Secure Overlay Services is an overlay network that makes use of several existing crypto and routing techniques to protect communication between the participants against denial of service attacks.
Suppose SOS is set up to protect a server offering information to a number of clients. At a high level, the clients form the overlay using a certain enrollment procedure, each one keeping a list of some of its overlay neighbors. The server blocks all traffic except that coming from a certain previously chosen overlay member called a secret servlet (the blocking is more effective if done by the routers neighboring the server). To the rest of the world (other overlay nodes, the attacker, etc.) the secret servlet looks like just another member of the overlay; no one except the servlet itself and the server knows that traffic from its IP address is accepted by the server.
If a legitimate subscriber decides to communicate with the server, it needs to access an overlay node (the "secure overlay access point") which may use some mechanism (e.g., a user name and password or a CAPTCHA test) to decide whether such communication is allowed. Then, distributed hash tables and Chord overlay techniques are used to route traffic inside the overlay to the secret servlet without revealing that this IP address is a secret servlet. Several shortcuts are introduced for improved routing, such as a beacon node, which is the only other node that knows the IP address of a secret servlet. The possibility of multiple secret servlets is considered in the SOS studies. Also, the claim is that peer-to-peer communication can also be protected against availability attacks by SOS.
In order to be able to talk to the server and attack it with a large amount of traffic, the attacker now has to guess the IP address of the secret servlet, or bring down the majority of the overlay nodes to interrupt the operation of SOS. Thus, the bigger and the more geographically distributed the overlay is, the more effective DoS protection it provides. The SOS studies report specific numbers for overlay efficiency, and judging by those numbers, SOS can be made efficient relatively easily.
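The following toy model is an added example, not code from the SOS paper or its authors. It simulates the pieces described above on a constructed eight-node overlay: a filtering router in front of the server that admits only the secret servlet's address, an access point (SOAP) that checks a credential, Chord-style successor lookup on a tiny identifier ring to find the beacon that owns the server's key, and the beacon forwarding to the secret servlet. It also includes a small calculation, not taken from the paper, of how likely the service is to survive when an attacker knocks out a random subset of overlay nodes. All IP addresses, credentials, the ring size and the function names are assumptions made for the example.

```python
"""Toy model of SOS (Secure Overlay Services) mechanics. Constructed example:
the node IPs, credentials and the 8-bit identifier ring are assumptions."""
import hashlib
from math import comb

SERVER_IP = "192.0.2.10"                        # protected server (constructed)
OVERLAY = [f"10.0.0.{i}" for i in range(1, 9)]  # eight overlay nodes (constructed)
SECRET_SERVLETS = {"10.0.0.5"}                  # chosen by the server out of band
RING_BITS = 8                                   # tiny Chord identifier space
CREDENTIALS = {"alice": "correct-horse"}        # accepted at the SOAP (constructed)


def chord_id(key: str) -> int:
    """Map a string (node IP or target name) onto the identifier ring."""
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % (1 << RING_BITS)


def successor(key: str, live_nodes) -> str:
    """Chord successor: the live node with the smallest id >= id(key), wrapping."""
    kid = chord_id(key)
    ordered = sorted(live_nodes, key=chord_id)
    for node in ordered:
        if chord_id(node) >= kid:
            return node
    return ordered[0]


def beacon_for(target: str, live_nodes) -> str:
    """The beacon for a target is the overlay node that owns hash(target);
    the secret servlet announces itself to that node, so when nodes fail
    the role moves to the new successor."""
    return successor(target, live_nodes)


def router_filter(src_ip: str) -> bool:
    """Filtering router next to the server: admit only secret-servlet traffic."""
    return src_ip in SECRET_SERVLETS


def send_via_sos(user, password, payload, live_nodes=None):
    """Route a client request through the overlay.

    Returns (status, path); path lists the hops a legitimate request takes:
    SOAP -> beacon -> secret servlet -> server."""
    live = set(OVERLAY if live_nodes is None else live_nodes)
    if not live:
        return ("no overlay access point reachable", [])
    soap = successor(user, live)          # any live node can act as the SOAP
    if CREDENTIALS.get(user) != password:
        return ("rejected at SOAP", [soap])
    beacon = beacon_for(SERVER_IP, live)
    servlets = [s for s in sorted(SECRET_SERVLETS) if s in live]
    if not servlets:                      # beacon holds no live servlet announcement
        return ("no live secret servlet", [soap, beacon])
    servlet = servlets[0]
    assert router_filter(servlet)         # only this hop gets past the router
    return ("delivered", [soap, beacon, servlet, SERVER_IP])


def send_direct(src_ip, payload):
    """Traffic aimed straight at the server is dropped at the filtering router
    unless it carries a secret servlet's source address."""
    return "delivered" if router_filter(src_ip) else "dropped at filtering router"


def survival_probability(n_nodes, n_servlets, n_killed):
    """Probability that at least one secret servlet stays up when an attacker
    takes down n_killed of n_nodes chosen uniformly at random (hypergeometric)."""
    if n_killed < n_servlets:
        return 1.0
    all_servlets_down = comb(n_nodes - n_servlets, n_killed - n_servlets) / comb(n_nodes, n_killed)
    return 1.0 - all_servlets_down


if __name__ == "__main__":
    print(send_direct("203.0.113.7", "flood"))            # dropped at filtering router
    print(send_via_sos("alice", "correct-horse", "GET /"))
    print(send_via_sos("alice", "wrong", "GET /"))
    # Knock out three nodes that are neither servlet nor essential: still delivered.
    print(send_via_sos("alice", "correct-horse", "GET /",
                       live_nodes=OVERLAY[3:]))
    print(survival_probability(100, 1, 50), survival_probability(1000, 3, 500))
```

The `live_nodes` argument is how the example models an attacker taking overlay nodes down: as long as a secret servlet survives, the beacon role simply moves to the next live successor and delivery continues, which is the redundancy argument the paragraph makes. `survival_probability` is a simple hypergeometric estimate for a uniformly random attacker, not the paper's own analysis.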
SOS is recognized as one of the more effective overlay research concepts in part due to the very specific scope of the work -- protection against (D)DoS. The popularity of the original work has been thoroughly enjoyed by its authors, who proceeded to stretch the original study out over a whole series of publications that continue to this day.
Reference:
A. Keromytis, V. Misra, and D. Rubenstein. “SOS: Secure Overlay Services.” Proceedings of ACM SIGCOMM'02, Pittsburgh, PA, August 2002.