TY - JOUR
T1 - Pollution attacks and defenses for Internet caching systems
AU - Deng, Leiwen
AU - Gao, Yan
AU - Chen, Yan
AU - Kuzmanovic, Aleksandar
N1 - Funding Information:
This work is supported by the National Science Foundation, award no. CNS-0627715. Also, we would like to thank the following Northwestern undergraduate and graduate students, who took part in the early phase of this project: Chi Yin Cheung, J. Scott Miller, Justin Moles, and Sausan Yazji. Finally, we are grateful to John Kristoff for his help in understanding the feasibility of DNS-targeted attacks.
PY - 2008/4/10
Y1 - 2008/4/10
AB - Proxy caching servers are widely deployed in today's Internet. While cooperation among proxy caches can significantly improve a network's resilience to denial-of-service (DoS) attacks, lack of cooperation can transform such servers into viable DoS targets. In this paper, we investigate a class of pollution attacks that aim to degrade a proxy's caching capabilities, either by ruining the cache file locality, or by inducing false file locality. Using simulations, we propose and evaluate the effects of pollution attacks both in Web and peer-to-peer (p2p) scenarios, and reveal dramatic variability in resilience to pollution among several cache replacement policies. We develop efficient methods to detect both false-locality and locality-disruption attacks, as well as a combination of the two. To achieve high scalability for a large number of clients/requests without sacrificing the detection accuracy, we leverage streaming computation techniques, i.e., Bloom filters and probabilistic counting. Evaluation results from large-scale simulations show that these mechanisms are effective and efficient in detecting and mitigating such attacks. Furthermore, a Squid-based implementation demonstrates that our protection mechanism forces the attacker to launch extremely large distributed attacks in order to succeed.
KW - False-locality
KW - Locality-disruption
KW - Proxy-cache-targeted
UR - http://www.scopus.com/inward/record.url?scp=39749157863&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=39749157863&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2007.11.019
DO - 10.1016/j.comnet.2007.11.019
M3 - Article
AN - SCOPUS:39749157863
SN - 1389-1286
VL - 52
SP - 935
EP - 956
JO - Computer Networks
JF - Computer Networks
IS - 5
ER -