CDN-on-Demand: Fighting DoS with Untrusted Clouds
We present the design and implementation of CDN-on-Demand, a system that provides low-cost protection for websites against DDoS attacks without affecting website operation or expenses under normal operating conditions. CDN-on-Demand is a software package rather than a service: under high load, it migrates websites to a scalable infrastructure and serves clients from proxies that it automatically deploys on multiple low-cost cloud services. In contrast to current CDN services, CDN-on-Demand protects against rogue service providers and compromised proxies by introducing an object security mechanism; this eliminates the need to trust the host with private keys or certificates. Furthermore, CDN-on-Demand protects the website against economic and degradation-of-service attacks that exploit the automatic scaling mechanism; we show that popular services are vulnerable to such attacks. We provide an open-source implementation of CDN-on-Demand, which we use to evaluate each component as well as the integrated CDN-on-Demand system.
Joint work with Amir Herzberg and Michael Sudkovich