemes, we need to study whether and when a proxy network can
resist these important attacks.
Third, these efforts have not studied how well a proxy network can protect an
application's performance under DoS attacks. In order to understand the effectiveness
of a proxy network-based DoS defense, we need to study detailed application
performance under DoS attacks, in large-scale network environments.
In summary, our understanding of proxy network-based DoS defense schemes has
been limited and incomplete. The fundamental capabilities and limitations of this
scheme remain unclear. Specifically, little is known about a proxy network's resistance
to the three important classes of technical attacks: penetration attacks, proxy depletion
attacks, and DoS attacks. A clear understanding of these issues is essential to the proxy
network-based DoS defense, and will provide a major advance in the area of DoS
defense.
2.3 SUMMARY
This chapter has provided relevant background for our research by describing the
Denial-of-Service problem for Internet service applications, current defenses against
DoS attacks, and the newly emerged proxy network-based DoS defense.
We have shown that DoS attacks are an important threat to Internet service
applications. Current defense mechanisms have critical limitations and do not provide
effective defense. Therefore, protecting Internet service applications from DoS attacks
remains an important open research challenge.
A newly emerged proxy network-based DoS defense shows promise in solving the
DoS problem. By mediating application accesses to prevent direct infrastructure-level
DoS attacks, and providing a distributed front-end for the application to disperse attack
traffic, this new scheme shows promise in protecting the application's availability from
DoS attacks. Furthermore, it is feasible in practice to deploy this scheme at the Internet-
scale, providing a global DoS defense for Internet service applications.
However, fundamental properties of this new scheme are poorly understood. For
example, it is unclear whether a proxy network can resist large-scale DoS attacks and
protect applications. It is also unclear whether attackers can penetrate a proxy network
and expose the application to direct DoS attacks. Furthermore, it is unclear how the
system behaves under different attack scenarios and how a proxy network should be
designed for better resistance to various attacks. A clear understanding of these issues is
essential to the proxy network-based DoS defense, and would provide a major advance
in the area of DoS defense.

Chapter 3 THESIS STATEMENT
Denial-of-Service (DoS) attacks are an important security threat to Internet
applications. Our research focus is the study of a generic system-level approach which
protects Internet applications against infrastructure-level DoS attacks, and the
characterization of the capabilities and limitations of such an approach. Through this study,
we develop design guidelines for its effective deployment. In this chapter we outline the
research context, define the research problem, and present the thesis statement.
3.1 CONTEXT
In recent years, varied Internet services, such as search engines and e-Commerce
applications, have emerged as critical parts of today's society and economy. Typically,
these applications are made available by publishing an IP address which enables direct
user connection (see Figure 3-1). However, this public IP address means that the
application is exposed to DoS attacks. How to protect Internet services from DoS
attacks is an important research problem.

Figure 3-1 Direct Access vs. Mediation
One approach to the problem is to mediate user access to an application. As shown
in Figure 3-1, mediation adds a level of indirection; application servers do not publish
their IP addresses; instead users access the application through the mediator. Thus,
instead of the application servers being exposed to direct DoS attacks, the burden is
shifted to the mediators. For a mediator to protect an application from infrastructure-
level DoS attacks, it must support communication between users and the application,
hide the application's IP addresses, and resist DoS attacks.
If the application is only accessible via the mediator, direct infrastructure-level DoS
attacks on the application are prevented, and the mediator can shield the application.
Furthermore, if the mediator can resist DoS attacks and continue to support user access
to the application, then attackers cannot deny application service by attacking the
mediator. Therefore if these requirements are met, a mediator can protect applications
from infrastructure-level DoS attacks. The idea of using mediation to address the DoS
problem is straightforward, but the key research challenge is how to design mediators to
meet the requirements.
3.2 PROBLEM DEFINITION

Figure 3-2 Proxy Network as Mediator
Proxy networks are an attractive approach to building mediators for DoS resistance
(see Figure 3-2). In the proxy network scheme, a proxy network runs on a large
resource pool of Internet hosts. Applications are hidden behind the proxy network and
all traffic to and from the application goes through the proxy network. A select set of
nodes known as edge proxies publish their IP addresses, providing public access to users
of the applications. To ensure that the proxy network is the only public interface for the
application, the application either has a secret IP address or resides behind a distributed
set of filters which blocks all packets except for those coming from the application
proxies.
Proxy networks are an attractive approach to building mediators for DoS defense
[25-29, 35], for the following reasons. First, the application is protected by a series of
proxy indirections, all of which must be compromised by attackers to expose the
application to direct attacks. Since the number of indirections can be adjusted by
reconfiguring the proxy network, proxy networks provide a flexible structure for
resisting an attacker's penetration and, therefore, protecting the application from direct
attacks. Second, the edge proxies can be widely dispersed, making it difficult for
attackers to saturate them and, thereby, interrupt application service. This allows proxy
networks to tolerate DoS attacks by dispersing attack traffic. By mediating application
access to prevent direct attacks and by providing a DoS-resilient front-end for the
application to dilute the impact of DoS attacks, a proxy network can protect the
application from infrastructure-level DoS attacks.
However, to understand whether or not proxy networks can be a viable DoS
defense, we need to understand their resistance to possible attacks. We assume that
attackers cannot attack a proxy unless they know its IP address, and that attackers
cannot concurrently attack all of the resource pool. In this case, the three important
classes of technical attacks on proxy networks are penetration attacks, proxy depletion
attacks, and infrastructure-level DoS attacks. Penetration attacks attempt to compromise
proxies along a path in a proxy network towards the application, in order to penetrate the
proxy network and expose the application to direct attacks. Proxy depletion attacks
compromise proxies along the proxy network topology in order to control all the
proxies, and thus disable the proxy network. Infrastructure-level DoS attacks flood the
infrastructure around edge proxies with network traffic to saturate them, and thereby
prevent the proxy network from mediating the communication between users and the
application. Studying proxy networks' resistance to these attacks provides a deeper
understanding of the viability of the proxy network-based DoS resistance scheme. In
this dissertation, we explore the following research questions.
- Can a proxy network resist penetration attacks?
Penetration attacks are a key threat to the proxy network scheme because, if
successful, they can expose the application to direct DoS attacks. Therefore, a basic
question for proxy network-based DoS defense is whether proxy networks are capable
of resisting penetration attacks. Specifically, we ask the basic feasibility questions: How
much time is required to penetrate a proxy network? Can the proxy indirections alone
resist penetration attacks, or are some other defensive mechanisms required, and if so
what are they?
- Can a proxy network resist proxy depletion attacks?
Proxy depletion attacks are another threat to the proxy network scheme because, if
successful, all proxies in the proxy network fall under the attacker's control and thus
make the proxy network dysfunctional. A proxy network must be able to resist such
attacks, in order to provide a stable defense for the applications. Specifically, we ask the
following question: can a proxy network recover all the compromised proxies regardless
of how many proxies are compromised at the beginning?
- Can proxy networks resist infrastructure-level DoS attacks and shield applications?
To protect applications from infrastructure-level DoS attacks, proxy networks
themselves must be capable of resisting such attacks, so that attackers cannot deny
application service by attacking the proxy network. Specifically, we ask critical
questions about the effectiveness and scalability of proxy networks' resilience to DoS
attacks. How well can proxy networks tolerate infrastructure-level DoS attacks and
keep applications accessible to their users? Can a proxy network's resistance to DoS
attacks be increased by increasing the size of the proxy network? Can this resistance be
used to resist stronger DoS attacks?
3.3 THESIS STATEMENT
My thesis is stated as follows:
By hiding applications from penetration attacks and providing a stable and DoS-
resilient front-end, proxy networks can effectively protect an application from a range
of infrastructure-level DoS attacks. Specifically, a proxy network can be used as an
application mediator that forms a barrier against penetration attacks, and thereby
protects an application from direct attacks. Moreover, a proxy network can effectively
resist proxy depletion attacks by removing the impact of attack, thereby providing a
stable defense. Furthermore, a proxy network can effectively resist infrastructure-level
DoS attacks by dispersing the attack traffic among a distributed front-end and diffusing
the impact of DoS attacks, thereby enabling continued application service.
The thesis addresses the fundamental properties of the proxy network scheme in
protecting Internet service applications from DoS attacks. The thesis addresses three
important classes of attacks: penetration attacks, proxy depletion attacks, and
infrastructure-level DoS attacks. Resisting these attacks allows a proxy network to
effectively protect applications from DoS attacks.
A) Resistance to Penetration Attacks
To prove that proxy networks can resist penetration attacks, we build a generic
framework and a stochastic model to describe the proxy network system and
characterize system dynamics, modeling the progress of attacks and defenses as
stochastic processes. Based on our stochastic model, we use analysis and Monte Carlo
simulations to show that proactive mechanisms, such as proxy migration, enable a proxy
network to defend against penetration attacks effectively. With such a defense, an attacker's
penetration requires a significant amount of time, which grows exponentially with the
proxy network depth. For example, in realistic settings, penetrating a proxy network of
depth five can take hundreds of years on average, and a proxy network of depth six
would take thousands of years on average. Practically, this means that a proxy network
of a modest size can be made effectively impenetrable.
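A worked version of the penetration-time argument, added here as an illustration and not the dissertation's own stochastic model: the attacker is at level k after compromising k proxies along a path of depth d, compromises the next proxy at rate lam, and a reconfiguration event (migration or recovery of the most recently compromised proxy, in the sense of Section 2.2.4) pushes it back one level at rate mu. The expected time to reach level d is computed exactly from a first-passage recursion and checked by Monte Carlo. The one-level-back rule, the rate values, and the depths are assumptions.

```python
# Added illustration (mine, not the dissertation's model) of why penetration
# time can grow exponentially with proxy network depth under reconfiguration.
import random


def expected_penetration_time(depth, lam, mu):
    """Exact mean time for an attacker to advance from level 0 to level `depth`.

    Model (assumption): at level k the attacker compromises the next proxy at
    rate `lam`; for k >= 1 the defense migrates/recovers the most recently
    compromised proxy at rate `mu`, pushing the attacker back to level k-1.
    Let h[k] be the mean first-passage time from level k to k+1. Then
        h[0] = 1/lam
        h[k] = 1/(lam+mu) + mu/(lam+mu) * (h[k-1] + h[k])   (k >= 1),
    which rearranges to h[k] = (1 + mu*h[k-1]) / lam; the total is the sum
    of h[0..depth-1]. With lam=1, mu=2 this gives 1, 4, 11, 26, 57, ..."""
    if depth < 1:
        return 0.0
    h = 1.0 / lam
    total = h
    for _ in range(1, depth):
        h = (1.0 + mu * h) / lam
        total += h
    return total


def simulate_penetration_time(depth, lam, mu, trials=20000, seed=1):
    """Monte Carlo estimate of the same quantity, as a sanity check."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        level, t = 0, 0.0
        while level < depth:
            down = mu if level > 0 else 0.0       # no push-back before any compromise
            rate = lam + down
            t += rng.expovariate(rate)            # holding time at this level
            if rng.random() < lam / rate:         # next event: a compromise ...
                level += 1
            else:                                 # ... or a reconfiguration
                level -= 1
        total += t
    return total / trials


def growth_ratios(lam, mu, max_depth):
    """T(d+1)/T(d) for d = 1..max_depth-1. When mu > lam the ratio tends to
    mu/lam, i.e. penetration time grows geometrically with depth; when
    mu <= lam it tends to 1 and the growth is only polynomial."""
    times = [expected_penetration_time(d, lam, mu) for d in range(1, max_depth + 1)]
    return [times[i + 1] / times[i] for i in range(len(times) - 1)]


if __name__ == "__main__":
    for d in range(1, 8):
        print(d, expected_penetration_time(d, lam=1.0, mu=2.0))
    print("MC estimate, depth 3:", simulate_penetration_time(3, 1.0, 2.0))
```

The recursion makes the design lever visible: the depth of the proxy path only buys exponential penetration time when reconfiguration outpaces compromise (mu > lam); with mu = lam the expected time is d(d+1)/(2 lam), quadratic in depth.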
B) Resistance to Proxy Depletion Attacks
To prove that proxy networks can resist proxy depletion attacks, we use a generic
framework and a stochastic model to describe the proxy network system and
characterize system dynamics, modeling the progress of proxy depletion attacks and
defenses as stochastic processes. Based on this model, we characterize analytically the
circumstances under which a proxy network can resist proxy depletion attacks
effectively. Specifically, the analysis shows that an appropriate topology can enable a
proxy network to remove compromised proxies completely regardless of how many
proxies are compromised initially. We then apply these results to a range of popular
proxy network topologies to identify favorable ones which enable effective defense
against proxy depletion attacks.
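An illustration of the topology dependence claimed in B), added here and not taken from the dissertation's own analysis: proxy depletion is modelled as an SIS contagion on the proxy network graph (a compromised proxy compromises each clean neighbour with probability beta per step and is recovered with probability delta per step). The standard epidemic-threshold result for this model is that when beta/delta < 1/rho(A), with rho(A) the spectral radius of the adjacency matrix, the compromised set dies out from any initial set, including the whole network; since rho(A) depends only on the topology, the topology decides how fast recovery must be. The topologies, probabilities and step counts below are assumptions.

```python
# Added illustration (not the dissertation's analysis): proxy depletion as an
# SIS contagion on the proxy network topology, and the spectral-radius threshold
# below which the compromised set dies out regardless of the initial set.
import random


def ring(n):
    """Ring topology: proxy i is connected to i-1 and i+1 (mod n)."""
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        adj[i][(i + 1) % n] = adj[(i + 1) % n][i] = 1
    return adj


def star(n_leaves):
    """Star topology: node 0 is a hub connected to every other proxy."""
    n = n_leaves + 1
    adj = [[0] * n for _ in range(n)]
    for leaf in range(1, n):
        adj[0][leaf] = adj[leaf][0] = 1
    return adj


def complete(n):
    """Complete topology: every proxy is connected to every other proxy."""
    return [[int(i != j) for j in range(n)] for i in range(n)]


def spectral_radius(adj, max_iterations=10000, tol=1e-12):
    """Largest eigenvalue of the adjacency matrix by power iteration on A + I.
    The shift keeps the largest eigenvalue strictly dominant in magnitude even
    for bipartite graphs (e.g. even rings), whose spectrum is symmetric."""
    n = len(adj)
    v = [1.0] * n
    estimate = 0.0
    for _ in range(max_iterations):
        w = [v[i] + sum(adj[i][j] * v[j] for j in range(n)) for i in range(n)]
        new_estimate = max(abs(x) for x in w)
        v = [x / new_estimate for x in w]
        converged = abs(new_estimate - estimate) < tol
        estimate = new_estimate
        if converged:
            break
    return estimate - 1.0


def depletion_threshold(adj):
    """Largest compromise/recovery ratio beta/delta under which the SIS model
    predicts die-out from any initial compromised set: 1 / rho(A)."""
    return 1.0 / spectral_radius(adj)


def simulate_depletion(adj, beta, delta, steps, seed=0):
    """Discrete-time SIS run that starts with EVERY proxy compromised.
    Each step: a compromised proxy is recovered with probability delta; a clean
    proxy is compromised by each compromised neighbour with probability beta.
    Returns the number of proxies still compromised after `steps` steps."""
    rng = random.Random(seed)
    n = len(adj)
    compromised = [True] * n
    for _ in range(steps):
        nxt = list(compromised)
        for i in range(n):
            if compromised[i]:
                if rng.random() < delta:
                    nxt[i] = False
            else:
                for j in range(n):
                    if adj[i][j] and compromised[j] and rng.random() < beta:
                        nxt[i] = True
                        break
        compromised = nxt
    return sum(compromised)


if __name__ == "__main__":
    beta, delta = 0.1, 0.5                      # assumed per-step probabilities
    for name, adj in (("ring(32)", ring(32)), ("star(16)", star(16)),
                      ("complete(32)", complete(32))):
        print(name, "threshold", round(depletion_threshold(adj), 3),
              "still compromised after 300 steps",
              simulate_depletion(adj, beta, delta, 300))
```

With the assumed beta/delta = 0.2, the ring (rho = 2, threshold 0.5) and the 16-leaf star (rho = 4, threshold 0.25) are fully recovered even from a state where every proxy starts compromised, whereas the complete graph on 32 nodes (rho = 31, threshold about 0.032) keeps a persistent compromised population: the denser the topology, the faster recovery must be relative to compromise for depletion resistance to hold.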
C) Resilience to Infrastructure-level DoS attacks on Proxy Networks
We take two steps to study the DoS-resilience of proxy networks. First, by
simulation, we demonstrate that in a large resource pool (hosts and network), a proxy
network can continue to deliver application service during DoS attacks. These results
are then confirmed over a range of attack magnitudes and distributions. Second, to
show that proxy networks cannot simply be overwhelmed, we show that the magnitude
of DoS attacks that a proxy network can resist may be increased by using a larger proxy
network. In fact, the magnitude of DoS attacks that can be resisted grows linearly with the
proxy network size. These two results together show that proxy networks can be both
effective and scalable DoS-resilient mediators.
Our experiments are performed using a large-scale online simulator MicroGrid
[37, 41] which enables packet-level accurate simulation of large-scale network
environments with up to 10,000 routers and 40 ASes. These network sizes are
comparable to a large ISP network. Furthermore, Microgrid supports direct execution
of unmodified application binaries, allowing us to use real applications and a real proxy
network implementation in the simulation. In our study, we use a DDoS zombie
network of 100 nodes with a real DoS attack toolkit, and use the zombies to generate
attack traffic. Total attack traffic intensities of up to 6.4 Gbps and a wide range of DoS
attack scenarios are explored. This experimental configuration is large enough to
capture key properties of the Internet environment, such as router queues, as well as
networking and routing protocol dynamics, which are critical to the application behavior
and performance under various DoS attack scenarios. These tools enable a realistic
study of the proxy network-based scheme.
In summary, to prove the thesis, our study explores proxy network resistance
against three important attacks: penetration, proxy depletion, and infrastructure-level
DoS attacks. We first prove that proxy networks can resist penetration attacks
effectively, and then show how proxy networks can be designed to resist proxy depletion
attacks effectively. Next, to show that proxy networks can provide both effective and
scalable resilience against DoS attacks, we use simulation to demonstrate that, in a large
resource pool, a proxy network can continue to deliver application service during DoS
attacks. These simulations also show that the magnitude of DoS attacks that a proxy
network can resist may be increased linearly by increasing proxy network size. These
results together prove that proxy networks can resist penetration attacks, proxy depletion
attacks, and DoS attacks effectively, thereby providing a viable DoS defense for Internet
service applications. Furthermore, study of these problems also develops a deeper
understanding of the fundamental capabilities of proxy networks, and provides
guidelines for proxy network design in support of DoS resistance.

Chapter 4 APPROACH
4.1 OVERVIEW
This chapter describes our high-level approach used to study proxy network-based
DoS defense. In order to understand proxy networks' ability to protect Internet service
applications from infrastructure-level DoS attacks, we consider possible attacks against
proxy networks, and study their properties under such attacks.
From an attacker's perspective, there are three strategies to defeat the proxy
network scheme. First, attackers can penetrate the proxy network and compromise the
application proxies. Since the application proxies connect to the application directly,
this enables attackers to bypass the proxy network and attack the application directly.
Second, attackers can make the proxy network dysfunctional by compromising all the
proxies. Third, attackers can make the proxy network inaccessible to users, preventing
users from accessing the application service.
Corresponding to these high-level strategies, there are three important classes of
attacks against the proxy network scheme (see Figure 4-1): penetration attacks, proxy
depletion attacks, and DoS attacks on proxy network. Using the host compromise
mechanisms described in Section 2.2.3, penetration attacks attempt to compromise
proxies along a path in a proxy network towards the application, penetrating the proxy
network, and thereby eventually exposing the application to direct attacks. Using the
host compromise mechanisms described in Section 2.2.3, proxy depletion attacks
compromise proxies along a proxy network's topology, thereby increasing the number
of compromised proxies and eventually disabling the proxy network. Infrastructure-
level DoS attacks attempt to flood the infrastructure around edge proxies with network
traffic in order to saturate them, thereby preventing communication between users and
the application. By studying proxy networks' resistance to these attacks, we can
develop a deeper understanding of the viability of proxy network-based DoS resistance.
In our research, we study proxy networks' resistance to these attacks. The approaches
used to study each attack are outlined as follows.

Figure 4-1 Three Classes of Attacks on Proxy Networks (figure; panels: Penetration Attack, Proxy Depletion Attack, DoS Attack; labels: Application Server, Proxy Network, Edge proxies)

A) Study of Penetration Attacks using Generic Framework and Stochastic
Modeling
Our approach to studying penetration attacks has two elements: a generic
framework for proxy network-based DoS defense and the use of a stochastic model to
characterize the impact of attacks on a proxy network system.
In order to study a general class of proxy networks, we develop a generic
framework which encompasses a wide range of proxy network-based DoS defense. The
framework defines key components of a proxy network system and describes how
attacks and defenses change the system state. It enables rigorous study of a large class
of proxy networks with results that bear on the entire class.
Based on the generic framework for proxy network schemes, we develop a
stochastic model to characterize how attacks and defenses change the state of system
components quantitatively, thereby allowing rigorous study of system dynamics as a
function of attacks and defenses. Based on our stochastic model, we combine analysis
with Monte Carlo simulation techniques to study how long it takes a penetration attack
to penetrate a proxy network. As such, we answer a range of fundamental feasibility
questions, and study when a proxy network can resist penetration attacks effectively.
B) Study of Proxy Depletion Attacks using Generic Framework and Stochastic
Modeling
Our approach to studying proxy depletion attacks has two elements: a generic
framework for proxy network-based DoS defense and the use of a stochastic model to
characterize the impact of attacks on a proxy network system. Since proxy depletion
attacks use the same attack mechanism (host compromise attacks) as penetration attacks,
we use the same framework and stochastic model as described above.
Using the framework and model, we study system dynamics as a function of attacks
and defenses. We analyze when a proxy network can remove all the compromised
proxies regardless of how many proxies are compromised initially and when it cannot. As
such, we characterize when a proxy network can resist proxy depletion attacks
effectively and when it cannot.
C) Study of DoS Attacks on Proxy Network using Online Simulation
We study the properties of proxy networks under DoS attacks empirically, using
online packet-level network simulation with full applications, a real software
implementation of a proxy network, and real attacks. This approach enables study of
detailed network and application dynamics such as packet drops, router queues, real
temporal and feedback behavior of network and application protocols, which are critical
to application and proxy network performance under DoS attacks. Therefore, this
approach enables accurate modeling of the full complexity of network and application
behavior needed to reproduce DoS dynamics, and to characterize application and proxy
network performance in varied attack scenarios. With this leverage, we study
application performance delivered by a proxy network for a range of proxy network
structures and attack scenarios. As such, we study proxy networks' resilience to DoS
attacks.
The rest of the chapter is structured as follows. Section 4.2 describes our generic
framework which encompasses a wide range of proxy network-based DoS defense. We
use this framework to study penetration attacks and proxy depletion attacks. Section
4.3, Section 4.4, and Section 4.5 describe the high-level approach used to study
penetration attacks, proxy depletion attacks, and DoS attacks on proxy networks
respectively. Section 4.6 gives a brief summary of our approach.
4.2 A GENERIC FRAMEWORK FOR PROXY NETWORK-BASED DOS
DEFENSE
Researchers explore the use of proxy networks as mediators to protect Internet
applications from DoS attacks [25-29, 35]. Two key elements are the common core of
all of these approaches (e.g. SOS [25, 26] and i3 [28, 29, 35]). First, all these
approaches use an overlay network (a proxy network) to mediate communication
between users and applications. As long as the application is only accessible via the
proxy network, the application servers cannot be attacked directly. Second, all these
approaches use a large set of public proxies to provide access to the application and
allow the number of public proxies to be increased flexibly. In order to deny application
service, attackers must saturate this large number of proxies. The flexibility enables
scalable resilience against DoS attacks. The commonality of these approaches allows
them to be studied within a single framework.
In this section, we propose a generic framework which captures the key elements of
all proxy network approaches and defines a system state model which describes the
impact of attacks and defenses. The framework serves two purposes: 1) it provides a
formal basis for discussion of proxy networks and attacks, and 2) it enables study of
properties of a large class of proxy networks. We use this framework to study both
penetration attacks and proxy depletion attacks. In the following, we introduce our
generic framework, and then discuss how previously proposed proxy network schemes
are captured in the framework.
4.2.1 Definition of the Generic Framework
The framework for proxy network schemes has two parts, a description of system
components, including applications, users, hosts, and a generic proxy network, and a
description of how attack and defense processes affect system dynamics.
4.2.1.1 System Components

Figure 4-2 Generic Framework for Proxy Networks
As shown in Figure 4-2, our generic framework describes a system where a proxy
network mediates all traffic between an application and its users, and protects the
application from infrastructure-level DoS attacks. In the following section, we define
the four key system components: applications, users, hosts, and a proxy network.

(Figure 4-2 labels: User, Edge Proxy, Internal Proxy, Host, Resource Pool, Internet, Application, Proxy Network)

A) Application
An application is a deployed software system that implements an Internet service
which responds to user requests and runs on a host in the Internet. In the proxy network
scheme (see Figure 4-2), the IP address of the application is hidden and the application
has connections with the proxy network, through which the application communicates
with its users.
B) Users
A user is the principal that uses the application client software to interactively
access the application, in order to use the application service. For example, a user can
be a person using a web browser to access the Internet service application. In the proxy
network scheme (see Figure 4-2), users are outside the proxy network and access the
application via edge proxies (defined below) and through the proxy network.
C) Hosts
A host is a computer system connected with the Internet which provides the
software and hardware infrastructure to support the operation of proxy nodes (defined
below). A large number of such hosts dispersed widely in the Internet form a resource
pool for the proxy network (see Figure 4-2).
Hosts may have vulnerabilities, such as exploitable bugs in the operating system
software, which allow attackers to compromise the hosts. Furthermore, the
vulnerabilities of the hosts in the resource pool may be correlated (e.g. same operating
system software with the same bugs). If host vulnerabilities are correlated, once a host
is compromised, others may be easily compromised using similar techniques.
D) Proxy Network
As shown in Figure 4-2, a proxy network is an overlay network which runs on the
resource pool of Internet hosts and mediates all traffic to and from the application. A
proxy network is a set of interconnected proxies, each of which is a software program
that runs on an Internet host and forwards application traffic. There are two types of
proxies, edge proxies and internal proxies. Edge proxies have published IP addresses.
Internal proxies are those which are not edge proxies; their IP addresses are hidden.
As shown in Figure 4-2, on one side of the proxy network a selected set of proxies
are connected to the application, and on the other side of the proxy network, a set of
edge proxies publish their IP addresses providing access to users of the application. As
such, the proxy network mediates all traffic between users and the application.
There are three important properties of a proxy network: topology, depth, and
width.
The topology of a proxy network characterizes the internal connectivity amongst
proxies. The topology of a proxy network can be represented by a graph, where vertices
represent proxies and edges represent the connections among proxies. Technically two
proxies are connected if they can route packets to each other. In the context of network
security, the important distinction is that connected proxies know each other's IP
address.
The depth of a proxy network is the minimum number of proxy indirections
between an application and its users. The depth of a proxy network for an application is
defined as the minimum path length in the proxy network topology graph from any edge
proxy to the application. For example, the depth of the proxy network shown in Figure
4-2 is four.
The width of a proxy network is the number of public access points the proxy
network presents to the users of an application. The width of a proxy network is defined
as the number of edge proxies. For example, the width of the proxy network shown in
Figure 4-2 is six.
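The three properties just defined can be computed directly on the topology graph. The following Python snippet is an added illustration written for this page, not code from the dissertation: the `TOPOLOGY` dictionary is a constructed graph shaped like Figure 4-2 (six edge proxies, four proxy indirections to the application) rather than the figure's actual data. The helper `min_distance_to_app` generalizes the depth computation to an arbitrary set of exposed proxies, which is the "minimum distance to the application" attribute of the system state described in Section 4.2.1.2; the depth is simply that distance in a healthy system, where only the edge proxies are exposed.

```python
"""Topology metrics of a generic proxy network (constructed example)."""
from collections import deque

# The proxy network topology is an undirected graph: vertices are proxies
# plus the special vertex APP for the application; an edge means the two
# endpoints can route packets to each other and know each other's address.
APP = "app"

# Constructed topology resembling Figure 4-2: six edge proxies (e1..e6),
# two internal layers (a*, b*), one proxy (c1) connected to the application.
# Illustrative data only, not taken from the dissertation's figure.
TOPOLOGY = {
    "e1": {"a1"}, "e2": {"a1"}, "e3": {"a2"},
    "e4": {"a2"}, "e5": {"a3"}, "e6": {"a3"},
    "a1": {"e1", "e2", "b1"},
    "a2": {"e3", "e4", "b1", "b2"},
    "a3": {"e5", "e6", "b2"},
    "b1": {"a1", "a2", "c1"},
    "b2": {"a2", "a3", "c1"},
    "c1": {"b1", "b2", APP},
    APP: {"c1"},
}
EDGE_PROXIES = {"e1", "e2", "e3", "e4", "e5", "e6"}  # published addresses


def distances_from(graph, source):
    """Breadth-first hop counts from `source` to every reachable vertex."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def width(edge_proxies):
    """Width: the number of public access points, i.e. edge proxies."""
    return len(edge_proxies)


def min_distance_to_app(graph, exposed):
    """Minimum number of proxy indirections between any exposed proxy and
    the application.  A proxy directly connected to APP is one hop away and
    is one indirection, so the BFS hop count from APP is exactly the number
    of proxies on the path.  Returns None if no exposed proxy reaches APP."""
    dist = distances_from(graph, APP)
    reachable = [dist[p] for p in exposed if p in dist]
    return min(reachable) if reachable else None


def depth(graph, edge_proxies):
    """Depth: minimum path length from any edge proxy to the application,
    which is the attacker's starting distance in a healthy system."""
    return min_distance_to_app(graph, edge_proxies)


if __name__ == "__main__":
    print("width:", width(EDGE_PROXIES))            # 6 edge proxies
    print("depth:", depth(TOPOLOGY, EDGE_PROXIES))  # 4 indirections
    # Progress of an attacker who has exposed b1 and e3: 2 indirections left.
    print("distance after exposing b1:",
          min_distance_to_app(TOPOLOGY, {"b1", "e3"}))
```

Because the graph is undirected, a single breadth-first search from the application side gives the distance of every proxy at once, which is why the same routine serves both the static depth metric and the dynamic "distance of exposed proxies" measure.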
4.2.1.2 System Dynamics
System dynamics describes the changes in system state which result from attacks
and defenses. By studying the system dynamics of a proxy network under various
attack and defense scenarios, we can understand when the proxy network can provide
stable defense against penetration attacks and proxy depletion attacks. We first
introduce terminology to describe the system state, and then discuss how attacks and
defenses affect the overall system dynamics.
A) System State
We define the state of system components as follows. A host has two states:
compromised and intact. A host is compromised when attackers have control over it
and any information stored there may be revealed to attackers. A host is intact if and
only if it is not compromised.
A proxy has three states: exposed, compromised and intact. A proxy is exposed if
attackers know its location, i.e. the IP address of the host where the proxy runs; in this
case the proxy is subject to future attacks. A proxy is compromised if it runs on a
compromised host. A proxy is intact if it is neither exposed nor compromised.
The system state is the combined state of all the proxies in the proxy network and
all the hosts in the resource pool. However, it is also convenient to describe the system
state in terms of the progress of the attacks, using the following attributes:
- The number of intact hosts in the resource pool. The health of the resource pool and
the amount of intact resource available to the proxy network.
- The number and distribution of compromised proxies in the proxy network. How
many and which proxies are compromised and under attackers' control. It reflects the
amount of control attackers have on the proxy network.
- The minimum distance between the exposed proxies and the application in the proxy
network topology graph. The minimum number of proxy indirections that separates the
application from attackers. It reflects the progress and structural information of the
proxy network attackers have obtained.
In a healthy proxy network system, all the hosts in the resource pool are intact, none
of the proxies are compromised, and only edge proxies are exposed because their IP
addresses are published to provide user access. By compromising and exposing proxies,
attacks may increase the population of compromised proxies and reduce the minimum
distance to application. Defenses may recover hosts and proxies, decreasing the number
of compromised hosts and proxies, and increasing attackers' distance to the application. In
the next two sections, we discuss how attacks and defenses change the system state.
B) Attacks
Our generic framework captures a range of attacks, among which we study
penetration attacks and proxy depletion attacks.
The goal of penetration attacks is to discover the IP address of the application
protected by a proxy network. The strategy is to explore the structure of the proxy
network and compromise proxies along a path in the proxy network towards the
application. As shown in Figure 4-3, these attacks allow attackers to penetrate into the
proxy network, reducing the distance between the application and the exposed proxies,
and perhaps, eventually discovering the IP address of the application.

Figure 4-3 Penetration Attacks
The goal of proxy depletion attacks is to compromise all the proxies in a proxy
network, thereby making the proxy network dysfunctional. The strategy is to
compromise proxies and propagate along the proxy network topology. As shown in
Figure 4-4, these attacks allow attackers to propagate in the proxy network, increase the
number of compromised proxies, and perhaps, eventually compromise all the proxies.

Figure 4-4 Proxy Depletion Attacks (Figures 4-3 and 4-4 show the Proxy Network, Application Server, Edge proxy and Internal Proxy; legend: Compromised, Exposed)

Both penetration attacks and proxy depletion attacks use the same mechanisms,
host compromise attacks, such as those explained in Chapter 2. As shown in Figure 4-5,
host compromise attacks change the state of hosts and proxies. A successful host
compromise attack changes an intact host to a compromised host. By compromising the
host on which a proxy runs, an attacker can compromise the proxy. The neighbors of
the compromised proxy then become exposed because attackers may learn their IP
addresses from the compromised proxy.
Using host compromise attacks, we can construct both penetration attacks and
proxy depletion attacks. In a penetration attack, attackers start from an edge proxy and
use host compromise mechanisms to compromise the edge proxy. Once the proxy is
compromised, all of its neighbor proxies become exposed. By compromising a
sequence of exposed proxies along a path from the edge proxy to the application,
attackers can penetrate the proxy network and eventually expose the application. On the
other hand, in a proxy depletion attack, after compromising a proxy, attackers attack all
the exposed neighbors, thereby propagating along the proxy network topology,
increasing the number of compromised proxies.

Figure 4-5 System Component State Transitions (figure; host states: intact, compromised; proxy states: intact, exposed, compromised; transitions: Host compromise attack, Resource Recovery, Reconfiguration)

C) Defensive Mechanisms
The goal of defense is to reverse the negative impact of attacks on the system.
Defenses can recover compromised hosts, making them intact, thereby increasing the
population of intact hosts for proxy networks to use. Defenses can also turn
compromised and exposed proxies into intact proxies, thereby reducing the population
of compromised proxies and increasing the distance between exposed proxies and the
application. We discuss two types of defense in the following section: resource
recovery and proxy network reconfiguration.
Resource recovery mechanisms are defenses which address host compromise
attacks. Examples of resource recovery include removal of infected software
components, clean reload of system images with up-to-date security patches, revocation
of suspected user accounts, and so on. Such resource recovery can eliminate attackers'
control on compromised hosts and proxies, and also prevent future attacks using the
same vulnerabilities of the hosts. We consider their use on all the hosts in the resource
pool and trigger them using two policies: reactive recoveries and proactive resets.
Reactive recoveries depend on intrusion or compromise detection, and are triggered
when compromises are detected. In contrast, proactive resets happen periodically,
regardless of the current state of the host.
The detailed mechanics of our resource recovery mechanisms are explained in
Chapter 2. They change the state of system components. At the host level (see Figure
4-5), resource recovery takes compromised hosts and returns them to the intact state. At
the proxy level, resource recovery turns a compromised proxy into the exposed state by
recovering the underlying host.
Proxy network reconfiguration is another type of defense. Reconfiguration can
invalidate the location information acquired by attackers, and disrupt both penetration
attacks and proxy depletion attacks. Examples include changing proxy network
topology and proxy migration. We focus on random proxy migration, where proxies
can migrate from one host to another inside the resource pool, but the proxy network
topology is unchanged. The migration mechanism is deployed on all the proxies in the
proxy network, and every proxy (except edge proxies) periodically migrates randomly
amongst hosts in the resource pool.
Proxy migration can change the state of proxies. As shown in Figure 4-5, proxy
migration can turn an exposed or compromised proxy into an intact one, by moving the
proxy to an intact host unknown to attackers. Furthermore, this mechanism allows
proxies to escape from exposed locations before they are compromised by attackers,
thereby preventing the propagation of attacks and disrupting both penetration attacks
and proxy depletion attacks.
4.2.2 Generality of the Generic Framework
Having defined a generic framework for proxy network-based DoS defense, we
show how it captures several previously proposed proxy network schemes, including
Secure Overlay Services (SOS) [25, 26] and Internet Indirection Infrastructure (i3) [28,
29, 35]. Then, moving beyond specific examples, we discuss the space of proxy
network-based DoS defense schemes captured by our framework.
A) Secure Overlay Services (SOS)

Figure 4-6 Secure Overlay Services (SOS)
As shown in Figure 4-6, Secure Overlay Services (SOS) is a proxy network scheme
that uses the Chord overlay network [38] to mediate all traffic between users and
applications and protect applications from DoS attacks. On one side of the Chord
network, a set of overlay nodes (access points) publish their IP addresses and provide
users access to the application. On the other side, a set of overlay nodes (servlets)
connect to the application. Application traffic between users and applications is
mediated through the Chord network via the access points and the servlets.
Furthermore, filters are used around the application to enforce that only traffic from the
servlets can reach the application, thereby preventing direct infrastructure-level DoS
attacks on the application. Our generic framework captures the key properties of the
SOS scheme as follows.
First, the key components of SOS system match those of our generic framework.
The Chord network used by SOS can be represented using our generic proxy network
with a Chord topology, the access points of SOS correspond to the edge proxies in our
framework, and the servlets correspond to the proxies that directly connect to the
application in our framework.
Second, the attack and defense processes described in our generic framework can
apply to the SOS system. Regarding attacks, both penetration attacks and proxy
depletion attacks described in our framework are key threats to the SOS system. Using
penetration attacks, attackers can penetrate the Chord network and discover the IP
addresses of the servlets. Once the servlets are exposed, attackers can easily defeat the
SOS defense, because DoS attacks using packets spoofed with servlets' IP addresses can
go through the filters, and reach the application. On the other hand, using proxy
depletion attacks, attackers may compromise all the SOS nodes, thereby disabling the
SOS system. Regarding defenses, both reactive and proactive resource recoveries
described in our framework can directly apply to the SOS system. The SOS proposal
does not include any proxy network reconfiguration mechanism.
B) Internet Indirection Infrastructure (i3)

Figure 4-7 Internet Indirection Infrastructure (i3)
Internet Indirection Infrastructure (i3) is another proxy network scheme that
protects Internet services from DoS attacks. As shown in Figure 4-7, the i3 system uses
a Chord overlay network to mediate all traffic between users and applications,
protecting applications from DoS attacks. In the i3 system, the IP address of the
application is hidden from users. On one side of the Chord network, a set of overlay
nodes publish their IP addresses, providing users access to the Chord network. On the
other side, an overlay node called a trigger directly connects to the application and
serves as a rendezvous point for the application. As such, i3 mediates application traffic
through the Chord network and prevents direct infrastructure-level DoS attacks on the
application. Our generic framework captures the key properties of the i3 scheme as
follows.
First, the key components of the i3 system match those of our generic framework.
The Chord network used by i3 can be represented using our generic proxy network with
a Chord topology, the i3 nodes with published IP addresses correspond to the edge
proxies in our framework, and the triggers correspond to the proxies that directly
connect to the application in our framework.
Second, the attack and defense processes described in our generic framework can
also apply to the i3 system. Regarding attacks, both penetration attacks and proxy
depletion attacks described in our framework are key threats to the i3 system. Using
penetration attacks, attackers can penetrate the Chord network and discover the IP
addresses of the application, thereby exposing the application to direct DoS attacks. On
the other hand, using proxy depletion attacks, attackers may compromise all the i3
nodes, thereby disabling the i3 system. Regarding defenses, both reactive and proactive
resource recoveries described in our framework can apply to the i3 system directly. The
i3 proposal does not include any proxy network reconfiguration mechanism.
C) Space of Proxy Networks
Besides the existing proxy network proposals, our generic framework admits DoS
resistance schemes using a wide range of proxy networks, varying in topologies, depth
and width, deployment schemes, and defensive mechanisms. For example, a proxy
network may use a tree or a hypercube [40] as its topology instead of Chord. A proxy
network may also employ defensive mechanisms such as proxy migration or dynamic
change of proxy network topology.
Our generic framework provides a basis for a general exploration of the space of
proxy networks. First, this framework allows study of fundamental capabilities and
limitations of a large class of proxy network-based DoS defense schemes with results
that bear on the entire class. Second, this framework also allows exploration of the
design space of proxy networks, providing design guidelines for proxy network-based
DoS defense.
4.3 RESISTING PENETRATION ATTACKS
Penetration attacks are an important class of attacks on proxy networks. As shown
in Figure 4-8, penetration attacks attempt to compromise proxies along a path in a proxy
network towards the application, thereby penetrating the proxy network, and eventually
exposing the application to direct attacks.

Figure 4-8 Penetration Attacks
We use the amount of time attackers take to penetrate a proxy network as a metric
to evaluate the proxy network's resistance to penetration attacks. If the time to penetrate
a proxy network is sufficiently long (e.g. over a hundred years), then penetration attacks
are no longer a practical threat to the proxy network. In this case, the proxy network can
resist penetration attacks effectively. We study when a proxy network can resist
penetration attacks effectively and what defensive mechanisms are required to achieve
effective resistance.
In order to study these problems, we develop a stochastic model from the generic
framework (defined in Section 4.2) to characterize how attacks and defenses change the
state of system components. In particular, we model the attacks and defenses as
stochastic processes which describe how attacks compromise hosts and proxies and how
defenses recover them. Using this stochastic model, we combine analysis and Monte
Carlo simulation to quantify how long it takes for attackers to penetrate a proxy network
as a function of attacks and defenses. In this way, we characterize the circumstances
under which a proxy network can resist penetration attacks effectively, and what defense
parameters are critical for effective defense.

Using a stochastic approach has two advantages. First, it provides a simple model
to characterize attacks and defenses, making study tractable and results easy to
understand. Second, stochastic analysis enables study of a full spectrum of proxy
networks and attack scenarios at once, and a thorough exploration of the design space.
However, the stochastic approach also has limitations. It is subject to the correctness
and precision of the stochastic model which does not capture all the details of the system
components.
4.4 RESISTING PROXY DEPLETION ATTACKS

Figure 4-9 Proxy Depletion Attacks
Proxy depletion attacks are an important class of attacks on proxy networks. As
shown in Figure 4-9, proxy depletion attacks attempt to compromise all the proxies in a
proxy network, by compromising proxies and propagating along the proxy network
topology, thereby making the proxy network dysfunctional.
To study a proxy network's resistance to proxy depletion attacks, we study when a
proxy network is recoverable under such attacks. We define a proxy network to be
recoverable under proxy depletion attacks if all the compromised proxies can be
recovered regardless of how many proxies are compromised initially. A recoverable proxy
network can provide stable defense against proxy depletion attacks.

In order to study the system dynamics under proxy depletion attacks, we develop a
stochastic model from the generic framework (defined in Section 4.2) to characterize
how attacks and defenses change the state of system components. In particular, we
model the attacks and defenses as stochastic processes which describe how attacks
compromise hosts and proxies and how defenses recover them. Using this stochastic
model, we use graph-theoretical analysis to quantify how the population of
compromised proxies changes under proxy depletion attacks as a function of attacks,
defenses, and proxy network topologies. We use these results to study when a proxy
network is recoverable under proxy depletion attacks, providing stable defense, and
when it is not. By doing so, we develop guidelines of proxy network design for
effective resistance to proxy depletion attacks.
The stochastic approach used for the study of proxy depletion attacks is similar to
the one discussed in Section 4.3, and so it shares similar advantages and limitations. It
provides a simple model, and thus makes study tractable and results easy to understand.
Furthermore, the analysis allows for the examination of a full spectrum of proxy
networks and attack scenarios at once, as well as a thorough exploration of the design
space. However, the key limitation is that it is subject to the correctness and precision
of the stochastic model, which does not capture all the details of the system components.
4.5 RESILIENCE TO DOS ATTACKS ON PROXY NETWORK
DoS attacks are another important class of attacks on proxy networks. As shown in
Figure 4-10, attackers can use infrastructure-level DoS attacks to saturate the edge
proxies by flooding the infrastructure around edge proxies with network traffic, thereby
causing Denial-of-Service for users.

Figure 4-10 Denial of Service attacks
In order to study the use of proxy networks for DoS defense, we need to understand
how well a proxy network can keep applications accessible and maintain good
performance for users under DoS attacks. In particular, we use the user-experienced
application performance delivered by a proxy network under DoS attacks as a metric to
evaluate a proxy network's resilience to DoS attacks. A proxy network can resist a DoS
attack effectively if the majority of the users (e.g. >90%) do not experience significant
performance degradation during the attack. Using this metric, we study whether a proxy
network can resist DoS attacks effectively for a variety of attack scenarios and proxy
network configurations.
There are two major challenges to perform this study. First, for realistic studies we
need to capture detailed network dynamics and behavior of applications and attacks,
since they greatly affect application and proxy network performance under DoS attacks.
Second, we need to study the problem in a large-scale network environment, because it
is a key aspect of the DoS problem for Internet applications.
Theoretical analysis and small-scale simulation cannot meet these challenges
because they cannot capture detailed network behavior in large networks, such as router
queues, packet drops, and dynamic behavior of network and application protocols. All
these factors are critical to application performance and DoS behavior. On the other
hand, experiments on large testbeds such as PlanetLab [109] cannot meet the challenges
either because such testbeds are shared infrastructure; DoS experiments may disrupt
other testbed users by flooding the infrastructure. Thus, the scale, intensity, and range
of attack scenarios that can be studied using an open testbed are very limited.
To address these challenges, we take an experimental approach based on online
simulation. The key element is the use of a large-scale packet-level online network
simulation tool, MicroGrid [37, 41], that supports direct execution of real applications
and correctly models detailed network dynamics and the real temporal and feedback
behavior of network protocols. Furthermore, MicroGrid also supports simulation of large
networks (size comparable to tier-1 ISP networks [37]). These capabilities of
MicroGrid meet the challenges stated above. In our empirical study, we use the
following components to construct our experiments.
- a large-scale, high-fidelity packet-level online network simulator MicroGrid to
simulate a large-scale realistic network environment, which has up to 10,000 routers and
40 ASes, comparable to the size of a Tier-1 ISP network,
- a real proxy network implementation and real applications deployed in the
simulation environment, and
- a zombie network and a real distributed DDoS toolkit to create attack scenarios.
Attack traffic intensities up to 6.4 Gbps and a wide range of different attack scenarios
are explored.
Using these experiments, we take two steps to study how well proxy networks can
resist DoS attacks. First, we demonstrate that in a large resource pool (hosts and
network), a proxy network maintains good performance for most users during DoS
attacks. These results are then confirmed over a range of varied attack magnitude and
distribution. Second, to show that proxy networks cannot be overwhelmed by simply
increasing the volume of DoS attack, we show that the magnitude of DoS attacks that a
proxy network can resist may be increased by using a larger proxy network. These
results together show that proxy networks can be both effective and scalable DoS-
resilient mediators.
Our simulation-based approach has several advantages. First, the direct execution
of real applications enables use of a real implementation of the proxy network, real
applications, and real attacks in our study to correctly capture all their complex
dynamics and performance behavior. Second, correct modeling of the detailed network
and protocol dynamics enables correct characterization of application and proxy
network performance under DoS attacks. Third, simulation of large-scale networks
enables study of the DoS problem in a large-scale network environment. Fourth, the use
of a simulator enables study of a wide range of attack scenarios of various scales and
intensities. These advantages are the key to enable large-scale realistic study.
4.6 SUMMARY
In summary, to study the use of proxy networks for DoS defense, we explore the
capability of proxy networks against three important attacks: penetration attacks, proxy
depletion attacks, and DoS attacks. To study penetration attacks and proxy depletion
attacks, we develop a generic framework to capture a wide range of proxy network-
based DoS defense and build stochastic models for attack and defense processes to
characterize system dynamics. Using the stochastic models, we combine analysis with
Monte Carlo simulation to study when stable defense against penetration attacks is
feasible. We then use graph-theoretical analysis based on the stochastic models to study
when a proxy network can resist proxy depletion attacks effectively. On the other hand,
we study DoS attacks empirically based on online simulation. In particular, we use a
large-scale online packet-level network simulator to simulate a large network
environment and deploy a real software implementation for the proxy network,
applications, and DoS attackers. By using full applications and network protocol stacks
in a realistic detailed packet-level simulation environment, we can model the full
complexity of the network behavior needed to reproduce DoS dynamics accurately.
With this leverage, we study the resilience to DoS attacks for a range of proxy network
structures and attack scenarios.
The analysis and experiments are presented in the next three chapters. Chapter 5
studies whether proxy networks can resist penetration attacks effectively, and
characterizes the key requirements for effective defense against penetration attacks.
Chapter 6 studies a proxy network's ability to resist proxy depletion attacks and shows
how to design proxy networks for effective resistance to proxy depletion attacks.
Chapter 7 studies a proxy network's resilience to DoS attacks by empirical exploration of
application performance under DoS attacks for a range of attack parameters and proxy
network configurations.


Chapter 5 RESISTING PENETRATION ATTACKS
Penetration attacks are a key threat for the proxy network-based DoS defense. By
compromising a chain of proxies towards the application, such attacks penetrate a proxy
network and defeat the proxy network-based scheme by exposing the application to
direct DoS attacks. In this chapter, we study a proxy network's ability to resist
penetration attacks and characterize the requirements for successful resistance.
5.1 INTRODUCTION
We study a proxy network's ability to resist penetration attacks. In particular, we
study the following questions. How long can a proxy network resist a penetration attack
and hide an application's location? How do the defense properties affect a proxy
network's resistance to penetration attacks, and what factors make resistance feasible?
To study these problems, we develop a stochastic model for the generic framework
(defined in Chapter 4) to characterize the dynamics of system components. In
particular, our stochastic model describes quantitatively how attacks, defenses, and
correlated host vulnerabilities affect changes in the state of system components. With
the stochastic model, we combine analysis and Monte Carlo simulation to analyze the
behavior of proxy network systems under penetration attacks, characterizing when their
resistance to penetration attacks is feasible.
We consider correlated vulnerabilities among hosts, which can greatly affect the
behavior of penetration attacks. This is because the low-level mechanisms for
penetration attacks, host compromises, depend on the exploitation of host
vulnerabilities, and correlated vulnerabilities among hosts affect the speed of host
compromises, thereby affecting the progress of penetration attacks. Since correlated
host vulnerabilities complicate the analysis, our approach has two steps.
First, we study a system with uncorrelated host vulnerabilities and analytically
characterize the system behavior. In particular, we characterize quantitatively the
expected time for attackers to expose an application's location as a function of system
parameters. We prove two theorems which characterize dynamic system behavior, and
show that, with appropriate defense, proxy networks can resist penetration attacks
effectively. We use these theorems to study the questions described above.
Second, we use a Monte Carlo simulation to study a system with correlated host
vulnerabilities. In particular, we study how correlation in host vulnerabilities affects a
proxy network's ability to resist penetration attacks. We show that correlated
vulnerabilities can jeopardize a proxy network's ability to resist attacks. We also
demonstrate that, by exploiting limited host diversity and intelligent proxy network
construction, we can compensate for the negative impact of correlated host
vulnerabilities and build a proxy network which can resist penetration attacks
successfully.
Combining both the correlated and uncorrelated host vulnerability cases, we prove
that, in general, proxy networks can be designed to resist penetration attacks effectively.
The remainder of the chapter is structured as follows. Section 5.2 describes our
stochastic model. Section 5.4 and Section 5.5 present the results of our analysis and
Monte Carlo simulation respectively. We conclude in Section 5.6 with a brief
summary.
5.2 STOCHASTIC MODEL FOR SYSTEM COMPONENT DYNAMICS
We model system state as a discrete-time stochastic process in which the state
transitions of system components (hosts and proxies) are stochastic events. As such,
we can quantify how attacks, defenses, correlated host vulnerabilities, and proxy
network topology affect the system. Our stochastic model has two parts: host state
transitions and proxy state transitions; Table 5-1 shows the parameters of the model.
We first describe the model and then interpret the model in practical settings.
Table 5-1 Parameters of the Stochastic Model
Notation   Meaning
0          Rate of host compromises based on new vulnerabilities
v          Rate of host compromises based on known vulnerabilities
s          Rate of proactive resets
d          Speed of reactive recovery
r          Rate of proxy migration

A) Host State Transitions
Attacks, resource recovery (both proactive and reactive), and correlated host
vulnerabilities are the three main factors that affect the transitions of host states. We
first describe how our model captures attacks and resource recovery when the host
vulnerabilities are uncorrelated; we then describe how our model captures correlated
host vulnerabilities.

Figure 5-1 Host State Transitions
The shaded area in Figure 5-1 shows the host state transitions when the host
vulnerabilities are uncorrelated. Our model uses three parameters (0, d, and s in Table
5-1) to describe the speed of attacks, reactive resource recovery, and proactive resets,
respectively. Within a discrete time step, attackers have a probability equal to
parameter 0 to compromise an intact host by exploiting a vulnerability of the host.
Meanwhile, reactive resource recovery has a probability equal to parameter d to recover
a compromised host by detecting and removing the infection, while proactive resets
have a probability equal to parameter s to recover a compromised host by proactively
reloading the host with a clean system image.
Our model also captures correlated host vulnerabilities. We use domains to
describe the correlated vulnerabilities among hosts (see Figure 5-2). Hosts are grouped
into domains. Within a domain, hosts use similar software with similar configurations,
thereby sharing similar vulnerabilities. Across domains, hosts differ in software,
configurations, and other attributes, thereby providing a model for uncorrelated
vulnerabilities. A system with uncorrelated host vulnerabilities (see Figure 5-2.A) is an
extreme case where each host is in its own domain. Another extreme case is one where
all hosts are in the same domain (see Figure 5-2.B). In general, hosts in a system are
grouped into multiple domains (see Figure 5-2.C), and the number of domains is a
measure of host diversity in the system.

Figure 5-2 Domain-Based Correlated Host Vulnerability Model
To model the impact of correlated host vulnerabilities, we introduce an intermediate
host state, intact_v (an intact host with a known vulnerability), and one more parameter,
the known-vulnerability compromise rate (parameter v; see Figure 5-1). Here is the
revised model. Within a discrete time step, with probability equal to parameter 0,
attackers can compromise an intact host by exploiting a new vulnerability, changing the
other intact hosts in the same domain to the intact_v state. With probability equal to
parameter v, attackers can compromise an intact_v host by exploiting a known
vulnerability. Meanwhile, with probability equal to parameter s, proactive resets can
return a host from the intact_v state to the intact state by removing the known
vulnerabilities. With probabilities equal to parameters d and s, reactive recovery and
proactive resets respectively return a compromised host to the intact state.
B) Proxy State Transition

Figure 5-3 Proxy State Transition
A proxy's state depends on three factors: the state of the host where the proxy runs,
the state of the neighboring proxies, and whether or not the proxy is an edge proxy.
Based on the host state transition model described above, we can use the following rules
to determine the state of a proxy under host compromise attacks.
- A proxy is compromised if and only if its host is.
- The neighbors of a compromised proxy are exposed, or compromised.
- All edge proxies are exposed or compromised.
Furthermore, proxy migration moves a proxy to a different host and changes the
proxy's state accordingly. We use a migration rate (parameter r) to describe the proxy
migration process, where proxies choose migration targets randomly and the migration
overhead is small compared to the interval between migrations. More precisely, a proxy
has probability equal to parameter r to move to a different host within a discrete time
step. After migration, the proxy's state is determined by the rules above.
C) Discussion of the Model and Real World Data
Our model, while simple, captures all the key factors of the system, including speed
of attack, speed of defense, proxy network structure, and correlated host vulnerabilities.
These factors together determine how the system state changes over time, and allow us
to study the system dynamics under penetration attacks. To interpret our model (see
Table 5-1) in practical settings, we present numbers from real systems.
Table 5-2 Windows Vulnerability Statistics
Year 2001 2002 2003 2004
WinXp Pro 5 20 19 18
Win2K Server 28 24 19 18

Parameter 0 is the rate of discovery and exploit of new host vulnerabilities, an
example of which is the exploitable vulnerabilities of the operating system software.
The Microsoft security bulletin [110] catalogues critical and remotely exploitable
vulnerabilities of Windows XP Professional and Windows 2K Server. Table 5-2 shows
the number of new vulnerabilities discovered for each period. On average, there are
about 20 new vulnerabilities discovered each year, one new vulnerability every two to
three weeks. These numbers provide a realistic approximation of parameter 0 in
practice.
Parameter v is the rate of host compromises using known vulnerabilities. Studies
on computer vulnerabilities and attack incidents [111, 112] show that discovery and
exploitation of new vulnerabilities is time-consuming and requires a significant amount
of expertise in the victim system. In contrast, compromising a host using a known bug
is fairly easy, because techniques and tools used in previous attacks can be leveraged.
Therefore, parameter v is typically significantly larger than parameter 0 (parameter 0
<< parameter v). An example of correlated host compromises is worms [11-13, 113],
which use the same bug to compromise hundreds of hosts in minutes, or even less.
Parameter d is the speed of reactive recovery, which depends on intrusion
detection. Previous research on Intrusion Detection Systems (IDS) [17, 18] indicates
that modern IDS can achieve real-time detection. Therefore parameter d is primarily
determined by how fast a detected intrusion can be removed.
Parameter r is the proxy migration rate. Our prototype implementation of a proxy
network has a sub-second migration overhead in a large network. This suggests that
current technology can support daily, or even hourly, proxy migration rates, i.e.
10x~100x higher than parameter 0.
5.3 SYSTEM DYNAMICS UNDER PENETRATION ATTACKS
We use an example to show how to use the stochastic model to describe a system
under penetration attacks. Figure 5-4 shows a snapshot of a proxy network's state (the
state of all the proxies) under a penetration attack. As shown in Figure 5-4, an attacker
penetrates the proxy network along a path from an edge proxy to the application
(proxies on the path are labeled 1, 2, ..., d in Figure 5-4).
Within a discrete time step, attackers have probability equal to parameter 0 (or
parameter v) to compromise the deepest exposed proxy on the chain (proxy 2 in the
figure). If successful, attackers expose the next proxy (proxy 3 in the figure) on the
chain, and penetrate one step further. Meanwhile, the deepest exposed proxy has
probability equal to parameter r to migrate to a new location, thereby returning to the
intact state and reducing the attack progress by one or more steps. Furthermore,
reactive (proactive) resource recovery has probability equal to parameter d (s) to return
compromised proxies to the exposed state by recovering compromised hosts. As such,
we can characterize the system dynamics using the stochastic model.
In addition, our model considers correlated host vulnerabilities. For example, as
shown in Figure 5-4 (shaded areas mark the domains for proxy hosts), since proxy 2's
host is the first being attacked in its domain, compromising it requires exploitation of a
new vulnerability; therefore, the probability to compromise proxy 2 is parameter 0. On
the other hand, since proxies 2 and 3 run on hosts in the same domain, once proxy 2 is
compromised, proxy 3 can be compromised using the same vulnerability; therefore, the
probability to compromise proxy 3 after compromising proxy 2 is parameter v. As such,
we model the impact of correlated host vulnerabilities on system dynamics.

Figure 5-4 System Dynamics under Penetration Attacks



5.4 ANALYTICAL RESULTS: UNCORRELATED VULNERABILITIES
In this section we study analytically a system with uncorrelated host vulnerabilities
to provide a baseline for understanding a proxy network's ability to resist penetration
attacks. This study also provides a basis for a more general analysis. We first present
and prove two theorems which quantify the expected time for attackers to penetrate a
proxy network, then address feasibility questions.
5.4.1 Theorems for Penetration Resistance
We study proxy networks under penetration attacks in two cases. First, we study
proxy networks which do not use reconfiguration schemes. This allows us to
understand whether the proxy indirections of a proxy network are sufficient for
penetration resistance. Second, we study whether simple reconfiguration schemes, such
as random proxy migration, can improve a proxy network's ability to resist penetration
attacks.
5.4.1.1 Theorem 1: Systems without Proxy Network Reconfiguration
Theorem 1. Without proxy network reconfiguration, the expected time to application
exposure T satisfies T ≤ d × (expected time to compromise a host), where the expected
time to compromise a host is the reciprocal of parameter 0 and d is the proxy network
depth.
Proof:
If there are no reconfiguration mechanisms which can invalidate the information
that attackers have acquired, a proxy remains exposed once it has become so. Consider
a proxy network of depth d. Parameter 0 is the probability of a successful host
compromise in one stochastic trial. The Markov state transition graph for the system is
shown in Figure 5-5. Node i (0 ≤ i ≤ d) corresponds to the state where the deepest
exposed proxy is at depth i. Initially, the system is at state 0, because the edge proxy is
exposed.

Figure 5-5 Markov State Transition (without reconfiguration)
Consider the case where there is only one attacker. Let p_d(t) be the probability of
the system reaching state d before time t. It is straightforward to see that p_d(t) follows
an Erlang distribution (each state transition to the right in Figure 5-5 can be viewed as a
Poisson event with rate equal to parameter 0; therefore reaching state d is equivalent to
the occurrence of the d-th Poisson event with that rate). Therefore the expected time to
application exposure is T = d / (parameter 0) = d × (expected time to compromise a
host). In the general case, where there are multiple attackers, the expected time to
application exposure can only be shorter. Therefore the time to application exposure T
satisfies T ≤ d × (expected time to compromise a host). Q.E.D.
5.4.1.2 Theorem 2: Systems with Proxy Migration
Theorem 2. Consider a proxy network with random proxy migration rate (parameter
r). When the migration rate exceeds twice the host compromise rate (parameter r >
2 × parameter 0), the expected time to application exposure T grows exponentially with
the proxy network depth d: T is bounded below by a term on the order of (migration
rate / (2 × compromise rate)) raised to a power linear in d, and bounded above by a
term on the order of (migration rate / compromise rate) raised to a power linear in d,
each multiplied by the expected time to compromise a host. When the migration rate is
below the host compromise rate (parameter r < parameter 0), T grows at most linearly
with d, on the order of d multiplied by the expected time to compromise a host, with a
coefficient determined by the compromise and migration rates. Here the expected time
to compromise a host is the reciprocal of parameter 0.

Proof:
Consider a chain of proxies with depth d. Each proxy on the chain is labeled with
its depth, e.g. the edge proxy is proxy 0, and a proxy at depth k is proxy k. The Markov
state transition graph for this proxy network is shown in Figure 5-6 (for brevity, the
compromise rate in the remainder of the proof refers to parameter 0). In state 0, only the
edge proxy is exposed. In state k (1 ≤ k ≤ d), the (k-1)th proxy is compromised and the
kth proxy is exposed. In state k', the kth proxy is exposed, but the (k-1)th proxy is not
compromised. We study the expected time from state 0 to reach state d in two boundary
cases: no recovery and perfect recovery. When there is no recovery, a proxy stays
compromised until it migrates. With perfect recovery, hosts are recovered
instantaneously after being compromised (in Figure 5-6, state k goes to state k' with
certainty).
Let T_k denote the expected time to reach state d from state k (0 ≤ k ≤ d); let T'_k
denote the expected time to reach state d from state k' (1 ≤ k ≤ d-1). By definition T_d
= 0. We must compute T_0, the expected time to penetrate a proxy network of depth d
from an edge proxy. We compute T_0 for the two cases: no recovery and perfect
recovery.

Figure 5-6 Markov State Transition (with proxy migration)
A) No Recovery
From the Markov state transition graph (see Figure 5-6), we obtain a system of linear
equations in T_0, ..., T_d and T'_1, ..., T'_(d-1): the expected time from each state equals
one time step plus the expected times of the states reachable from it, weighted by the
transition probabilities in Figure 5-6 (the compromise rate, the migration rate, and the
probability of staying in the same state). Solving this system gives a closed-form
expression (I) for T_0 in terms of d and x, where x is the ratio of the migration rate
(parameter r) to the compromise rate. Therefore in the case of no recovery, when the
migration rate is more than twice the compromise rate, T_0 is on the order of (x/2)
raised to a power linear in d, multiplied by the expected time to compromise a host (the
reciprocal of the compromise rate).
B) Perfect Recovery
From the Markov state transition graph (see Figure 5-6), we obtain the corresponding
system of linear equations for the perfect recovery case, in which every transition into
state k continues to state k' with certainty. Solving this system gives a closed-form
expression (II) for T_0 in terms of d and x, where x is again the ratio of the migration
rate to the compromise rate. Therefore in the case of perfect recovery, when the
migration rate exceeds the compromise rate, T_0 is on the order of x raised to a power
linear in d, multiplied by the expected time to compromise a host; and when the
migration rate is below the compromise rate, T_0 is on the order of d multiplied by the
expected time to compromise a host, with a coefficient determined by the two rates.
Combining both cases, we know that, in general, when the migration rate exceeds
twice the compromise rate (parameter r > 2 × parameter 0), T_0 lies between the no
recovery bound and the perfect recovery bound above, both exponential in d; when the
migration rate is below the compromise rate (parameter r < parameter 0), T_0 is no
greater than the perfect recovery bound, which is linear in d.
Q.E.D.
Equipped with these theorems, we study a proxy network's ability to resist
penetration attacks. First, we study whether proxy networks can hide an application's
location indefinitely from penetration attacks. Then, we identify important system
parameters for effective defense against penetration attacks by analyzing the impact of
defenses, such as proxy migration, proxy network depth, and resource recovery.
5.4.2 Can Proxy Networks Resist Penetration Attacks?
Without proxy network reconfiguration, a proxy network is vulnerable to
penetration attacks, since Theorem 1 shows that an attacker can penetrate the proxy
network within a short period of time, which is a linear function of proxy network depth.
The reason for this linear growth is that without reconfiguration, a proxy network allows
attackers to gain information monotonically (once a proxy is exposed, it remains so), so
that attackers need only compromise the proxies on a path to the application exactly
once to penetrate the proxy network.
On the other hand, with proxy migration, a proxy network can resist penetration
attacks effectively. Theorem 2 shows that when proxy migration is added, the time to
penetrate a proxy network can be made to grow exponentially with the proxy network
depth. Thus, small increases in proxy network depth (small increased application
overhead) can significantly improve resistance to penetration attacks. Consequently,
proxy networks of moderate depth can resist penetration attacks effectively, securely
hiding the application's IP address. For example, using the numbers in Table 5-2, if
attackers take two weeks to compromise a host, and proxies migrate once per day
(parameter r ≈ 10 × parameter 0), then penetrating a proxy network of depth four takes
about fifty years on average, and a proxy network of depth six would take about five
thousand years on average, eliminating this type of attack as a practical concern.
In summary, without reconfiguration, proxy networks are vulnerable to penetration
attacks. However, when proxy migration is added, proxy networks can not only resist
penetration attacks effectively, but their resistance to penetration attacks has excellent
scaling properties.
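To make Theorems 1 and 2 concrete, the following added example (my code, not code from the dissertation) solves a simplified version of the penetration-attack Markov chain exactly and checks it by Monte Carlo simulation. It assumes a chain of its own (state = depth of the deepest exposed proxy, per-step compromise probability p standing in for parameter 0, per-step migration probability r standing in for parameter r, no resource recovery), which is not the chain of Figure 5-6, so its numbers are close to but not identical to those quoted above.

```python
"""Expected time to application exposure for a simplified penetration-attack chain.

Assumed chain (this example's own, not the dissertation's Figure 5-6): the state is
the depth k of the deepest exposed proxy (k = 0: only the edge proxy is exposed,
k = d: the application is exposed).  In each discrete time step the attacker first
compromises proxy k with probability p, which exposes proxy k+1; if that fails, the
deepest exposed proxy migrates with probability r, which pushes the attack back one
step.  The edge proxy is always exposed, so state 0 cannot move back.  Resource
recovery is not modelled.
"""
import random


def step_probabilities(p, r):
    """Per-step probability of advancing one proxy (up) and of being pushed back (down)."""
    if not (0.0 < p <= 1.0) or not (0.0 <= r <= 1.0):
        raise ValueError("p must be in (0, 1] and r in [0, 1]")
    return p, (1.0 - p) * r


def expected_time_to_exposure(d, p, r):
    """Exact expected number of time steps to reach state d from state 0.

    Hitting-time equations of the birth-death chain:
        T_0 = 1 + up*T_1 + (1-up)*T_0,                               T_d = 0
        T_k = 1 + up*T_{k+1} + down*T_{k-1} + (1-up-down)*T_k         (1 <= k < d)
    In terms of the differences D_k = T_k - T_{k+1} these become
        D_0 = 1/up,   D_k = (1 + down*D_{k-1}) / up,
    so T_0 = D_0 + ... + D_{d-1}.  With r = 0 this is d/p, the single-attacker
    value of Theorem 1; with down > up the D_k grow geometrically, so T_0 is
    exponential in d, the regime of Theorem 2.
    """
    if d < 1:
        raise ValueError("proxy network depth must be at least 1")
    up, down = step_probabilities(p, r)
    d_prev = 1.0 / up            # D_0: from state 0 the chain can only advance or stay
    total = d_prev
    for _ in range(1, d):
        d_prev = (1.0 + down * d_prev) / up
        total += d_prev
    return total


def simulate_time_to_exposure(d, p, r, rng):
    """One Monte Carlo run of the same chain; returns the number of steps until state d."""
    up, down = step_probabilities(p, r)
    k, steps = 0, 0
    while k < d:
        steps += 1
        u = rng.random()
        if u < up:
            k += 1                   # attacker compromises proxy k, exposing proxy k+1
        elif u < up + down and k > 0:
            k -= 1                   # deepest exposed proxy migrates; attacker loses a step
    return steps


def mean_simulated_time(d, p, r, runs, seed=1):
    """Average simulated time over `runs` independent runs with a fixed seed."""
    rng = random.Random(seed)
    return sum(simulate_time_to_exposure(d, p, r, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    # Constructed scenario in the spirit of Section 5.4.2: the time unit is one day,
    # a host compromise takes two weeks on average (p = 1/14), and the deepest
    # exposed proxy migrates with per-day probability 0 (none), 0.05 (slow) or 0.7 (fast).
    p = 1.0 / 14.0
    for r in (0.0, 0.05, 0.7):
        row = "  ".join(
            f"d={depth}: {expected_time_to_exposure(depth, p, r) / 365.0:12.2f} yr"
            for depth in (2, 4, 6)
        )
        print(f"r = {r:4.2f}: {row}")
    print("Monte Carlo check (d=3, p=0.5, r=0.5): exact",
          expected_time_to_exposure(3, 0.5, 0.5), "vs simulated",
          round(mean_simulated_time(3, 0.5, 0.5, runs=2000), 2))
```

Running the script shows the two regimes of Theorem 2 side by side: with r = 0 the time grows linearly with depth (Theorem 1), while with r = 0.7 each added pair of proxies multiplies it by roughly two orders of magnitude.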
5.4.3 What System Parameters Enable Effective Resistance?
To identify which system parameters matter most, we study the impact of system
defenses. There are three key defense parameters: proxy network depth, proxy
migration rate and resource recovery performance. To understand the impact of proxy
network depth and migration rate, we vary them and study the amount of time required
to penetrate a proxy network. To understand the impact of resource recovery schemes,
we explore two cases: no recovery and perfect recovery. With no recovery,
compromised hosts are never recovered (this case assumes an infinite resource pool).
With perfect recovery, all compromised hosts are recovered immediately. These
cases provide an envelope for general cases using any resource recovery schemes.
5.4.3.1 Impact of Proxy Network Depth
Figure 5-7 plots the time to application exposure (log scale; unit: reciprocal of
parameter 0) against proxy network depth d from 0 to 20, with curves for no recovery
and perfect recovery, at migration rate parameter r = 10 × parameter 0.
Figure 5-7 Impact of Proxy Network Depth
Proxy network depth is critical for resisting penetration attacks. Theorem 2 shows
that increasing a proxy network's depth can increase the time to application exposure
exponentially (when parameter r > 2 × parameter 0), thereby improving penetration
resistance significantly. For example, Figure 5-7 shows the time to application
exposure (computed using equations (I) and (II) in Section 5.4.1.2) as a function of
proxy network depth for a migration rate parameter r = 10 × parameter 0; the X-axis is
a proxy network's depth, and the Y-axis is the amount of time required for exposing the
application. Figure 5-7 clearly shows that the time to application exposure increases
exponentially with proxy network depth (note the log scale). For example, in Figure
5-7, when the depth grows by five (e.g. from 5 to 10), the time to application exposure
grows by several orders of magnitude (10^4x and 10^5x on each curve, respectively).
Thus, proxy networks can be an effective barrier to
penetration attacks and proxy network depth is a critical factor to increase the resistance.
5.4.3.2 Impact of Proxy Migration Rate
Proxy migration rate is critical for effective resistance to penetration attacks; it can
change a proxy network's penetration resistance qualitatively. Theorem 2 states that
when the proxy migration rate is sufficiently fast (parameter r > 2 × parameter 0), the
time to penetrate a proxy network grows exponentially with the proxy network's depth.
In this case, small increases in proxy network depth can improve penetration resistance
significantly. Consequently, proxy networks of moderate depth can resist penetration
attacks effectively. For example, using the numbers in Table 5-2 (attackers take two
weeks to compromise a host), if the proxy migration rate is sufficiently fast (e.g.
parameter r = 10 × parameter 0), then penetrating a proxy network of depth four takes
about fifty years on average, and a proxy network of depth six would take about five
thousand years on average, thus eliminating penetration attacks as a practical concern.
In contrast, Theorem 2 states that when the proxy migration rate is insufficient
(parameter r < parameter 0), the time to penetrate a proxy network grows at most
linearly with the proxy network's depth. In this case, increasing proxy network depth
cannot improve resistance significantly, and proxy networks of moderate depth can be
penetrated in a short period of time. For example, with the same attack speed as the
previous example, if the proxy migration rate is insufficient (e.g. parameter r = 0.1 ×
parameter 0), then penetrating a proxy network of depth four takes only two months on
average, and a proxy network of depth six would take only three months on average,
providing no effective defense against penetration attacks.
Figure 5-8 plots the time to application exposure (log scale; unit: reciprocal of
parameter 0) against the proxy migration rate parameter r (in units of parameter 0,
from 0 to 100), with curves for perfect recovery and no recovery, for proxy network
depth d = 5 (left panel) and d = 10 (right panel).
Figure 5-8 Impact of Proxy Migration
Furthermore, proxy migration rate also affects the time to application exposure
significantly. Figure 5-8 shows how proxy migration rate affects the expected time to
application exposure for proxy networks of depth 5 and 10 respectively. These results
clearly show that increasing migration rate increases the time to application exposure
significantly (note the log scale). For example, for a proxy network of depth 10,
doubling the migration rate increases the time to application exposure by 1000 times.
5.4.3.3 Impact of Resource Recovery
In both Figure 5-7 and Figure 5-8, the curves for no recovery and perfect
recovery differ by a moderate margin, indicating that resource recovery has only a
moderate impact on the resistance to penetration attacks. Adjusting the proxy migration
rate and the proxy network depth can compensate for poor resource recovery by
allowing proxies to flee the compromised area. This is workable as long as sufficient
intact hosts remain in the resource pool. However, in general, good resource recovery is
necessary because it can sustain an intact host population in the resource pool, and help
to overcome correlated host vulnerabilities as discussed in Section 5.5.2.
5.5 SIMULATION RESULTS: CORRELATED VULNERABILITIES
From the previous section, we know that with proxy migration, proxy networks can
resist penetration attacks effectively; the time to penetrate a proxy network increases
exponentially with the proxy network's depth. However, analysis so far assumed
uncorrelated host vulnerabilities. Typically, hosts share a range of correlated host
vulnerabilities (e.g. exploitable bugs in the same software or operating systems,
common configuration errors, same user accounts with same passwords), and
compromising one host can increase the chance of compromising others significantly.
In this section, we use a Monte-Carlo simulation to study systems in which hosts have
correlated vulnerabilities. We first analyze how adding correlated host vulnerabilities
affects the previous results, and what can be used to mitigate the negative impact of
correlated host vulnerabilities. Then, based on these results, we study whether proxy
networks can resist penetration attacks with correlated host vulnerabilities.
In the simulation, we choose the correlated compromise probability to be close to 1, to
represent highly correlated host vulnerabilities (footnote 3); i.e. once attackers
compromise a host, they can compromise any other host in the same domain with a high
probability within the next time step (recall that hosts in a domain have highly
correlated vulnerabilities, and hosts across domains are uncorrelated). The host
compromise rate is set according to Table 5-2; other parameters are relative to it and
can be easily inferred.

3 As long as the correlated compromise probability is significantly larger than the host
compromise rate, the results are qualitatively the same.
5.5.1 How Does Adding Correlated Host Vulnerabilities Affect Previous Results?
Figure 5-9 Impact of Proxy Network Depth with Correlated Host Vulnerabilities. The
X-axis is proxy network depth (0 to 35); the Y-axis is the time to application exposure
in units of the inverse host compromise rate (0 to 4); the two curves are for proxy
migration rates of 10 and 30 times the host compromise rate, both with correlated
compromise probability 0.90.
To answer this question, we consider a system in which all hosts are in the same
domain where the host vulnerabilities are highly correlated (correlated compromise
probability 0.9) and the hosts do not use proactive resets to remove known
vulnerabilities (proactive reset rate 0). Figure 5-9 shows the time to application
exposure as a function of proxy network depth with high proxy migration rates (10 and 30
times the host compromise rate respectively) and instantaneous reactive resource recovery
(reactive recovery rate 1: all hosts are recovered immediately after they are
compromised). In Figure 5-9, the X-axis is proxy network depth, and the Y-axis is the
time to application exposure. Our simulation results show that correlated vulnerabilities
have a major impact on a proxy network's resistance to penetration attacks. Recall that
if host vulnerabilities are uncorrelated (as in Figure 5-7), the time to application
exposure would increase exponentially with proxy network depth. However, both curves in
Figure 5-9 stay flat, indicating that in a system with correlated host vulnerabilities,
the time to application exposure does not increase much with proxy network depth, which
means that the proxy network cannot resist penetration attacks effectively. Therefore,
correlated host vulnerabilities can change a proxy network's ability to resist
penetration attacks qualitatively, thus dramatically reducing the effectiveness of
defense.
5.5.2 How to Mitigate the Impact of Correlated Host Vulnerabilities?
Unless the negative impact of correlated host vulnerabilities can be mitigated,
proxy networks cannot resist penetration attacks effectively. We consider two
techniques for mitigation: proactive resets and host diversity. Proactive resets can
remove known host vulnerabilities before they can be attacked, thereby mitigating the
impact of correlated host vulnerabilities. Meanwhile, host diversity (recall that the
degree of host diversity is the number of domains in the system) can reduce correlated
host vulnerabilities because only hosts inside the same domain have correlated host
vulnerabilities, and hosts in different domains are uncorrelated.
Figure 5-10 Penetration Probability under Varied Proactive Reset Rates. The X-axis is
proxy network depth (0 to 35); the Y-axis is the probability of penetration within $10^6$
time steps (0 to 1); curves for proactive reset rates of 1, 5, 10 and 20 times the host
compromise rate, plus the no-correlation case; one domain, proxy migration rate 10 times
the host compromise rate, correlated compromise probability 0.99.
To study how proactive resets reduce the negative impact of correlated host
vulnerabilities, we vary the proactive reset rate and study the penetration probability
for proxy networks in a system of one domain (all the hosts have highly correlated
vulnerabilities, correlated compromise probability 0.90). Specifically, for a range of
proxy networks with varied depths, we measure the probability of penetrating them within
$10^6$ time steps under varied proactive reset rates. The results are shown in Figure
5-10. The X-axis is the depth of a proxy network, and the Y-axis is the probability of
penetrating the proxy network within $10^6$ time steps. Each curve corresponds to a
proactive reset rate. The case of uncorrelated host vulnerabilities is also shown for
comparison; the gap between a curve and the uncorrelated case measures the remaining
impact of correlation, so a smaller difference indicates a better reduction of the
negative impact of correlated host vulnerabilities. Figure 5-10 shows that even for high
proactive reset rates, the impact of correlated host vulnerabilities is still prominent.
This is because proactive resets are not guaranteed to happen before attacks, and known
host vulnerabilities are not always removed before being attacked. Therefore proactive
resets alone cannot contain the impact of correlated host vulnerabilities effectively.
We study whether adding host diversity into the system can reduce the negative
impact of correlated host vulnerabilities. In particular, at a fixed proactive reset rate
(e.g. ten times the host compromise rate) and a fixed proxy migration rate (e.g. ten
times the host compromise rate), we measure the probability of penetrating a proxy
network in systems of varied degrees of host diversity. In each system, hosts are
partitioned equally into k domains (k = 1, 2, 3, 4, 8), and proxies are placed randomly
on the hosts. The results are shown in Figure 5-11. The X-axis is the depth of a proxy
network, and the Y-axis is the probability of penetrating the proxy network within $10^6$
time steps. Each curve corresponds to a certain degree of host diversity; the case of
uncorrelated host vulnerabilities is also plotted for comparison.
Figure 5-11 Penetration Probability under Varied Host Diversity. The X-axis is proxy
network depth (0 to 35); the Y-axis is the penetration probability (0 to 1); curves for
1 domain (no diversity), 2, 3, 4 and 8 domains, plus the no-correlation case; proxy
migration rate and proactive reset rate both 10 times the host compromise rate,
correlated compromise probability 0.99.
Figure 5-11 shows that adding even small degrees of host diversity into the system
can reduce the impact of correlated host vulnerabilities significantly. In Figure 5-11,
without host diversity, a proxy network of depth 32 can be penetrated within $10^6$ time
steps (with probability 1). In contrast, in a system with two domains, a proxy network
of depth 25 cannot be penetrated within $10^6$ time steps (penetration probability is
close to zero); and in a system with three domains, a proxy network of depth 15 cannot be
penetrated within $10^6$ time steps.

Figure 5-12 Host Diversity in a Proxy Chain. The diagram shows proxies 1, 2, 3, ..., d
in a chain in front of the application; proxies 1 and 3 are on hosts in Domain 1 and
proxy 2 is on a host in Domain 2.
We use an example to explain why host diversity reduces the negative impact of
correlated host vulnerabilities. Consider a proxy chain shown in Figure 5-12; proxy 1
and 3 run on hosts in the same domain, while proxy 2 runs on a host in a different
domain. After proxy 1 is compromised, the host of proxy 3 becomes vulnerable because
it has the same vulnerability used for compromising proxy 1. However, proxy 3 is not
exposed yet, and attackers cannot attack proxy 3 before compromising proxy 2. Since
proxy 1 and proxy 2 are uncorrelated, proxy 2 is not affected by proxy 1's compromise,
and becomes a barrier to slow down attackers. By the time attackers compromise proxy
2 and start attacking proxy 3, there is a good chance that proactive resets have already
removed the known vulnerability on proxy 3's host. Therefore, host diversity (with
proactive resets) can greatly reduce the impact of correlated host vulnerabilities.
5.5.3 Can Proxy Networks Resist Penetration Attacks with Correlated
Vulnerabilities?
We have shown that host diversity and proactive resets can potentially counter the
negative impact of correlated host vulnerabilities. However, as shown in Figure 5-11, a
naive scheme (proxies are randomly placed on hosts) is insufficient to remove the
negative impact of correlated host vulnerabilities. The simple scheme has two main
shortcomings.
First, placing proxies randomly allows neighboring proxies to run in the same
domain, so their host vulnerabilities are correlated and they will fail together. A better
approach is to place neighboring proxies on hosts in different domains, which will
increase the effectiveness of the proxy network in slowing the attack progress.
Second, allowing proxies to migrate to random hosts may help attackers, because a
proxy may migrate to a host which has known vulnerabilities, allowing it to be
compromised quickly, thereby improving the attack progress.

Figure 5-13 Interleaved Design for A Proxy Chain
To address these issues, we develop an interleaved proxy network design where 1)
proxy hosts are selected such that the distance is maximized between any pair of proxies
in the same domain, and 2) proxy migrations are confined to hosts from the same
domain. For example, as shown in Figure 5-13, we can place a chain of proxies on hosts
of k domains using a round-robin order (footnote 4).
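The following Monte Carlo simulation is an added example, not code from the dissertation. It implements a simplified version of the chain model used in this chapter (a per-step host compromise rate, proxy migration that returns a compromised proxy to a fresh host, a shared per-domain vulnerability that attackers learn on their first compromise in that domain and that proactive resets clear) and compares the naive random placement of Section 5.5.2 with the interleaved round-robin design, with migration confined to the proxy's own domain in the interleaved case. The rates, the chain depth, the simulation horizon and the trial counts are constructed values; the per-domain "known vulnerability" flag is this example's simplification of the per-host correlation in the dissertation's model.

```python
import random
from dataclasses import dataclass


@dataclass
class Rates:
    """Per-time-step probabilities; all values used below are constructed for this example."""
    compromise: float   # host compromise rate for a host with no known vulnerability
    migration: float    # rate at which a compromised proxy is migrated to a fresh host
    correlated: float   # compromise probability once the host's domain vulnerability is known
    reset: float        # proactive reset rate: clears a known domain vulnerability


def interleaved_domains(depth, k):
    """Round-robin placement: proxy i runs in domain i mod k, so two proxies of the
    same domain are separated by k-1 proxies from other domains."""
    return [i % k for i in range(depth)]


def penetrate_chain(domains, k, rates, max_steps, rng, confine_migration):
    """Simulate attackers walking a proxy chain. Proxy 0 is exposed to the network;
    proxy i > 0 is exposed only while proxy i-1 is compromised. Returns the step at
    which the last proxy (the application's contact) falls, or None within max_steps."""
    domains = list(domains)
    depth = len(domains)
    compromised = [False] * depth
    known = [False] * k          # domains whose shared vulnerability attackers have learned
    for t in range(1, max_steps + 1):
        # proactive resets remove a known vulnerability from a domain
        for dom in range(k):
            if known[dom] and rng.random() < rates.reset:
                known[dom] = False
        # attacks on every exposed, still-intact proxy (exposure uses last step's state)
        fell = []
        for i in range(depth):
            exposed = i == 0 or compromised[i - 1]
            if exposed and not compromised[i]:
                p = rates.correlated if known[domains[i]] else rates.compromise
                if rng.random() < p:
                    fell.append(i)
        for i in fell:
            compromised[i] = True
            known[domains[i]] = True
        if compromised[depth - 1]:
            return t
        # proxy migration: a compromised proxy moves to a fresh host and becomes intact
        for i in range(depth):
            if compromised[i] and rng.random() < rates.migration:
                compromised[i] = False
                if not confine_migration:
                    # naive scheme: the new host may sit in any domain, possibly a known one
                    domains[i] = rng.randrange(k)
    return None


def penetration_probability(depth, k, rates, max_steps, trials, interleaved, seed=1):
    """Fraction of trials in which the chain is penetrated within max_steps."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if interleaved:
            domains = interleaved_domains(depth, k)
        else:
            domains = [rng.randrange(k) for _ in range(depth)]
        if penetrate_chain(domains, k, rates, max_steps, rng, interleaved) is not None:
            hits += 1
    return hits / trials


def compare_designs(depth=8, max_steps=400, trials=60):
    """Penetration probability of the naive random design versus the interleaved design
    for 1, 2 and 4 domains. One step is one day; a host takes about two weeks to
    compromise (constructed parameters, loosely following Table 5-2)."""
    rates = Rates(compromise=1 / 14, migration=0.5, correlated=0.99, reset=0.1)
    results = {}
    for k in (1, 2, 4):
        results[f"k={k} random"] = penetration_probability(
            depth, k, rates, max_steps, trials, interleaved=False)
        results[f"k={k} interleaved"] = penetration_probability(
            depth, k, rates, max_steps, trials, interleaved=True)
    return results


if __name__ == "__main__":
    for name, p in compare_designs().items():
        print(f"{name:18s} penetration probability within 400 steps: {p:.2f}")
```

Running the block prints one line per design; the interesting comparison is the 1-domain case (no diversity, where every proxy after the first falls at the correlated rate) against the 4-domain interleaved case, where an attacker must cross three unknown domains before the learned vulnerability is useful again.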
To understand the effectiveness of the interleaved design in reducing the impact of
correlated host vulnerabilities, we measure the probability of penetrating proxy
networks using this design in systems with varied degrees of host diversity. The results
for two proxy migration rates (5 and 10 times the host compromise rate) are shown in
Figure 5-14. The X-axis is the depth of a proxy network, and the Y-axis is the
probability of penetrating the proxy network within $10^6$ time steps. Each curve
corresponds to a certain degree of host diversity, and the case of uncorrelated host
vulnerabilities is also plotted for comparison.
In Figure 5-14, the curves for 4 and 8 domains closely follow the curve for the
uncorrelated case. To verify this finding, we also study the system for longer time
periods ($10^7$ and $10^8$ time steps, see Figure 5-15), and observe the same
phenomenon: with 4 or more domains, the system behaves almost identically to one with
uncorrelated vulnerabilities. This indicates that using a small degree of host
diversity, e.g. 4 domains, our design can reduce the negative impact of correlated host
vulnerabilities significantly, and enable a proxy network to resist penetration attacks
effectively.

4 Here we only consider simple proxy network topologies, such as a line or a tree, in
which round-robin assignment can trivially implement the heuristic. Complex topologies
require more sophisticated assignment schemes; for a system of k domains the minimum
distance between proxies of the same domain may be less than k-1.

Figure 5-13 (diagram): proxies 1, 2, 3, 4, 5 form a chain in front of the application
and are assigned round-robin to Domain 1, Domain 2 and Domain 3.
Figure 5-14 Effectiveness of Interleaved Design. Two panels, for proxy migration rates
of 5 and 10 times the host compromise rate: the X-axis is proxy network depth (0 to 35);
the Y-axis is the probability of penetration within $10^6$ time steps (0 to 1); curves
for 2, 3, 4 and 8 domains, plus the no-correlation case; proactive reset rate 10 times
the host compromise rate, correlated compromise probability 0.99.
Figure 5-15 Effectiveness of Interleaved Design (data points observed from $10^7$ and
$10^8$ time steps). Two panels: the X-axis is proxy network depth (0 to 35); the Y-axis
is the probability of penetration within $10^7$ (left) and $10^8$ (right) time steps
(0 to 1); curves for 2, 3, 4 and 8 domains, plus the no-correlation case; proxy
migration rate and proactive reset rate both 10 times the host compromise rate,
correlated compromise probability 0.99.
Here is why a small degree of host diversity can be used for effective defense. In
the interleaved design for a chain of proxies in a system of k domains (illustrated in
Figure 5-13), between any two proxies (A and B) in the same domain there is a path of
k-1 proxies in different domains. After compromising proxy A, attackers must penetrate
this path before they can attack proxy B. Since the penetration time grows
exponentially with the path length (which is k-1), a small degree of host diversity (or
the number of domains k) can provide a large penetration time (footnote 5), allowing
enough time for proactive resets to remove the known vulnerabilities on proxy B's host
(used for proxy A's compromise) before they are attacked. Therefore, the interleaved
design can reduce the impact of correlated host vulnerabilities significantly, thus
enabling effective resistance to penetration attacks.

5 It takes 100 times longer to penetrate a path with length three (case of 4 domains)
than length one (case of 2 domains), when the proxy migration rate is ten times the
host compromise rate.
5.6 SUMMARY
We develop a stochastic model based on the generic framework introduced in
Chapter 4 and use it to characterize the impact of attacks and defenses on the proxy
network system. Based on this model, we combine analysis with Monte Carlo
simulation to study proxy networks' resistance to penetration attacks. We show that,
- without reconfiguration mechanisms, a proxy network is vulnerable to penetration
attacks,
- with proxy migration, a proxy network can resist penetration attacks effectively:
the time to penetrate the proxy network grows exponentially with its depth, so that a
moderate depth enables effective resistance to penetration attacks. Proxy network depth
and proxy migration rates are the critical factors for achieving effectiveness.
- in many cases, correlated host vulnerabilities can make a proxy network vulnerable
to penetration attacks.
- by exploiting the host (OS/software) diversity and intelligent proxy network
construction, a proxy network can mitigate the negative impact of correlated host
vulnerabilities and resist penetration attacks effectively.
First, we analyze situations with uncorrelated host vulnerabilities. We prove that
without reconfiguration, the time to penetrate a proxy network grows linearly with the
proxy network depth; it indicates that, without reconfiguration, a proxy network is
vulnerable to penetration attacks. We also prove that with proxy migration, the time to
penetrate a proxy network can grow exponentially with the proxy network depth; it
indicates that, with proxy migration, a proxy network of a moderate depth can resist
penetration attacks effectively.
Then, using Monte Carlo simulations, we study situations with correlated host
vulnerabilities. We show that, by exploiting host diversity and intelligent proxy network
construction, a proxy network can behave as well as in the uncorrelated case, mitigating
the impact of correlated host vulnerabilities and enabling effective resistance to
penetration attacks.

Chapter 6 RESISTING PROXY DEPLETION ATTACKS
Proxy depletion attacks are a critical threat for applications using proxy network-
based DoS defense. By compromising proxies along a proxy network's topology, such
attacks can increase the number of compromised proxies, and may eventually make the
proxy network dysfunctional by compromising all the proxies. In this chapter, we study
proxy networks' ability to resist proxy depletion attacks and characterize the
requirements for effective resistance.
6.1 INTRODUCTION
We study the circumstances under which a proxy network can provide stable
defense against proxy depletion attacks in a system where host vulnerabilities are
uncorrelated. In particular, we study the question of when a proxy network is
recoverable under proxy depletion attacks and when it is not. As defined in Section 4.4,
a proxy network is recoverable if all the compromised proxies can be recovered
regardless of how many proxies are compromised initially.
We study these problems analytically. We use the stochastic model defined in
Section 5.2 to characterize the dynamics of system components. In particular, the model
quantifies how attacks and defenses affect changes in the state of system components.
Based on this model, we use a graph-based analysis to study the changes in
compromised proxy population as a function of attacks, defenses, and proxy network
topology.
Through this analysis, we find that topology is critical for a proxy network's
resistance to proxy depletion attacks. We provide two theorems: one which
characterizes the class of topologies that allow the attackers' progress to be erased
quickly, thereby enabling effective defense against proxy depletion attacks, and the
other which identifies the class of topologies that allows attacks to expand quickly,
thereby making the proxy network vulnerable. Using these results, we conduct a case
study on a range of popular proxy network topologies to identify the topologies that can
support effective resistance to proxy depletion attacks, and those that cannot.
The remainder of the chapter is structured as follows. Section 6.2 describes the
stochastic model used in our analysis. Section 6.3 presents our analytical results and the
design principles based on the analysis. Section 6.4 presents the case study. Section 6.5
summarizes our results.
6.2 STOCHASTIC MODEL
We use the stochastic model defined in Chapter 5 to describe how attacks and
defenses change the state of system components; as such, we can quantify how attacks,
defenses, and proxy network topology affect the system dynamics under proxy depletion
attacks. Since considering topology in the analysis adds significant complexity, we only
study systems with uncorrelated host vulnerabilities and without resource recovery
(footnote 6) to make the analysis tractable. Specifically, we fix the following
parameters in the model. First, the resource recovery rates (both reactive and
proactive) are fixed to zero. Second, host vulnerabilities are uncorrelated.

6 This assumes an infinite resource pool.

Figure 6-1 Proxy State Transition (states: intact, exposed, compromised)
For clarity, we briefly describe the model used in the analysis. The model, denoted
by M(G, , ), uses three parameters to describe proxy state transition (see Figure 6-1).
Parameter G is the proxy network topology; the second parameter is the speed of attack
(the host compromise rate in the previous model); the third parameter is the speed of
defense (the proxy migration rate in the previous model). Proxies change state according
to three rules:
- With probability equal to the attack speed, an exposed proxy can be changed into the
compromised state at the next step.
- With probability equal to the defense speed, a compromised or exposed proxy can be
changed into the intact state at the next step (or exposed, according to the last rule).
- u and v are vertices of G. If uv is an edge in G, and u is compromised and v is intact,
then v is instantaneously exposed.
We use an example to show how to apply the stochastic model to describe a system
under proxy depletion attacks. Figure 6-2 shows a snapshot of a proxy network's state
(the state of all the proxies) under a proxy depletion attack. As shown in Figure 6-2,
proxy depletion attacks propagate along the proxy network topology. Within a discrete
time step, attackers compromise an exposed proxy with probability equal to the attack
speed; if successful, attackers expose all the neighbors of the compromised proxy.
Meanwhile, within a discrete time step, defenses migrate an exposed (or compromised)
proxy to a new location with probability equal to the defense speed, thereby changing
its state to intact. As such, we can use the stochastic model to describe a proxy
network under proxy depletion attacks.
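As an added example (not the dissertation's own code), the block below simulates the three transition rules on small topologies, starting from the worst case in which every proxy is compromised, and reports how often the network returns to an all-intact state; it also computes the largest adjacency eigenvalue of the topology by power iteration, since the analysis in Section 6.3 relates recoverability to the spectrum of the topology. The ordering of the rules within a step (migration is decided before the attack on an exposed proxy, and exposure is recomputed afterwards), the assumption that an exposed proxy stays exposed until it migrates or is compromised, and the numeric rates are this example's own choices.

```python
import random

INTACT, EXPOSED, COMPROMISED = "intact", "exposed", "compromised"


def ring(n):
    """Adjacency lists of a cycle on n vertices (a 2-regular topology)."""
    return {v: [(v - 1) % n, (v + 1) % n] for v in range(n)}


def star(leaves):
    """Hub vertex 0 joined to `leaves` leaf vertices (a tree topology)."""
    adj = {0: list(range(1, leaves + 1))}
    for v in range(1, leaves + 1):
        adj[v] = [0]
    return adj


def complete(n):
    """Complete graph on n vertices (every proxy adjacent to every other)."""
    return {v: [u for u in range(n) if u != v] for v in range(n)}


def largest_eigenvalue(adj, iters=500):
    """Largest adjacency eigenvalue by power iteration on A + I; the shift keeps the
    iteration from oscillating on bipartite graphs such as even cycles. The estimate
    is the Rayleigh quotient of the current iterate, minus the shift."""
    nodes = sorted(adj)
    x = {v: 1.0 for v in nodes}
    estimate = 0.0
    for _ in range(iters):
        y = {v: x[v] + sum(x[u] for u in adj[v]) for v in nodes}
        estimate = sum(x[v] * y[v] for v in nodes) / sum(x[v] * x[v] for v in nodes)
        norm = max(abs(val) for val in y.values())
        x = {v: val / norm for v, val in y.items()}
    return estimate - 1.0


def step(adj, state, attack, defense, rng):
    """One discrete time step of the model's three rules (ordering is this example's choice)."""
    new = {}
    for v, s in state.items():
        if s == COMPROMISED:
            new[v] = INTACT if rng.random() < defense else COMPROMISED
        elif s == EXPOSED:
            if rng.random() < defense:
                new[v] = INTACT            # migrated to a fresh host before being attacked
            elif rng.random() < attack:
                new[v] = COMPROMISED
            else:
                new[v] = EXPOSED           # assumption: stays exposed until migrated or attacked
        else:
            new[v] = INTACT
    # rule 3: an intact vertex adjacent to a compromised one is exposed at once
    for v in list(new):
        if new[v] == INTACT and any(new[u] == COMPROMISED for u in adj[v]):
            new[v] = EXPOSED
    return new


def steps_to_recover(adj, attack, defense, max_steps, rng):
    """Start with every proxy compromised and count the steps until no compromised
    or exposed proxy is left; None if the network has not recovered by max_steps."""
    state = {v: COMPROMISED for v in adj}
    for t in range(1, max_steps + 1):
        state = step(adj, state, attack, defense, rng)
        if all(s == INTACT for s in state.values()):
            return t
    return None


def recovery_rate(adj, attack, defense, max_steps=300, trials=40, seed=7):
    """Fraction of trials in which the proxy network recovers within max_steps."""
    rng = random.Random(seed)
    recovered = sum(steps_to_recover(adj, attack, defense, max_steps, rng) is not None
                    for _ in range(trials))
    return recovered / trials


if __name__ == "__main__":
    topo = ring(12)
    print("largest adjacency eigenvalue of C_12:", round(largest_eigenvalue(topo), 3))
    for attack, defense in ((0.1, 0.9), (0.5, 0.5), (0.9, 0.05)):   # constructed rates
        print(f"attack={attack} defense={defense}: "
              f"recovery rate {recovery_rate(topo, attack, defense):.2f}")
```

The three printed configurations move from a defense much faster than the attack, where the all-compromised start is erased within a few steps, to a defense much slower than the attack, where re-compromise of exposed neighbours keeps the compromised population alive for the whole run.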

Figure 6-2 System Dynamics under Proxy Depletion Attacks (legend: compromised, exposed and intact proxies, and the proxy depletion attack)
6.3 GRAPH-THEORETIC ANALYSIS
In this section we study, analytically, proxy networks' resistance to proxy depletion
attacks. Using the stochastic model described in Section 6.2, we study the changes of
compromised proxy population as a function of attacks, defenses, and topology, in order
to understand when a proxy network can provide stable defense against proxy depletion
attacks. Specifically, we present and prove two theorems which characterize the
circumstances when a proxy network is recoverable under proxy depletion attacks, and
when it is not. Based on these results, we discuss design principles for proxy networks
in order to achieve effective resistance to proxy depletion attacks.



6.3.1 Analysis and Results
Using the stochastic model defined in Section 6.2, we study the time evolution of
compromised proxy population by analyzing the state transitions for all the proxies in
the proxy network. Specifically, for each proxy, we consider its probability of being
compromised, and study how this probability changes over time, according to the proxy
state transition rules described in the stochastic model. Through this approach, we can
determine whether or not a proxy network is recoverable. If for all proxies in a proxy
network the probability of being compromised approaches zero over time, then the
proxy network is recoverable; on the other hand, if there are always proxies whose
probability of being compromised is non-zero, then the proxy network is not
recoverable.
Through this analysis, we provide Theorem 3 and Theorem 4, which characterize
the circumstances when a proxy network is recoverable and when it is not, respectively.
They show how attack, defense, and the spectra or eigenvalues of proxy network
topology G determine a proxy network's resistance to attacks. In the following, we
describe the theorems, discuss their meaning, and present proofs. For reference, some
general graph theory background about the spectra of graphs used in the proofs is
introduced in the Appendix.
A) Theorem for Recoverable Proxy Networks
Theorem 3. Theorem for Recoverable Proxy Networks: For model M(G, , ), G is
robust if
1
) (
o


>
+
, where $\lambda_1$ is the largest eigenvalue of the adjacency matrix of G.
In particular, for any initial states, almost surely all compromised and exposed vertices
vanish after
|
|
.
|

\
|
+
+
n O log
2
1
2
1
o
o
steps, where n is the number of vertices in G.
Theorem 3 uses attack speed, defense speed, and the graph property $\lambda_1$ of the
proxy network topology to characterize when a proxy network is recoverable under proxy
depletion attacks. $\lambda_1$ is the largest eigenvalue of the adjacency matrix of the
proxy network topology, characterizing connectivity. Informally, we can treat
$\lambda_1$ as an average vertex degree of the graph (footnote 7).


Figure 6-3 Illustration of Theorem 3 (legend: compromised proxy, proxy, attack)
Theorem 3 provides a sufficient condition for a proxy network being recoverable. It
says that when the defense speed (proxy migration rate) is $\lambda_1$ times
(footnote 8) faster than the attack speed (host compromise rate), the proxy network is
recoverable. In this case, all

7 We have $d_{\min} \le \lambda_1 \le d_{\max}$ for any graph G, where $d_{\min}$ and
$d_{\max}$ are, respectively, the smallest and the largest vertex degree of the graph.
In particular, $\lambda_1 = d$ for any d-regular graph.
8 More precisely, (+)/ > $\lambda_1$. We know + is a non-trivial constant. Therefore,
/ is the deciding factor of the left-hand side of the inequality.
compromised proxies will be quickly returned to the intact state regardless of the
initial state of the proxy network, even if there are many compromised proxies
initially. Here is an intuitive explanation of Theorem 3. As shown in Figure 6-3, a
proxy depletion attack propagates along the proxy network topology; once a proxy is
compromised, all its neighbors (each proxy has approximately $\lambda_1$ neighbors) are
exposed and subject to immediate attacks. If the defense speed is $\lambda_1$ times
faster than the attack speed, then the defense can move all the newly exposed proxies
to new locations before attackers compromise any of them, thereby preventing attack
propagation. Proof of Theorem 3 is given below.
Proof of Theorem 3:
Let $f_v^t$ (or $g_v^t$) be the probability that the node v is compromised (or exposed)
at time t, respectively. We have the following recurrence formula for every vertex v and
time t.

+ =
+ =
[ [
+ + + +
+
v u v u
t
u
t
v
t
u
t
v
t
v
t
v
t
v
t
v
f g f f g
g f f
~ ~
1 1 1 1
1
) 1 ( ) 1 ( )) 1 ( 1 )( 1 (
) 1 (



Here $u \sim v$ means uv is an edge. The first additive term in $g_v^{t+1}$ is the
contribution due to the fact that a neighbor of v is compromised at time t+1. The second
term is the probability that a vertex is exposed at time t and continues to be exposed
at t+1. We can rewrite it as follows.

+ =
+ =
[
+ +
+
v u
t
v
t
u
t
v
t
v
t
v
t
v
t
v
t
v
g f g f g
g f f
~
1 1
1
) 1 ( )) 1 ( 1 )( ) 1 ( ) 1 ( 1 (
) 1 (



Furthermore, we have

+ s
+ +
v u
t
v
t
u
t
v
g f g
~
1 1
) 1 ( . Here we use the inequality
[
+ +
s
v u v u
t
u
t
u
f f
~ ~
1 1
)) 1 ( 1 ( . Let
$f^t$ be the column vector with i-th entry $f_i^t$. Let $g^t$ be the column vector
with i-th entry $g_i^t$. We get the following equations.

+ s
+ =
+ +
+
t t t
t t t
g Af g
g f f
) 1 (
) 1 (
1 1
1



A is the adjacency matrix of G. Given two vectors X and Y, the notation $X \le Y$
means $X_i \le Y_i$ for every index i. We can rewrite it into the following matrix form.
|
|
.
|

\
|
|
|
.
|

\
|

s
|
|
.
|

\
|
|
|
.
|

\
|

+
+
t
t
t
t
g
f
I
I I
g
f
I A
I
) 1 ( 0
) 1 ( 0
1
1



We left-multiply both sides with a non-negative matrix
|
|
.
|

\
|
I A
I 0
, and we have
|
|
.
|

\
|
=
|
|
.
|

\
|
|
|
.
|

\
|
+

s
|
|
.
|

\
|
+
+
t
t
t
t
t
t
g
f
M
g
f
I A A
I I
g
f
) 1 ( ) 1 (
) 1 (
1
1


(i)
Let M denote the square matrix in the above inequality. We have
|
|
|
.
|

\
|
+

|
|
|
.
|

\
|
+
+ +
+
|
|
.
|

\
|
+

=
|
|
.
|

\
|
+ + +
+
=
I
I
x
I
A
x
x
I x
I x
I A
x
I
I x A A
I I x
M xI
0
1
1
) 1 ( 0
0 ) 1 (
1
1
0
) 1 ( ) 1 (
) 1 (




Therefore
[
=
+ + + =
n
i
i
x x x M xI
1
) ) 1 )( 1 (( ) det( o ...(ii).
Here $\lambda_1 \ge \lambda_2 \ge \cdots \ge \lambda_n$ are the eigenvalues of A.
Furthermore, let $x_1 \ge x_2 \ge \cdots \ge x_{2n}$ be the eigenvalues of M, and we
know that
$$\lim_{t \to \infty} \begin{pmatrix} f^t \\ g^t \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \end{pmatrix}$$
if $|x_i| < 1$. It is clear from (ii) that all the eigenvalues of M are positive.
Therefore, for $|x_i| < 1$, it is sufficient if $x_1 < 1$.
x
1
satisfies the equation 0 ) 1 )( 1 ( ) (
1
= + + + = x x x x o k and x
1
<1 if and
only if 0 ) ( ) 1 (
1
> + = o k which is
1
) (
o


>
+
. Therefore, when
1
) (
o


>
+
, for any initial state, almost surely there are no compromised or exposed
nodes after ) log
2
( )
log
log
(
1
2
1
1
n O
x
n
O
o
o
+
+
=

steps. Q.E.D.
B) Theorem for Unrecoverable Proxy Networks
Theorem 4. Theorem for Unrecoverable Proxy Networks: For the model M(G, , ),
G is vulnerable if the ratio of defense speed to attack speed is less than
$1/\bar\lambda^2 - 1$, where $\bar\lambda = \max_{i \neq 0} |1 - \lambda_i|$ and
$\{\lambda_i\}$ are the Laplacian
spectrum of G. In particular, with some constant probability, the volume of
compromised vertices reaches
|
.
|

\
|
O ) (
2
G vol t within
|
|
.
|

\
|
+ +

O n log
) 1 ) /( (
2
2
t
t

steps, where n is the number of vertices in G. The volume of a vertex set S, vol(S), is
the sum of degrees of the vertices in S, i.e. $\mathrm{vol}(S) = \sum_{v \in S} d_v$.
Theorem 4 uses attack speed, defense speed, and the graph property $\bar\lambda$ of the
proxy network topology to characterize when a proxy network is not recoverable under
proxy depletion attacks. Parameter $\bar\lambda$ is the Laplacian spectrum of the proxy
network topology graph. The Laplacian spectrum $\bar\lambda$ is another important
property that characterizes graph connectivity, describing how a set of vertices expands
to its neighborhood; informally, it is the ratio between the number of edges connecting
these vertices, and the total number of edges these vertices have. For any graph,
$0 \le \bar\lambda \le 1$; a smaller $\bar\lambda$ implies richer connectivity and
better neighborhood expansion in the graph, where a small set of vertices connect many
neighbors. Extensive discussion about Laplacian spectrum can be found in [114].

Figure 6-4 Illustration of Theorem 4 (legend: compromised proxy, proxy, attack)
Theorem 4 describes a sufficient condition for a proxy network being unrecoverable.
It says that when the defense speed (proxy migration rate) is less than
$1/\bar\lambda^2 - 1$ times the attack speed (host compromise rate), the proxy network
is unrecoverable. In this case, even if attackers only have one compromised proxy at the
beginning, the number of compromised proxies will grow quickly, and the defense can
never cleanly remove
them. More importantly, this theorem applies to any sub-graph of a proxy network
topology. If this condition holds in any sub-graph of a proxy network, then the
compromised proxies in that sub-graph will linger and never be completely removed.
Here is an intuitive explanation of Theorem 4. As shown in Figure 6-4, for a set of N
compromised proxies (in the shaded area in Figure 6-4), there are approximately
$(1/\bar\lambda^2 - 1)N$ other proxies adjacent to them. If the defense speed is less
than $1/\bar\lambda^2 - 1$ times the attack speed, then there is a high probability that
the defense cannot move all the newly exposed proxies to new locations before some of
them are compromised, thereby allowing the attack to propagate. Proof of Theorem 4 is
given below.
Proof of Theorem 4:
In the proof, we use the following lemma about Laplacian spectrum, which has
already been proved in [114].
Lemma 0: Suppose G is not a complete graph. For $S \subset V(G)$, the neighborhood
N(S) satisfies
$$\frac{\mathrm{vol}\,N(S)}{\mathrm{vol}(S)} \ge \frac{1}{\bar\lambda^2 + (1 - \bar\lambda^2)\,\mathrm{vol}(S)/\mathrm{vol}(G)},$$
where $\bar\lambda = \max_{i \neq 0} |1 - \lambda_i|$ is the Laplacian spectrum of G.
Let $S_t$ (or $T_t$) be the set of compromised (or exposed) nodes at time t,
respectively. Let $X_t$ be the volume of the set of compromised nodes, i.e.
$X_t = \mathrm{vol}(S_t)$. Let $Y_t = \mathrm{vol}(T_t)$ be the volume of the set of
exposed nodes. We have
+ + >
+ =
+ =
+ +
+ + + + +
+
)) \ ) ( ( ( ) ( ) ( ) 1 (
)) \ ) ( ( ( ))) \ ) ( ( \ ( ( ) 1 ( ) (
) ( ) ( ) 1 ( ) (
1 1
1 1 1 1 1
1
t t t
t t t t t t
t t t
S S N vol E Y E
S S N vol E S S N T vol E Y E
Y E X E X E



.
From Lemma 0, for any subset S with $\mathrm{vol}(S) \le c\,\mathrm{vol}(G)$, we have
$$\frac{\mathrm{vol}(N(S))}{\mathrm{vol}(S)} \ge \frac{1}{\bar\lambda^2 + (1 - \bar\lambda^2)\,c}.$$
Let $\sigma = \frac{1}{\bar\lambda^2 + (1 - \bar\lambda^2)\,c} - 1$. The following
recurrence formula holds as long as $\mathrm{vol}(S_{t+1}) \le c\,\mathrm{vol}(G)$.
+ + >
+ =
+ +
+
) ( ) ( ) ( ) 1 ( ) (
) ( ) ( ) 1 ( ) (
1 1
1
t t t
t t t
X E Y E Y E
Y E X E X E
o


We can rewrite it into the following form.
|
|
.
|

\
|
|
|
.
|

\
|

>
|
|
.
|

\
|
|
|
.
|

\
|
+
+
+
) (
) (
1 0
1
) (
) (
1 ) (
0 1
1
1
t
t
t
t
Y E
X E
Y E
X E


o

Left-multiplying both sides by a non-negative matrix
|
|
.
|

\
|
+ 1 ) (
0 1
o
, we have
|
|
.
|

\
|
>
|
|
.
|

\
|
+
+
) (
) (
) (
) (
1
1
t
t
t
t
Y E
X E
M
Y E
X E
, where
|
|
.
|

\
|
+ + +

=
o o

) ( ) 1 ( ) 1 ( ) (
1
M .
The characteristic polynomial p(x) of M is
x x x x p o ) ( ) 1 )( 1 ( ) ( + + + + = .
Since ) )( ( ) 1 ( o + = p , the largest eigenvalue o(M) of M is greater than 1 if
<o. In this case, we have
o

o
) ( 2
2
) (
2
+ +
+
> M . Let (c
1
,c
2
) be the
corresponding eigenvector of o(M) so that (c
1
, c
2
)M=o(M)(c
1
, c
2
). Then, both c
1
and c
2

115

are positive. The expect value of c
1
X
t
+c
2
Y
t
increases by a factor of at least
o
o
o
) ( 2
) )( (
1 ) (
+ +
+
+ > M until X
t
> cvol(G).
Let Z
t
= c
1
X
t
+c
2
Y
t
. The statement above shows the expected value of Z
t
grows
exponentially as a function of t. By the recurrence formula of E(X
t
) and E(Y
t
), both
expected values of X
t
and Y
t
will grow exponentially. It is sufficient to show Z
t
grow
exponentially with constant probability.
By Chernoff's Inequality, we can show Z
t
concentrates on its expected value. There
exists an absolute constant c so the following statement holds.
) (
2
)) ( ) 1 ( Pr(
t
Z E c
t t
e Z E Z
c
c

s > .
Since E(Z
t
) increases by a factor of o(M) and

>

0
) (
2
t
M c
t
e
o c
converges, there
exists an absolute constant t
0
such that
2
1
0
2
) (
<

>

t t
Z E c
t
e
c
. Moreover, there is a
constant probability that ) (
0
t t
Z E Z > for some t s 2t
0
. Hence, with a positive constant
probability, Z
t
will grow at least by a factor 1
2
) ( 1
>
+ M o
until X
t
reaches cvol(G). We
choose ) (
2
t c O = so that 1
1
2
~
t
o . Therefore we have the following statement.
116

When 1
1
2
~ <
t
o

, Z
t
, X
t
and Y
t
will reach )) ( (
2
G vol t O with a constant
probability within ) log
) 1 ) /( (
( ) log
2
) )( (
(
2
2
2
n n
t
t
o o
o
+ +

O =
+
+
O steps.
Therefore Theorem 4 is proved. Q.E.D.
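The growth threshold of the proof above, as an added example that is not part of the dissertation: it takes the expected-value recurrence E(X_{t+1}) = (1−δ)E(X_t) + βE(Y_t), E(Y_{t+1}) ≥ (1−δ)E(Y_t) + δαE(X_{t+1}) (the bound used as equality), with δ the defense speed, β the attack speed and α the expansion constant from Lemma 0, and checks that the iterated volumes grow exactly when δ < αβ, at the rate ρ(M). All numeric parameters below are constructed.

```python
"""Growth threshold of the Theorem 4 recurrence (added example, not from the dissertation).
Assumes E(X_{t+1}) = (1-delta) E(X_t) + beta E(Y_t) and
        E(Y_{t+1}) = (1-delta) E(Y_t) + delta*alpha*E(X_{t+1})   (lower bound used as equality)
with delta = defense speed, beta = attack speed (per-step probabilities) and alpha the
neighbourhood-expansion constant from Lemma 0.  All numeric inputs are constructed."""
import math

def alpha_from_tau(tau, c):
    """alpha = 1/((1-tau)^2 c + tau^2) - 1 for subsets with vol(S) <= c vol(G)."""
    return 1.0 / ((1.0 - tau) ** 2 * c + tau ** 2) - 1.0

def growth_matrix(delta, beta, alpha):
    """M with (E(X_{t+1}), E(Y_{t+1}))^T = M (E(X_t), E(Y_t))^T under the recurrence."""
    return [[1.0 - delta, beta],
            [delta * alpha * (1.0 - delta), (1.0 - delta) + delta * alpha * beta]]

def char_poly(x, delta, beta, alpha):
    """p(x) = (x - 1 + delta)^2 - delta*alpha*beta*x, the characteristic polynomial of M."""
    return (x - 1.0 + delta) ** 2 - delta * alpha * beta * x

def spectral_radius(delta, beta, alpha):
    """Largest root of p(x), i.e. the Perron eigenvalue rho(M)."""
    a, b = 1.0 - delta, delta * alpha * beta
    return (2.0 * a + b + math.sqrt(b * (4.0 * a + b))) / 2.0

def attack_spreads(delta, beta, alpha):
    """Theorem 4 condition: p(1) = delta*(delta - alpha*beta) < 0, i.e. rho(M) > 1."""
    return delta < alpha * beta

def iterate(delta, beta, alpha, x0=1.0, y0=0.0, steps=60):
    """Expected compromised (X) and exposed (Y) volume per step, starting from x0, y0."""
    xs, ys = [x0], [y0]
    for _ in range(steps):
        x_next = (1.0 - delta) * xs[-1] + beta * ys[-1]
        y_next = (1.0 - delta) * ys[-1] + delta * alpha * x_next
        xs.append(x_next)
        ys.append(y_next)
    return xs, ys

def observed_growth_factor(delta, beta, alpha, steps=60):
    """Ratio of successive X+Y after the transient; it converges to rho(M)."""
    xs, ys = iterate(delta, beta, alpha, steps=steps)
    return (xs[-1] + ys[-1]) / (xs[-2] + ys[-2])

def steps_to_reach(delta, beta, alpha, target, x0=1.0, y0=0.0, limit=10_000):
    """First t with E(X_t) >= target (e.g. c*vol(G)), or None if the attack dies out."""
    x, y = x0, y0
    for t in range(limit + 1):
        if x >= target:
            return t
        x = (1.0 - delta) * x + beta * y      # X_{t+1}
        y = (1.0 - delta) * y + delta * alpha * x  # Y_{t+1} uses the new X
    return None

if __name__ == "__main__":
    alpha = alpha_from_tau(0.7, 0.1)          # constructed tau and volume fraction c
    for delta in (0.05, 0.2, 0.6):
        print(f"delta={delta}: spreads={attack_spreads(delta, 0.5, alpha)}, "
              f"rho(M)={spectral_radius(delta, 0.5, alpha):.4f}, "
              f"steps to X>=1e4: {steps_to_reach(delta, 0.5, alpha, 1e4)}")
```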
6.3.2 Design Principles
Our analysis shows that topology is important for a proxy network's resistance to
proxy depletion attacks. A good topology supports robust defense against proxy
depletion attacks, enabling attackers' progress to be erased quickly; conversely, a bad
topology allows attacks to expand quickly, making a proxy network vulnerable to proxy
depletion attacks. Our theorems reveal the relation between key properties of topology
and a proxy network's resistance to proxy depletion attacks. As a result, the theorems
allow us to identify favorable and unfavorable proxy network topologies for effective
defense against proxy depletion attacks.
A) Unfavorable Topologies for Resisting Proxy Depletion Attacks
Topologies with high vertex degrees or large clusters of tightly connected vertices
are unfavorable for supporting effective defense against proxy depletion attacks. From
Theorem 3, we know that topologies with high vertex degrees allow attackers to expose
a large number of proxies by compromising one proxy, thereby requiring the defense
speed to be significantly faster than the attack speed to erase the attack progress, and
thus make the proxy network recoverable. Therefore, such topologies are unfavorable
for supporting effective defense against proxy depletion attacks. Furthermore, from
Theorem 4 we know that topologies with large clusters of tightly connected nodes (such
clusters have large $1/\tau^2 - 1$ values) allow compromised proxies to linger inside those
clusters, from where they cannot easily be removed. Therefore, such topologies are also
unfavorable.
B) Favorable Topologies for Resisting Proxy Depletion Attacks
Topologies with low vertex degrees and balanced distribution of connectivity (no
tightly connected sub-graphs) are favorable for supporting effective defense against
proxy depletion attacks. Having a topology of a low vertex degree allows a proxy
network to use a low-speed defense in order to contain the attack and to recover
compromised proxies (according to Theorem 3), thereby effectively resisting proxy
depletion attacks. Furthermore, according to Theorem 4, having a balanced distribution
of connectivity ensures that the topology does not have vulnerable sub-graphs to harbor
attacks.
In the design of proxy networks for DoS defense, one should observe these
principles and build topologies that allow effective resistance to proxy depletion attacks,
and avoid topologies that make proxy networks unrecoverable under such attacks.
6.4 CASE STUDY
Using the theorems presented in the previous section, we can determine whether or
not a proxy network topology is favorable for supporting effective resistance to proxy
depletion attacks. To demonstrate how this can be done, we conduct a case study,
applying the theorems to several popular topologies in order to compare their support
for effective defense against proxy depletion attacks. We identify which topologies are
favorable and which are not. In the following section, we first describe the topologies
considered in our case study, and then apply the theorems to evaluate these topologies.
6.4.1 Topologies
We consider the following candidate topologies for proxy network-based DoS
defense: Chord [38], CAN [39], de Bruijn graphs [40] and hypercube [40]. Chord and
CAN are reasonable candidates for proxy networks, because they are widely used for
overlay network topology. On the other hand, de Bruijn graphs and hypercube are
obvious candidates because they are popular topologies for communication networks
[40], and their properties have been well-studied. In addition, since the adjacency
relationship between neighboring proxy nodes is symmetric, we only consider
undirected versions of these topologies, even though some of them, such as Chord and
de Bruijn graphs, are directed in their original form. Table 6-1 summarizes the
topological properties of the graphs discussed in this section.
Table 6-1 Topological Properties of Selected Graphs
Graph                                                  Size                     Vertex Degree   Diameter
CAN network (n-dimensional torus of dimensions         $\prod_{i=1}^{n} z_i$    2n              $\sum_{i=1}^{n} \lfloor z_i/2 \rfloor$
  $z_1, z_2, \dots, z_n$)
Chord graph with $N = 2^n$ nodes                       $2^n$                    2n-1            n
k-ary de Bruijn graph of order n (undirected)          $k^n$                    $\le 2k$        n
n-dimensional hypercube                                $2^n$                    n               n
6.4.1.1 Chord
As a convention, we use N to denote the number of vertices in a graph. The Chord [38]
topology is a regular graph with degree $2\log_2 N - 1$. Consider a Chord network with
$N = 2^n$ nodes: each node is given a unique ID between 0 and N-1, and there is an edge
between vertices i and j if and only if $|i - j| = 2^k$ (distances taken around the ring,
i.e. modulo N), where $0 \le k \le n-1$ is an integer (Figure 6-5). Intuitively, in a Chord
topology all the nodes are on a ring and two nodes are connected if and only if there are
$2^k - 1$ nodes between them.

Figure 6-5 Chord Network Topology (N=8)
6.4.1.2 CAN

Figure 6-6 Two-dimensional CAN Network (N=9)
The CAN [39] topology is an n-dimensional Cartesian space torus [40]. An n-dimensional
torus of dimensions $z_1, \dots, z_n$ is a regular graph of degree 2n, which has
$N = \prod_{i=1}^{n} z_i$ vertices, with edges joining two vertices whenever their Cartesian
coordinates are adjacent (wrap-around allowed) and differ only in one dimension. Its
diameter is $\sum_{i=1}^{n} \lfloor z_i/2 \rfloor$. Figure 6-6 shows a 2D-CAN network with 9 nodes.
6.4.1.3 De Bruijn

Figure 6-7 Undirected Binary de Bruijn Graph (N=8)
A binary de Bruijn graph is the state transition graph of a shift register. A binary de
Bruijn graph [40] of order n has $N = 2^n$ nodes labeled with the bit representation of the
numbers $0, \dots, 2^n - 1$, where vertices are connected if and only if the label of one is
the left- or right-shifted label of the other, or it is the left- or right-shifted label of
the other and differs, correspondingly, in the first or last bit. An undirected de Bruijn
graph can be straightforwardly derived by removing self-loops and redundant edges.
Figure 6-7 shows an undirected binary de Bruijn graph of order 3. Furthermore, a k-ary de
Bruijn graph is defined similarly by allowing k labeling symbols instead of bits. A k-ary
de Bruijn graph of order n has $N = k^n$ nodes with a maximum vertex degree of 2k and a
diameter of n.
6.4.1.4 Hypercube
An n-dimensional hypercube [40] is a graph with $N = 2^n$ vertices labeled by n-bit
binary strings, with edges joining two vertices whenever their labels differ in a single
bit. Figure 6-8 shows a 3-dimensional hypercube. It is a regular graph with vertex
degree of n and has a diameter of n.

Figure 6-8 3-dimensional Hypercube (N=8)
6.4.2 Comparison using Theory
We study the following seven representative topologies: 2D-, 3D- and 4D-CAN,
Chord, binary and 4-ary de Bruijn, and hypercube. We study proxy networks of
moderate sizes, which have 256 and 1024 nodes. Figure 6-9 and Figure 6-10 show the
eigenvalues and the $1/\tau^2 - 1$ values of these graphs ($\tau$ is the Laplacian spectrum
of a graph), respectively. From these results, we can use Theorem 3 and Theorem 4 to
identify the most favorable and unfavorable topologies for effective defense against
proxy depletion attacks.
By applying the theorems to the results shown in Figure 6-9 and Figure 6-10, we
can see that, among all the topologies studied, the Chord topology is the most
unfavorable for resisting proxy depletion attacks. Figure 6-9 shows that the Chord
topology has the largest eigenvalue among the topologies studied. For example, the
eigenvalue of a 1024-node Chord topology is at least twice as high as the eigenvalues of
the other topologies, and almost five times as high as the eigenvalues of 2D-CAN and
binary de Bruijn graph. According to Theorem 3, this indicates that with the same
attack speed, the Chord topology requires the highest defense speed (2X to 5X higher
than the other topologies) to make a proxy network recoverable, and to allow for stable
resistance to proxy depletion attacks. Furthermore, Figure 6-10 shows that the Chord
topology has the largest $1/\tau^2 - 1$ value among the studied topologies. According to
Theorem 4, this indicates that with the same defense speed, the Chord topology makes a
proxy network unrecoverable at a lower attack speed than the other topologies do.
Therefore the Chord topology is less favorable than other topologies because it requires
a much higher defense speed to ensure stable defense and because it becomes
unrecoverable at a lower attack speed.
Figure 6-9 Eigenvalues of the Topologies Studied
(bar chart; x-axis: eigenvalue, the larger the worse, from 0 to 20; bars for the
256-node and 1024-node 2D-CAN, 3D-CAN, 4D-CAN, Chord, binary de Bruijn, 4-ary de Bruijn
and hypercube graphs)
Figure 6-10 $1/\tau^2 - 1$ Values of the Topologies Studied ($\tau$ is Laplacian Spectrum)
(bar chart; x-axis: $1/\tau^2 - 1$ value, the larger the worse, from 0 to 1; bars for the
256-node and 1024-node 2D-CAN, 3D-CAN, 4D-CAN, Chord, binary de Bruijn, 4-ary de Bruijn
and hypercube graphs)
On the other hand, by applying the theorems to the results shown in Figure 6-9 and
Figure 6-10, we can see that 2D-CAN and binary de Bruijn graphs are the most
favorable topologies among them. Figure 6-9 shows that 2D-CAN and binary de Bruijn
graphs have the smallest eigenvalue among all the topologies studied. According to
Theorem 3, this indicates that with the same attack speed, 2D-CAN and binary de Bruijn
topologies require the lowest defense speed among all the studied topologies to make a
proxy network recoverable, and to allow stable resistance to proxy depletion attacks.
Furthermore, Figure 6-10 shows that the 2D-CAN and binary de Bruijn topologies have
small $1/\tau^2 - 1$ values (close to 0), indicating that attackers need an attack speed
that is significantly higher than the defense speed to make proxy networks of such topologies
unrecoverable. Therefore, 2D-CAN and binary de Bruijn graphs are the most favorable
among these topologies because they need the lowest defense speed to support effective
resistance to proxy depletion attacks, and a high attack speed to make the proxy network
vulnerable.
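The screening performed in this case study, as an added example (not code from the dissertation): it builds undirected Chord, CAN torus, de Bruijn and hypercube graphs as defined in Section 6.4.1 and computes, for each, the largest adjacency eigenvalue used with Theorem 3 and the $1/\tau^2 - 1$ value used with Theorem 4, with $\tau = \max_{i \ne 0}|1 - \lambda_i|$. It assumes the $\lambda_i$ are the eigenvalues of the normalized Laplacian $I - D^{-1/2} A D^{-1/2}$ (the text says only "Laplacian"), uses 64-node instances rather than the 256- and 1024-node graphs of the figures, and carries its own Jacobi eigensolver so it runs without numpy.

```python
"""Spectral screening of candidate proxy-network topologies (Section 6.4).
Added example, not code from the dissertation.  For undirected Chord, CAN (torus),
de Bruijn and hypercube graphs it computes the largest adjacency eigenvalue
(Theorem 3) and 1/tau^2 - 1, tau = max_{i != 0} |1 - lambda_i| over the normalized
Laplacian L = I - D^-1/2 A D^-1/2 (Theorem 4; the normalization is an assumption).
Pure Python: a small cyclic Jacobi eigensolver replaces numpy."""
import math
from itertools import product

def _empty(n):
    return [[0.0] * n for _ in range(n)]

def _add_edge(adj, u, v):
    if u != v:                       # drop self-loops (undirected de Bruijn)
        adj[u][v] = adj[v][u] = 1.0  # reverse/duplicate edges collapse

def chord(n):
    """Undirected Chord with N = 2^n nodes: i ~ j iff ring distance is 2^k."""
    N = 1 << n
    adj = _empty(N)
    for i in range(N):
        for k in range(n):
            _add_edge(adj, i, (i + (1 << k)) % N)
    return adj

def torus(dims):
    """n-dimensional torus (CAN): coordinates differ by 1 (wrap-around) in one dimension."""
    coords = list(product(*[range(z) for z in dims]))
    index = {c: i for i, c in enumerate(coords)}
    adj = _empty(len(coords))
    for c in coords:
        for d, z in enumerate(dims):
            nb = list(c)
            nb[d] = (c[d] + 1) % z
            _add_edge(adj, index[c], index[tuple(nb)])
    return adj

def de_bruijn(k, n):
    """Undirected k-ary de Bruijn graph of order n: v ~ (k*v + s) mod k^n (left shift,
    append symbol s); right shifts are the reverse edges, so symmetry covers them."""
    N = k ** n
    adj = _empty(N)
    for v in range(N):
        for s in range(k):
            _add_edge(adj, v, (v * k + s) % N)
    return adj

def hypercube(n):
    """n-dimensional hypercube: labels differ in exactly one bit."""
    N = 1 << n
    adj = _empty(N)
    for v in range(N):
        for b in range(n):
            _add_edge(adj, v, v ^ (1 << b))
    return adj

def sym_eigenvalues(a, tol=1e-12, max_sweeps=100):
    """Eigenvalues (ascending) of a real symmetric matrix via cyclic Jacobi rotations."""
    a = [row[:] for row in a]
    n = len(a)
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for r in range(n):           # rotate columns p and q
                    arp, arq = a[r][p], a[r][q]
                    a[r][p], a[r][q] = c * arp - s * arq, s * arp + c * arq
                for r in range(n):           # rotate rows p and q
                    apr, aqr = a[p][r], a[q][r]
                    a[p][r], a[q][r] = c * apr - s * aqr, s * apr + c * aqr
    return sorted(a[i][i] for i in range(n))

def screen(adj):
    """Return (largest adjacency eigenvalue, tau, 1/tau^2 - 1) for an adjacency matrix."""
    n = len(adj)
    deg = [sum(row) for row in adj]
    largest = sym_eigenvalues(adj)[-1]
    lap = [[(1.0 if i == j else 0.0) - adj[i][j] / math.sqrt(deg[i] * deg[j])
            for j in range(n)] for i in range(n)]
    lam = sym_eigenvalues(lap)      # lam[0] is the trivial eigenvalue 0
    tau = max(abs(1.0 - x) for x in lam[1:])
    return largest, tau, 1.0 / (tau * tau) - 1.0

if __name__ == "__main__":
    # 64-node instances (4D-CAN omitted: its smallest non-degenerate torus has 81 nodes)
    graphs = {"2D-CAN 8x8": torus([8, 8]), "3D-CAN 4x4x4": torus([4, 4, 4]),
              "Chord": chord(6), "binary de Bruijn": de_bruijn(2, 6),
              "4-ary de Bruijn": de_bruijn(4, 3), "hypercube": hypercube(6)}
    for name, adj in graphs.items():
        eig, tau, val = screen(adj)
        print(f"{name:18s} eigenvalue={eig:6.3f}  tau={tau:.3f}  1/tau^2-1={val:.3f}")
```

Even-sided tori and hypercubes are bipartite, so their normalized Laplacian has eigenvalue 2 and the $1/\tau^2 - 1$ value is exactly 0, which is the "close to 0" regime the text describes for 2D-CAN.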
In summary, our case study demonstrates how our theoretical results can be used to
guide the design of proxy networks for effective resistance to proxy depletion attacks.
We show that popular proxy network topologies, such as Chord, are in fact not
favorable for supporting stable defense against proxy depletion attacks. We also show
that 2D-CAN and binary de Bruijn graphs are favorable topologies for proxy networks
to support stable defense.
6.5 SUMMARY
In this chapter, we study proxy networks' ability to resist proxy depletion attacks.
In particular, we prove two theorems which characterize the circumstances when proxy
networks are recoverable against proxy depletion attacks (compromised proxies can be
quickly and completely removed), and when proxy networks are not recoverable under
proxy depletion attacks (compromised proxies can linger and never be removed
completely). We apply these theorems to a range of popular topologies to demonstrate
their use, and identify favorable and unfavorable topologies for proxy network-based
DoS defense.
From our results, we find that the Chord [38] topology, which is used for proxy
network-based DoS defense [25, 26, 28, 29, 35], is in fact not a favorable topology for
such purposes because, due to the high connectivity, it is difficult to make a proxy
network recoverable under proxy depletion attacks. In contrast, we find that 2D-CAN
[39] and binary de Bruijn graph [40] are favorable topologies because, due to their low
vertex degree and topological properties, they can support effective resistance to proxy
depletion attacks easily.
Our theoretical results and case study lead to a few design principles: proxy
networks with high average vertex degrees are in general unfavorable since it is difficult
to make them recoverable under proxy depletion attacks. Furthermore, proxy networks
with clusters of tightly connected nodes are also unfavorable because such clusters are
vulnerable to attacks. On the other hand, graphs with low average vertex degrees and
balanced distribution of connectivity are in general good candidates for proxy networks
because they do not have vulnerable regions to harbor attacks and it is easy to make
them recoverable under proxy depletion attacks.
These results serve as a screening tool to evaluate proxy network topologies, to
identify the favorable and filter out the undesirable, and to provide a set of principles
one should observe during the design of proxy networks for better resistance to proxy
depletion attacks.

Chapter 7 RESISTING DENIAL-OF-SERVICE ATTACKS
Infrastructure-level DoS attacks are a key threat for applications using proxy
network-based DoS defense. Such attacks flood the network infrastructure around the
edge proxies with large quantities of network traffic, which prevents users from
reaching the proxies, thereby preventing them from accessing the application. In this
chapter, we study whether proxy networks can resist such DoS attacks and provide users
continued application access.
7.1 INTRODUCTION
To understand proxy networks' ability to resist infrastructure-level DoS attacks, we
study the following problems. In large realistic networks, under various DoS attack
scenarios, how much can proxy networks mitigate the impact of DoS attacks on user
performance? What are the key parameters to achieve effective and efficient resilience?
How does this resilience scale up when proxy networks grow in size?
To answer these questions, we perform a set of experiments based on online packet-level
network simulation, with full applications, a real software implementation of a proxy
network, and real attack programs. This approach allows the study of detailed network and
application dynamics, such as packet drops, router queues, real temporal and feedback
behavior of network and application protocols, which are critical to application and
proxy network performance under DoS attacks. By accurately modeling the full
complexity of the network and application behavior, we are able to reproduce DoS
dynamics and correctly characterize the application and proxy network performance.
We use a range of experiments to study proxy networks' resistance to DoS attacks.
First, we study application performance delivered by a proxy network under a range of
large-scale DoS attack scenarios of varied attack magnitudes and distributions. This
study shows that, in a large resource pool (hosts and network), a proxy network can
resist these DoS attacks effectively; the majority (>90%) of the users do not experience
significant performance degradation during the attacks. Second, to understand the
scalability of the resistance, we study application performance delivered by proxy
networks of varied sizes under DoS attacks, with a fixed ratio between the attack
magnitude and the proxy network size. This study shows that the magnitude of DoS
attacks that a proxy network can resist may be increased by using a larger proxy
network. These results show that proxy networks have effective and scalable resilience
to DoS attacks.
The remainder of the chapter is organized as follows. Section 7.2 describes the
methodology for our study. Section 7.3 presents the experiments and results. Section
7.4 concludes with a brief summary.
7.2 METHODOLOGY
To understand whether a proxy network can resist DoS attacks and protect the
application, we use a set of experiments in a large-scale simulated network to study
application performance delivered by the proxy network under DoS attacks.
Specifically, as shown in Figure 7-1, we use MicroGrid [37, 42], an online packet-level
simulator, to simulate a large-scale network environment for our study. Then, we use
full application programs, a real software implementation of a proxy network, and real
attack programs to construct our experiments in the simulated network environment. In
the following section, we first present the high-level design of our experiments, then
discuss the system elements, next describe the simulation framework (including
MicroGrid and the cluster it uses) which generates the simulated network, and finally
demonstrate the veracity of our experiments.

Figure 7-1 Experiment Configuration
7.2.1 High-level Design of Experiments
In the simulated network, we use the following system components to construct
experiments to capture the behavior of a proxy network system with and without DoS
attacks: an application, a proxy network, users, and attackers. As shown in Figure 7-1,
the application and the proxy network are deployed in the simulated network; users are
distributed in the network and access the application via the proxy network by
contacting the edge proxies. Meanwhile, attackers are distributed in the simulated
network, and try to prevent users from accessing the application, by flooding the edge
proxies with network traffic. Using these components, we can construct a range of
experiments with varied proxy network configurations and attack scenarios.
We construct two sets of experiments to study a proxy network's ability to resist
DoS attacks. First, we create a range of attack scenarios of varied magnitudes and
distributions, and measure the application performance delivered by a proxy network in
each attack scenario. These experiments allow us to understand how well the proxy
network can resist these attacks and protect the application performance. Second, we
create a range of proxy networks of varied sizes, and use them to study the scalability of
their resistance to DoS attacks: whether a larger proxy network can resist a larger
attack. Specifically, we study the application performance delivered by proxy networks
of varied sizes under DoS attacks, with a fixed ratio between the attack magnitude and
the proxy network size.
In these experiments, the basic performance metric is the time for a complete
request-response transaction between a user and the application. We use Cumulative
Density Function (CDF) of this basic performance metric over the user population to
characterize the application performance delivered to all the users. In our experiments,
we sample 100 users from the user population uniformly, and measure their transaction
time. Then, we compute the CDF from the collected performance data.
7.2.2 System Components
In this subsection, we describe the role, behavior, implementation, and parameters
of the system elements in the experiments. As described in Section 7.2.1, the elements
of a proxy network system include an application, a proxy network, a set of users, and a
set of attackers.
A) Application
An application provides services to users by responding to user requests. Upon
receiving a request, the application processes it, and sends a response back to the user.
We use an Apache [115] web server to capture this behavior of the application. In
particular, we use the Apache server to serve files of different sizes as a representative
scenario, since we focus on the network impact of DoS attacks, and specific details of
the application logic at the back-end are not critical.
B) Proxy Network
A proxy network mediates the communication between users and the application,
and protects the application from DoS attacks by providing a distributed front-end to
disperse attack traffic. The key parameters of a proxy network include its width, depth,
topology, and deployment. Width, depth, and topology are important proxy network
properties defined in Section 4.2. The deployment of a proxy network defines on which
host in the resource pool each proxy is deployed. It determines the latency between
neighboring proxies. In the following, we describe how we implement proxy networks,
and discuss how the key parameters of proxy network are configured in our
experiments.
We use a software implementation of a proxy network in our experiments. In our
proxy network implementation (see Figure 7-2), each pair of neighboring proxies
maintains a persistent TCP connection, which is established upon proxy initialization.
Through these connections, the proxy network can route messages between the edge
proxies and the application proxies (the proxies that directly connect to the application).
The edge proxies receive requests from users, and deliver them through the proxy
network to the application proxies, which forward the requests to the application.
Similarly, responses from the application are delivered to the users through the proxy
network. In this way, the proxy network mediates the communication between users
and the application.

Figure 7-2 Proxy Network Implementation
In our implementation, we use a tree topology, rooted at the application with the
edge proxies at the leaves, to capture a range of proxy networks because, for a localized
application deployment, a tree corresponds to the subset of links that would be exercised
in all proxy networks. The width and depth of the proxy network can be configured by
changing the number of leaves and the height of the tree.
In our experiments, we use a heuristic for proxy deployment to minimize the
latency between proxies and the latency between users and the application through the
proxy network. The heuristic deploys the proxy network on a set of hosts, called the
resource pool, inside the simulated network. Within the resource pool, the heuristic
places edge proxies randomly, while application proxies are placed close to the
application; the remaining proxies are evenly distributed between the edge proxies and
application proxies. As such, this heuristic aligns the proxy network structure with the
underlying network by avoiding high latency paths through the proxy network when a
significantly lower latency path exists elsewhere.
C) Users
A user requests services from the application via the proxy network. The user first
chooses an edge proxy, then sends a request via the chosen edge proxy to the application
(through the proxy network), and finally receives an application response.
A key parameter is the way users choose edge proxies for application access. We
consider two schemes: static and dynamic. In the static scheme, a user chooses an edge
proxy based on proximity, and continues to use it even if the proxy is under attack. In the
dynamic scheme, a user can switch to other proxies if the closest edge proxy is under
attack.
We use siege [116], a web-testing program, to simulate user behavior, by
downloading files of varied sizes from the application via the proxy network. In our
experiments, we use a set of siege programs, uniformly distributed in the simulated
network, to simulate the user population. To simulate different edge proxy selection
schemes, we compute the mapping between users and edge proxies for every attack
scenario in each selection scheme, and instruct the siege programs to access the edge
proxies accordingly.
D) Attackers
Attackers deny users application access by flooding the network infrastructure
around edge proxies with network traffic. There are two key parameters for an attack:
magnitude and distribution. The attack magnitude is the aggregated rate of the attack
traffic. It characterizes the overall attack load on the edge proxies. The distribution of
an attack characterizes how the attack load is distributed across the edge proxies.
According to the distribution of the attack load, we consider two types of large-scale
DoS attacks: spread and concentrated DoS attacks. In a spread DoS attack, the attack
load is distributed evenly on all the edge proxies; in a concentrated DoS attack, the
attack load is concentrated on a subset of edge proxies to saturate their incoming links.
In our experiments, we use Trinoo [8], a DDoS attack toolkit generally available on
the Internet, to simulate attack behavior. The Trinoo software package includes a
daemon and a master program. A Trinoo network consists of hosts running the Trinoo
daemon program. Given a list of IP addresses, Trinoo daemons send UDP packets to
the targets at a given start time. The master program is used to control this Trinoo
network to make DoS attacks. In its original form, the Trinoo daemon repeatedly sends
UDP packets at its full speed. To support controlled experiments, we changed the
Trinoo daemon software to allow its sending rate to be adjusted.
In our experiments, we use a Trinoo network of 100 Trinoo daemons distributed in
the simulated network uniformly. Each Trinoo daemon connects to the network with a
100Mbps link. This Trinoo network is comparable to one that has 10,000 nodes with
DSL or cable modem connections.
Using this Trinoo network, we generate spread (dilute) and concentrated DoS attacks of
varied magnitudes. By varying the aggregated rate of attack traffic and the list of edge
proxies as the targets for attacks, we can generate these attack scenarios of varied
magnitudes and distributions.
7.2.3 Simulation Framework
To accurately model detailed network dynamics and protocol behavior in large-
scale networks, we use the MicroGrid simulation toolkit [41, 42] to generate the
simulated network environment for our experiments (see Figure 7-1). In this subsection,
we describe the MicroGrid simulation toolkit, the physical resources that MicroGrid
uses to support our experiments, and the configuration of the simulated networks
generated by MicroGrid.
A) MicroGrid Simulation Toolkit
MicroGrid is an integrated online packet-level simulator that provides accurate,
validated modeling of virtual network environments. Using MicroGrid, users can
configure an arbitrary virtual network, deploy it to a cluster, and then execute their
unmodified applications directly in that virtual network. Three key capabilities of
MicroGrid are crucial in enabling our study.
- The ability to simulate large networks at high fidelity even at high levels of traffic.
MicroGrid has demonstrated good scalability in realistic large-scale simulations of
networks with 20,000 routers (comparable to a large Tier-1 ISP network like AT&T)
[37]. Furthermore, MicroGrid supports scaled real-time execution, which allows the
simulated resources (e.g. network link speed) to run at a slower rate than real-time. This
capability enables us to accurately simulate large network traffic with limited hardware
resources; for instance, slowing down the simulation by a factor of 10 allows us to
simulate 1Gbit networks using a 100Mbit network.
- Support for realistic topology, routing, and a full network protocol stack. MicroGrid
is integrated with a topology generator, maBrite [117], which can create realistic
Internet-like network topologies, and set up BGP routing policies automatically based
on realistic Internet AS relationships. It supports Internet routing protocols, such as
BGP [118] and OSPF [119]. It also supports networking protocols, such as IP, UDP,
TCP [120] and ICMP [121].
- Support for direct execution of unmodified applications. MicroGrid intercepts all
interactions between the application and the operating system transparently, providing
the application a virtualized execution environment, including virtualized network and
CPU resources.
These capabilities of MicroGrid allow us to study the properties of proxy networks
and detailed behavior of the system in a large-scale network environment with realistic
settings, running real applications and real attacks.
B) Physical Resources
Our experiments use two clusters. The MicroGrid network simulator runs on a 16-
node dual 2.4GHz Xeon Linux cluster with 1GB main memory on each machine,
connected by a 1Gbps Ethernet switch. Other software components in the experiments
run on a 24-node dual 450MHz PII Linux cluster with 1GB main memory on each
machine, connected by a 100Mbps Ethernet switch. These two clusters are connected
with a 1Gbps link.
C) Simulated Network
Using the maBrite topology generator [117], MicroGrid generates the simulated
networks for our experiments, which are Internet-like Power-Law network topologies
[117, 122]. We use two simulated networks named R1K and R10K in our experiments.
The R1K network includes 1000 routers and 20 ASes, and the R10K network includes
10,000 routers and 40 ASes, which is comparable to the size of a large ISP network.
Both networks span a geographic area of 5000 miles by 5000 miles, which is roughly
the size of the North American continent. This physical extent determines link
latencies. OSPF [119] routing is used inside ASes, and BGP4 [118] is used for inter-AS
routing.
7.2.4 Veracity of the Experiments
After describing the experiment design and the simulation environment, we show
the veracity of our approach by comparing the application performance (with and
without a proxy network) measured in our experiments to theoretical predictions. We
first analyze the application performance, and then show the results of our experiments.
We analyze the application performance for two cases: direct application access and
proxy network mediation. As shown in Figure 7-3, for direct application access, a user
establishes and uses a direct TCP connection to the application. In contrast, when using
a proxy network, the user accesses the application through a series of shorter TCP
connections, and the TCP connections among proxies are persistent. Based on these
facts, we can make the following predictions about the performance delivered by a
proxy network as compared to direct application access.

Figure 7-3 Direct Access vs. Proxy Network Mediation
1. For small requests, a proxy network improves performance by reducing the
connection set up time. Since the TCP connections among proxies are persistent,
when a user connects to the application via a proxy network, two TCP connections
are established: from the user to the edge proxy, and from the application proxy to
the application. Both connections have small RTTs because application proxies
are close to the application, and users are close to edge proxies. In contrast, a
direct connection between the user and the application has a larger RTT. Since
the TCP handshake [120] takes 1.5 RTT, using a proxy network can reduce the
connection setup cost by one RTT between the user and the application.⁹
2. For requests of modest sizes, a proxy network improves performance by avoiding
the TCP slow start phase [120]. Since the TCP connections among proxies are
persistent, in most cases the TCP congestion windows for those connections have
already been fully opened by previous data transfers and other users' traffic. Thus,
they no longer suffer from a slow start phase to grow the congestion window,
thereby improving the throughput.
3. For large requests, a proxy network improves performance by having a series of
short TCP connections, which improves throughput as studied in Logistical
Networking [123]. Here we give a brief explanation; details can be found in
[123]. The throughput can be improved because the TCP throughput is roughly
the TCP send buffer size divided by RTT, and the connections among proxies have
shorter RTTs compared to the RTT between the user and the application.

⁹ Instead of a full handshake, only a one-way trip is needed from the edge proxy to the application proxy.
In fact, once the user connects to the edge proxy, it can start sending data. This can be overlapped with
the connection setup at the application proxy side.
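An added, simplified latency model of the three effects just listed (connection setup, slow start, and throughput of roughly send buffer over RTT); it is not the dissertation's own code or MicroGrid experiment. The MSS, the 64 KB send buffer, the per-hop RTTs and the no-overlap accounting of the proxy path are constructed assumptions.

```python
"""Latency-only model of one file download: direct TCP connection vs proxy-network path.

Illustration of predictions 1-3 above (not the dissertation's experiment).
Assumptions: MSS = 1460 bytes; a cold connection starts with cwnd = 1 MSS and
doubles every RTT until the send-buffer window caps it; transmission time is
ignored; the stages of the proxy path are added up rather than overlapped (a
conservative estimate, since in practice the hops pipeline, as the footnote on
connection setup notes).
"""
import math

MSS = 1460            # bytes carried per TCP segment
SEND_BUFFER = 65536   # bytes; caps cwnd, so steady-state throughput is about SEND_BUFFER / RTT


def slow_start_rounds(nbytes, send_buffer=SEND_BUFFER, cold=True):
    """RTT rounds needed to deliver nbytes over one TCP connection.

    A cold connection begins with cwnd = 1 MSS and doubles each round; a persistent
    connection whose window is already open (cold=False) sends a full window from
    the first round, which is the inter-proxy case of prediction 2.
    """
    segments = math.ceil(nbytes / MSS)
    max_cwnd = max(1, send_buffer // MSS)
    cwnd = 1 if cold else max_cwnd
    delivered, rounds = 0, 0
    while delivered < segments:
        delivered += cwnd
        rounds += 1
        cwnd = min(cwnd * 2, max_cwnd)
    return rounds


def direct_response_ms(nbytes, rtt_ms):
    """User opens a TCP connection straight to the application.

    The three-way handshake costs one RTT before the request can leave the user
    (the application sees it at 1.5 RTT); the data then takes (rounds - 0.5) RTT
    more, so the last byte arrives at (1 + rounds) * RTT.
    """
    return rtt_ms * (1 + slow_start_rounds(nbytes))


def proxy_response_ms(nbytes, user_edge_rtt_ms, chain_one_way_ms, app_side_rtt_ms):
    """User -> edge proxy -> persistent proxy chain -> application proxy -> application.

    Two cold connections are set up, both with small RTTs (user/edge proxy and
    application proxy/application); the inter-proxy connections are persistent with
    open windows, so request and response each cross the chain in one one-way trip.
    """
    # Request path: user handshake + request to the edge proxy (1.5 RTT), one trip
    # across the chain, application-side handshake + request (1.5 RTT).
    request_ms = 1.5 * user_edge_rtt_ms + chain_one_way_ms + 1.5 * app_side_rtt_ms
    # Response path: slow start on the short application-side hop, one trip across the
    # open chain, slow start again on the short user-side hop, summed without overlap.
    rounds = slow_start_rounds(nbytes)
    response_ms = ((rounds - 0.5) * app_side_rtt_ms
                   + chain_one_way_ms
                   + (rounds - 0.5) * user_edge_rtt_ms)
    return request_ms + response_ms


def compare(nbytes, user_edge_rtt_ms=10, chain_one_way_ms=40, app_side_rtt_ms=10):
    """Direct vs proxy-mediated response time over the same geography: the direct RTT
    is taken as the sum of the proxy path's segments (constructed values, in ms)."""
    direct_rtt = user_edge_rtt_ms + 2 * chain_one_way_ms + app_side_rtt_ms
    direct = direct_response_ms(nbytes, direct_rtt)
    via_proxy = proxy_response_ms(nbytes, user_edge_rtt_ms, chain_one_way_ms, app_side_rtt_ms)
    return {"direct_ms": direct, "proxy_ms": via_proxy, "speedup": direct / via_proxy}


if __name__ == "__main__":
    # The three request sizes measured in Figure 7-4.
    for label, size in (("1.5KB", 1500), ("100KB", 100 * 1024), ("1MB", 1024 * 1024)):
        r = compare(size)
        print(f"{label:>6}: direct {r['direct_ms']:7.1f} ms  "
              f"via proxy {r['proxy_ms']:7.1f} ms  speedup {r['speedup']:.1f}x")
```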
Using experiments, we measure the application performance for direct application
access and for proxy network mediation. The experiments use the simulated R1K
network described in Section 7.2.3 and a 192-node tree-topology proxy network in
which 64 nodes are edge proxies. We measure the response time for users to download
a file of a given size (1.5KB, 100KB or 1MB). Figure 7-4 shows the results. The X-
axis is the response time for a file download (1.5KB, 100KB or 1MB). The Y-axis is
the cumulative distribution function (CDF) of the performance over the user population.
Hence, a curve closer to the Y-axis implies that more users experience good
performance. The results in Figure 7-4 match the theoretical predictions: for small
requests (e.g. 1.5KB), the 50-percentile response time is reduced by half, and for
requests of modest sizes (e.g. 100KB), the improvement is more significant, and so is
the case of large files (e.g. 1MB). This shows the veracity of our experiments.
[Figure 7-4 plots (one panel each for the 1.5KB, 100KB and 1MB file): X-axis "Response Time (seconds)", Y-axis "CDF Over User Population"; curves "Direct Application Access" and "Access via Proxy Network"]

Figure 7-4 Application Performance
(Direct Application Access vs. Proxy Network Mediation)
7.3 EXPERIMENTS AND RESULTS
We study proxy networks' resilience to DoS attacks using three sets of experiments.
First, by comparing the application performance with and without DoS attacks, we study
the impact of DoS attacks on an application not protected by proxy networks. This
provides a reference point for understanding the application performance during DoS
attacks. Second, we study the application performance under two large-scale DoS
attacks: spread and concentrated DoS attacks. This allows us to understand a proxy
network's ability to resist these attacks. Third, we study the application performance
delivered by proxy networks of varied sizes under DoS attacks, keeping a fixed ratio
between the attack magnitude and the proxy network size. This allows us to understand
the scalability of proxy networks' resistance to DoS attacks.
7.3.1 Impact of DoS Attacks on Application Performance
[Figure 7-5 plot: X-axis "Response Time (seconds)" (0 to 8), Y-axis "CDF Over User Population"; curves "No Attack" and "250Mbps Attack"]

Figure 7-5 Impact of DoS attacks on Application Performance
We study the impact of a DoS attack on the application. Our experiment uses the
R1K simulated network described in Section 7.2.3. The application is connected by a
250Mbps link. We measure the application performance (for downloading a 100KB
file) in two cases: without DoS attacks and with a 250Mbps DoS attack on the
application. Figure 7-5 shows the results. The X-axis is the response time for a file
download. The Y-axis is the cumulative distribution function (CDF) of the performance over
the user population. The maximum value of the X-axis is eight seconds because, for an
interactive application with messages of modest sizes, a longer response time makes the
application unusable to human users [124, 125].
Figure 7-5 shows that, without DoS attacks, the CDF curve is steep, and reaches 1
quickly around 2 seconds, indicating that the response time for nearly all users is less
than 2 seconds. In contrast, Figure 7-5 shows that, with a 250Mbps DoS attack on the
application, the CDF curve stays zero until around 2 seconds, and reaches 0.4 at 8
seconds, indicating that the performance for nearly all users is worse than 2 seconds, and
the application is unusable for 60% of users. These numbers show that DoS attacks
significantly degrade the application performance, and deny application access to the
majority of users.
7.3.2 Resisting Large-Scale DoS Attacks
After showing the impact of DoS attacks on the application, we study how well a
proxy network can mitigate such impact. In particular, we study the application
performance delivered by a proxy network under two DoS attack scenarios: spread DoS
attacks which evenly spread attack load across all the edge proxies (Figure 7-6), and
concentrated DoS attacks which concentrate the attack load on a subset of edge proxies
to saturate them (Figure 7-7).

Figure 7-6 Spread DoS Attacks
[Figure 7-6 diagram elements: Proxy Network, Application, Edge Proxy, Proxy, DoS Attackers]

Figure 7-7 Concentrated DoS Attacks
7.3.2.1 Resisting Spread DoS Attacks
We measure the application performance (for downloading a 100KB file) for a
proxy network under spread DoS attacks in the simulated networks (R1K and R10K)
described in Section 7.2.3. The proxy network has a tree topology of 192 nodes,
including 64 edge proxies, each of which has a 100Mbps link. In these experiments, we
vary the attack magnitude from 3.2Gbps to 6.4Gbps.
Figure 7-8 shows the application performance delivered by the proxy network
under spread DoS attacks. For comparison, Figure 7-8 also shows the application
performance delivered by the proxy network without DoS attacks. The X-axis is the
response time for a file download. The Y-axis is the CDF of the performance over the
user population.
Figure 7-8 shows that, when the attack magnitude is no more than 6.0Gbps, the
curves of the attack cases closely follow the curve of the non-attack case until the
CDF reaches over 95%. This indicates that more than 95% of users experience no
significant performance degradation, and the proxy network resists spread DoS attacks
of 6.0Gbps successfully. The reason is that the edge proxies dilute attack impact; even
under heavy attack loads, most of the edge proxies still have sufficient capacity left to
serve user requests.
[Figure 7-8 plots, "Spread Attack (R1K Network)" and "Spread Attack (R10K Network)": X-axis "Response Time (seconds)" (0 to 8), Y-axis "CDF Over User Population"; curves "No Attack", "3.2 Gbps Attack", "6.0 Gbps Attack", "6.4 Gbps Attack"]

Figure 7-8 Application Performance under Spread DoS Attack
In addition, Figure 7-8 shows two phenomena. First, when the attack load reaches
6.4Gbps (recall that the aggregated link capacity for all the edge proxies is 6.4Gbps), the
CDF curve is flat and far from the non-attack case, indicating a significant performance
degradation for all the users. This is because the attack traffic is large enough to reach
the capacity of the proxy network, and thus saturates all the edge proxies. Second, we
can see a performance degradation for a small fraction of users (<5%) in the R1K
network when the attack magnitude is 6.0Gbps. It is due to the correlation among
proxies and users (see Figure 7-9). For example, two edge proxies A and B share a link
of OC3 (155Mbps), which is congested before the attack traffic can saturate both
proxies' local links (100Mbps). Therefore, users of these two proxies and users in the
same network as these proxies are affected. This effect limits the effectiveness of proxy
networks. However, since edge proxies are dispersed in a network, the larger a network
is, the less likely this correlation will occur. It explains why this phenomenon does not
occur in the R10K simulated network (see Figure 7-8).

Figure 7-9 Correlation among Proxies and Users
7.3.2.2 Resisting Concentrated DoS Attacks
In this subsection, we study a proxy network's resistance to concentrated DoS
attacks. Since only a subset of edge proxies are under attack, how users choose edge
proxies is important. We consider both the static and dynamic schemes for edge proxy
selection which have been described in Section 7.2.2. For both selection schemes, we
measure the application performance delivered by a proxy network under concentrated
DoS attacks of varied magnitude (from 3.2Gbps to 6.0Gbps) in the simulated networks
(R1K and R10K) described in Section 7.2.3. The proxy network has a tree topology of
192 nodes, including 64 edge proxies, each of which has a 100Mbps uplink.
[Figure 7-10 plots, "Concentrated Attack (R1K Network)" and "Concentrated Attack (R10K Network)": X-axis "Response Time (seconds)" (0 to 8), Y-axis "CDF Over User Population"; curves "No Attack", "3.2 Gbps Attack on 32 Proxies", "4.0 Gbps Attack on 32 Proxies", "6.0 Gbps Attack on 48 Proxies", "6.0 Gbps Attack on 60 Proxies"]

Figure 7-10 Application Performance under Concentrated DoS Attacks
(Static Edge Proxy Selection)
Figure 7-10 shows the application performance (for downloading a 100KB file)
using the static edge proxy selection scheme under concentrated attacks in the two
simulated networks. The attack load is concentrated on a subset of edge proxies (32, 48,
and 60 edge proxies respectively). The X-axis is the response time for a file download.
The Y-axis is the CDF of the performance over the user population. In Figure 7-10, the
CDF curves for the attack case are far from the non-attack case, indicating that a
significant percentage of users have degraded performance. This is because the attack
traffic saturates a subset of edge proxies, and thereby degrades the performance for users
accessing the attacked edge proxies.
[Figure 7-11 plots, "Concentrated Attack w/ Proxy Switching (R1K Network)" and "Concentrated Attack w/ Proxy Switching (R10K Network)": X-axis "Response Time (seconds)", Y-axis "CDF Over User Population"; curves "No Attack, w/ Proxy Network", "3.2 Gbps Attack on 32 Proxies", "4.0 Gbps Attack on 32 Proxies", "6.0 Gbps Attack on 48 Proxies", "6.0 Gbps Attack on 60 Proxies", "No Attack, direct application access"]

Figure 7-11 Application Performance under Concentrated DoS Attacks
(Dynamic Edge Proxy Selection)
Since some edge proxies are not attacked during concentrated DoS attacks, the
dynamic edge proxy selection scheme (described in Section 7.2.2) may improve
application performance by switching users to edge proxies not under attack. Figure
7-11 shows the application performance (for downloading a 100KB file) using the
dynamic edge proxy selection scheme under concentrated attacks. The X-axis is the
response time for a file download. The Y-axis is the CDF of the performance over the
user population. For comparison, Figure 7-11 also plots the baseline case where users
access the application directly without attacks. It shows that, before the CDF reaches 90%,
the curves of the attack case are closer to the Y-axis than the curve of the baseline case,
indicating that proxy networks can deliver a good performance (better than direct
application access without attacks) for 90% of users under these attacks. Therefore, proxy
networks can resist concentrated DoS attacks effectively.
[Figure 7-12 plot, "Concentrated Attack Proxy Switching Analysis (R1K Network)": X-axis "Response Time (seconds)", Y-axis "CDF Over User Population"; curves "No Attack", "3.2 Gbps Attack on 32 Proxies", "4.0 Gbps Attack on 32 Proxies", "No Attack, Proxy Switching"]

Figure 7-12 Analysis of Dynamic Edge Proxy Selection
To understand what contributes to the performance degradation when dynamic edge
proxy selection is used, we further investigate the case of concentrated attacks on 32
proxies in the R1K network. We measure the user performance without attacks, but let
users access the edge proxies they switch to during the attacks (shown in Figure 7-12).
For most users, this curve follows the attack cases closely, indicating that the
performance degrades mainly because users switch to edge proxies that are far away.
Additionally, a small number of users are greatly affected by the attack due to the
limitation of the underlying network discussed in Figure 7-9.
7.3.3 Scalability of Proxy Networks' Resilience to DoS Attacks
We study whether proxy networks have scalable resilience to DoS attacks, that is,
whether attackers can overwhelm them easily by increasing the attack magnitude. We
measure the application performance delivered by proxy networks of varied sizes under
DoS attacks, keeping a fixed ratio between the attack magnitude and the proxy network
size. In our experiments, we use the simulated networks described in Section 7.2.3
(R1K and R10K) and a set of proxy networks of varied widths (ranging from 16 to 64
edge proxies). Edge proxies of the proxy networks have 100Mbps links. The attack
magnitude is set to be 95% of the aggregated link capacity of the edge proxies. For
example, for a proxy network with 16 edge proxies, the attack magnitude is 1.52Gbps
(16*100Mbps*95%).
Figure 7-13 shows the scaling results of proxy networks. The X-axis is the number
of edge proxies, and the Y-axis is the performance (for downloading a 100KB file) for a
certain percentile of users. For the R1K network, we can see that, for up to 95 percent
of users, the curves stay horizontal and below 2 seconds (recall from Figure 7-4 that the
95th percentile performance for direct application access without attacks is 2 seconds).
Therefore, in the R1K network, for 95% of users, the amount of attack traffic that can be
tolerated grows linearly with the width of the proxy network. Furthermore, for the
R10K network, all the curves stay horizontal, indicating that the proxy networks'
resilience to DoS attacks scales better. Since the R10K network is significantly larger
than the R1K network, the proxies are more dispersed than those in the R1K network.
Therefore, they have less correlation as discussed in Figure 7-9, allowing them to fully
utilize the link capacity of edge proxies to dilute attack traffic. These results show that
proxy networks have scalable resilience to DoS attacks, and the amount of attack load
that can be tolerated grows almost linearly with the width of the proxy network.
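An added capacity model of the spread, concentrated and scaling scenarios of Sections 7.3.2 and 7.3.3 (not the dissertation's MicroGrid setup or code). The user placement and latencies are constructed assumptions, a proxy counts as saturated once its share of attack load reaches its uplink, and "degraded" here simply means served by a saturated edge proxy; the figures on the page are measured response times, which this model does not reproduce.

```python
"""Capacity model of a proxy network's edge proxies under spread and concentrated DoS attacks.

Illustration of Sections 7.3.2 and 7.3.3 (not the dissertation's experiments).
Assumptions: every edge proxy has a fixed uplink; the attack load is divided
evenly over the targeted edge proxies; a proxy whose attack load reaches its uplink
is saturated; a user served by a saturated proxy counts as degraded; and the
user-to-proxy latencies are constructed as 10 ms to the user's home proxy plus
5 ms per index step away from it.
"""
from dataclasses import dataclass


@dataclass
class EdgeProxy:
    uplink_mbps: int
    attack_mbps: float = 0.0

    @property
    def saturated(self) -> bool:
        return self.attack_mbps >= self.uplink_mbps


def apply_attack(proxies, attack_mbps, n_targets=None):
    """Spread attack (n_targets=None) puts the load on every edge proxy; a concentrated
    attack puts it on the first n_targets proxies only. Returns the per-target load."""
    targets = proxies if n_targets is None else proxies[:n_targets]
    per_target = attack_mbps / len(targets)
    for p in proxies:
        p.attack_mbps = 0.0
    for p in targets:
        p.attack_mbps = per_target
    return per_target


def constructed_latencies(n_edge, users_per_proxy):
    """Constructed user population: users_per_proxy users 'near' each edge proxy,
    each carrying its latency (ms) to every edge proxy."""
    users = []
    for home in range(n_edge):
        latencies = [10 + 5 * abs(home - j) for j in range(n_edge)]
        users.extend([latencies] * users_per_proxy)
    return users


def select_edge_proxies(proxies, users, dynamic):
    """Static selection: the nearest edge proxy. Dynamic selection: the nearest edge
    proxy that is not saturated, falling back to the nearest one when all are saturated
    (the 6.4 Gbps spread case). Returns (proxy index, latency) per user."""
    served = []
    for latencies in users:
        order = sorted(range(len(proxies)), key=lambda i: latencies[i])
        choice = order[0]
        if dynamic:
            choice = next((i for i in order if not proxies[i].saturated), order[0])
        served.append((choice, latencies[choice]))
    return served


def run_scenario(n_edge, uplink_mbps, attack_mbps, n_targets=None, dynamic=False,
                 users_per_proxy=4):
    """Load the proxies, place the users, and report saturation and degradation."""
    proxies = [EdgeProxy(uplink_mbps) for _ in range(n_edge)]
    per_target = apply_attack(proxies, attack_mbps, n_targets)
    users = constructed_latencies(n_edge, users_per_proxy)
    served = select_edge_proxies(proxies, users, dynamic)
    degraded = sum(1 for i, _ in served if proxies[i].saturated)
    return {
        "attack_per_target_mbps": per_target,
        "saturated_proxies": sum(p.saturated for p in proxies),
        "degraded_fraction": degraded / len(served),
        "mean_latency_ms": sum(lat for _, lat in served) / len(served),
    }


def scaling_attack_mbps(n_edge, uplink_mbps, percent=95):
    """Attack magnitude used in the scaling experiments: a fixed percentage of the
    aggregate edge uplink capacity (16 proxies * 100 Mbps * 95% = 1520 Mbps)."""
    return n_edge * uplink_mbps * percent // 100


if __name__ == "__main__":
    # The 64-edge-proxy, 100 Mbps-uplink configuration of Section 7.3.2.
    cases = [
        ("spread 6.0 Gbps", dict(attack_mbps=6000)),
        ("spread 6.4 Gbps", dict(attack_mbps=6400)),
        ("3.2 Gbps on 32, static", dict(attack_mbps=3200, n_targets=32)),
        ("3.2 Gbps on 32, dynamic", dict(attack_mbps=3200, n_targets=32, dynamic=True)),
        ("6.0 Gbps on 48, dynamic", dict(attack_mbps=6000, n_targets=48, dynamic=True)),
    ]
    for label, kw in cases:
        print(f"{label:>24}: {run_scenario(64, 100, **kw)}")
    for width in (16, 32, 48, 64):
        print(f"width {width}: scaling attack {scaling_attack_mbps(width, 100)} Mbps")
```

The dynamic cases show the trade-off Figure 7-12 discusses: no user is left on a saturated proxy, but the mean latency rises because users of attacked proxies are moved to proxies farther away.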
[Figure 7-13 plots, "Scalability (R1K Network)" and "Scalability (R10K Network)": X-axis "Number of Edge Proxies" (0 to 70), Y-axis "User Experienced Response Time (Seconds)" (0 to 4.5); curves for the 90th, 92nd, 95th and 97th percentiles]

Figure 7-13 Resilience and Proxy Network Size
7.4 SUMMARY
To understand proxy networks' resilience to infrastructure-level DoS attacks in
large realistic networks, we use a detailed large-scale online network simulator
MicroGrid to study proxy networks with real applications and real DoS attacks. Using
our experiments, we study how well proxy networks can protect application
performance under DoS attacks for a range of network sizes, proxy network
configurations, and attack scenarios. Our experiments show that proxy networks can
provide effective and scalable resilience to infrastructure-level DoS attacks, protecting
applications from such attacks. Specifically, we show that:
- Proxy networks can resist both spread and concentrated DoS attacks effectively in
large network environments. Our experiments have shown that a 192-node proxy
network with 64 edge proxies (each connected by a 100Mbps uplink) can successfully
resist a range of large-scale distributed DoS attacks with up to 6.0Gbps aggregated
traffic and different attack load distribution; the majority (>90%) of the users do not
experience significant performance degradation under these attacks.
- Proxy networks have scalable resilience to DoS attacks: resilience can be scaled up
to meet the size of the attack, enabling the application performance to be protected. We
demonstrate, in two simulated networks, that the attack load that proxy networks can
resist, while preserving a particular level of application performance, grows almost
linearly with the proxy network size.


151
Chapter 8 CONCLUSION
In this chapter, we summarize the research described in this dissertation. Section
8.1 highlights the key research contributions. Section 8.2 discusses the implications and
impacts of our research. Section 8.3 discusses deployment issues of proxy network-
based DoS defense systems. Section 8.4 discusses avenues for future work.
8.1 DISSERTATION SUMMARY
Protecting Internet service applications from DoS attacks is an important open
research challenge. The proxy network-based DoS defense has recently emerged, and
shows promise in solving this problem. However, the fundamental capabilities and
limitations of this scheme are poorly understood. It is unclear whether and how
effectively this scheme can protect applications; it is also unclear how to design such a
system in order to achieve the most effective defense.
In this dissertation, we answer these key questions by exploring a proxy network's
ability to resist attacks. There are three important classes of technical attacks:
penetration attacks, proxy depletion attacks, and DoS attacks. We study the properties
of the proxy network-based DoS defense under these attacks, in order to understand
when resistance is possible, how well a proxy network can resist these attacks, and how
to design a proxy network-based system for the most effective defense.
We have developed a generic framework to capture a wide range of proxy network-
based DoS defense. The framework defines a canonical set of elements in a proxy
network-based system and their interactions. From this framework, we have built a
stochastic model for attack and defense processes to characterize system dynamics. The
generic framework and stochastic model provide a basis for a quantitative study of a
proxy network's resistance to penetration attacks and proxy depletion attacks.
Based on the framework and stochastic model, we combined analysis and Monte
Carlo simulation techniques to quantitatively characterize a proxy network's resistance
to penetration attacks. We have proved that proactive defenses, such as proxy network
reconfiguration and proxy migration, are critical for effective resistance. Without such
mechanisms, a proxy network is vulnerable to penetration attacks: an attacker can
penetrate the proxy network within a short period of time, which is linear in the proxy
network depth. This allows the attacker to easily expose the application to direct
attacks. In contrast, with proxy migration, a proxy network can resist penetration
attacks effectively: the time to penetrate a proxy network grows exponentially with its
depth, so that a proxy network of moderate depths can be impenetrable in practice. For
example, in realistic settings, penetrating a proxy network of depth five can take
hundreds of years on average, and a proxy network of depth six would take thousands of
years on average. Practically, this means a proxy network of a modest size can be made
effectively impenetrable.
Furthermore, we have explored a proxy network's ability to resist penetration
attacks in systems with correlated host vulnerabilities. We have shown that correlated
host vulnerabilities can make a proxy network vulnerable to penetration attacks.
However, by exploiting the host (OS/software) diversity and intelligent proxy network
construction, a proxy network can mitigate the negative impact of correlated host
vulnerabilities, and thus resist penetration attacks effectively.
Based on the framework and stochastic model, we have also quantified a proxy
network's resistance to proxy depletion attacks. Specifically, we have proven two
theorems which characterize the circumstances when a proxy network can provide
stable defense against proxy depletion attacks, and when it cannot. One theorem shows
that, when the eigenvalue of a proxy network's topology is lower than the ratio between
the defense speed and the attack speed, the proxy network can recover all the
compromised proxies, regardless of how many proxies are compromised initially. The
other theorem shows that, when a function of the Laplacian spectrum of a proxy
network's topology is higher than the ratio between the defense speed and the attack
speed, compromised proxies will linger, making the proxy network vulnerable to proxy
depletion attacks.
From these results, we have developed a set of design guidelines for proxy
networks: proxy network topologies with low vertex degrees and balanced distribution
of connectivity (no tightly connected sub-graphs) are favorable for supporting effective
defense against proxy depletion attacks; topologies with high vertex degrees or large
clusters of tightly connected vertices are unfavorable for supporting effective defense
against proxy depletion attacks. Furthermore, using the theoretical results, we have
conducted a case study on popular proxy network topologies. From the case study, we
discovered that the Chord topology, a widely-used proxy network topology, is in fact
unfavorable for resisting proxy depletion attacks; in contrast, 2D-CAN and binary de
Bruijn graphs are favorable topologies to support effective resistance.
Moreover, we have conducted a detailed quantitative study of proxy networks'
resistance to DoS attacks at an unprecedented scale and realism. Our experiments used
real applications and real attack programs in a large-scale network environment
simulated by a large-scale online packet-level simulator MicroGrid. The simulated
network has 10,000 routers and 40 ASes. These network sizes are comparable to a Tier-
1 ISP network. We also built a DoS attack network, comparable to one that has 10,000
hosts with DSL connections, producing attack traffic intensities up to 6.4 Gbps. This
approach enables study of detailed network and application dynamics such as packet
drops, router queues, real temporal and feedback behavior of network and application
protocols, which are critical to application and proxy network performance under DoS
attacks. Therefore, this approach enables accurate modeling of the full complexity of
network and application behavior needed to reproduce DoS dynamics, and to
characterize application and proxy network performance in varied attack scenarios.
Using this infrastructure, we have quantified the impact of DoS attacks on
application performance, and have shown that proxy networks can provide both
effective and scalable defense for applications against large-scale DoS attacks. Our
experiments have demonstrated that a 192-node proxy network with 64 edge proxies
(each connected by a 100Mbps uplink) can successfully resist a range of large-scale
distributed DoS attacks with up to 6.0Gbps aggregated traffic and different attack load
distribution; the majority (>90%) of the users do not experience significant performance
degradation under these attacks. Furthermore, we have also shown that proxy networks
have scalable resilience to DoS attacks: resilience that can be scaled up to meet the size
of the attack, enabling the application performance to be protected. We have
demonstrated that the attack load that a given proxy network can resist, while preserving
a particular level of application performance, grows almost linearly with the proxy
network size.
8.2 IMPLICATIONS AND IMPACTS
The main implication of our research is that the proxy network-based DoS defense
is a fundamentally sound scheme that can protect Internet service applications from
infrastructure-level DoS attacks. First, we have shown that a proxy network can hide an
application's IP address from penetration attacks, and thus prevent direct DoS attacks on
the application. Specifically, our results prove that the time to penetrate a proxy
network can grow exponentially with the proxy network depth, and therefore a modest
depth can make a proxy network effectively impenetrable. For example, with realistic
assumptions, penetrating a proxy network of modest depths (e.g. five or six) can take
over thousands of years on average, eliminating penetration attacks as a practical
concern. Second, we have shown that a proxy network can provide stable defense under
proxy depletion attacks. Specifically, our results prove that a proxy network with an
appropriate topology can effectively resist proxy depletion attacks by recovering all the
compromised proxies regardless of how many proxies are compromised initially; this
enables a proxy network to remove the effect of any attack progress, thereby providing
stable defense. Last, we have shown that a proxy network can effectively resist
infrastructure-level DoS attacks by dispersing attack traffic among a distributed front-
end, diffusing the impact of DoS attacks, and thus enabling continued application
service. Specifically, our results demonstrate that a proxy network can successfully
resist a range of large-scale distributed DoS attacks in a large-scale Internet-like network
environment; the majority (>90%) of the users do not experience significant
performance degradation under these attacks. Furthermore, we have also shown that
proxy networks have scalable resilience to DoS attacks: the attack load that a given
proxy network can resist, while preserving a particular level of application performance,
grows almost linearly with the proxy network size.
A second implication is that proactive defense schemes are required for a proxy
network-based DoS defense to be effective. Specifically, our results show that, without
proactive proxy network reconfigurations, a proxy network can be penetrated quickly,
thereby providing little defense for the application; in contrast, proactive defense
schemes, such as proxy migration, enable a proxy network to resist penetration attacks
effectively, and thus to protect the application from direct DoS attacks.
A third implication is that an appropriate topology is required for a proxy network-
based DoS defense to be effective. Specifically, our results show that a proxy network
with an unfavorable topology allows compromised proxies to linger; therefore such a
system is not recoverable under proxy depletion attacks, and thus cannot provide a
stable defense to protect applications from DoS attacks. In contrast, a favorable
topology can enable a proxy network to recover all the compromised proxies, regardless
of how many proxies are compromised initially, thereby providing a stable defense.
In addition, our results also show that existing implementations of the proxy
network-based DoS defense (SOS and i3) cannot provide effective defense, because
they do not use proactive proxy network reconfiguration schemes, and because they use
an unfavorable proxy network topology (Chord).
Our research has a twofold impact. First, our research provides a foundation for
the use of proxy networks in practice for protecting Internet service applications from
DoS attacks. Such defense schemes have not been widely used in practice primarily
because they were not well understood, and it was unclear how they should be designed.
Our study solves these fundamental problems, paving the way for the large-scale use of
such schemes in practice.
Second, our research builds a general framework that can be leveraged to explore
related problems in this area. On one hand, our generic framework and stochastic model
provide a theoretical foundation for researchers to explore the characteristics of general
proxy networks (e.g. proxy networks used for content delivery or multicast) under
malicious attacks. On the other hand, our simulation infrastructure for the study of
large-scale DoS attacks not only provides a convenient environment for researchers to
explore a proxy network's resilience to DoS attacks, but also enables them to study
other properties of proxy networks, such as the impact of various system parameters on
system performance.
8.3 DEPLOYMENT ISSUES
In this dissertation, we studied the security aspects of proxy network-based DoS
defense systems extensively. In order to deploy proxy network-based systems at large
scale, we also need to understand their deployment and management issues. The key
challenges are management and maintenance, performance management, and diagnosis
of million-node proxy network systems.
The management and maintenance problems include installation and update of
software packages and system configuration management for all the hosts in the system.
These problems have been studied extensively [126-130], and several proposed
solutions, such as the Akamai Configuration and Management System (ACMS) [126],
have shown great scalability and are used daily in real systems. For example, the
ACMS system has demonstrated scalable and lightweight management on the Akamai
system, which has 15,000 servers deployed in over 1200 different ISP networks in over
60 countries. Systems such as ACMS demonstrate that scalable and lightweight
management of large-scale proxy network systems is feasible.
Performance management is the problem of how to deploy a large proxy network
system in a dynamic Internet environment so that it delivers good, predictable application
performance. This problem has also been studied extensively [81, 86, 87, 131-135],
providing a basic understanding of overlay network performance in a wide variety of
Internet environments. These studies also provide insight into how to design and deploy
overlay networks that adapt effectively to the dynamic Internet environment and
thereby achieve robust, good performance. For example, [81] and [131] provide overlay
construction algorithms that automatically adapt the overlay structure to the
performance of the underlying network, and thereby achieve good performance
between overlay nodes. [87] and [135] provide simple heuristics for deploying a
general overlay network on a large set of Internet hosts in order to minimize the latency
between overlay nodes. Their results demonstrate the feasibility of performance tuning
for large overlay network systems with tens of thousands of hosts. The rich
collection of results [81, 86, 87, 131-135] provides a basis for the performance tuning of
proxy network-based systems in an Internet-scale deployment.
Diagnosis is the problem of how to detect and identify the cause(s) of performance
anomalies and failures in a large proxy network system. This is an important open
problem for all large-scale distributed systems. While it is difficult in general, many
efforts are underway, including [79, 136-139]. These efforts monitor the performance
behavior of Internet-scale overlay networks (tens of thousands of nodes dispersed across
the Internet) and diagnose performance and connectivity anomalies caused by
underlying network dynamics, such as congestion and routing failures. They show the
promise of building a scalable diagnosis framework that supports large-scale
deployment of proxy network-based systems.
In summary, the key deployment issues of proxy network-based systems have been
studied extensively. Although significant open challenges remain in this area, the
existing work has already shown promising results, many large-scale proxy networks
provide useful network services every day, and further research efforts are devoted to
the remaining issues. We therefore believe that large-scale deployment of proxy
network-based systems is realistic in the near future.
8.4 FUTURE WORK
The research described in this dissertation focused primarily on demonstrating the
viability of proxy network-based DoS defense as a system-level defense that can
protect Internet service applications from infrastructure-level DoS attacks. While we
believe that we met this goal, further advances can be made to improve the fidelity of
the study, to cover a wider range of attack scenarios, to explore multiple dimensions of
the design space (e.g. attack resistance, performance, and fault tolerance), and to
investigate the use of proxy networks for defense against application-level DoS attacks.
We briefly discuss these directions for future work below.
8.4.1 Further Studies
A) Extension of Analytic Study
Since little was understood about the basic properties of proxy network-based
DoS defense, our analytic study employed simple models, both for tractability and to
obtain broad results. An interesting direction for future work is to extend the analytic
model to allow a more detailed exploration of the problem. In particular, several aspects
of the model can be extended, including the models of attacks and of defenses.
The current model uses two states, intact and compromised, to describe the
impact of attacks and defenses on a host. In practice, however, attacks and defenses
may proceed in several stages, each with a different impact on the host. A finer-grained
model that captures each stage of attack and defense progress would let us study the
system dynamics in greater detail, and thus provide a deeper understanding of the
problem. A more sophisticated model, similar in spirit to the state-transition models
used to characterize intrusion-tolerant systems [140], may be a good starting point. A key
challenge, however, is to keep the analysis tractable despite the extra complexity
introduced by the more detailed model.
B) Extension of Empirical Study
Due to technological and practical constraints, our empirical study of DoS attacks
used synthetic network structures to represent large realistic networks. Though
considered a good approximation, these generated networks cannot capture all the
characteristics of real networks. A natural extension of our work is to use information
from real ISP networks in our simulated network. As the understanding of Internet
topology and link-capacity distribution improves, future work can also incorporate it to
build more realistic simulated networks.
8.4.2 Covering a Wider Range of Attacks
In this dissertation, we have explored a proxy network's ability to resist penetration
attacks, proxy depletion attacks, and DoS attacks separately. An interesting extension
is to study the properties of a proxy network under a combination of these attacks.
Though our research provides a basis for such a study, the interactions among different
attacks and the corresponding defense mechanisms bring new challenges.
Further, an important direction for future work is to study attacks that may
invalidate our assumptions. For example, in our research we assume that attackers do not
target the entire resource pool. Such attacks do exist in practice, however, including the
spread of worms among hosts in the resource pool, exploits of Internet routing
protocols (such as BGP), and attacks on key Internet infrastructure (such as core
routers). Such attacks can disable the entire resource pool, thereby threatening all
systems built on top of it. Important questions are whether proxy networks can tolerate
such attacks at all and, if so, how they should be designed.
8.4.3 Exploring Multiple Dimensions of the Design Space
In this dissertation, we have primarily focused on the security aspect of a proxy
network-based system. Specifically, we have studied the properties of a proxy network
under a variety of attack scenarios, and have investigated how a proxy network should
be designed for better resistance to these attacks. However, when designing a proxy
network-based DoS defense, we also need to consider other important design goals, such
as performance and tolerance to random proxy failures. These design goals may have
fundamental tradeoffs among them. For example, rich connectivity may undermine a
proxy network's resistance to proxy depletion attacks, but it may improve a proxy
network's ability to tolerate random proxy failures; a larger proxy network depth gives
better penetration resistance, but it may induce a larger performance overhead. An
important problem is how to quantify these tradeoffs and explore all these dimensions
together. A solution to this problem will provide a more comprehensive understanding
of proxy network-based DoS defense.
8.4.4 Supporting a Wider Range of Applications
Our research focuses on Internet service applications. An interesting direction for
future work is to extend proxy network-based DoS defense to protect a wider range of
applications, such as real-time applications. The real-time requirement can
fundamentally affect the design of a proxy network. The defense system will need a
structure that predicts the application performance in a highly dynamic environment
with attacks and defenses (especially when proxies can migrate), and reacts to such
predictions in a timely manner. How to design such a structure is an important research
challenge.
8.4.5 Resisting Application-level DoS Attacks
In this dissertation, we have discussed the use of proxy networks as a system-level
defense against infrastructure-level DoS attacks. A direction for future work is to extend
the current proxy network approach to address application-level DoS attacks. Since
defending against such attacks is an application-specific problem, a feasible solution
must combine proxy networks with an application-specific defense mechanism. For
example, using application-specific knowledge, a proxy network can filter malicious
application requests, and thus prevent them from reaching the application.
The advantage of a proxy network is that it is inherently distributed, so, unlike a
localized solution, it faces no fundamental resource limitation. For instance, a
distributed filtering scheme implemented on a proxy network can have a much larger
capacity than any localized filter, and thus resist larger attacks. Future research may
explore this potential and extend proxy network-based DoS defense into a
comprehensive architecture for defense against both infrastructure-level and
application-level DoS attacks.
APPENDIX: BASIC FACTS ON THE SPECTRA OF GRAPHS
Eigenvalues, or the spectrum, of a graph are very useful for controlling many graph
properties, and their study has a rich history in the literature (see [114, 141-145]). The
eigenvalues of many classes of graphs have been computed. For example, for the random
graph $G(n,p)$, the largest eigenvalue of its adjacency matrix is $(1+o(1))np$, while the
remaining eigenvalues are bounded by $(1+o(1))\,2\sqrt{np}$ for $np = O(1)$. The
distribution of the eigenvalues of $G(n,p)$ follows Wigner's semicircle law. Recently,
Chung, Lu, and Vu [146] examined the eigenvalues of random power law graphs and
proved that the Laplacian eigenvalues of a random power law graph also follow
Wigner's semicircle law.
We begin with some basic definitions. Let $G$ be a connected undirected graph on
$n$ vertices. The adjacency matrix $A$ of $G$ is defined by $A(x,y) = 1$ if $x$ is adjacent
to $y$, and $0$ otherwise. The eigenvalues of $A$ are denoted
$\sigma_1 \ge \sigma_2 \ge \dots \ge \sigma_n$, in decreasing order, so $\sigma_1$ is the
largest eigenvalue of $G$. For a $d$-regular graph, $\sigma_1$ is just $d$. In general,
$\sqrt{d_{\max}} \le \sigma_1 \le d_{\max}$, where $d_{\max}$ denotes the maximum degree
of $G$. We remark that the lower bound on $\sigma_1$ is attained by a star on
$d_{\max}+1$ vertices.
The Laplacian eigenvalues (or the spectrum) are also widely used in spectral graph
theory. They are defined as follows. Let $d_v$ denote the degree of the vertex $v$, and let
$T$ denote the diagonal matrix whose $(v,v)$-th entry is $d_v$. The Laplacian of $G$ is
the matrix
$$L = I - T^{-1/2} A T^{-1/2},$$
where $I$ is the $n \times n$ identity matrix. The Laplacian eigenvalues of $G$ are the
eigenvalues of $L$. They are usually written in increasing order:
$\lambda_0 \le \lambda_1 \le \dots \le \lambda_{n-1}$. For a connected graph $G$,
$\lambda_0 = 0$, $\lambda_1 > 0$, and $\lambda_{n-1} \le 2$.
For example, the Laplacian eigenvalues of the cycle $C_n$ are
$1 - \cos\frac{2\pi k}{n}$ for $k = 0, \dots, n-1$, and the Laplacian eigenvalues of the
path $P_n$ are $1 - \cos\frac{\pi k}{n-1}$ for $k = 0, \dots, n-1$.
Let $G_1$ and $G_2$ be two graphs with $n_1$ and $n_2$ vertices respectively. The
Cartesian product $G_1 \times G_2$ of $G_1$ and $G_2$ is the graph on $n_1 n_2$ vertices
in which $(u_1, u_2)$ and $(v_1, v_2)$ are adjacent if and only if $u_1 = v_1$ and
$u_2 v_2 \in E(G_2)$, or $u_2 = v_2$ and $u_1 v_1 \in E(G_1)$. When $G_1$ is
$d_1$-regular and $G_2$ is $d_2$-regular, the spectrum of $G = G_1 \times G_2$ can be
computed as follows: the Laplacian eigenvalues of $G$ are exactly the values
$\bigl(d_1 \lambda_i(G_1) + d_2 \lambda_j(G_2)\bigr)/(d_1 + d_2)$, and therefore
$$\lambda_1(G) = \frac{\min\{d_1 \lambda_1(G_1),\; d_2 \lambda_1(G_2)\}}{d_1 + d_2},
\qquad
\lambda_{n_1 n_2 - 1}(G) = \frac{d_1 \lambda_{n_1 - 1}(G_1) + d_2 \lambda_{n_2 - 1}(G_2)}{d_1 + d_2}.$$
In particular, for the $d$-dimensional torus $C_n^d$ (the Cartesian product of $d$ copies
of $C_n$), $\lambda_1 = \frac{1}{d}\bigl(1 - \cos\frac{2\pi}{n}\bigr)$. Writing
$\bar\lambda = \max_{i \ne 0} |1 - \lambda_i|$, we have $\bar\lambda = 1$ if $n$ is even,
and otherwise
$$\bar\lambda = \max\Bigl\{\cos\frac{\pi}{n},\; \frac{d - 1 + \cos\frac{2\pi}{n}}{d}\Bigr\}.$$
If $G$ is $d$-regular, the Laplacian becomes $L = I - \frac{1}{d}A$. Thus
$\lambda_i = 1 - \sigma_{i+1}/d$ for $0 \le i \le n-1$. In general, however, the spectrum
of $G$ can be very different from the eigenvalues of the adjacency matrix. The
Laplacian eigenvalues control the expansion rate of the neighborhoods of any subset
$S$ of vertices.
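The facts above are easy to check numerically, which is also how one would compare candidate proxy-network topologies (such as a torus against a DHT ring) by their spectral gap before trusting an analytic bound. The script below is an added worked example, not code from the dissertation: it builds the normalized Laplacian $L = I - T^{-1/2} A T^{-1/2}$ of a cycle, a path and a torus $C_n^d$, computes the spectrum with a small pure-Python Jacobi eigenvalue routine (so no numerical library is assumed), and compares the results with the closed forms stated in the appendix, including $\bar\lambda$ for the torus and the $d$-regular relation $\lambda_i = 1 - \sigma_{i+1}/d$. The graph sizes used in the demo are chosen here for illustration only.

```python
import math


def sym_eigenvalues(M, tol=1e-20, max_sweeps=200):
    """Eigenvalues (ascending) of a real symmetric matrix via cyclic Jacobi rotations.
    Pure Python so the script runs without numpy; adequate for the small graphs here."""
    n = len(M)
    A = [row[:] for row in M]
    for _ in range(max_sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if A[p][q] == 0.0:
                    continue
                # Rotation angle that annihilates A[p][q] (numerically stable form)
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # A <- A J   (mix columns p and q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A (mix rows p and q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted(A[i][i] for i in range(n))


def cycle_adjacency(n):
    A = [[0.0] * n for _ in range(n)]
    for i in range(n):
        A[i][(i + 1) % n] = A[(i + 1) % n][i] = 1.0
    return A


def path_adjacency(n):
    A = [[0.0] * n for _ in range(n)]
    for i in range(n - 1):
        A[i][i + 1] = A[i + 1][i] = 1.0
    return A


def cartesian_product(A1, A2):
    """Adjacency of G1 x G2: (u1,u2)~(v1,v2) iff u1=v1 and u2~v2, or u2=v2 and u1~v1."""
    n1, n2 = len(A1), len(A2)
    A = [[0.0] * (n1 * n2) for _ in range(n1 * n2)]
    for u1 in range(n1):
        for u2 in range(n2):
            for v1 in range(n1):
                for v2 in range(n2):
                    if (u1 == v1 and A2[u2][v2]) or (u2 == v2 and A1[u1][v1]):
                        A[u1 * n2 + u2][v1 * n2 + v2] = 1.0
    return A


def torus_adjacency(n, d):
    """d-dimensional torus C_n^d as the product of d copies of C_n."""
    A = cycle_adjacency(n)
    for _ in range(d - 1):
        A = cartesian_product(A, cycle_adjacency(n))
    return A


def normalized_laplacian(A):
    """L = I - T^{-1/2} A T^{-1/2}; assumes every vertex has degree > 0 (connected G)."""
    n = len(A)
    deg = [sum(row) for row in A]
    return [[(1.0 if i == j else 0.0) - A[i][j] / math.sqrt(deg[i] * deg[j])
             for j in range(n)] for i in range(n)]


def laplacian_spectrum(A):
    return sym_eigenvalues(normalized_laplacian(A))  # lambda_0 <= ... <= lambda_{n-1}


def lambda_bar(spectrum):
    """bar-lambda = max_{i != 0} |1 - lambda_i|, the quantity that bounds expansion."""
    return max(abs(1.0 - lam) for lam in spectrum[1:])


# Closed forms from the appendix
def cycle_spectrum(n):
    return sorted(1.0 - math.cos(2 * math.pi * k / n) for k in range(n))


def path_spectrum(n):
    return sorted(1.0 - math.cos(math.pi * k / (n - 1)) for k in range(n))


def torus_lambda_1(n, d):
    return (1.0 - math.cos(2 * math.pi / n)) / d


def torus_lambda_bar(n, d):
    if n % 2 == 0:
        return 1.0
    return max(math.cos(math.pi / n), (d - 1 + math.cos(2 * math.pi / n)) / d)


def close(xs, ys, tol=1e-9):
    return len(xs) == len(ys) and all(abs(x - y) < tol for x, y in zip(xs, ys))


def regular_relation_holds(A, tol=1e-9):
    """For a d-regular graph, lambda_i = 1 - sigma_{i+1}/d (sigma in decreasing order)."""
    d = sum(A[0])
    sigma = sorted(sym_eigenvalues(A), reverse=True)
    return close(laplacian_spectrum(A), [1.0 - s / d for s in sigma], tol)


if __name__ == "__main__":
    for n, d in [(4, 2), (5, 2), (3, 3)]:  # illustrative torus sizes
        spec = laplacian_spectrum(torus_adjacency(n, d))
        print(f"C_{n}^{d}: lambda_1={spec[1]:.4f} (closed form {torus_lambda_1(n, d):.4f}), "
              f"lambda_bar={lambda_bar(spec):.4f} (closed form {torus_lambda_bar(n, d):.4f})")
```

A smaller $\bar\lambda$ (equivalently, a larger spectral gap) means every vertex subset expands faster, which is the property the dissertation relies on when comparing proxy-network topologies; the script makes that comparison concrete for any small adjacency matrix you construct.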
REFERENCES
1. Fallows, D., Search Engine Users, 2005, PEW Internet & American Life
Project,1615 L Street NW, Washington DC,
http://www.pewtrusts.org/pdf/PIP_Searchengine_users.pdf.
2. Fallows, D., The Internet and Daily Life, 2004, PEW Internet & American Life
Project,1615 L Street NW, Washington DC, http://www.pewtrusts.org/.
3. eMarketer, Online Travel Marketing and Selling, 2004, eMarketer,75 Broad
Street, New York, NY, http://www.emarketer.com/Report.aspx?travel_nov04.
4. eMarketer, Online Selling and eCRM, 2004, eMarketer,75 Broad Street, New
York, NY, http://www.emarketer.com/Report.aspx?crm_aug04.
5. Fox, S., Online Banking Jumps 47% in Two Years, 2005, PEW Internet &
American Life Project,1615 L Street NW, Washington DC,
http://www.pewtrusts.org/.
6. U.S. Department of Commerce, Quarterly Retail E-Commerce Sales 4th Quarter 2004,
2005, 1401 Constitution Avenue, NW, Washington DC,
http://www.census.gov/mrts/www/data/html/04Q4.html.
7. CERT, CERT Coordination Center Annual Reports, 2004, Pittsburgh, PA.
8. Dittrich, D., The DoS Project's "trinoo" distributed denial of service attack tool,
1999, University of Washington,
http://staff.washington.edu/dittrich/misc/trinoo.analysis.
9. Dittrich, D., et al., The "mstream" distributed denial of service attack tool, 2000,
http://staff.washington.edu/dittrich/misc/mstream.analysis.txt.
10. Dittrich, D., The "Tribe Flood Network" distributed denial of service attack tool,
1999, University of Washington,
http://staff.washington.edu/dittrich/misc/tfn.analysis.txt.
11. CERT, "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service
DLL, 2001, Pittsburgh, PA, http://www.cert.org/incident_notes/IN-2001-
08.html.
12. CERT, "Code Red II:" Another Worm Exploiting Buffer Overflow In IIS
Indexing Service DLL, 2001, Pittsburgh, PA,
http://www.cert.org/incident_notes/IN-2001-09.html.
13. Moore, D., et al., The Spread of the Sapphire/Slammer Worm. 2003, CAIDA,
UCSD, ICIR & LBNL, Silicon Defense, UC Berkeley
14. Hines, E.S., MyDoom.B Worm Analysis, 2004, Applied Watch Technologies,
Inc., http://isc.sans.org/presentations/MyDoom_B_Analysis.pdf.
15. Williams, M., EBay, Amazon, Buy.com hit by attacks, 2000,
http://www.nwfusion.com/news/2000/0209attack.html.
16. Fonseca, B., Yahoo outage raises Web concerns, 2000,
http://www.nwfusion.com/news/2000/0209yahoo2.html.
17. CSI/FBI, Cyber Attacks Continue, but Financial Losses are Down, 2003,
http://www.gocsi.com/press/20030528.jhtml?_requestid=335314.
18. Moore, D., G.M. Voelker, and S. Savage. Inferring Internet Denial-of-Service
Activity. in proceedings of the 2001 USENIX Security Symposium. 2001.
19. Ferguson, P. and D. Senie, Network Ingress Filtering: Defeating Denial of
Service Attacks which employ IP Source Address Spoofing. The Internet
Society, 1998.
20. Cisco, Defining Strategies to Protect Against TCP SYN Denial of Service
Attacks, http://cio.cisco.com/warp/public/707/4.html.
21. Cisco, Using CAR During DOS Attacks,
http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html.
22. Song, D.X. and A. Perrig. Advanced and authenticated marking schemes for IP
traceback. in 20th Annual Joint Conference of the IEEE Computer and
Communications Societies. 2001. Anchorage, AK, United States: Proceedings -
IEEE INFOCOM. v 2 2001.
23. Snoeren, A.C., et al. Hash-based IP traceback. in ACM Special Interest Group
on Data Communications (SIGCOMM). 2001. San Diego, CA, United States:
Computer Communication Review. v 31 n 4 2001.
24. Savage, S., et al., Practical network support for IP traceback. Computer
Communication Review, 2000. 30(4): p. 295-306.
25. Stavrou, A., et al., WebSOS: An Overlay-based System For Protecting Web
Servers From Denial of Service Attacks. Elsevier Journal of Computer
Networks, special issue on Web and Network Security, 2005.
26. Keromytis, A.D., V. Misra, and D. Rubenstein. SOS: Secure Overlay Services.
in ACM Special Interest Group on Data Communications (SIGCOMM). 2002.
Pittsburgh, PA: ACM.
27. Andersen, D.G. Mayday: Distributed Filtering for Internet Services. in 4th
Usenix Symposium on Internet Technologies and Systems. 2003. Seattle,
Washington.
28. Adkins, D., et al., Towards a More Functional and Secure Network
Infrastructure. 2003, Computer Science Division, UC Berkeley: Berkeley
29. Adkins, D., et al. Taming IP Packet Flooding Attacks. in HotNets-II. 2003.
30. Keromytis, A.D., V. Misra, and D. Rubenstein. Using Overlays to Improve
Network Security. in the ITCom Conference, special track on Scalability and
Traffic Control in IP Networks. 2002.
31. Keromytis, A., V. Misra, and D. Rubenstein, SOS: An Architecture For
Mitigating DDoS Attacks. IEEE Journal on Selected Areas of Communications
(JSAC), 2004. 21(1): p. 176-188.
32. Ioannidis, S., et al. Implementing a Distributed Firewall. in the 7th ACM
International Conference on Computer and Communications Security (CCS).
2000.
33. Xuan, D., S. Chellappan, and X. Wang. Analyzing the Secure Overlay Services
Architecture under Intelligent DDoS Attacks. in 24th International Conference
on Distributed Computing Systems (ICDCS'04). 2004.
34. Lakshminarayanan, K., et al. Towards a Secure Indirection Infrastructure. in
ACM Symposium on Principles of Distributed Computing. 2004.
35. Stoica, I., et al. Internet Indirection Infrastructure. in ACM Special Interest
Group on Data Communications (SIGCOMM). 2002.
36. Akamai, Akamai Technology Overview,
http://www.akamai.com/en/html/technology/overview.html.
37. Liu, X. and A.A. Chien. Realistic Large-Scale Online Network Simulation. in
SuperComputing'04. 2004. Pittsburgh, PA.
38. Stoica, I., et al. Chord: A Scalable Peer-to-peer Lookup Service for Internet
Applications. in ACM Special Interest Group on Data Communications
(SIGCOMM). 2001.
39. Ratnasamy, S., et al. A Scalable Content-Addressable Network. in ACM Special
Interest Group on Data Communications (SIGCOMM). 2001.
40. Leighton, F.T., Introduction to Parallel Algorithms and Architectures: Arrays,
Trees, Hypercubes. 1991: Morgan Kaufmann Pub.
41. Liu, X., H. Xia, and A.A. Chien, Validating and Scaling the MicroGrid: A
Scientific Instrument for Grid Dynamics. Journal of Grid Computing, 2003.
42. Liu, X. and A. Chien. Traffic-based Load Balance for Scalable Network
Emulation. in SuperComputing 2003. November 2003. Phoenix, Arizona: the
Proceedings of the ACM Conference on High Performance Computing and
Networking.
43. Peng, T., C. Leckie, and R. Kotagiri. Protection from Distributed Denial of
Service Attacks Using History-based IP Filtering. in the IEEE International
Conference on Communications (ICC 2003). 2003.
44. Burch, H. and B. Cheswick. Tracing Anonymous Packets to Their Approximate
Source. in USENIX The Large Installation Systems Administration Conference
(LISA). 2000. New Orleans, LA: usenix.org.
45. Gil, T.M. and M. Poletto. MULTOPS: A Data-Structure for Bandwidth Attack
Detection. in the 10th USENIX Security Symposium. 2001.
46. Dean, D., M. Franklin, and A. Stubblefield, An Algebraic Approach to IP
Traceback. Information and System Security, 2002. 5(2): p. 119-137.
47. Wang, H., D. Zhang, and K. Shin. Detecting SYN flooding attacks. in The 21st
Conference of the IEEE Communications Society (INFOCOM02). 2002.
48. Ioannidis, J. and S.M. Bellovin. Implementing Pushback: Router-Based Defense
Against DDoS Attacks. in Network and Distributed System Security Symposium.
2002.
49. Cisco, Remote Monitoring Specification (RMON),
http://www.cisco.com/warp/public/614/4.html.
50. cisco, Netflow Services and Applications,
http://www.cisco.com/warp/public/732/netflow/.
51. Estan, C., et al. Building a Better NetFlow. in ACM Special Interest Group on
Data Communications (SIGCOMM). 2004.
52. Ferguson, P. and D. Senie, Network Ingress Filtering: Defeating Denial-of-
Service Attacks Which Employ IP Source Address Spoofing (RFC 2827), in
RFC 2827. 2000
53. Mirkovic, J., G. Prier, and P. Reiher. Attacking DDoS at the Source. in the 10th
IEEE International Conference on Network Protocols (ICNP02). 2002.
54. Mirkovic, J., D-WARD: Source-End Defense Against Distributed Denial-of-
Service Attacks, in Computer Science. 2003, University of California, Los
Angeles
55. Jin, C., H. Wang, and K. Shin. Hop-Count Filtering: An Effective Defense
Against Spoofed DoS Traffic. in Conference on Computer and Communications
Security. 2003.
56. Mankin, A., et al. On Design and Evaluation of Intention-Driven ICMP
Traceback. in 10th IEEE International Conference on Computer
Communications and Networks. 2001.
57. Stone, R. CenterTrack: An IP Overlay Network for Tracking DoS Floods. in the
9th USENIX Security Symposium. 2000.
58. Sripanidkulchai, K., et al. The Feasibility of Supporting Large-Scale Live
Streaming Applications with Dynamic Application End-Points. in ACM Special
Interest Group on Data Communications (SIGCOMM). 2004.
59. Pappas, V., et al. Fault-Tolerant Data Delivery for Multicast Overlay Networks.
in the 24th IEEE International Conference on Distributed Computing Systems
(ICDCS 04). 2004.
60. Jannotti, J., et al. Overcast: Reliable Multicasting with an Overlay Network. in
The 2nd Symposium on Operating Systems Design and Implementation
(USENIX OSDI 2000). 2000.
61. Castro, M., et al., Scribe: A large-scale and decentralized application-level
multicast infrastructure. IEEE Journal on Selected Areas in Communications,
2002.
62. Kwon, M. and S. Fahmy. Topology-aware Overlay Networks for Group
Communication. in the 12th International Workshop on Network and Operating
Systems Support for Digital Audio and Video (NOSSDAV02). 2002.
63. Ratnasamy, S., et al., Application-level Multicast using Content-Addressable
Network. Networked Group Communication, 2001.
64. Banerjee, S., B. Bhattacharjee, and C. Kommareddy. Scalable Application Layer
Multicast. in ACM Special Interest Group on Data Communications
(SIGCOMM). 2002.
65. Chu, Y.H., S. Rao, and H. Zhang. A Case for End System Multicast. in
International Conference on Measurement and Modeling of Computer Systems
(ACM SIGMETRICS). 2000.
66. Jain, S., et al., Scalable Self Organizing Overlays. 2002, Technical Report of
Department of Computer Science, University of Washington
67. Zhao, B.Y., et al. Rapid Mobility via Type Indirection. in the Third International
Workshop on Peer-to-Peer Systems (IPTPS'04). 2004.
68. Czerwinski, S., et al. An Architecture for a Secure Service Discovery Service. in
ACM/Balzer Mobile Networking and Applications (MONET). 2002.
69. Zhuang, S.Q., et al. Host Mobility using an Internet Indirection Infrastructure. in
First International Conference on Mobile Systems, Applications, and Services
(ACM/USENIX Mobisys). 2003.
70. Gnutella, Gnutella: Distributed Information Sharing, 2000,
http://gnutella.wego.com/.
71. Zhuang, S.Q., et al. Bayeux: An Architecture for Scalable and Fault-tolerant
Wide-area Data Dissemination. in Eleventh International Workshop on Network
and Operating Systems Support for Digital Audio and Video (NOSSDAV01).
2001.
72. Druschel, P. and A. Rowstron. PAST: Persistent and Anonymous Storage in a
Peer-to-Peer Networking Environment. in the 8th Workshop on Hot Topics in
Operating Systems (USENIX HotOS VIII). 2001.
73. Kubiatowicz, J., et al. OceanStore: An Architecture for Global-scale Persistent
Storage. in the Ninth International Conference on Architectural Support for
Programming Languages and Operating Systems (ASPLOS 2000). 2000.
74. Clarke, I., et al., Freenet: A Distributed Anonymous Information Storage and
Retrieval System. Design Issues in Anonymity and Unobservability, 2000.
75. Rhea, S., et al. Pond: The OceanStore Prototype. in the 2nd USENIX Conference
on File and Storage Technologies (FAST'03). 2003.
76. Chen, Y., R.H. Katz, and J.D. Kubiatowicz. SCAN: a Dynamic Scalable and Efficient
Content Distribution Network. in International Conference on Pervasive
Computing. 2002.
77. Andersen, D.G., et al. Resilient Overlay Networks. in Symposium on Operating
Systems Principles (ACM SOSP). 2001.
78. Andersen, D.G., et al. The Case for Resilient Overlay Networks. in The 8th
Workshop on Hot Topics in Operating Systems (USENIX HotOS VIII). 2001.
79. Feamster, N., et al. Measuring the Effects of Internet Path Faults on Reactive
Routing. in International Conference on Measurement and Modeling of
Computer Systems (ACM SIGMETRICS). 2003.
80. Amir, Y. and C. Danilov. Reliable Communication in Overlay Networks. in the
IEEE International Conference on Dependable Systems and Networks (DSN03).
2003.
81. Zhao, B.Y., et al., Tapestry: A Resilient Global-scale Overlay for Service
Deployment. IEEE Journal on Selected Areas in Communications, 2004. 22(1):
p. 41-53.
82. Zhao, B.Y., et al. Exploiting Routing Redundancy via Structured Peer-to-Peer
Overlays. in the 11th IEEE International Conference on Network Protocols
(ICNP03). 2003.
83. Subramanian, L., et al. OverQoS: An Overlay based Architecture for Enhancing
Internet QoS. in First Symposium on Networked Systems Design and
Implementation (NSDI'04). 2004.
84. Zhou, F., et al. Approximate Object Location and Spam Filtering on Peer-to-
Peer Systems. in ACM/IFIP/USENIX International Middleware Conference
(Middleware 2003). 2003.
85. Awerbuch, B. and C. Scheideler. Group Spreading: A protocol for provably
secure distributed name service. in 31st Int. Colloquium on Automata,
Languages, and Programming (ICALP). 2004.
86. Loguinov, D., et al. Graph-Theoretic Analysis of Structured Peer-to-Peer
Systems: Routing Distances and Fault Resilience. in ACM Special Interest
Group on Data Communications (SIGCOMM). 2003. Karlsruhe, Germany:
ACM.
87. Jain, S., R. Mahajan, and D. Wetherall. A Study of the Performance Potential of
DHT-based Overlays. in the 4th Usenix Symposium on Internet Technologies
and Systems (USITS). 2003. Seattle, WA.
88. Hinrikus, T., Skype Application Programming Interface, 2004,
http://www.skype.com/community/devzone/Skype%20API%20description%20
1.2.pdf.
89. Cohen, B., Incentives Build Robustness in BitTorrent, 2003,
http://www.bittorrent.com/bittorrentecon.pdf.
90. Garfinkel, S., G. Spafford, and A. Schwartz, Practical Unix & Internet Security,
3rd Edition. 2003: O'Reilly.
91. One, A., Smashing The Stack For Fun And Profit, 1997, BugTraq, r00t, and
Underground.Org, http://downloads.securityfocus.com/library/P49-14.txt.
92. Sidiroglou, S. and A. Keromytis, Countering Network Worms Through
Automatic Patch Generation. 2005, Columbia University
93. Sidiroglou, S., et al. Building a Reactive Immune System for Software Services.
in the USENIX Annual Technical Conference. 2005.
94. Cowan, C., et al. StackGuard: Automatic Adaptive Detection and Prevention of
Buffer-Overflow Attacks. in Proceedings of the 7th USENIX Security
Conference. 1997.
95. Prasad, M. and T. Chiueh. A Binary Rewriting Defense Against Stack-based
Buffer Overflow Attacks. in the USENIX Annual Technical Conference. 2003.
96. DuVarney, D.C., V.N. Venkatakrishnan, and S. Bhatkar. SELF: a Transparent
Security Extension for ELF Binaries. in New Security Paradigms Workshop.
2003.
97. Baratloo, A., N. Singh, and T. Tsai. Transparent Run-Time Defense Against
Stack Smashing Attacks. in the USENIX Annual Technical Conference. 2000.
98. Vigna, G. and R.A. Kemmerer, NetSTAT: a network-based intrusion detection
system. Journal of Computer Security, 1999. 7(1): p. 37-71.
99. Porras, P.A. and P.G. Neumann. EMERALD: Event Monitoring Enabling
Responses to Anomalous Live Disturbances. in 1997 National Information
Systems Security Conference. 1997.
100. Kumar, S. and E.H. Spafford. A Pattern Matching Model For Misuse Intrusion
Detection. in Proceedings of the 17th National Computer Security Conference.
1994.
101. Axelsson, S., Intrusion Detection Systems: A Survey and Taxonomy. 2000,
Chalmers University of Technology: Goteborg, Sweden
102. Paxson, V., Bro: A System for Detecting Network Intruders in Real-Time.
Computer Networks, 1999. 31(23-24): p. 2435-2463.
103. Handley, M., C. Kreibich, and V. Paxson. Network Intrusion Detection:
Evasion, Traffic Normalization, and End-to-End Protocol Semantics. in USENIX
Security Symposium 2001. 2001.
104. Zhang, Y. and V. Paxson. Detecting Stepping Stones. in the 9th USENIX
Security Symposium. 2000.
105. Zhang, Y. and V. Paxson. Detecting Backdoors. in 9th USENIX Security
Symposium. 2000.
106. Lee, W. and S. Stolfo. Data Mining Approaches for Intrusion Detection. in the
7th USENIX Security Symposium. 1998.
107. Kruegel, C., et al. Stateful Intrusion Detection for High-Speed Networks. in the
IEEE Symposium on Research on Security and Privacy. 2002.
108. Ertoz, L., et al., The MINDS - Minnesota Intrusion Detection System, in Next
Generation Data Mining. 2004, MIT Press.
109. Chun, B., et al., PlanetLab: An Overlay Testbed for Broad-Coverage Services.
ACM Computer Communications Review, a special issue on tools and
technologies for networking research and education, 2003. 33(3).
110. Microsoft, Microsoft Security Bulletin, 2004, Microsoft Corporation,
http://www.microsoft.com/technet/.
111. Arbaugh, W.A., W.L. Fithen, and J. McHugh, Windows of Vulnerability: A
Case Study Analysis. IEEE Computer, 2000. 33: p. 52-59.
112. Browne, H.K., et al., A Trend Analysis of Exploitations. Proceedings of the
2001 IEEE Symposium on Security and Privacy, 2001.
113. CERT, CERT Advisory CA-2003-04 MS-SQL Server Worm, 2003,
Pittsburgh, PA, http://www.cert.org/advisories/CA-2003-04.html.
114. Chung, F., Spectral Graph Theory. 1997: AMS Publications.
115. apache, Apache HTTP Server Version 2.0 Documentation, www.apache.org.
116. JoeDog.org, Siege - An HTTP Regression Tester & Benchmarking Utility, 2003,
http://www.joedog.org/siege/index.php.
117. Medina, A., et al. BRITE: An Approach to Universal Topology Generation. in
the International Workshop on Modeling, Analysis and Simulation of Computer
and Telecommunications Systems- MASCOTS '01. 2001. Cincinnati, Ohio.
118. Lougheed, K. and Y. Rekhter, RFC 1106: Border Gateway Protocol (BGP).
1990
119. Moy, J., RFC 2178: OSPF Version 2. 1998
120. Socolofsky, T. and C. Kale, RFC 1180 - TCP/IP tutorial. 1991
121. Postel, J., RFC 792 - Internet Control Message Protocol. 1981
122. Faloutsos, M., P. Faloutsos, and C. Faloutsos. On Power-Law Relationships of
the Internet Topology. in ACM Special Interest Group on Data Communications
(SIGCOMM). 1999.
123. Swany, D.M. and R. Wolski. Data Logistics in Network Computing: The
Logistical Session Layer. in IEEE Network Computing and Applications
(NCA'01). 2001.
124. Nielsen, J., Usability Engineering. 1994, San Francisco: Morgan Kaufmann.
125. King, A.B., Speed Up Your Site: Web Site Optimization. First ed. 2003: Pearson
Education. 528.
126. Sherman, A., et al. ACMS: The Akamai Configuration Management System. in
the 2nd Symposium on Networked Systems Design & Implementation (USENIX
NSDI05). 2005.
127. Anderson, P., P. Goldsack, and J. Paterson. SmartFrog Meets LCFG:
Autonomous Reconfiguration with Central Policy Control. in USENIX The
Large Installation Systems Administration Conference (LISA03). 2003.
128. Anderson, P. and A. Scobie. LCFG - The Next Generation. in the UK Unix and
Open Systems User Group (UKUUG) Winter Conference. 2002.
129. Microsoft Windows Update, http://windowsupdate.microsoft.com.
130. HP Open View - Computer and Network Management,
http://www.managementsoftware.hp.com/.
131. Castro, M., et al. Exploiting network proximity in peer-to-peer overlay networks.
in the International Workshop on Future Directions in Distributed Computing
(FuDiCo). 2002. Bertinoro, Italy.
132. Shen, K. Structure Management for Scalable Overlay Service Construction. in
Symposium on Networked Systems Design & Implementation (USENIX NSDI).
2004.
133. Gummadi, K., et al. The Impact of DHT Routing Geometry on Resilience and
Proximity. in ACM Special Interest Group on Data Communications
(SIGCOMM). 2003.
134. Chawathe, Y., et al. Making Gnutella-like P2P Systems Scalable. in ACM
Special Interest Group on Data Communications (SIGCOMM). 2003.
135. Ratnasamy, S., et al. Topologically-Aware Overlay Construction and Server
Selection. in The 21st Conference of the IEEE Communications Society
(INFOCOM02). 2002.
176

136. Chen, Y., D. Bindel, and R.H. Katz. Tomography-based Overlay Network
Monitoring. in ACM Internet Measurement Conference (IMC). 2004.
137. Chen, Y., C. Overton, and R.H. Katz, Internet Iso-bar: A Scalable Overlay
Distance Monitoring System. Journal of Computer Resource Management,
2002.
138. Zhang, M., et al. PlanetSeer: Internet Path Failure Monitoring and
Characterization in Wide-Area Services. in In Proceedings of the Sixth
Symposium on Operating Systems Design and Implementation (OSDI '04). 2004.
139. Akamai Network Operations Command Center, Akamai Technologies Inc.,
http://www.akamai.com/en/html/technology/nocc.html.
140. K.Goseva-Popstojanova, et al. Characterizing intrusion tolerant systems using a
state transition model. in DARPA Information Survivability Conference and
Exposition (DISCEX II). 2001.
141. Wigner, E.P., On the distribution of the roots of certain symmetric matrices. The
Annals of Mathematics, 1958. 67: p. 325-327.
142. Goh, K.-I., B. Kahng, and D. Kim, Spectra and eigenvectors of scale-free
networks. Phy. Rev. E, 2001. 64(051903).
143. Furedi, Z. and J. Komlos, The eigenvalues of random symmetric matrices.
Combinatorica, 1981. 1(3): p. 233--241.
144. Farkas, I.J., et al., Spectra of "Real-World" graphs: Beyond the semi-circle law.
Phy. Rev. E, 2001. 64(026704).
145. ErdHos, P. and A. Renyi, On random graphs. Publ. Math. Debrecen, 1959. 6: p.
290-291.
146. Chung, F., L. Lu, and V. Vu, Eigenvalues of random power law graphs. Annals
of Combinatorics, 2003.

Вам также может понравиться
