Zakaria Al-Qudah
Yarmouk University
Publication
Featured research published by Zakaria Al-Qudah.
international conference on embedded networked sensor systems | 2007
Ahmad T. Al-Hammouri; Vincenzo Liberatore; Huthaifa Al-Omari; Zakaria Al-Qudah; Michael S. Branicky; Deepak Agrawal
Actuator networks will enable an unprecedented degree of distributed control of physical environments, and further progress will critically depend on the availability of a simulation platform that can capture both the physical and the communication dynamics.
european symposium on research in computer security | 2009
Sipat Triukose; Zakaria Al-Qudah; Michael Rabinovich
Content Delivery Networks (CDNs) are commonly believed to offer their customers protection against application-level denial of service (DoS) attacks. Indeed, a typical CDN with its vast resources can absorb these attacks without noticeable effect. This paper uncovers a vulnerability which not only allows an attacker to penetrate CDN's protection, but to actually use a content delivery network to amplify the attack against a customer Web site. We show that leading commercial CDNs - Akamai and Limelight - and an influential research CDN - Coral - can be recruited for this attack. By mounting an attack against our own Web site, we demonstrate an order of magnitude attack amplification through leveraging the Coral CDN. We present measures that both content providers and CDNs can take to defend against our attack. We believe it is important that CDN operators and their customers be aware of this attack so that they could protect themselves accordingly.
international world wide web conferences | 2009
Zakaria Al-Qudah; Seungjoon Lee; Michael Rabinovich; Oliver Spatscheck; Jacobus E. van der Merwe
Anycast-based content delivery networks (CDNs) have many properties that make them ideal for the large scale distribution of content on the Internet. However, because routing changes can result in a change of the endpoint that terminates the TCP session, TCP session disruption remains a concern for anycast CDNs, especially for large file downloads. In this paper we demonstrate that this problem does not require any complex solutions. In particular, we present the design of a simple, yet efficient, mechanism to handle session disruptions due to endpoint changes. With our mechanism, a client can continue the download of the content from the point at which it was before the endpoint change. Furthermore, CDN servers purge the TCP connection state quickly to handle frequent switching with low system overhead. We demonstrate experimentally the effectiveness of our proposed mechanism and show that more complex mechanisms are not required. Specifically, we find that our mechanism maintains high download throughput even with a reasonably high rate of endpoint switching, which is attractive for load balancing scenarios. Moreover, our results show that edge servers can purge TCP connection state after a single timeout-triggered retransmission without any tangible impact on ongoing connections. Besides improving server performance, this behavior improves the resiliency of the CDN to certain denial of service attacks.
international conference on computer design | 2011
Osama Al-Khaleel; Zakaria Al-Qudah; Mohammad Al-Khaleel; Christos A. Papachristou; Francis G. Wolff
Decimal arithmetic has received considerable attention recently due to its suitability for many financial and commercial applications. In particular, numerous algorithms have been recently proposed for decimal multiplication. A major approach to decimal multiplication shaped by these proposals is based on performing the decimal digit-by-digit multiplication in binary, converting the binary partial product back to decimal, and then adding the decimal partial products as appropriate to form the final product in decimal. With this approach, the efficiency of binary-to-BCD partial product conversion is critical for the efficiency of the overall multiplication process. A recently proposed algorithm for this conversion is based on splitting the binary partial product into two parts (i.e., two groups of bits), and then computing the contributions of the two parts to the partial BCD result in parallel. This paper proposes two new algorithms (Three-Four split and Four-Three split) based on this principle. We present our proposed architectures that implement these algorithms and compare them to existing algorithms. The synthesis results show that the Three-Four split algorithm runs 15% faster and occupies 26.1% less area than the best performing equivalent circuit found in the literature. Furthermore, the Four-Three split algorithm occupies 37.5% less area than the state of the art equivalent circuit.
passive and active network measurement | 2010
Zakaria Al-Qudah; Michael Rabinovich; Mark Allman
Timeouts play a fundamental role in network protocols, controlling numerous aspects of host behavior at different layers of the protocol stack. Previous work has documented a class of Denial of Service (DoS) attacks that leverage timeouts to force a host to preserve state with a bare minimum level of interactivity with the attacker. This paper considers the vulnerability of operational Web servers to such attacks by comparing timeouts implemented in servers with the normal Web activity that informs our understanding as to the necessary length of timeouts. We then use these two results--which generally show that the timeouts in wide use are long relative to normal Web transactions--to devise a framework to augment static timeouts with both measurements of the system and particular policy decisions in times of high load.
global communications conference | 2011
Hangwei Qian; Michael Rabinovich; Zakaria Al-Qudah
This paper provides an indication that the distance between clients and their local DNS servers (LDNS) can have a significant negative impact on the performance of content delivery networks (CDNs). Consequently, we propose a novel peer-to-peer client-side DNS mechanism that moves LDNS close to their clients while still allowing nearby clients to share the common DNS cache. Through trace-driven simulations and prototype testing, we show that our approach holds significant promise of facilitating better server selection by CDNs.
international world wide web conferences | 2009
Zakaria Al-Qudah; Hussein A. Alzoubi; Mark Allman; Michael Rabinovich; Vincenzo Liberatore
Web hosting providers are increasingly looking into dynamic hosting to reduce costs and improve the performance of their platforms. Instead of provisioning fixed resources to each customer, dynamic hosting maintains a variable number of application instances to satisfy current demand. While existing research in this area has mostly focused on the algorithms that decide on the number and location of application instances, we address the problem of efficient enactment of these decisions once they are made. We propose a new approach to application placement and experimentally show that it dramatically reduces the cost of application placement, which in turn improves the end-to-end agility of the hosting platform in reacting to demand changes.
computational science and engineering | 2014
Zakaria Al-Qudah; Basheer Al-Duwairi; Osama Al-Khaleel
Distributed denial of service (DDoS) attacks constitute an ever-growing threat to the Internet due to the scale of these attacks and the difficulty of mitigating them. In this paper, we propose a CDN-based DDoS protection service to counter attacks targeting the application layer of web servers. These attacks mimic flash crowd events by using large botnets to generate a high volume of requests for certain objects from the target. The proposed scheme, called Hideme, leverages the already-deployed, highly available, and distributed massive infrastructure of CDNs to provide protection against DDoS attacks. A website subscribing to this service can hide behind the DDoS protection provider when it comes under attack. To achieve this goal, Hideme combines the idea of using CAPTCHA by CDN edge servers to distinguish humans from bots and the idea of migration to a secret IP address during the attack period. We evaluate the proposed scheme through extensive experiments over PlanetLab. Our results show that the proposed scheme exhibits better performance in terms of effective download throughput while blocking malicious requests.
Journal of Networks | 2013
Basheer Al-Duwairi; Zakaria Al-Qudah; Manimaran Govindarasu
Botnet-based distributed denial of service (DDoS) attacks represent an emerging and sophisticated threat for today’s Internet. Attackers are now able to mimic the behavior of legitimate users to a great extent, making the issue of countering these attacks very challenging. This paper proposes a novel scheme to mitigate botnet-based DDoS attacks. The proposed scheme, called JUST-Google, utilizes Google’s strategic position as an entrance for today’s Internet to distinguish between legitimate traffic and attack traffic. The main idea of JUST-Google is to let ISP’s edge routers allow traffic originating from sources that are approved by Google and destined to a victim within that ISP to pass while filtering all other traffic destined to the same victim. In this context, we propose that Google™ can offer a paid service to identify legitimate sources by directing users who want to access a web site under attack to a group of nodes that will perform authentication in which users are required to solve a reverse Turing test to obtain access to the web server. We evaluate the proposed scheme through a combination of theoretical analysis and experimental studies. Our studies show that JUST-Google provides a great chance for legitimate clients to access a web site that is under a botnet-based DDoS attack without imposing a significant overhead.
Microprocessors and Microsystems | 2013
Osama Al-Khaleel; Zakaria Al-Qudah; Mohammad Al-Khaleel; Christos A. Papachristou
Although it has been recognized that decimal arithmetic is more suitable than binary arithmetic for human-centric applications, binary arithmetic is still predominant in today’s computers. One approach to bridging this gap involves converting the decimal operands to binary, performing arithmetic in binary, and converting the result back to decimal. Based on this approach, this paper presents novel high-performance decimal-to-binary conversion circuits to support decimal arithmetic over different FPGA families. Our circuits are based on a simple, yet effective idea. Bits of the BCD inputs are grouped into a number of groups. The contribution of each group to the overall binary result is computed separately. Then these contributions are added to form the final binary result. The performance evaluation presented in this paper indicates that the proposed circuits perform significantly better than existing BCD-to-binary conversion circuits. Furthermore, for a given FPGA family, the comparison reveals that certain bit-groupings may perform better than others. In addition, we have studied the growth in area and time for each bit-grouping scheme with respect to the number of digits in the BCD input.