SOS: An Architecture For Mitigating DDoS Attacks Authors: Angelos D. Keromytis, Vishal Misra, Dan Rubenstein. Published: ACM SIGCOMM 2002 Presenter: Jerome.


1 SOS: An Architecture For Mitigating DDoS Attacks
- Authors: Angelos D. Keromytis, Vishal Misra, Dan Rubenstein
- Published: ACM SIGCOMM 2002
- Presenter: Jerome Harrington

2 Overview
- The main purpose of the paper is to propose a system which can be used to thwart Distributed Denial-of-Service attacks in a proactive manner

3 What’s a DDoS?
- Focuses on specific target or targets
- Floods targets with bogus traffic from many hosts which are likely to be compromised nodes
- Are generally quite difficult to defend against

4 Why so hard to defend?
- Large number of zombie nodes can exhaust resources in a very short amount of time, making quick detection difficult
- Source IP addresses on attack packets are often spoofed, making it impractical or impossible to block traffic from the source
- Backtracing to the origin of the attack requires cooperation from many ISPs and is too time-consuming to be effective

5 What’s the basis for SOS?
- Be proactive, rather than reactive
- Use a distributed, self-healing system to limit the effects of DDoS attacks against the system itself
- Eliminate communication “pinch-points” because they are attractive DDoS targets

6 SOS High Level Architecture
- Somewhat similar to Tor
- [Figure: Top-Level Schematic]

7 SOS Architecture Components
- Secure Overlay Access Points (SOAPs)
- Beacons
- Secret Servlets
- Any physical system can contain any combination of these components

8 SOS Architecture Process
- A SOAP receives traffic from an external source and verifies the traffic as legitimate using an arbitrary means of verification
- The SOAP routes traffic to an easily reachable beacon within the SOS
- The beacon then forwards the packet to a secret servlet node whose identity is known to only a few members of SOS
- The secret servlet forwards the packet to the target

9 SOS Architecture Process
- A filter is placed around the target that only allows traffic from a specific set of secret servlets
- Ideally, the filter should be at the network edge where core routers can handle massive amounts of traffic easily
- Needed filtering rules are minimal and therefore not resource-intensive

10 Routing through SOS
- The system uses a hash-based routing method to provide information on the next hop within the overlay to route traffic to the appropriate beacon and associated secret servlet(s)
- The authors used Chord (from a 2001 ACM SIGCOMM paper) in their implementation
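The forwarding path from slides 8 to 10, as an added example that is not part of the original presentation or the authors' implementation. It assumes the beacon is the ring successor of the hashed target address and uses a global-view successor lookup in place of Chord's finger tables; node names, addresses and the servlet choice are constructed.

```python
import bisect
import hashlib

def ring_id(key: str) -> int:
    """Hash a node name or target address onto the identifier ring."""
    return int.from_bytes(hashlib.sha1(key.encode()).digest(), "big")

class Overlay:
    def __init__(self, nodes, target, servlets):
        self.ring = sorted((ring_id(n), n) for n in nodes)
        self.target = target
        self.servlets = set(servlets)  # the only sources the target's filter allows

    def beacon_for(self, target):
        """Successor of hash(target): first live node clockwise from the key."""
        ids = [i for i, _ in self.ring]
        idx = bisect.bisect_left(ids, ring_id(target)) % len(self.ring)
        return self.ring[idx][1]

    def remove(self, node):
        """Model a node knocked offline; the ring closes around the gap."""
        self.ring = [(i, n) for i, n in self.ring if n != node]
        self.servlets.discard(node)

    def filter_accepts(self, src):
        """Edge filter around the target: allow secret servlets only."""
        return src in self.servlets

    def deliver(self, soap, verified):
        """Return the hop path SOAP -> beacon -> servlet -> target, or None."""
        if not verified or not self.servlets:
            return None                      # SOAP drops unverified traffic
        beacon = self.beacon_for(self.target)
        servlet = sorted(self.servlets)[0]   # assumption: deterministic pick
        return [soap, beacon, servlet, self.target]

def build_demo():
    # Constructed sample overlay: names and addresses are placeholders.
    nodes = [f"node-{i}" for i in range(8)]
    return Overlay(nodes, target="192.0.2.10", servlets=["node-3", "node-6"])

if __name__ == "__main__":
    sos = build_demo()
    print(sos.deliver("node-0", verified=True))
    old = sos.beacon_for(sos.target)
    sos.remove(old)                            # beacon knocked offline
    print(old, "->", sos.beacon_for(sos.target))
    print(sos.filter_accepts("198.51.100.7"))  # direct sender: filtered out
```

Removing the current beacon shows the self-healing property: the next node clockwise on the ring takes over for the same target without any reconfiguration at the filter.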

11 Experimental Results
- Amazingly effective in experimentation!
- Attacks that target approximately 50% of the nodes in the overlay have about a 1 in 1000 chance of causing an actual Denial-of-Service
- Even better as the overlay scales

12 Performance Issues
- The base system takes a considerable performance hit as the system scales up
- A modified system was implemented such that SOAPs do a lookup through the beacon for the address of the secret servlet, cache its location and forward traffic directly to the secret servlet
- This leads to a latency hit of around a factor of 2
- If a node is actually downed, the system can heal itself within 10 seconds

13 Contributions & Strengths
- An intriguing and effective proactive means of defense against DDoS attacks
- Built on lots of previous work, avoiding “reinventing the wheel”
- Written plainly and succinctly; an easy read

14 Weaknesses
- Testing was done in a clean-room environment; it would be interesting to see this in the wild
- Tradeoff in performance versus security regarding caching the location of secret servlets at the SOAP layer

