WebSOS: an overlay-based system for protecting web servers from denial of service attacks

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable applets. We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system, by using reverse Graphic Turing Tests. Furthermore, our system makes it easy for service providers to charge users, providing incentives to a commercial offering of the service. Users can dynamically decide whether to use the WebSOS overlay, based on the prevailing network conditions. Our prototype requires no modifications to either servers or browsers, and makes use of Graphical Turing Tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We then extend this system with a credential-based micropayment scheme that combines access control and payment authorization in one operation. Turing tests ensure that malicious code, such as a worm, cannot abuse a user's micropayment wallet. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a test-bed for experimentation with network overlays. We determine the end-to-end latency using both a chord-based approach and our shortcut extension. Our evaluation shows the latency increase by a factor of 7 and 2 respectively, confirming our simulation results. (c) 2005 Elsevier B.V. All rights reserved.