Similar literature
 Found 20 similar documents; search took 15 ms
1.
This paper presents a systematic study of the properties of a large number of Web sites hosted by a major ISP. To our knowledge, ours is the first comprehensive study of a large server farm that contains thousands of commercial Web sites. We also perform a simulation analysis to estimate potential performance benefits of content delivery networks (CDNs) for these Web sites, and validate our analysis for several sites by replaying our trace through a real cache. We make several interesting observations about the current usage of Web technologies and Web site performance characteristics. First, compared with previous client workload studies, the Web server farm workload contains a much higher degree of uncacheable responses and responses that require mandatory cache validations. A significant reason for this is that cookie use is prevalent among our population, especially among more popular sites. We found an indication of widespread indiscriminate usage of cookies, which unnecessarily impedes the use of many content delivery optimizations. We also found that most Web sites do not utilize the cache-control features of the HTTP 1.1 protocol, resulting in suboptimal performance. Moreover, the implicit expiration time in client caches for responses is strongly constrained by the maximum values allowed in the Squid proxy. Thus, supplying explicit expiration information would significantly improve Web sites’ cacheability. Finally, our simulation results indicate that while most Web sites benefit from the use of a CDN, the amount of the benefit varies widely among the sites, which underscores the need for workload analysis tools. Bent, Rabinovich, and Xiao performed this work while at AT&T Labs-Research.

2.
Content distribution networks (CDNs) improve scalability and reliability by replicating content to the “edge” of the Internet. Apart from the pure networking issues of CDNs relevant to the establishment of the infrastructure, some very crucial data management issues must be resolved to exploit the full potential of CDNs to reduce the “last mile” latencies. A very important issue is the selection of the content to be prefetched to the CDN servers. All the approaches developed so far assume the existence of adequate content popularity statistics to drive the prefetch decisions. Such information, though, is not always available, or it is extremely volatile, rendering such methods problematic. To address this issue, we develop self-adaptive techniques to select the outsourced content in a CDN infrastructure, which require no a priori knowledge of request statistics. We identify clusters of “correlated” Web pages in a site, called Web site communities, and make these communities the basic outsourcing unit. Through a detailed simulation environment, using both real and synthetic data, we show that the proposed techniques are very robust and effective in reducing the user-perceived latency, performing very close to an unfeasible, off-line policy, which has full knowledge of the content popularity.

3.
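A DDoS Attack Defense Mechanism Based on Traffic Monitoring for Web Services   Total citations: 2, self-citations: 0, citations by others: 2
This paper proposes a traffic-monitoring-based mechanism for defending Web services against DDoS attacks. A Web server environment that resists DDoS attacks is built using Linux kernel security options, Linux Virtual Server, the iptables firewall and class-based queuing, and a traffic monitor and analysis tools are designed and implemented to detect possible DDoS attacks and reduce their damage. Practical tests show that the mechanism effectively detects and defends against common DDoS attacks on Web services.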

4.
CDNs improve network performance and offer fast and reliable applications and services by distributing content to cache servers located close to users. The Web's growth has transformed communications and business services such that speed, accuracy, and availability of network-delivered content have become absolutely critical - both on their own terms and in terms of measuring Web performance. Proxy servers partially address the need for rapid content delivery by providing multiple clients with a shared cache location. In this context, if a requested object exists in a cache (and the cached version has not expired), clients get a cached copy, which typically reduces delivery time. CDNs act as trusted overlay networks that offer high-performance delivery of common Web objects, static data, and rich multimedia content by distributing content load among servers that are close to the clients. CDN benefits include reduced origin server load, reduced latency for end users, and increased throughput. CDNs can also improve Web scalability and disperse flash-crowd events. Here we offer an overview of the CDN architecture and popular CDN service providers.

5.
米安 《现代计算机》2013,(11):19-24
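At present there are two main types of attack against commercial servers: denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks. Attacks of this type belong to the hit-and-run category. DoS/DDoS attacks are not subtle enough to bypass defenses such as firewalls; instead, they send the victim host a large number of seemingly legitimate network packets, causing network congestion or exhausting server resources and thereby denying service. Although no data is damaged, the server is ultimately brought down, which triggers a series of further problems. For an e-commerce server, what matters most is server downtime. The paper studies defense principles for distributed denial-of-service (DDoS) attacks.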

6.
The paper proposes a scheme, referred to as proactive server roaming, to mitigate the effects of denial of service (DoS) attacks. The scheme is based on the concept of “replicated elusive service”, which, through server roaming, causes the service to physically migrate from one physical location to another. Furthermore, the proactiveness of the scheme makes it difficult for attackers to guess when or where servers roam. The combined effect of elusive service replication and proactive roaming makes the scheme resilient to DoS attacks, thereby ensuring a high level of quality of service. The paper describes the basic components of the scheme and discusses a simulation study to assess the performance of the scheme for different types of DoS attacks. The details of the NS2-based design and implementation of the server roaming strategy to mitigate the DoS attacks are provided, along with a thorough discussion and analysis of the simulation results.

7.
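DSDA: A Proactive DDoS Defense Algorithm Based on Network Symmetry   Total citations: 2, self-citations: 1, citations by others: 2
Building on an analysis of Pushback, a typical DDoS defense mechanism based on traffic control, this paper proposes DSDA, a DDoS defense algorithm that detects DDoS attacks at the source end based on the symmetry of network traffic and combines this with a congestion-control-based mechanism at the target end. Simulation results show that DSDA is a dynamic DDoS defense algorithm with a clear advantage when the network is large.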

8.
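Existing methods analyze only coarse-grained network traffic feature parameters and cannot identify denial-of-service (DoS) and distributed denial-of-service (DDoS) attack flows while keeping detection real-time. To address this problem, a method for detecting DoS and DDoS attacks and identifying anomalous flows in backbone networks is proposed. First, coarse-grained traffic behavior feature parameters are used to determine the points in time at which anomalous traffic behavior occurs. Then, at each such point in time, fine-grained traffic behavior feature parameters are analyzed to find the destination IP addresses associated with the anomalous behavior. Finally, the traffic related to the anomalous behavior is extracted and analyzed as a whole to determine whether the behavior is a DoS attack or a DDoS attack. Simulation results show that the method, which is based on traffic behavior features, effectively detects DoS and DDoS attacks in backbone networks and, while keeping detection real-time, accurately identifies the network traffic related to the attacks.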

9.
Low-rate denial of service (DoS) attacks have recently emerged as new strategies for denying networking services. Such attacks are capable of discovering vulnerabilities in protocol or application behavior to carry out a DoS with low-rate traffic. In this paper, we focus on a specific attack: the low-rate DoS attack against application servers, and address the task of finding an effective defense against this attack. Different approaches are explored and four alternatives to defeat these attacks are suggested. The techniques proposed are based on modifying the way in which an application server accepts incoming requests. They focus on protective measures aimed at (i) preventing an attacker from capturing all the positions in the incoming queues of applications, and (ii) randomizing the server operation to eliminate possible vulnerabilities due to predictable behaviors. We extensively describe the suggested techniques, discussing the benefits and drawbacks of each under two criteria: the attack efficiency reduction obtained, and the impact on the normal operation of the server. We evaluate the proposed solutions in both a simulated and a real environment, and provide guidelines for their implementation in a production system.

10.
Videos and other multimedia content have become increasingly popular among users of the Internet nowadays. With the improvement of the underlying infrastructure of the Internet, users can enjoy video content of much higher quality than in the last decade. Content delivery networks (CDNs) are a type of content hosting solution that is widely used across the Internet. Content providers offload the task of content hosting to CDN providers and redirect users’ requests to CDNs. Video content, especially high-quality real-time video, occupies a major part of Internet traffic. It is challenging to handle such workloads even for a large-scale CDN. Load balancing algorithms are critical to address this issue. However, traditional load balancing algorithms such as round-robin and randomization are unaware of user-side requirements. Therefore, it is not uncommon that requests for high-quality real-time video are not satisfied. In this paper, we try to fulfill such requests by integrating software-defined networking technology with CDN infrastructure. We also propose revised load balancing algorithms and develop simulations to verify our approaches. The results show that the proposed algorithms achieve much higher user satisfaction in bandwidth-idle environments.

11.
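Defending Against Distributed Denial-of-Service Attacks with Adaptive Router Throttling   Total citations: 6, self-citations: 1, citations by others: 6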
梁丰  David Yau 《软件学报》2002,13(7):1220-1227
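This paper proposes a mechanism that defends against distributed denial-of-service attacks with an adaptive router throttling algorithm. The key to the algorithm is that the victim asks selected upstream routers k hops away to throttle the traffic destined for the victim, so that the victim's service resources are allocated among the flows in a max-min-fair-like manner. The effect of the algorithm is also examined on a real Internet topology under different distributions and traffic models of attack flows and legitimate flows. The results show that this server-centric router throttling is a promising approach to countering distributed denial-of-service attacks.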

12.
《Computer Networks》2008,52(5):935-956
Proxy caching servers are widely deployed in today’s Internet. While cooperation among proxy caches can significantly improve a network’s resilience to denial-of-service (DoS) attacks, lack of cooperation can transform such servers into viable DoS targets. In this paper, we investigate a class of pollution attacks that aim to degrade a proxy’s caching capabilities, either by ruining the cache file locality, or by inducing false file locality. Using simulations, we propose and evaluate the effects of pollution attacks both in Web and peer-to-peer (p2p) scenarios, and reveal dramatic variability in resilience to pollution among several cache replacement policies. We develop efficient methods to detect both false-locality and locality-disruption attacks, as well as a combination of the two. To achieve high scalability for a large number of clients/requests without sacrificing the detection accuracy, we leverage streaming computation techniques, i.e., bloom filters and probabilistic counting. Evaluation results from large-scale simulations show that these mechanisms are effective and efficient in detecting and mitigating such attacks. Furthermore, a Squid-based implementation demonstrates that our protection mechanism forces the attacker to launch extremely large distributed attacks in order to succeed.

13.
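Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are among the main security threats that networks face and have caused enormous economic losses; defense techniques and measures against this class of attack are increasingly active and diverse. This paper studies network simulation technology and its application to DoS/DDoS defense research, focusing on the key techniques of simulating with NS-2, currently the most widely used network simulator, in order to effectively curb DoS/DDoS attacks and lay a foundation for network defense research.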

14.
Anomaly Detection of Application-Layer Flooding Attacks   Total citations: 1, self-citations: 0, citations by others: 1
谢逸  余顺争 《计算机科学》2007,34(8):109-111
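Judging by the trend of recent years, distributed denial-of-service attacks have gradually moved from the lower layers to the application layer, where they are more effective and more stealthy than traditional attacks. To detect flooding attacks launched with legitimate application-layer HTTP requests, this paper treats an application-layer flooding attack as a form of anomalous user access behavior and performs attack detection from the perspective of user browsing behavior. Experiments on real network traffic show that the model can effectively measure how normal a Web user's access behavior is and can detect application-layer DDoS flooding attacks.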

15.
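Analysis of DoS/DDoS Denial-of-Service Attacks and Countermeasures   Total citations: 1, self-citations: 0, citations by others: 1
Denial-of-service attacks have become an important attack method threatening Internet security. This paper starts by analyzing the principle of DoS attacks, then explains the principle of distributed denial-of-service (DDoS) attacks, and finally analyzes how to defend against DoS attacks at both the host level and the network level.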

16.
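Denial-of-service attacks have become an important attack method threatening Internet security. This paper starts by analyzing the principle of DoS attacks, then explains the principle of distributed denial-of-service (DDoS) attacks, and finally analyzes how to defend against DoS attacks at both the host level and the network level.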

17.
陈雷  姜琳  刘新  叶德建 《计算机工程》2010,36(6):146-148
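Based on the interaction process of the streaming-media protocol RTSP, the paper points out that streaming-media services can be subjected to DoS and DDoS attacks and verifies this conclusion experimentally. It proposes a defense scheme against DoS and DDoS attacks on streaming-media services based on location hiding and load balancing, which is of general reference value for currently popular streaming-media applications such as video on demand and IPTV.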

18.
王风宇  曹首峰  肖军  云晓春  龚斌 《软件学报》2013,24(6):1263-1273
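Because attackers use a variety of techniques to hide their attack behavior, DDoS attacks are becoming ever harder to discover, and application-layer DDoS has become one of the main threats facing Web servers. This paper analyzes, at the level of communicating groups, the stability of the external-connection behavior features of Web communication, and proposes an application-layer DDoS detection method. The method uses the CUSUM algorithm to detect shifts in the parameters of the Web group's external-connection behavior and on that basis judges whether a DDoS attack is occurring. Because the external-connection behavior model characterizes the interaction between the Web communicating group and the outside world rather than the behavior of individual users, it is difficult for attackers to evade detection by imitating normal access behavior. The method can not only discover anomalies in the access behavior of the user group but also effectively distinguish burst access from application-layer DDoS attacks. Simulation results show that the method can effectively detect different types of DDoS attack against Web servers.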

19.
Content distribution networks (CDNs) are fundamental, yet expensive technologies for distributing the content of web servers to large audiences. The P2P model is a perfect match to build a low-cost and scalable CDN infrastructure for popular websites by exploiting the underutilized resources of their user communities. However, building a P2P-based CDN is not a straightforward endeavor. In contrast to traditional CDNs, peers are autonomous and volunteer participants with their own heterogeneous interests that should be taken into account in the design of the P2P system. Moreover, churn rate is much higher than in dedicated CDN infrastructures, which can easily destabilize the system and severely degrade the performance. Finally and foremost, while many P2P systems abstract any topological information about the underlying network, a top priority of a CDN is to incorporate locality-awareness in query routing in order to locate close-by content. This paper aims at building a P2P CDN with high performance, scalability and robustness. Our proposed protocols combine DHT efficiency with gossip robustness and take into account the interests and localities of peers. In short, Flower-CDN provides a hybrid and locality-aware routing infrastructure for user queries. PetalUp-CDN is a highly scalable version of Flower-CDN that dynamically adapts to variable rates of participation and prevents overload situations. In addition, we ensure the robustness of our P2P CDN via low-cost maintenance protocols that can detect and recover from churn and dynamicity. Our extensive performance evaluation shows that our protocols yield high performance gains under both static and highly dynamic environments. Furthermore, they incur acceptable and tunable overhead. Finally, we provide the main guidelines to deploy Flower-CDN for public use.

20.
The Denial-of-Service (DoS) attack is a challenging problem in the current Internet. Many schemes have been proposed to trace spoofed (forged) attack packets back to their sources. Among them, hop-by-hop schemes are less vulnerable to router compromise than packet marking schemes, but they require accurate attack signatures, high storage or bandwidth overhead, and cooperation of many ISPs. In this paper, we propose honeypot back-propagation, an efficient hop-by-hop traceback mechanism, in which accurate attack signatures are obtained by a novel leverage of the roaming honeypots scheme. The reception of attack packets by a roaming honeypot (a decoy machine camouflaged within a server pool) triggers the activation of a tree of honeypot sessions rooted at the honeypot under attack toward attack sources. The tree is formed hierarchically, first at Autonomous system (AS) level and then at router level. Honeypot back-propagation supports incremental deployment by providing incentives for ISPs even with partial deployment. Against low-rate attackers, most traceback schemes would take a long time to collect the needed number of packets. To address this problem, we also propose progressive back-propagation to handle low-rate attacks, such as on-off attacks with short bursts. Analytical and simulation results demonstrate the effectiveness of the proposed schemes under a variety of DDoS attack scenarios.
