IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 3, MAY/JUNE

Transcription

1 IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE Mitigating Distributed Denial of Servie Attaks in Multiparty Appliations in the Presene of Clok Drifts Zhang Fu, Marina Papatriantafilou, and Philippas Tsigas Abstrat etwork-based appliations ommonly open some known ommuniation port(s), making themselves easy targets for (distributed) Denial of Servie (DoS) attaks. Earlier solutions for this problem are based on port-hopping between pairs of proesses whih are synhronous or exhange aknowledgments. However, aknowledgments, if lost, an ause a port to be open for longer time and thus be vulnerable, while time servers an beome targets to DoS attak themselves. Here, we extend port-hopping to support multiparty appliations, by proposing the BIGWHEEL algorithm, for eah appliation server to ommuniate with multiple lients in a port-hopping manner without the need for group synhronization. Furthermore, we present an adaptive algorithm, HOPERAA, for enabling hopping in the presene of bounded asynhrony, namely, when the ommuniating parties have loks with lok drifts. The solutions are simple, based on eah lient interating with the server independently of the other lients, without the need of aknowledgments or time server(s). Further, they do not rely on the appliation having a fixed port open in the beginning, neither do they require the lients to get a first-ontat port from a third party. We show analytially the properties of the algorithms and also study experimentally their suess rates, onfirm the relation with the analytial bounds. Index Terms Clok drift, data ommuniation, denial of servie attak, reliability, appliation. Ç 1 ITRODUCTIO ITERET grows rapidly sine it was reated. Via the Internet infrastruture, hosts an not only share their information, but also omplete tasks ooperatively by ontributing their omputing resoures. Moreover, an end host an easily join the network and ommuniate with any other host by exhanging pakets. These are enouraging features of the Internet, openness and salability. However, attakers an also take these advantages to prevent legitimate users of a servie from using that servie by flooding messages to the orresponding server, whih forms a Denial of Servie (DoS) attak. There are several types of suh attaks. An attaker an possibly launh a DoS attak by studying the flaws of network protools or appliations and then sending malformed pakets whih might ause the orresponding protools or appliations getting into a faulty state. An example of suh attaks is Teardrop attak [2], whih is sending inorret IP fragments to the target. The target mahine may rash if it does not implement TCP/IP fragmentation reassembly ode properly. This kind of attaks an be prevented by fixing the orresponding bugs in the protools or appliations. However, the attaker does not always have to do its best to study the servie if it wants to make it unavailable. It an just flood pakets to keep the server busy with proessing pakets or. The authors are with the Department of Computer Siene and Engineering, Chalmers University of Tehnology, SE Göteborg, Sweden. {zhafu, ptrianta, tsigas}@halmers.se. Manusript reeived 23 Feb. 2011; revised 21 De. 2011; aepted 17 Jan. 2012; published online 26 Jan Reommended for aeptane by X. Wang. For information on obtaining reprints of this artile, please send to: tds@omputer.org, and referene IEEECS Log umber TDSC Digital Objet Identifier no /TDSC ause ongestion in the vitim s network, so that the server might not have the ability to handle the pakets from legitimate hosts or even annot reeive pakets from them. In order to deplete the vitim s key resoures (suh as bandwidth and CPU time), the attaker has to aggregate a big volume of maliious traffi. Most of the time, the attaker ollets many (ould be millions) of zombie mahines or bots to flood pakets simultaneously, whih forms a Distributed Denial of Servie(DDoS) attak. Most of the methods that protet systems from DoS and DDoS attaks fous on mitigating maliious bandwidth onsumption aused by pakets flooding, as that is the most simple and ommon method adopted by attakers. Those methods may mitigate DDoS attaks reatively by identifying the maliious traffi and informing the upstream routers to filter or rate-limit the orresponding traffi [3], [4], [5], [6], [7], [8]; they may also mitigate DDoS attaks by deploying seure overlays [9], [10], [11], [12], or by distinguishing the legitimate traffi with valid network apabilities [13], [14], [15], [16]. These solutions are suitable for filtering bandwidth attaks. However, the attaker may hange its strategy and attak an appliation diretly, espeially when the appliation involves omplex omputations. It ould be easier to exhaust its omputational resoures with small volume of messages. Therefore, the maliious traffi against an appliation has usually small volume and it is diffiult to be deteted [17]. Defense methods mentioned above may help, but they might not be effiient and aurate with respet to a ertain appliation, as they lak appliationrelated information. Considering there are numerous appliations, it would be very expensive and impratial for traffi monitors to keep information for every appliation /12/$31.00 ß 2012 IEEE Published by the IEEE Computer Soiety

2 402 IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE 2012 A human analogy for the problem is to ontrast defense against a distinguishable rowd, that an be taken are by army or polie fores, versus protetion from sets of seemingly unoordinated legitimate agents, that intend to attak some unknown target, suh as a person, an enterprise, et. The latter may ertainly want to ensure their own protetion. Therefore, one question is worthy of being investigated: How an network-based appliations defend DDoS attaks by themselves? This question gets even more important onsidering the evolution of appliation overlays, peer-to-peer appliations and appliation-layer networking. When onsidering network-based appliations, a partiularly weak point in this ontext is that they ommonly provide some open port(s) for ommuniation, making themselves targets for DoS attaks. Adversaries that have the ability of eavesdropping messages exhanged by the appliation an identify open ports and launh direted attaks to those ports as opposed to blind attaks that an be launhed to arbitrary ports, even by noneavesdropping adversaries. This problem was also posed earlier in the literature and a simple and useful approah was proposed, namely, port-hopping: the appliation parties ommuniate via ports that hange periodially over time, aording to a pattern known by both the sender and reeiver, suh as a (pseudo)random sequene with ommon seed (f. [18] and our setion on related literature). This method was inspired from the well-known frequeny hopping paradigm used in signal ommuniation protools [19]. The fous in that area is to find the hopping sequenes with the optimal Hamming Correlation Properties [20], [21], [22]. One of the ritial issues involved in port-hopping is synhronizing ommuniation parties. Two main kinds of synhronization mehanisms are presented in the previous work, one is aknowledgment-based and the other one depends on synhronized loks (f. setion on related work). Aknowledgment loss an ause a situation where a port may remain open for a time interval long enough for an eavesdropping attaker to identify and launh a direted attak to it. Having synhronized loks may imply need for synhronization server, whih ould be the weak point in the system. Hene, these imply hallenges for investigation to deploy the method in ommon networking systems, espeially when multiple ommuniation parties are involved. With the synhronization issue in mind, our goals in this work are to support port-hopping 1) in the presene of timing unertainty, i.e., lok-rate drifts, implying that lok values an vary arbitrarily muh with time; and 2) in multiparty ommuniation. In order to deal with hopping in the presene of lok-rate drifts, we propose the Hopping-Period-Alignand-Adjust algorithm, or HOPERAA for brevity, whih is an adaptive algorithm, exeuted by eah lient to adjust its hopping period length and align its hopping time with the server. To enable multiparty ommuniation with porthopping, we propose the BIGWHEEL algorithm for a server to support hopping with many lients, without the server needing to keep state for eah lient individually. The basi idea in both algorithms is that eah lient interats independently with the server and onsiders the server s lok as the point of referene; moreover, the server does not need to maintain a state for eah lient, sine the main responsibility for the oordination is assigned to the lient(s). As in, e.g., TCP, a lient of one session an be a server for another (possibly onurrent) session, hene the solution proposed here fits for symmetri use, though the protool is presented in lient-server type. Aording to the properties of our algorithm, there is no need for group synhronization whih would raise salability issues. Our solution is general, beause the mehanisms and algorithms are only based on the lients and server(s). It an be a omplementary mehanism to the ones against bandwidth attaks. By adjusting the hopping period (i.e., roughly the time that ommuniation ports remain open), the situation that the adversary is able to launh a direted attak to the appliation s ports after eavesdropping is limited. Potential message loss due to the hopping period deviation aused by the lok-rate drifts an be ontrolled by adjusting a parameter in the HOPERAA algorithm. The message overhead for setting onnetions between ommuniation parties is bounded and its average overhead is observed to follow an exponential style of deay. The paper is organized as follows: in Setion 2, we give a detailed definition of the problem and the system model. We ontinue with the desription of the HOPERAA and BIGWHEEL algorithms in Setions 3 and 4, respetively. In Setion 5, we give an analysis on properties of the methods. We validate some of our analysis and give omplementary experimental study in Setion 6. In Setion 7, we disuss some implementation issues. Finally, we onlude in Setion Related Work There are many network-based solutions against DDoS attaks. These solutions usually use routers or overlay networks to filter maliious traffi. A good survey about network-based defense mehanisms against DDoS attaks is presented by Peng et al. [23]. In this paper, we fous on appliation-based mitigation. Badishi et al. [18] propose an ak-based port-hopping protool fousing on the ommuniation only between two parties, modeled as sender and reeiver. The reeiver sends bak an aknowledgment for every message reeived from the sender, and the sender uses these aknowledgments as signals to hange the destination port numbers of its messages. Sine this protool is ak-based, time synhronization is not neessary. But note that the aknowledgments an be lost in the network, and this may keep the two parties using a ertain port for longer time. If the attaker gets the port number during this time, then a direted attak an be launhed under whih the ommuniation an hardly survive. Hari and Dohi present an analysis on the sensitivity of this protool to attaks [24]. To ope with that, Badishi et al. [18] also propose a solution that reinitializes the protool. With reinitializing periodially, the sender and reeiver an use new seeds of the pseudorandom funtion to generate different port number sequenes, so that the port number sequene used for ommuniation is hanged periodially. Thus, even though the attaker an launh the direted attak due to the lost of aknowledgment pakets, the sender and reeiver an ontinue the ommuniation by reinitializing the protool. This reinitialization is based on

3 FU ET AL.: MITIGATIG DISTRIBUTED DEIAL OF SERVICE ATTACKS an assumption that the differene of lok values of the two ommuniation parties is bounded in order to make the sender and reeiver reinitialize around the same time. In this work, we assume that the differenes of lok values an be arbitrary, but the lok rate of eah ommuniation party is onstant. In [18], Badishi et al. also present a rigorous model and analysis of the problem of possible DoS to appliations (ports) by an adaptive adversary, i.e., one that an eavesdrop, as in this paper, too. The analysis, besides the parts that involve the port-hopping protools proposed in that paper, also inludes a part analyzing the effet of the adversary s different strategies for launhing blind attaks. The goal of the attaker is to derease the probability that a lient s message is reeived by the server (it is alled delivery probability in the paper) as muh as possible. The authors showed a lower bound that the attaker annot derease the delivery probability below that. This lower bound is based on the apaity of a port for reeiving messages and also the adversary s ability to flood messages. As those results hold regardless of the appliations s defense mehanism, they arry over any setting, inluding the methods proposed in this paper. Lee and Thing [25] propose another port-hopping sheme for the lient-server mode. In their mehanism, time is divided into disrete time slots. The lients and the server share a pseudorandom funtion to ompute whih port should be used in a ertain time slot. The authors assume that the time offset plus the message delay is bounded by a onstant value l, so there is no time synhronization mehanism needed. Instead, the valid open time of the ommuniation port for a time slot is prolonged both bakward and forward by 1 2 l. This sheme shows the basi idea of the time-based port hopping, but still it is based on synhronized lok values. Similar as port-hopping, Srivatsa et al. [26] propose a lient-transparent approah. This approah uses JavaSript to embed authentiation ode into the TCP/IP layer of the networking stak, so the messages with invalid authentiation ode will be filtered by the server s firewall. In oder to defend the DoS attaks, the authentiation ode hanges periodially. A hallenge server is deployed whose responsibility is issuing keys, ontrolling the number of lients onneted with the server and synhronizing the lients with the server as well. Sine this approah relies on the hallenge server, the protetion of the hallenge server is quite important. The paper mentions that a ryptographi-based mehanism an be used to protet the hallenge server, although this was not disussed in detail. In our work, we do not use any third party for time synhronization. 2 PROBLEM AD SYSTEM MODEL DEFIITIOS We fous on the problem that an adversary wants to subvert the ommuniation of lient-server appliation by attaking their ommuniation hannels or, for brevity, ports. At eah time point, some port must be open at the server side to reeive the messages sent from legitimate lients. At the server side, the size of port number spae is, meaning that there are ports that the server an use for ommuniation. The server and the legitimate lients share a pseudorandom funtion f to generate the port numbers whih will be used in the ommuniation. We assume that there exists a preeding authentiation proedure whih enables the server to distinguish the messages from the legitimate lients. We also assume that every lient is honest whih means any exeution of the lient is based on the protool and lients will not reveal the random funtion to the adversary. The attaker is modeled as an adaptive adversary whih an eavesdrop and attak a bounded number of ports simultaneously. For the purpose of the analysis, we bound the strength of the adversary by Q, meaning that it an attak arbitrarily at most Q ports of the server simultaneously. We also assume that when the adversary attaks a ertain port of the server then this port annot reeive any message from the lients. As mentioned in the related work setion, Badishi et al. [18] presented an analysis about the effet of adversary s different strategies when it launhes blind attaks that disable open ports only partially. We do not elaborate on this again. The adversary an get the number of the port being used from the lients messages by eavesdropping, however it takes some time to get this information and get ready to launh the direted attak to the port; we model this as the exposure delay and bound it by E time units. So by hanging the ommuniations ports, one an limit the adversary s ability to launh direted attaks effetively (see Lemma 3). Unlike previous work s assumptions about time synhronization, we assume that eah ommuniation party has its loal lok, and the lok rate of eah loal lok is onstant. We use the server s lok as the standard one; eah lient s lok drift is defined as the ratio between its own lok rate and the server s lok rate. We use to denote the lok drift of lient C. We have to emphasize that in this paper every time variable is related to the server s lok unless otherwise stated. If the server s lok value is t, we use h ðtþ to denote the lok value of lient C. Sine our solution mitigates DoS attaks at the appliation layer, it annot defeat the bandwidth-based attaks. So following the assumptions of previous work [18], [26], we also assume that the network is always available meaning that there are no bandwidth-based attaks. However, the network may lose messages. Finally, for the analysis, we assume the maximum delivery lateny for messages is. This an be a onfigurable parameter of the protool, depending on the deployment (see Setion 7 for a disussion of this issue). 3 PROTOCOL FOR SIGLE CLIET CASE We first present the protool for ommuniation between a single lient (denoted by C) and a server (denoted by S). In the subsequent setion, we desribe the BIGWHEEL algorithm that enables multiparty ommuniation. Without loss of generality, one server is onsidered throughout the presentation for readability issues. For the situation of multilient and multiserver, lients and servers follow the algorithms for the lients and servers, respetively. 3.1 Overview Roughly speaking, the whole port hopping mehanism onsists of three parts: the ontat-initiation part, the data transmission part, and the resynhronization/adjustment part whih is ontrolled by the Hopping Period Alignment and Adjustment (HOPERAA) algorithm.

4 404 IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE 2012 What is ahieved basially by the lient C in the ontatinitiation part is 1) C has sueeded in finding the first port to ontat S, without the need of having S keep some wellknown ports open, nor C relying on a third party to get the port information; and 2) C gets the seed from S for the pseudorandom funtion to ompute the port sequene. After the ontat-initiation part, the appliation data from C to S is sent out to the open ports of S that hange every L time units of S s lok, orresponding to L time units in C s lok (initially L ¼ L). Sine C s lok has a drift related to S s lok, if they have different lok rates, then the lengths of their hopping periods will deviate from eah other. This would result in message loss, due to the fat that C may send messages to some of S s ports whih have been losed or have not been opened yet depending on whether C s lok runs slower or faster than S s lok, respetively. To solve this, C exeutes the HOPERAA algorithm to adjust its hopping period. Roughly speaking, S and C attah timestamps in the ontatinitiation messages during the ontat-initiation part and the Hopping Period Alignment and Adjustment part. C uses the timestamps to estimate its lok drift. Aording to the estimation, C deides the next time to run the HOPERAA algorithm. C also adjust its hopping period aording to the estimation to deal with its lok drift and thus avoid sending messages to losed ports. In the following setions, we desribe in detail all the parts of the protool. Before that, let us give some auxiliary definitions. Definition 1. The open ports in the server side for reeiving the data messages from the lient are alled worker ports. The open ports in the server side for reeiving the ontatinitiation messages from the lient are alled guard ports. 3.2 Contat-Initiation Part To enable C to initiate ontat with S without having S listen at a well-known port and without relying on a third party, we propose the algorithm desribed below. Algorithm 1. Algorithm for lient C in the initiation stage reply false T send, T arrive / T send and T arrive store the sending time and the arrival time of the first ontat-initiation message reeived by the server. One their values are given, they will not be hanged. / - sending ontat-initiation messages: while reply ¼ false do I seletði i ji 2f1; 2;...;kgÞ / randomly selet an interval of port numbers / for all p i 2 I do timestamp Time now sendhinit; timestampi / Send one ontat-initiation message to eah of the ports in the hosen interval. / end for waitð2 þ LÞ end while - reeiving reply message: reeivehremsg; ; ; timestamp; h ðt 1 Þ;t 2 i / timestamp is the sending time of this reply message, whih is t 3 in Formula 1. h ðt 1 Þ is the timestamp of the orresponding ontat-initiation message reeived by the server, and t 2 is the arriving time of the same message. They will be stored later by the lient for estimating its lok drift. See Setion 3.4 and Lemma 4. / if reply ¼ false then reply ¼ true if this is the first time of exeuting ontat-initiation proedure then T send h ðt 1 Þ T arrive t 2 end if exeute the HOPERAA algorithm / The pseudoode for the HOPERAA algorithm is given in Algorithm 4 / start sending data end if The server divides the range of port numbers into k intervals evenly and opens k different guard ports at the same time, one guard port per one interval, and hanges them every time units but still keeps one open guard port in eah interval. Here, we assume that k an divide. ote that k is a parameter in the system, whose value is known by the server and the lient. C sends ontat-initiation messages to all the ports in an interval whih is randomly hosen. When S reeives a ontat-initiation message, it replies with the seed for the pseudorandom funtion f and the index for omputing the next worker port. The server will send this reply message when the next worker port is open whih will happen in at most L time units. Sine the network may lose messages and open ports an be disabled by the adversary, C may not get the reply from S. To save bandwidth, instead of keeping on sending ontat-initiation messages, C will set a timeout for waiting the reply message. The timeout is set to 2 þ L time units, taking into aount the message round trip time and the waiting time by the server to send the reply. If C does not reeive a reply until it reahes the timeout, it will hoose another interval of port numbers and send ontat-initiation messages again until it gets the reply. In Setion 5, we will show the bound of the expetation of how many trials C would make to get the reply from S. The algorithms for C and S in the initiation stage are shown in Algorithms 1 and 2, respetively. Algorithm 2. Algorithm for server S in the initiation stage - reeiving ontat-initiation message: reeivehinit; timestampi h ðt 1 Þ timestamp t 2 Time now wait until next worker port p i opens timestamp Time now sendhremsg; ; ; timestamp; h ðt 1 Þ;t 2 i / t 2 and h ðt 1 Þ are sent bak to the lient to estimate its lok drift. See Setion 3.4 and Lemma 4. / 3.3 Sending the Appliation Data In this stage, C sends data messages to the worker ports of S. After C gets the reply from the server in the ontat-initiation part, C has the seed for the pseudorandom funtion f to generate the sequene of the worker ports. The open interval

5 FU ET AL.: MITIGATIG DISTRIBUTED DEIAL OF SERVICE ATTACKS Fig. 1. Worker ports open interval with overlap. of the worker ports is L þ time units, where L>. The new worker port will be opened time units earlier than the losing time of the old one, as shown in Fig. 1. When S reeives the ontat-initiation messages from C, it will send the reply message at the time when the next worker port is opened, and the integer has the value for generating the next worker port. When C gets the integer from S s reply, it will send the data messages immediately to the port omputed from f ð; Þ. C has a timer T whih will be assigned to 0 when C reeives the reply message from S. T inreases at the same rate as the loal lok of C. The destination port number of the data messages will be reomputed when T ¼ il, at every i 2 I. ote that it might be that the worker port ollides with one of the guard ports, and the server an distinguish the ontat initiation messages from data messages. Sine there exists delivery lateny, some messages that are sent to port p i (the ith port in the hopping sequene) may arrive when p i is losed. In our model, if there is no time drift then messages that are sent during the interval ½ði 1ÞL; il Š should arrive at p i when p i is open (otherwise we onsider them being lost). Messages sent in the interval ½iL ; ilš may arrive when p i is losed. So these message will be sent both to p i and p iþ1. Algorithm 3 shows the pseudoode of lient s behaviors in data transmission stage. Algorithm 3. Algorithm for lient C in data transmission stage P old f ð; Þ P new f ð; ð þ 1ÞÞ / P old is the destination port in the urrent period, and P new is the destination port for the next period. / - sending data messages while has more data to send do sendhdata; P old i if il T il then sendhdata; P new i end if end while - hanging the destination port if ft ¼ ilg then P old P new end if P new f ð; ð þ i þ 1ÞÞ Fig. 3. Client s lok is faster than the server, whih means > Adaptive Hopping Period As mentioned in Setion 2, lient C has a onstant lok drift related to the server. It may happen that in the data transmission stage, the hopping time of C will drift apart from the server s. This might ause C to send messages to a port that is already losed or is not opened yet, depending on whether C s lok is slower or faster than S s. Figs. 2 and 3 illustrate the two situations, respetively. In both figures, the server hops the ports every L time units and the lient also hops the destination port number every L time units ounted by its own lok, whih orresponds to L 0 time units in the server s lok. The deviation between L and L 0 in both ases (where > 1 and < 1) isj 1 jl. From Figs. 2 and 3, we an see that the deviation of hopping times in the same period grows linearly with the number of periods. Growth of deviation of hopping times would imply more message loss, so C has to align the hopping time at adaptively hosen time intervals, to ontrol the phenomenon. These are alled the HOPERAA exeution-intervals. In partiular, if the lient s lok is slower than the server s, whih means < 1, and if we want to keep the offset of the losing times ounted by the server and the lient of a worker port within time units, then the HOPERAA exeution interval is 1. If the lient s lok is faster than the server s whih means > 1, and we want to keep the offset of the open times ounted by the server and the lient of a worker port within time units, then the HOPERAA exeution interval is 1. However, the lient has no idea about its lok drift. We suggest a method that exhanges messages (whih are piggybaked) with information about the sending and reeiving times (timestamped with loal lok values) between C and S, to estimate the lok drift. This is illustrated in Fig. 4. The proedure of the HOPERAA algorithm is desribed below, and the pseudoode is given in Algorithm 4.. The HOPERAA exeution interval is initiated to 0. In the ontat-initiation part, every ontat-initiation message and reply message will be attahed with the timestamp of its sending time. The reply message also inludes the timestamp h ðt 1 Þ and the arrival time t 2 of the first ontat-initiation message reeived by the server. When the lient reeives the reply message, it will store h ðt 1 Þ and t 2 and keep their values unhanged. Fig. 2. Client s lok is slower than the server, whih means < 1. Fig. 4. Messages exhange with timestamps and the assoiated time points.

6 406 IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE When C exeutes HOPERAA, it will exeute the same operations as in the ontat-initiation part, the server will add a timestamp of the sending time to every reply message, say t 3. The lient will reord the arrival time of the reply, say h ðt 4 Þ. Then, C bounds its lok drift as h ðt 4 Þ h ðt 1 Þ t 3 t 2 þ 2 h ðt 4 Þ h ðt 1 Þ : ð1þ t 3 t 2 We use l and u to denote the lower and upper bound of, respetively. In the analysis setion, Lemma 4 will show the orretness of Formula 1; we will also show that every time C estimates its lok drift, it will get a better bound than the one it got from the previous estimation.. If both the lower bound and the upper bound are greater than one, that is, 1 l u, then adjust L to L l, and the HOPERAA exeution interval is set to ul u l.. If both the lower bound and the upper bound are smaller than one, that is, l u 1, then adjust L to L u, and the HOPERAA exeution interval is set to ul u l.. Otherwise, do not hange L, and the HOPERAA exeution interval is set to minf l 1 l ; u u 1 g. Algorithm 4. The HOPERAA algorithm / This proedure is alled in Algorithm 1, and this pseudoode should be plug in the subroutine reeivehremsg; ; ; timestamp; h ðt 1 Þ;t 2 i in Algorithm 1. / -HOPERAA proedure: t reply u the arrival time of ReMsg t reply T send timestamp T arrive / where timestamp is the timestamp inluded in the ontat-initiation reply message ReMsg / l t reply T send timestamp T arriveþ2 if 1 l u k l u 1 then Interval u l HoPerAA u l if 1 l u then L L l else L L u end if else Interval HoPerAA minf l 1 l ; u g u 1 end if Call Algorithm 1 at time ðtime now þ Interval HoPerAA Þ Before C adjusts L, it has to know whether its lok rate is faster or slower than the server s, otherwise it has no idea whether to shorten L or prolong L. Intuitively, if the lok drift of C is big then it takes few rounds of drift estimation to let C make the adjustment to L, sine the influene of the message delivery lateny is relatively small. If the lok drift is very lose to 1 then it may take more rounds to let C make the deision. Consider an extreme example that the lok drift is equal to 1 meaning that the lient s lok rate is equal to the server s, then the lient an never know whether its lok rate is faster or slower than the server. But sine the bounds of the drift improve monotonially, (f. Setion 5) the HOPERAA exeution interval keeps growing (exponentially, f. Setion 6) with the number of HOPERAA exeutions. This means that the lient does not have to do the alignment of the hopping time (whih is HOPERAA exeution) frequently. The message and time overhead involved in the HOPERAA exeutions will be amortized within the big HOPERAA exeution intervals. 4 SUPPORTIG MULTIPLE CLIETS The extension to multiple lients per server is based on a simple idea: sine eah lient onsiders the server s lok as the referene lok, it an interat with the server independently of the other lients. For salability reasons it is desirable that the server has more than one worker ports open in eah time period (but still a small onstant number of those), so as to balane the load among them. Moreover, by having the same hopping period but different phases in the orresponding hopping sequenes, suh a method an manage to bound better the time it takes for eah lient to initiate ontat with the server. As the name also suggests, the BIGWHEEL algorithm, aiming at meeting the aforementioned goals, funtions as the Big Wheel rides at amusement parks: lients queue for the next available ompartment. Here eah ompartment represents a hopping sequene; ompartments are deployed in a way that aims at balaning the load among them and also at minimizing the lients waiting times to initiate ontat with the server. The proedure is desribed in detail below. Algorithm 5. Algorithm for server S using multiple hopping sequenes. Buffer B stores reply messages that are waiting to be sent. - reeiving ontat-initiation message: reeivehinit; timestampi h ðt 1 Þ timestamp t 2 Time now / p i j is the ith port number in hopping sequene j. Suppose its open time is the losest to the urrent time. / j seed for hopping sequene j the orresponding index value for p i j in hopping sequene j put the reply message ReMsg; j ; ; timestamp; h ðt 1 Þ;t 2 into buffer B - sending reply messages: whenever a new worker port is opened send all the reply messages in buffer B to the orresponding lients Clear B Consider a simple big wheel with one ompartment, whih orresponds to the situation that the server only opens worker ports aording to one hopping sequene. In this setting, sine every lient uses the same pseudorandom funtion to generate the destination port number, one worker port has to reeive the messages from all the ative lients. Moreover, when the server reeives a ontatinitiation message, it will not send its reply (so that the lient starts its periods in-syn with S) until the next worker port is open, whih inreases the lient s waiting time by at most L time units. In order to afford more

7 FU ET AL.: MITIGATIG DISTRIBUTED DEIAL OF SERVICE ATTACKS Fig. 6. Arrival duration overs hanging periods of guard ports. Fig. 5. The open intervals of port p i 0, pi 1, and pi 2. lients and also derease the maximum waiting time for a lient, the server will open worker ports aording to multiple hopping sequenes. These sequenes an be generated by the same pseudorandom funtion but with different seeds. For example, sequene i uses seed i. Suppose there are W 2 values for (i.e., we have W ompartments in the big wheel). It means that S supports W hopping sequenes. Let us use p i j to denote the ith worker port in the jth port number sequene, where 0 j W 1. The server will hange the worker ports aording to eah sequene in the following way: if the open time of port p i 0 is t i then the open time of port p i j is t i þ jl W. The open interval of every worker port is still L þ. Fig. 5 shows the situation when W ¼ 3 and the open time of p i 0 is t. Based on this mehanism, when the server reeives a ontat-initiation message from a lient, it will send the reply at the losest opening time of a worker port, inluding the seed for the orresponding sequene. A pseudoode is shown in Algorithm 5. By using multiple port number sequenes, the maximum waiting time for a lient in the ontat-initiation part an be dereased to 2 þ L W time units. 5 AALYSIS OF THE PROTOCOL We start with some auxiliary definitions whih are useful in this setion.. We say a lient gets a suessful aess to the server, when at least one of its ontat-initiation messages is reeived by the server.. A ontat-initiation trial is a trial by a lient to get the server s reply in the ontat-initiation part. It begins when a lient randomly hooses an interval of the port spae and sends a ontat-initiation message to eah of the ports in that interval and ends when the lient reeives a reply message from the server or reahes a time-out of waiting.. We say that the adversary launhes a blind attak if the adversary arbitrarily hooses and attaks Q ports of the server simultaneously.. If the adversary knows the ports that are urrently used by the server, it will send maliious messages to attak those ports diretly. We say that the adversary launhes a direted attak. First, we analyze the ontat-initiation part of the protool. Sine the guard ports annot be fixed, the server has to hop guard ports but in a range smaller than. ote that if we fix this range then the adversary an learn it from the ontat-initiation messages of the lient (beause the lient always send ontat-initiation messages to that range) and then launh a direted attak to the appliation s open port(s). In our protool, we divide the port number spae into k intervals, I i ¼fp j ji k j ði þ 1Þ k 1g, i ¼ 0; 1; 2;...;k 1. Sine a lient has no idea whih port is open as the guard port in I i, it sends ontat-initiation messages to every port in the interval it hooses and expets the server an reeive one of them. In the presene of delivery lateny and guard ports hanging, the ontat-initiation message sent to the urrent guard port of the hosen interval may miss the port. Then, we say this ontat-initiation trial fails. We will show how to bound this probability and give a orresponding experimental result in Setion 6. Lemma 1. If the adversary launhes a blind attak, the probability that it disables the guard port in the interval hosen by the lient in the ontat-initiation part is Q, even if the adversary knows the partition of the ports spae. Proof. Suppose the adversary knows the partition, and it disables q i ports in interval I i, i ¼ 0; 1; 2;...;k 1. Sine we have k intervals, and every interval has =k ports, the probability that the adversary disables the guard port in the interval hosen by the lient, say I 0,is X k 1 i¼0 Pr½I i ¼ I 0 Š¼ Xk 1 1 k q i ¼ i¼0 k P k 1 i¼0 q i : Sine P k 1 i¼0 q i ¼ Q, the probability is Q. If the adversary does not know the partition, then it will attak arbitrary ports, so the probability that the guard port is under attak is Q. tu Based on Lemma 1, we will give a lower bound on the probability that one ontat-initiation trial an lead to suessful aess. Lemma 2. Suppose the adversary launhes a blind attak, and the size of the port spae is, and there is no message loss during the transmission but there exists delivery lateny, then the probability that one ontat-initiation trial an lead to suessful aess is at least 1 ð 1 e ÞF, where F ¼ Q is the fration of nondisabled ports. Proof. Set V be the number of ports in one interval. In one ontat-initiation trial, the lient will send V messages to the interval it hooses, one message to one port in that interval. As shown in Fig. 6, the arrival duration of those V messages may over hanging periods of the guard ports. We use p i, 1 i to denote the guard port for period i, and use v i to denote the number of ontatinitiation messages that arrive at the server side within period i. We assume that eah v i > 0, sine if v i ¼ 0, the probability that p i reeives the message sent to it will be definitely zero. The probability that the server does not reeive any ontat-initiation message is

8 408 IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE 2012 Pr½trial failsš ¼ i¼1 Pr ½ p idoes not reeive the messageš ¼ i¼1ð Pr d þ Pr l Pr d Pr l Þ; where Pr d is the probability that p i is disabled by the adversary, Pr l is the probability that the message sent to p i does not arrive within period i. So we have Pr½trial failsš ¼ Q i¼1 þ V v i Q V V v i V ¼ i¼1 1 ð QÞv i : V Using the method of Lagrange multipliers, we know that Pr½trial failsš has the maximum value when v 1 ¼ v 2 ¼¼v ¼ V. So we have! Q Pr½trial failsš 1 Q ¼ 1 1 ð QÞ : Q Sine we know that funtion ð1 1 x Þx is a monotonially inreasing but bounded funtion when x>0, and the limit is 1 e when x!þ1, where e is the mathematial onstant and e 2:72. Hene, we have Pr½trial failsš 1 F ; e F ¼ Q ; then it is obvious to see that the probability that one ontat-initiation trial an lead to suessful aess is at least 1 ð 1 e ÞF. tu Corollary 1. The expetation of the number of ontatinitiation trials is at most. The expetation of the 1 1 ð 1 e number of ontat messages used ÞF in the ontat-initiation part by one lient is at most k 1, where k is the 1 ð 1 e number of intervals in the port spae. ÞF Reall the assumption that the adversary an do eavesdropping and launh direted attaks to the open ports, but this takes it E time units from the time it gets a data message from the lient. Our protool aims at keeping the open interval of the worker ports smaller than E. But sine that some lient s lok may be faster than the server, and an send messages to a worker port before it is opened, as a result, the adversary ould get the worker port number before the orresponding port is opened. However, the adversary annot get the port number more than time units earlier than the port s opening time, sine the lients will exeute HOPERAA algorithm to align the hopping period to keep itself not drift apart from the server more than time units. So we get the following. Lemma 3. If E>Lþ þ, then the adversary annot launh a direted attak to an open worker port of the protool in this paper. The next lemma shows the orretness of Formula 1 used in HOPERAA to estimate the lok drift. Lemma 4. Suppose we use server s lok as the referene lok, and onsider that the lient sends message M 1 at time t 1 with the timestamp h ðt 1 Þ and the message is reeived by the server at time t 2. Consider also that the server sends later one message M 2 at time t 3 with timestamp t 3, whih is reeived by the lient at time t 4 orresponds to time h ðt 4 Þ aording to the lient s lok. Then, we have h ðt 4 Þ h ðt 1 Þ t 3 t 2 þ 2 h ðt 4 Þ h ðt 1 Þ t 3 t 2 ; where is the lient s lok drift related to the server s lok, and the maximum of the message delivery lateny. Proof. Consider Fig. 4. Aording to the lok drift definition, we have ¼ðh ðt 4 Þ h ðt 1 ÞÞ=ðt 4 t 1 Þ¼ h ðt 4 Þ h ðt 1 Þ ; t 3 t 2 þ d 1 þ d 2 where d 1 and d 2 are the delivery latenies of M 1 and M 2, respetively. Sine 0 d 1 þ d 2 2, the lemma follows. tu From Lemma 4, we an see that the influene of the message delays on the lok drift estimation will derease when the value of t 3 t 2 is inreased, i.e., as the exeution evolves and the lient C has repeated the HOPERAA algorithm several times. In our protool, the lient keeps h ðt 1 Þ and t 2 unhanged, so t 3 t 2 is equal to the time elapsed from the first initiation. Hene, the value of t 3 t 2 used in every HOPERAA exeution will be greater than the value used in the previous HOPERAA exeution. Hene, the upper and lower bounds of will onverge to the real value of as the exeution progresses. Lemma 5. Using the HOPERAA algorithm, onsider the lient starts sending data messages to port p at time t and hanges the destination port at time t 0. Then, t will not be time units (using the server s lok as the referene lok) earlier than the orresponding opening time of port p by the server, and t 0 will not be time units later than the orresponding losing time of port p by the server. Proof. Suppose the lient s lok drift is. Then, the lient uses 1 time units to ount 1 time unit, i.e. the differene is j1 1 j. So if the lient wants to keep hopping times not drifting time units away from the server s, the HOPE- RAA exeution interval should be whih equals to j1 1 j j1 j. Sine l u, we have j1 j min l j1 l j ; u : j1 u j The lient uses minf l j1 l j ; u j1 u jg as the HOPERAA exeution interval, so the lient s hopping times will not drift away from the server s time units. If the lient knows that its lok drift is bigger than 1, whih means u l 1, it will hange the hopping period to L l, whih is l L time units aording to the server s lok. Then, the differene between the length of the server s hopping period and the length of the lient s hopping period is ð1 l ÞL. So the HOPERAA exeution interval should be l, and the lient uses 1 l u l u l ð1 l ÞL L l whih equals to

9 FU ET AL.: MITIGATIG DISTRIBUTED DEIAL OF SERVICE ATTACKS as the HOPERAA exeution interval. Sine u l u l l 1 l the differene of the hopping times of the lient will not drift time units away from the server s. If the lient knows that its lok drift is smaller than 1, whih means 1 u l, it will hange the hopping period to L u. Then, the differene between the length of the server s hopping period and the length of the lient s hopping period is ð u 1ÞL. So the HOPERAA exeution interval should be ð u 1ÞL L u whih equals to u u 1, and the lient uses u l u l as the HOPERAA exeution interval. Sine u l u l u u 1, the differene of the hopping times of the lient will not drift time units away from the server s. tu ext, we fous on the analysis of the BIGWHEEL algorithm. We give bounds of the expetation of the number of worker ports being open at the same time, and show the probability that at least one of them is under attak when the adversary launhes a blind attak. Lemma 6. If we have W port hopping sequenes in the system, and let w denote the number of worker ports being open at the same time, then the expetation of w an be bounded by the following formula: 1 1 W E½wŠ 1 1 2W ; where is the size of the port spae. Proof. Given a speifi time point, the probability that port p i is opened by a speifi hopping sequene is 1. Sine eah sequene opens ports independently, the probability that port p i is not opened by any hopping sequene is ð1 1 ÞW. Let A i, i 2f0; 1;...; 1g denote the event that port p i is open at a speifi time point. The expetation of the number of worker ports being open at the same time is E½wŠ ¼ X 1 Pr½A i Š¼ 1 1 W : i¼0 Remember that the open intervals of the old worker port and the new worker port in a sequene have an overlap, hene the number of sequenes for whih server opens worker ports an be regarded as at least W and at most 2W. Hene, we have 1 1 W E½wŠ 1 1 2W : ut Lemma 7. Suppose the adversary launhes a blind attak, and it an disable Q ports simultaneously. If w worker ports are open at the same time, then the probability that at least one of the worker ports is under attak is, 1 ð w Q Þ ð Q Þ ; where is the size of the port number spae. Proof. Sine the probability that none of the worker ports are under attak is ð w Q Þ=ð QÞ, the lemma follows. tu In the BIGWHEEL algorithm, one ommuniation port might be kept open ontinuously by different hopping sequenes or even by the same sequene. We study the situation that a speifi port is kept open ontinuously by multiple hopping sequenes. For the sake of the simpliity of analysis, we assume that there is no overlap between the open intervals of two neighbor work ports in the same hopping sequene, and the open interval of eah worker port is L time units. Suppose at time t ¼ 0 one sequene opens port p as the worker port. Aording to the BIGWHEEL algorithm, for every time t ¼ i L W ;i2 Zþ, there is one sequene opens a worker port. It is observed that in order to keep port p ontinuously open as a worker port, at least one of the worker ports that open at time t ¼ i L W ;i2f1; 2;...;Wg, should be p. Based on this observation, if a speifi port is open as a worker port, then we an ompute the probability that this port is kept open ontinuously for a given length of time. Lemma 8. In the BIGWHEEL algorithm, suppose that a speifi port, say port p, is open as a worker port, the probability that p is open ontinuously for IL time units, IL >Lor more, is at most RðW;b WIL L ; 1 Þ, where Rðx; y; zþ is the following reursive funtion (where x and y are positive integers and z 2ð0; 1Þ) 8 < 1; y < x; Rx;y;z ð Þ ¼ : z Xx i¼1 Rx;y ð iþð1 zþ i 1 ; y x: We all the result of RðW;b WIL L ; 1 Þ Continuous Open Probability. Proof. Without loss of generality, suppose port p is open as a worker port at time t ¼ 0, in order to prevent p from being kept open ontinuously longer than L time units, all the worker ports that open at time t ¼ i L W ; i 2f1; 2;...;Wg, should not be p. During IL time units, there are b IL L¼b WIL W L worker ports open. We an order these worker ports aording to their open times and form a sequene ( ) S ¼ p L ;p2l W W ;...;p : WIL L L W In order to keep port p open for IL time units, there must not exit onseutive W ports that are not p in sequene S; in other words, p annot be open for IL time units, iff in sequene S there exist at least W ports that are not p. ow, the omputation of the orresponding probability is the same as the omputation of the reliability of a onseutive-k-out-of-n:f system. A onseutive-k-out-of-n:f system onsists of n linearly ordered omponents and the system fails if and only if at least k onseutive omponents fail. The reliability of a suh system an be ð2þ

10 410 IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE 2012 TABLE 1 Continuous Open Probability omputed using a reursive funtion Rðk; n; pþ [27] defined as Funtion 2, where p is the probability that a omponent does not fail (assuming that every omponent fails independently and they have the same fail probability). Here, p is the probability that a worker port is port p, whih is 1. In Funtion 2, we use x; y; z as the parameters to prevent reusing of the terms. tu Sine Funtion 2 is a reursive funtion, it is not obvious to see the relation between the result and the parameters. In Table 1, we show the values of ontinuous open probability under different settings of parameters. We hoose ¼ 10;000, meaning the probability that a sequene open 1 a speifi port as the worker port is 10;000. Table 1 shows that bigger ontinuous open time IL leads to smaller ontinuous open probability; also having more hopping sequenes leads to higher ontinuous open probability for a speifi IL, but the probability is still with very small. 5.1 Overhead Indued by the Mehanism The overhead of the proposed method onsists of message and time omplexity in the ontat-initiation part, time spent for exeuting HOPERAA, pakets lost due to lok drift. These three kinds of overhead will be studied in three experiments in Setion 6. The first two types of overhead have been studied in this setion. When a lient exeutes the HOPERAA algorithm, it performs the same operations as in the ontat-initiation part. Hene, following Corollary 1 the expeted message overhead of HOPERAA is also k 1 1 ð 1 e messages for every time that it is exeuted. In Setion 6, we ÞF will see that the HOPERAA exeution interval beomes signifiantly longer as the exeution evolves. Hene, the amortized overhead beomes smaller in the ourse of the exeution. 6 EXPERIMETAL STUDY To further study the properties of our protool, we basially ondut three experiments. These experiments validate some of the analytial results and give omplementary measures that are not inluded in the analytial evaluation due to the subtle and omplex relations of different parameters. In partiular, we show. The average number of ontat-initiation trails that a lient has to do under different parameter settings, whih onforms to the estimation given in the analysis setion.. The growth of HOPERAA exeution interval, whih onforms to the algorithm for estimating the lient s lok drift.. The message overhead for initializing the ommuniation an be amortized within a long time sale due to the growth of the HOPERAA exeution interval. Fig. 7. The average number of ontat-initiation trials in one ontat initiation part, where ¼ f1;000; 5;000g milliseonds, and lient sending rate is 1 message per milliseond. The messages lost due to the lok drifts an be ontrolled by adjusting parameters in the protool. In the experiments, we assume that the appliation that uses the proposed port hopping mehanism uses UDP as transmission protool. On setting up the experiments, we follow the system model desribed in Setion 2. The first set of experiments simulate the ontat-initiation part. The experiment is done using two 3 GHz Intel Pentium 4 mahines, one ats as the server, and the other one ats as the lient. There is no paket loss in the network during transmission. We hoose ¼ 65;536, and k ¼ 64, whih translates to 64 intervals in the port spae, eah interval having 1,024 ports that an be used. We vary the strength of the adversary from Q ¼ 10;000 to Q ¼ 50; The hanging period of the guard ports is assigned to 1,000 and 5,000 milliseonds, meaning that ¼f1;000; 5;000g. For eah parameters setting of Q and, we let the lient perform 50 repetitions of the ontat-initiation part, and then reord the number of trials of eah ontat-initiation part. We ompute the average number of trials that a lient has to perform over all these ontat-initiation phases. Fig. 7 shows both the experimental outome and the upper bound of the expetation omputed in Corollary 1. It is observed that the average number of trials grows with Q, but we an see that even for Q ¼ 50;000, the average number of trials during the ontat-initiation part is still not high (4.2 trials when ¼ 1;000 milliseonds). Regarding the average time spent in the ontat-initiation part, we take the situation of Q ¼ 20;000 as an example, where the average number of trials is around 1.5. Sine the lient needs about one seond to send the ontat-initiation messages in eah trial, and then waits 2 þ L ¼ 1;200 ms for the reply, the average time spent in this part is about 3.3 seonds. In our experiment, in eah trial the lient sends 1,024 ontat-initiation messages, eah having 40 bytes, so the average bandwidth onsumed by the lient is about 145 kbps. 1. In our experiments, the inoming bandwidth of the server is 10 Mbps. In order to simulate that the adversary an disable, e.g., 50,000 ports ompletely without ongesting the network, we modify Iptables (it is like a firewall) of the server, and drop the legitimate pakets to the ports of, e.g., from 1 to 50,000. So only the legitimate pakets with the destination port numbers that are not overed by the filtering rules of Iptables an be delivered to the appliation layer.

11 FU ET AL.: MITIGATIG DISTRIBUTED DEIAL OF SERVICE ATTACKS Fig. 8. The length of HOPERAA exeution interval grows with the number of HOPERAA exeutions. In the seond set of experiments we study how the HOPERAA exeution interval grows (i.e., the protool overhead dereases) with the number of exeutions of the HOPERAA algorithm under different values of lok drift. In the experiment, ¼ 0:3L and 2f0:7; 0:9; 1:1; 1:3g. As shown in Fig. 8, in most ases, the lient will know whether its lok rate is faster or slower than the server s after exeuting HOPERAA three times, then it will adjust its hopping period. In Fig. 8, we an see that the HOPERAA exeution interval grows exponentially with the number of HOPERAA exeutions. In partiular, after eight exeutions the lient an keep sending data messages for more than five minutes, and after 10 exeutions the lient an keep sending data messages for almost half an hour. So the message overhead for initializing ommuniations and aligning hopping periods is amortized within this long time sale. The last set of experiments study the effetiveness of HOPERAA with respet to the reeiving perentage whih is the perentage of data messages reeived by the server during data transmission parts. We hoose Q ¼ 0 (i.e., the reeiving perentage is only affeted by HOPERAA); the lok drift of the lient is 2f0:6; 0:7; 0:8; 0:9; 1:1; 1:3; 1:5g; and are hosen as 2f0:1L; 0:2L; 0:3Lg and ¼ f100; 40g ms. For eah value ombination of and, we let the lient exeute 10 times the HOPERAA algorithm and we reord the perentage of the messages reeived by the server. The results of this experiment are shown in Figs. 9 Fig. 10. The reeiving perentage of the server; is set to 40 milliseonds. and 10. We an see that the perentage of messages reeived is very high (above 95 perent) when < 1 and ¼ 100 ms; when > 1 and ¼ 40 ms, the perentage of messages reeived is also very high (around 95 perent). The lowest reeiving perentage in Fig. 9 is lose to 90 perent, while the reeiving perentage for all the ases in Fig. 10 is above 90 perent. It is observed that the reeiving perentage is dereased when is inreased. This beause bigger means to bigger deviation between the hopping times of the lient and the server, whih leads to more lost messages during transmission. Atually, the expeted reeiving perentage is ð1 2L Þ, e.g., if ¼ 0:3L, then the expeted reeiving perentage is 85 perent. From Figs. 9 and 10, we an see the experiment result is better than what is expeted. The reason for getting better performane is that the lient uses l u u l as the HOPERAA exeution interval. From the proof of Lemma 5, it is shown that this value is smaller than the expeted one whih is l l for > 1 and u u for < 1. This means that the lient will pause the message sending proess (in order to exeute the HOPERAA algorithm) before the hopping time offset reahes time units. As shown in Fig. 9, when < 1 the above phenomenon is even more prominent. This is beause the lient uses Formula 1 to ompute the upper and lower bounds of its lok drift and the results are influened by the message delivery lateny bound. In the experiment, the message delivery lateny bound is muh bigger than the atual message delivery lateny (the latter is approximately 25 ms in these experiments reall that was set to 100 ms), whih results in that u is loser to than l does. Hene, the ratio between the HOPERAA exeution interval lu u l and u u is smaller than that between lu u l and l l, whih auses the reeiving perentage for < 1 to be higher than the respetive one for > 1. As shown in Fig. 10, when is set to 40 ms whih is lose to the atual deliver lateny, then the reeiving perentage for > 1 is higher than that for < 1. This is beause l is loser to than u when they are omputed using Formula 1. Fig. 9. The reeiving perentage of the server; is set to 100 milliseonds. 7 DISCUSSIO When the proposed method is deployed in the Internet, several pratial issues have to be addressed. First, hoosing

12 412 IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE 2012 the value of is not easy, sine the network lateny may vary a lot for different soures and destinations. Aording to the study on Internet round trip time, suh as by CAIDA [28], in the implementation, the value of that an dominate most ases is approximate 500 ms. However, the value of may vary for different appliations. For example, the server may almost always serve the lients in the same autonomous system, or in a situation of ontent distribution network, the servers may serve nearby lients. In suh situations, the appliation an hoose a better value (whih is smaller than 500 ms) for. The value of an also be hanged dynamially. For example, if our method is used with TCP, then the estimated RTT for TCP an be diretly used for setting the value of. In the paper, to keep the presentation more foused, we do not inlude this option. ote that, in some situations (suh as flash rowd) the network lateny might be bigger than the upper bound, however, the orresponding influene on the lok drift estimation will keep dereasing as mentioned in the analysis. When the proposed method is used with TCP, the throughput an be affeted by the ongestion ontrol mehanism in TCP. When the lient resumes data transmission after exeuting HOPERAA, unlike UDP, the TCP transmission will begin with the slow start phase, meaning the ongestion window size of TCP will again inrease from 1MSS. However, the influene to throughput is largely amortized, sine the frequeny of HOPERAA exeutions drops dramatially, due to the quik onvergene of the lok drift estimation. If it is desired to ahieve even higher throughput, a deployment option would be to let TCP keep the ongestion window size unhanged when the lient resynhronizes with the server, i.e., when HOPERAA is invoked. 8 COCLUSIOS In this work, we investigate appliation-level protetion against DoS attaks. More speifially, supporting porthopping is investigated in the presene of timing unertainty and for enabling multiparty ommuniations. We present an adaptive algorithm for dealing with port hopping in the presene of lok-rate drifts (suh a drift implies that the peer s lok values may differ arbitrarily with time). For enabling multiparty ommuniations with port-hopping, an algorithm is presented for a server to support port hopping with many lients, without the server needing to keep state for eah lient individually. A main onlusion is that it is possible to employ the porthopping method in multiparty appliations in a salable way. The method does not indue any need for group synhronization whih would have raised salability issues, but instead employs a simple interfae of the server with eah lient. The options for the adversary to launh a direted attak to the appliation s ports after eavesdropping is minimal, sine the port hopping period of the protool is fixed. Another main onlusion is that the adaptive method an work under timing unertainty and speifially fixed lok drifts. An interesting issue to investigate further is to address variable lok drifts and variable hopping frequenies as well. 9 LIST OF OTATIOS. C: Client C.. h ðtþ: lok value of lient C, when server s lok value is t.. E: the exposure delay. The time it takes for the adversary to get open ports information and get ready to launh the direted attak to the ports.. f : the pseudorandom funtion to generate the hopping sequene(s).. L: is the length of the server s hopping period.. : size of the port number spae.. I: port interval in the port number spae.. k: number of intervals in the port number spae.. Q: the maximum number of ports that the adversary an attak simultaneously.. : is maximum allowed value of the deviation between the hopping times of the server and the lient.. : the maximum message delivery lateny.. : the length of the hanging period of the guard ports.. L : the length of the hopping period of lient C.. : lok drift of lient C.. l : the lower bound of the lient s lok drift.. u : the upper bound of the lient s lok drift.. : the seed used by the pseudorandom funtion to generate the hopping sequene.. : the integer used by the pseudorandom funtion to generate a port number of a speifi index in the hopping sequene.. W: number of hopping sequenes used in the BIGWHEEL mehanism.. w: number of worker ports open simultaneously in the BIGWHEEL mehanism. ACKOWLEDGMETS A preliminary version of this paper was published in the proeedings of 27th IEEE International Symposium on Reliable Distributed Systems (SRDS), 2008 [1]. The researh leading to these results has reeived funding from the Swedish Civil Contingenies Ageny (MSB) and from European Union Seventh Framework Programme (FP7/ ) under grant agreement o REFERECES [1] Z. Fu, M. Papatriantafilou, and P. Tsigas, Mitigating Distributed Denial of Servie Attaks in Multiparty Appliations in the Presene of Clok Drifts, Pro. IEEE Int l Symp. Reliable Distributed Systems (SRDS), Ot [2] CERT Advisory CA IP Denial-of-Servie Attaks, [3] K. Argyraki and D.R. Cheriton, Ative Internet Traffi Filtering: Real-Time Response to Denial-of-Servie Attaks, Pro. Ann. Conf. USEIX Ann. Tehnial Conf. (ATEC 05), p. 10, [4] R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, Controlling High Bandwidth Aggregates in the etwork, ACM SIGCOMM Computer Comm. Rev., vol. 32, no. 3, pp , [5] D. Dean, M. Franklin, and A. Stubblefield, An Algebrai Approah to IP Traebak, ACM Trans. Information and System Seurity, vol. 5, no. 2, pp , [6] D.X. Song and A. Perrig, Advaned and Authentiated Marking Shemes for IP Traebak, Pro. IEEE IFOCOM, vol. 2, pp , 2001.

13 FU ET AL.: MITIGATIG DISTRIBUTED DEIAL OF SERVICE ATTACKS [7] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, Pratial etwork Support for IP Traebak, ACM SIGCOMM Computer Comm. Rev., vol. 30, no. 4, pp , [8] X. Liu, X. Yang, and Y. Lu, To Filter or to Authorize: etwork- Layer DoS Defense against Multimillion-node Botnets, Pro. SIGCOMM, pp , [9] A.D. Keromytis, V. Misra, and D. Rubenstein, SOS: Seure Overlay Servies, ACM SIGCOMM Computer Comm. Rev., vol. 32, no. 4, pp , [10] D.G. Andersen, Mayday: Distributed Filtering for Internet Servies, Pro. Fourth Conf. USEIX Symp. Internet Tehnologies and Systems (USITS 03), p. 3, [11] X. Fu and J. Crowroft, GOE: An Infrastruture Overlay for Resilient DoS-Limiting etworking, Pro. Int l Workshop etwork and Operating Systems Support for Digital Audio and Video (OSSDAV), [12] A. Stavrou and A.D. Keromytis, Countering Dos Attaks with Stateless Multipath Overlays, Pro. 12th ACM Conf. Computer and Comm. Seurity (CCS), pp , [13] T. Anderson, T. Rosoe, and D. Wetherall, Preventing Internet Denial of Servie with Capabilities, Pro. Workshop Hot Topis in etworks (Hotets-II), ov [14] A. Yaar, A. Perrig, and D. Song, SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attaks, Pro. IEEE Symp. Seurity and Privay, pp , [15] X. Yang, D. Wetherall, and T. Anderson, A DoS-Limiting etwork Arhiteture, Pro. ACM SIGCOMM, Aug [16] X. Liu, X. Yang, and Y. Xia, etfene: Preventing Internet Denial of Servie from Inside Out, Pro. SIGCOMM, pp , [17] J. Mirkovi and P. Reiher, A Taxonomy of DDoS Attak and DDoS Defense Mehanisms, ACM SIGCOMM Computer Comm. Rev., vol. 34, no. 2, pp , [18] G. Badishi, A. Herzberg, and I. Keidar, Keeping Denial-of-Servie Attakers in the Dark, IEEE Trans. Dependable and Seure Computing, vol. 4, no. 3, pp , July-Sept [19] Spread Spetrum Sene, [20] A. Lempel and H. Greenberger, Families of Sequenes with Optimal Hamming Correlation Properties, IEEE Trans. Information Theory, vol. IT-20, no. 1, pp , Jan [21] G. Ge, R. Fuji-Hara, and Y. Miao, Further Combinatorial Construtions for Optimal Frequeny-Hopping Sequenes, J. Combinatorial Theory Series A, vol. 113, no. 8, pp , [22] Y.M. Ryoh Fuji-Hara and M. Mishima, Optimal Frequeny Hopping Sequenes: A Combinatorial Approah, IEEE Trans. Information Theory, vol. 50, no. 10, pp , Ot [23] T. Peng, C. Lekie, and K. Ramamohanarao, Survey of etwork- Based Defense Mehanisms Countering the DoS and DDoS Problems, ACM Computing Survey, vol. 39, no. 1, p. 3, [24] K. Hari and T. Dohi, Sensitivity Analysis of Random Port Hopping, Pro. Seventh Int l Conf. Ubiquitous Intelligene Computing and Seventh Int l Conf. Autonomi and Trusted Computing (UIC/ ATC), pp , Ot [25] H. Lee and V. Thing, Port Hopping for Resilient etworks, Pro. IEEE 60th Vehiular Tehnology Conf. (VTC2004-Fall), vol. 5, pp , [26] M. Srivatsa, A. Iyengar, J. Yin, and L. Liu, A Client-Transparent Approah to Defend against Denial of Servie Attaks, Pro. IEEE 25th Symp. Reliable Distributed Systems (SRDS 06), pp , [27] F. Hwang, Fast Solutions for Conseutive-k-out-of-n: F System, IEEE Trans. Reliability, vol. R-31, no. 5, pp , De [28] B. Huffak, D. Plummer, D. Moore, and k. Claffy, Topology Disovery by Ative Probing, Pro. Symp. Appliations and the Internet Workshops (SAIT), fm?id= , pp , Zhang Fu reeived the BS degree in omputer siene from BeiHang University, China, and the MS degree from Royal Institute of Tehnology, Sweden, in 2005 and 2007, respetively. Currently, he is working toward the PhD degree in the Department of Computer Siene and Engineering at Chalmers University of Tehnology. His researh topi onerns with seure and robust ommuniation protools. His researh interests also inlude online algorithms and distributed algorithms. Marina Papatriantafilou reeived the PhD degree from the Department of Computer Engineering and Informatis, University of Patras, Greee. Currently, she is working as an assoiate professor at the Department of Computer Siene and Engineering, Chalmers University of Tehnology, Sweden. She has also worked at the ational Researh Institute for Mathematis and Computer Siene in the etherlands (CWI), Amsterdam and at the Max- Plank Institute for Computer Siene (MPII) Saarbrueken, Germany. Her researh interests inlude distributed and multiproessor omputing, inluding synhronization, ommuniation/oordination, with emphasis in robustness, fault-tolerane and dynami aspets, as well as appliations in ommuniation, transportation, eletriity networks adaptiveness, robustness and seurity. Philippas Tsigas reeived the BS degree in mathematis from the University of Patras, Greee, and the PhD degree in omputer engineering and informatis from the same University, in Currently, he is working as a professor in the Department of Computer Siene and Engineering at Chalmers University of Tehnology. From 1993 to 1994, he was with the ational Researh Institute for Mathematis and Computer Siene in the etherlands (CWI), Amsterdam. From 1995 to 1997, he was with the Max-Plank Institute for Computer Siene, Saarbruken, Germany. He joined Chalmers University of Tehnology in He is the ofounder and the head of the Distributed Computing and Systems researh group at Chalmers. He is the initiator and one of the designers of OBLE, a library of nonbloking data strutures. His researh interests inlude parallel and distributed omputing, parallel and distributed systems, and information visualization.. For more information on this or any other omputing topi, please visit our Digital Library at