Dan Rubenstein's DDoS Prevention Research


Secure Overlay Systems (SOS; also described here) was designed to proactively thwart DDoS attacks. The fundamental idea was to use network overlays to route traffic. The server to be protected would select a subset of overlay nodes from which it would receive traffic. Traffic from any other source would be dropped. The key idea was to keep the identities of these nodes secret from the general public, which includes potential attackers. The overlay would be used to route packets to these secret nodes, with other overlay nodes verifying that traffic was legitimate before forwarding it within the overlay. Hence, the burden of authenticating traffic could be distributed anywhere within the large-scale network.
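The following sketch is an added example, not code from the SOS papers or from this page. It models the two checks described above: verification at an overlay entry node, and a perimeter filter at the server that admits only its secret forwarders. The HMAC credential, the node names, and the random choice of exit node (standing in for the overlay's internal routing) are assumptions made for illustration.

```python
import hashlib
import hmac
import random

def tag(key: bytes, payload: bytes) -> bytes:
    """Credential a legitimate client attaches (assumed HMAC-SHA256 scheme)."""
    return hmac.new(key, payload, hashlib.sha256).digest()

class ProtectedServer:
    """Accepts traffic only from a secret subset of overlay nodes."""
    def __init__(self, overlay_nodes, n_secret, rng):
        self._secret = frozenset(rng.sample(sorted(overlay_nodes), n_secret))
        self.delivered = []

    def forwarders(self):
        # Known to the overlay's routing layer, never published to clients.
        return self._secret

    def receive(self, src, payload):
        if src not in self._secret:      # perimeter filter: drop everything else
            return False
        self.delivered.append(payload)
        return True

class Overlay:
    """Any node can verify traffic; only secret nodes talk to the server."""
    def __init__(self, nodes, server, key, rng):
        self.nodes, self.server, self.key, self.rng = set(nodes), server, key, rng

    def submit(self, entry_node, payload, credential):
        if entry_node not in self.nodes:
            return "unknown-entry-node"
        # Verification happens at the entry node, away from the server.
        if not hmac.compare_digest(tag(self.key, payload), credential):
            return "rejected-at-overlay"
        exit_node = self.rng.choice(sorted(self.server.forwarders()))
        return "delivered" if self.server.receive(exit_node, payload) else "dropped"

def demo():
    rng = random.Random(7)                       # fixed seed: repeatable run
    nodes = {f"overlay-{i}" for i in range(20)}  # constructed node names
    key = b"constructed-demo-key"                # constructed sample key
    server = ProtectedServer(nodes, n_secret=3, rng=rng)
    overlay = Overlay(nodes, server, key, rng)
    return {
        "legit_via_overlay": overlay.submit("overlay-4", b"GET /", tag(key, b"GET /")),
        "forged_via_overlay": overlay.submit("overlay-4", b"GET /", b"\x00" * 32),
        "direct_from_attacker": server.receive("198.51.100.9", b"flood"),
        "delivered": list(server.delivered),
    }
```

Unverified traffic is rejected at the overlay and never reaches the server, and a sender outside the secret set is dropped at the filter even if it is itself an overlay node.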

The original idea was formulated and analyzed in [KMR02]; a refined version later appeared in [KMR04]. We also applied and extended SOS for specific environments, such as web-hosting services [MSCKMR03] (extended in [SCMKMR05]) and electronic payment environments [SIKMR04].


