When the response from Google or Yahoo! is slow, you may think, “What a busy day it is!” But the truth may be that these Web sites are under a denial of service (DoS) attack. A DoS attack is an attempt to make a service unavailable to its intended users. In the real world, a terrorist may attack a place to make it unavailable. In the networked world, the means of carrying out DoS attacks, and the motives for them, vary. However, the goal is always the same: to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
This paper proposes an architecture that includes admission-control and congestion-control mechanisms to thwart DoS attacks. Extensive experiments show that this approach has low performance overhead and is resilient to DoS attacks.
Preventing DoS attacks is difficult, if not impossible. First of all, it is hard to differentiate between real user traffic and DoS attack traffic. Second, the frontier machine, meant to defend against the DoS attack, is itself under attack; there is nothing to protect it. In this paper, the doorkeeper machine uses a challenge-response strategy to determine if a client is legitimate. To prevent the challenge-response server from being drowned by DoS attack packets, the paper ensures that calculating the response is several orders of magnitude costlier than generating the challenge. However, this still does not solve the distributed DoS (DDoS) problem. If the response is 1,000 times more difficult than the challenge, perhaps 1,000,000 zombie clients will swamp the challenge server.
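The cost asymmetry described above can be illustrated with a stateless hash puzzle. This is an added example, not the paper's own construction: the hash-puzzle design, the function names, and the values of DIFFICULTY_BITS and MAX_AGE are all assumptions.

```python
import hashlib, hmac, os, struct, time

SERVER_KEY = os.urandom(32)  # doorkeeper secret, constructed for this example
DIFFICULTY_BITS = 12         # assumed: expected solve cost is 2**12 hashes
MAX_AGE = 30                 # assumed: seconds a challenge stays valid

def _tag(client_id: bytes, ts: int) -> bytes:
    # Binds the challenge to one client and one issue time.
    msg = struct.pack(">Q", ts) + client_id
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:16]

def issue_challenge(client_id: bytes, now=None) -> bytes:
    # Cheap side: one HMAC, and the server stores nothing per client.
    ts = int(time.time() if now is None else now)
    return struct.pack(">Q", ts) + _tag(client_id, ts)

def _zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge: bytes, bits: int = DIFFICULTY_BITS):
    # Costly side: brute-force a nonce; returns (nonce, hashes computed).
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
        if _zero_bits(digest) >= bits:
            return nonce, nonce + 1
        nonce += 1

def verify(client_id: bytes, challenge: bytes, nonce: int, now=None,
           bits: int = DIFFICULTY_BITS) -> bool:
    # Cheap side again: one HMAC and one hash, whatever the solver spent.
    if len(challenge) != 24 or not 0 <= nonce < 2**64:
        return False
    now = int(time.time() if now is None else now)
    ts = struct.unpack(">Q", challenge[:8])[0]
    if not 0 <= now - ts <= MAX_AGE:
        return False  # expired, or timestamp from the future
    if not hmac.compare_digest(challenge[8:], _tag(client_id, ts)):
        return False  # not issued by this server for this client
    digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
    return _zero_bits(digest) >= bits

if __name__ == "__main__":
    cid = b"198.51.100.7"  # constructed client identifier
    ch = issue_challenge(cid)
    nonce, hashes = solve(ch)
    print(f"client hashes: {hashes}, accepted: {verify(cid, ch, nonce)}")
```

A solved challenge stays replayable by the same client until MAX_AGE expires, so the puzzle raises the per-client cost without capping the aggregate load from many clients.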
This paper is quite long (49 pages); therefore, you know it’s meticulous. As a result, the reader will learn a lot about DoS.