What is Kill-Bots?
Recent denial of service attacks are mounted by professionals using botnets of tens of thousands of compromised machines. The DDoS business is thriving: increasingly aggressive worms infect about 30,000 new machines per day, and the resulting botnets are rented over IRC and used in DDoS attacks. Such botnets are valuable resources that an attacker tries to protect. To evade detection, attackers are moving away from pure bandwidth floods toward attacks that mimic the Web browsing behavior of a large number of clients: they profile the victim server and issue requests that look like ordinary browsing, thereby targeting expensive higher-layer resources such as CPU, database and disk bandwidth.
The resulting attacks are hard to defend against with standard techniques because the malicious requests differ from legitimate ones in intent but not in content. They arrive from a large number of geographically distributed machines, so they cannot be filtered by IP prefix. Many sites do not use passwords or login information, and even when they do, passwords can easily be stolen from the hard disk of a compromised machine. Further, checking a site-specific password requires establishing a connection first, which lets unauthenticated clients consume socket buffers, TCBs and worker processes and makes it easy to mount an attack on the authentication mechanism itself. Computational puzzles, which require the client to perform heavy computation before accessing the site, are not an effective defense against such attacks (which we call CyberSlam) because computing power is abundant in a botnet.
Kill-Bots is a kernel extension that protects Web servers against DDoS attacks that masquerade as flash crowds. Kill-Bots authenticates clients with graphical tests, but differs from other systems that use such tests in three ways. First, instead of admitting clients based on whether they solve the graphical test, Kill-Bots uses the test to quickly identify the IP addresses of the attack machines. This lets it block the malicious requests while still serving legitimate users who are unable or unwilling to solve graphical tests. Second, Kill-Bots issues the test and checks the client's answer inside the kernel, without granting unauthenticated clients access to sockets, TCBs, worker processes, etc. This protects the authentication mechanism itself from being DDoSed. Third, Kill-Bots combines authentication with admission control. As a result, it improves performance regardless of whether the server overload is caused by a DDoS attack or by a genuine flash crowd. This makes Kill-Bots the first system to address both DDoS and flash crowds within a single framework. We have implemented Kill-Bots in the Linux kernel and evaluated it in the wide-area Internet using PlanetLab.
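To make the first point concrete, here is a toy model, added here as an illustration and not Kill-Bots' own code, of using the graphical test as an attacker detector rather than as a gate. Each test that is served but never answered is counted per source IP in a counting Bloom filter (so no per-connection state is allocated before the client proves itself); an IP that accumulates too many unanswered tests is dropped; and once no new attacker IPs have appeared for a few rounds the filter stops issuing tests and admits every IP that is not blocked, so a human who never solves a test still gets through. The unanswered-test limit, the Bloom filter size, the stage-switch rule and the traffic generated by `simulate()` are all assumptions constructed for this example; admission control under overload is not modeled.

```python
"""Toy model of Kill-Bots' use of graphical tests as an attacker detector.
Added example, not the project's code; every parameter is an assumption."""
import hashlib


class CountingBloom:
    """Fixed-size counting Bloom filter holding, per source IP, the number of
    tests served but never answered. No per-connection state is kept."""

    def __init__(self, size=4096, hashes=3):
        self.counters = [0] * size
        self.size, self.hashes = size, hashes

    def _slots(self, key):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.size

    def inc(self, key):
        for s in self._slots(key):
            self.counters[s] += 1

    def dec(self, key):
        for s in self._slots(key):
            if self.counters[s] > 0:
                self.counters[s] -= 1

    def count(self, key):
        # the minimum over the key's slots is an upper bound on the true count
        return min(self.counters[s] for s in self._slots(key))


class KillBotsFilter:
    UNANSWERED_LIMIT = 8   # assumption: drop an IP once it exceeds this many unanswered tests
    STABLE_ROUNDS = 3      # assumption: stop issuing tests after this many rounds with no new attacker IP

    def __init__(self):
        self.unanswered = CountingBloom()
        self.blocked = set()      # attacker IPs learned so far (a plain set here for readability)
        self.stage = "learn"      # "learn": issue tests; "filter": only drop known attackers
        self._last_blocked = -1
        self._quiet_rounds = 0

    def on_request(self, ip):
        """Decision for a new connection attempt, taken before any socket or
        TCB exists. Returns 'drop', 'test' or 'serve'."""
        if ip in self.blocked:
            return "drop"
        if self.stage == "filter":
            return "serve"            # no test: unknown IPs are admitted even if they never solved one
        self.unanswered.inc(ip)       # a test goes out; it counts as unanswered until a reply arrives
        if self.unanswered.count(ip) > self.UNANSWERED_LIMIT:
            self.blocked.add(ip)
            return "drop"
        return "test"

    def on_answer(self, ip):
        """A correct answer cancels one outstanding test and admits the client."""
        self.unanswered.dec(ip)
        return "serve"

    def end_round(self):
        """Periodic check: once the set of attacker IPs stops growing, switch stages."""
        if len(self.blocked) == self._last_blocked:
            self._quiet_rounds += 1
        else:
            self._quiet_rounds = 0
        self._last_blocked = len(self.blocked)
        if self.stage == "learn" and self._quiet_rounds >= self.STABLE_ROUNDS:
            self.stage = "filter"


BOTS = ("10.0.0.1", "10.0.0.2", "10.0.0.3")   # constructed attacker addresses
SOLVER = "192.0.2.10"                          # constructed human who solves tests
REFUSER = "192.0.2.11"                         # constructed human who never solves them


def simulate(rounds=12):
    """Constructed traffic: each bot opens 5 connections per round and never
    answers a test; each human opens one. Returns the filter and per-IP decisions."""
    f = KillBotsFilter()
    decisions = {ip: [] for ip in (*BOTS, SOLVER, REFUSER)}
    for _ in range(rounds):
        for ip in BOTS:
            for _ in range(5):
                decisions[ip].append(f.on_request(ip))
        d = f.on_request(SOLVER)
        if d == "test":
            d = f.on_answer(SOLVER)
        decisions[SOLVER].append(d)
        decisions[REFUSER].append(f.on_request(REFUSER))
        f.end_round()
    return f, decisions


if __name__ == "__main__":
    flt, dec = simulate()
    print("stage:", flt.stage, "blocked:", sorted(flt.blocked))
    for ip, ds in dec.items():
        print(ip, {k: ds.count(k) for k in ("test", "serve", "drop")})
```

Running the simulation, the three bots are blocked during the second round, the solving human is served in every round, and the refusing human receives tests during the learning stage and is then served once the filter switches to the second stage and stops issuing tests. The `blocked` set stands in for the additional Bloom filter a kernel implementation would use so that the attacker list also costs no per-IP memory.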
M. I. T. Computer Science and Artificial Intelligence Laboratory 200 Technology Square · Cambridge, MA 02139 USA