Kill the Bots!
Software thwarts malicious hackers

Context: The malicious computer programs known as "worms" infect more than 30,000 new computers every day. Unbeknownst to their owners, the compromised machines follow orders to send spam, say, or to access particular websites. If enough of these so-called zombie machines simultaneously contact a particular Web server, they can knock it out of commission. Professional hackers have used the threat of such "distributed denial-of-service attacks" to extort money from businesses. Last year, one company's business manager was indicted for paying hackers to use zombies to take down competitors' websites. The zombies dodge a Web server's defenses by disguising themselves as legitimate users and then block access to the server by overloading not only its network bandwidth, but also its CPU, memory, disk space, and database resources. Now, led by Dina Katabi, researchers from MIT, Princeton University, and Akamai Technologies have developed Kill-Bots, a clever, simple, and cheap means of distinguishing friend from foe. Unlike other products, it allocates a server's system resources only after a user is confirmed as legitimate.

Methods and Results: Kill-Bots, a software modification to a server's operating system, kicks in whenever a website is in danger of being overwhelmed by traffic. The software asks requesters to solve a simple graphical puzzle before it grants access to server resources like buffer space. Humans can solve these puzzles easily; zombies cannot do so at all. Addresses that repeatedly request site access without solving the puzzle are blacklisted automatically. When the load on the Web server decreases, it stops issuing puzzles and accepts requests from nonblacklisted addresses, so even real users who did not solve the puzzle can gain access.
In experiments, a Kill-Bots-protected Web server successfully endured five times as many hits as an unprotected Web server. Not only did the Web server stay online, but protected websites also maintained speedy response times, even during the height of the attack.

Why it Matters: Worries over dis­tributed denial-of-service attacks are spreading. Most Web server defenses use authentication procedures that are easily outwitted and depend on replicated content, mul­tiple CPUs, and extra bandwidth, all of which cost money. Kill-Bots is much cheaper and can be easily deployed; it requires no changes in users' Web browsers and works with the very large number of Web servers running Linux. Although Kill-Bots occasionally misclassifies legitimate users as zombies, it allows websites under attack to remain available and so promises to keep the Web open for business, while barring the way for thieves and vandals.

Source: Kandula, S., et al. 2005. Botz-4-Sale: surviving organized DDoS attacks that mimic flash crowds. Paper presented at 2nd Symposium on Networked Systems Design and Implementation. May 2–4. Boston, MA.