UD ELEG 867 - Protecting Electronic Commerce From Distributed Denial-of-Service Attacks


Protecting Electronic Commerce From Distributed Denial-of-Service Attacks

José Carlos Brustoloni
Networking Software Research Department
Bell Laboratories, Lucent Technologies
101 Crawfords Corner Rd., Holmdel, NJ 07733 — [email protected]

Copyright is held by the author/owner(s). WWW2002, May 7–11, 2002, Honolulu, Hawaii, USA. ACM 1-58113-449-5/02/0005.

ABSTRACT

It is widely recognized that distributed denial-of-service (DDoS) attacks can disrupt electronic commerce and cause large revenue losses. However, effective defenses continue to be mostly unavailable. We describe and evaluate VIPnet, a novel value-added network service for protecting e-commerce and other transaction-based sites from DDoS attacks. In VIPnet, e-merchants pay Internet Service Providers (ISPs) to carry the packets of the e-merchants’ best clients (called VIPs) in a privileged class of service (CoS), protected from congestion, whether malicious or not, in the regular CoS. VIPnet rewards VIPs with not only better quality of service, but also greater availability. Because VIP rights are client- and server-specific, cannot be forged, are usage-limited, and are only replenished after successful client transactions (e.g., purchases), it is impractical for attackers to mount and sustain DDoS attacks against an e-merchant’s VIPs. VIPnet can be deployed incrementally and does not require universal adoption. Experiments demonstrate VIPnet’s benefits.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: General—security and protection; C.2.1 [Computer-Communication Networks]: Network Architecture and Design—packet networks; J.1 [Computer Applications]: Administrative Data Processing—business, financial

General Terms

Security, Reliability, Performance, Algorithms, Experimentation

Keywords

Denial of Service, Quality of Service, Electronic Commerce

1. INTRODUCTION

In a denial-of-service (DoS) attack, a malicious client (called the attacker) performs operations designed to partially or completely prevent legitimate clients from gaining service from a server (called the victim).

DoS attacks are common and can cause significant losses. Measurements by CAIDA/UCSD detected more than 12,000 attacks against more than 5,000 victims during a 3-week study in February of 2001 [22]. In a CSI/FBI study in March of 2001, 38% of the security professionals surveyed declared that their sites had been the object of at least one DoS attack in the previous year [15]. Well-known e-merchants, including Amazon, buy.com, E*Trade, and eBay, are among recent victims. DoS attacks can harm e-merchants in two ways. First, when an e-merchant cannot serve its clients, the e-merchant loses advertising and sales revenues. Second, the e-merchant’s clients, advertisers, and investors are frustrated and may therefore seek competing alternatives.

Among DoS attacks, congestive ones are the most difficult to defend against. In a congestive attack, an attacker sends to a victim packets that exhaust the network’s or the victim’s resources, making the victim unable to receive, process, or respond to legitimate requests. Such attacks are easily enabled by the Internet, whose service model is non-authenticated, connectionless, and best-effort. Existing defenses against such attacks are weak and not widely deployed.

This paper contributes a novel DoS defense architecture that robustly and scalably limits the effects of congestive attacks against e-merchants, is consistent with existing Internet design principles, and compensates Internet Service Providers (ISPs) for the necessary investment.

Our solution, VIPnet, allows an e-merchant to request an ISP to carry the packets of certain clients in an elite class of service (CoS), called VIP. An e-merchant may grant VIP rights, e.g., to those clients that bring in a majority of the e-merchant’s revenues. For this service, the e-merchant pays the ISP a fee. Quality of service (QoS) mechanisms commonly found in routers, such as differentiated services (diffserv) [1], priority-based, or weighted fair queueing (WFQ), distinguish the VIP CoS from the regular best-effort CoS, which is used for other packets. Because VIP traffic is carried in its own CoS, it is insulated from congestion and DoS attacks that may occur in the regular CoS.

VIP rights are term- and usage-limited, i.e., each VIP right expires after a certain time or after the respective client has sent a certain amount of data using it. To obtain a new VIP right, a client must perform transactions (e.g., purchases) of sufficient value. Therefore, no host (with or without VIP rights, compromised or not) can sustain indefinitely a congestive DoS attack against an e-merchant’s VIP CoS (unlike the regular CoS).

VIPnet is effective even if deployed only by select ISPs. ISPs that serve clients that have been granted VIP rights need to install a device called VIP Gate (VIPG) in the ISP’s access gateways, i.e., those nodes that terminate ISP customer layer-2 links and authenticated tunnels. VIPGs monitor packets coming in from access links, mark for the VIP CoS those packets whose destination is a VIPnet e-merchant and whose source has an active VIP right for the destination (or vice-versa), and mark for the regular CoS any other packets. Each VIPG also locally maintains a list of VIP rights, authenticates clients, and allows clients to activate or deactivate the respective VIP rights. On the other hand, intermediate ISPs on the paths between clients with VIP rights and the e-merchants who granted them need to support the VIP CoS, but need not deploy VIPGs. Finally, the rest of the Internet need not support or be aware of VIPnet at all. In peering points between ISPs that do and do not support VIPnet, a VIPnet ISP simply maps from VIP to regular the CoS markings (if any) in packets arriving from non-VIPnet ISPs.

Because VIPnet generates new ISP revenue streams, many ISPs may decide to support it. An intermediate ISP’s compensation for carrying VIP packets received from another ISP can be negotiated between the ISPs much like any other form of peering. The mechanisms used by various ISPs to differentiate the VIP and regular CoS need not be the same. Furthermore, as long as work-conserving scheduling mechanisms are used, such as the ones cited above, VIPnet support does not reduce a network’s total capacity, even if no VIP traffic is present. Resources that would be used for the VIP CoS, if VIP traffic were present, can be automatically used for the regular CoS, when VIP
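The VIPG marking rule, the term- and usage-limited rights, and the peering-point remapping described in the introduction above, as a Python sketch added here for illustration (this is not code from the paper or from any VIPnet implementation). It assumes, beyond what the text states, that the usage limit is a per-right byte budget charged only to client-to-merchant packets, that merchant-to-client packets under an active right are carried as VIP without being charged, that a right is granted only when a transaction meets a merchant-chosen value threshold, and that the rights list is a plain dictionary rather than the authenticated store a real VIPG would keep. The `flood_until_demoted` scenario is constructed to show why a compromised VIP host cannot sustain a congestive attack in the VIP CoS: its budget runs out and its packets fall back to the regular CoS.

```python
"""Toy VIP Gate (VIPG) classifier modelled on the VIPnet description.

Assumptions (not from the paper): per-(client, merchant) byte budget and
expiry time; merchant->client packets are VIP but uncharged; rights are
granted only when a transaction meets a value threshold; rights live in a
dict instead of an authenticated list.
"""
from dataclasses import dataclass

VIP, REGULAR = "VIP", "REGULAR"


@dataclass
class VipRight:
    client: str          # client address
    merchant: str        # VIPnet e-merchant address
    expires_at: float    # term limit, same clock as packet timestamps
    byte_budget: int     # usage limit: bytes the client may send under this right
    bytes_used: int = 0
    active: bool = True  # clients may activate/deactivate their own rights

    def usable(self, now: float) -> bool:
        return self.active and now < self.expires_at and self.bytes_used < self.byte_budget


class VipGate:
    """Marks packets entering an ISP from its access links."""

    def __init__(self):
        self.rights = {}  # (client, merchant) -> VipRight

    def grant(self, client, merchant, value, now, min_value=50.0, term=3600.0, budget=1_000_000):
        """Replenish a right only after a transaction of sufficient value (threshold assumed)."""
        if value < min_value:
            return None
        right = VipRight(client, merchant, now + term, budget)
        self.rights[(client, merchant)] = right
        return right

    def set_active(self, client, merchant, active):
        """Let a client switch its right on or off; the right itself stays stored."""
        right = self.rights.get((client, merchant))
        if right is not None:
            right.active = active

    def mark(self, src, dst, length, now):
        """Return the CoS marking for one packet, charging client-sent bytes."""
        right = self.rights.get((src, dst))
        if right is not None and right.usable(now):
            # Client -> merchant direction is usage-limited: a packet that would
            # overrun the byte budget is demoted instead of being carried as VIP.
            if right.bytes_used + length > right.byte_budget:
                return REGULAR
            right.bytes_used += length
            return VIP
        right = self.rights.get((dst, src))
        if right is not None and right.usable(now):
            # Merchant -> client ("vice-versa" in the text): VIP, uncharged (assumption).
            return VIP
        return REGULAR


def peering_ingress(cos_marking):
    """At a peering point a VIPnet ISP maps VIP markings from non-VIPnet ISPs to regular."""
    return REGULAR if cos_marking == VIP else cos_marking


def flood_until_demoted(gate, client, merchant, pkt_len, now):
    """Constructed scenario: a compromised VIP client floods its merchant.
    Returns how many packets were carried as VIP before the budget ran out."""
    carried = 0
    while gate.mark(client, merchant, pkt_len, now) == VIP:
        carried += 1
    return carried


if __name__ == "__main__":
    g = VipGate()
    g.grant("client-A", "merchant-X", value=120.0, now=0.0, budget=10_000)
    print(g.mark("client-A", "merchant-X", 1500, 1.0))   # VIP
    print(g.mark("client-B", "merchant-X", 1500, 1.0))   # REGULAR, no right
    print(flood_until_demoted(g, "client-A", "merchant-X", 1500, 2.0))
    print(peering_ingress(VIP))                          # REGULAR
```

The demotion rather than drop on budget exhaustion mirrors the text: the attacker's packets are not blocked, they simply compete in the regular CoS like everyone else's, while the VIP CoS stays insulated.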