Mitigating Browser-based DDoS Attacks using CORP

Cited by: 2
Authors
Agrawall, Akash [1]
Chaitanya, Krishna [2]
Agrawal, Arnav Kumar [3]
Choppella, Venkatesh [1]
Affiliations
[1] IIIT Hyderabad, Hyderabad, India
[2] Microsoft India, Hyderabad, India
[3] Carnegie Mellon Univ, Pittsburgh, PA 15213 USA
Keywords
DDoS; Browser-based DDoS; Browser; Javascript; Cross-origin requests; MITM (Man in the middle)
DOI
10.1145/3021460.3021477
Chinese Library Classification number
TP31 [Computer software]
Discipline classification code
081202; 0835
Abstract
On March 27, 2015, GitHub witnessed a massive DDoS attack, the largest in GitHub's history to date. In this incident, browsers and users were used as vectors to launch the attack. In this paper, we analyse such browser-based DDoS attacks and simulate them in a lab environment. Existing browser security policies such as Same Origin Policy (SOP) and Content Security Policy (CSP) do not mitigate these attacks by design. In this paper we observe that CORP (Cross Origin Request Policy), a browser security policy, can be used to mitigate these attacks. CORP enables a server to control cross-origin interactions initiated by a browser. The browser intercepts the cross-origin requests and blocks requests unwanted by the server. This takes the load off the server to mitigate the attack.
Pages: 137 / 146
Number of pages: 10