A survivable DoS-resistant overlay network

Abstract

Denial of Service (DoS) attacks pose significant threats. For mission-critical applications such as disaster recovery and battlefield coordination, any disruption can entail serious consequences. Most of the prior work on countering DoS has taken an offensive approach in that they focus on detecting and blocking the attacks. Such approaches are always in a tight “cat and mouse” race with the attackers. Indeed, more sophisticated and finer-grained distributed DoS attacks may evade detection altogether. We believe a more defensive approach whose primary objective is to survive the attacks by sustaining reasonable performance to legitimate clients should be a key part of a repertoire of tools to counter DoS. In this paper, we present a survivable overlay network architecture called rewire that is purpose-built to resist DoS; it achieves this by dynamically “adapting” the overlay topology to maximize end-to-end connectivity between clients and end servers. The heart of rewire is a novel probing mechanism that is responsive to network state yet scalable. It yields high-performance paths as determined by application-level metrics. We evaluate rewire against recent overlay solutions to DoS, and show that rewire is able to achieve equivalent blocking probability (i.e., similar resistance to DoS attacks) in large network topologies (e.g., 100 overlay nodes over a physical network of 600 nodes) while reducing the probe overhead from the typical O( N) in other schemes to O(log N), where N is the number of overlay nodes.