a taxonomy for denial of service attacks in content-based...

A Taxonomy for Denial of Service Attacks inContent-based Publish/Subscribe Systems

Alex Wun†

[email protected] Cheung†

[email protected] Jacobsen†‡

[email protected]† Department of Electrical and Computer Engineering

‡ Department of Computer ScienceUniversity of Toronto

ABSTRACTDenial of Service (DoS) attacks continue to affect the avail-ability of critical systems on the Internet. The existing DoSproblem is enough to merit significant research dedicated toanalyzing and classifying DoS attacks in the Internet con-text. However, no such research exists for DoS attacks in thedomain of Content-based Publish/Subscribe (CPS) systemsdespite CPS being at the forefront of business process execu-tion, application integration, and event processing applica-tions. This can be attributed to the lack of structure and un-derstanding of key issues in the area of DoS in CPS systems.In this paper, we propose to address these problems by pre-senting a taxonomy for classifying DoS characteristics andconcerns new to CPS systems. Our taxonomy is motivatedby a number of experimental results that were obtained us-ing our CPS middleware implementation and that highlightfundamental DoS concerns in this domain. Finally, we dis-cuss some example DoS attacks in detail with respect to ourtaxonomy and experimental results. We find that localiza-tion, message content complexity, and filter statefulness arethe key CPS characteristics to consider when designing DoSresilient CPS systems.

Categories and Subject DescriptorsH.4.m [Information Systems Applications]: Miscella-neous

General TermsSecurity, Reliability

KeywordsPublish/Subscribe, Denial of Service, Security

1. INTRODUCTIONDenial of Service (DoS) attacks remain disturbingly promi-

nent in the Internet despite continuous defensive efforts.

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.DEBS ’07 , June 20-22, 2007 Toronto, Ontario, CanadaCopyright 2007 ACM 978-1-59593-665-3/07/03 ...$10.00.

This is primarily because the Internet was designed for effi-cient packet forwarding rather than for security. Due to theInternet’s design, an ongoing issue persists in which supple-mentary security solutions are typically used to compensatefor the lack of secure networking services and to protectagainst malicious attacks. As a consequence of this ongo-ing issue, organizations are reluctant to deploy new tech-nologies that are not either secure by design or compatiblewith existing security frameworks. As a novel technology,Content-based Publish/Subscribe (CPS) systems are poisedto provide expressive, loosely-coupled, event-based messag-ing services in many enterprise applications. In particular,CPS and related technologies are at the forefront of busi-ness process execution, application integration, and eventprocessing networks [1, 2]. But despite the many advancesmade in CPS research and the importance of CPS technol-ogy, adoption will be slow unless the DoS resilience charac-teristics of this new paradigm are well understood. A majorstep towards this goal is to identify DoS vulnerabilities newto CPS systems and how CPS systems are impacted by suchvulnerabilities. As part of this step, we propose a taxonomyfor classifying DoS attacks in CPS systems. We hope thatstructuring the domain of DoS attacks will facilitate furtherresearch and discussion in the area.

Motivating our proposed taxonomy are several experimen-tal results that illustrate some fundamental DoS concernsthat are new to CPS systems. In particular, we find thatsome CPS entities are inherently more resilient to DoS at-tacks due to localization effects, a measure of message com-plexity will be needed to maintain control over performance,and the stateful nature of CPS systems has cumulative ef-fects on DoS attacks. These new concerns imply new tech-niques for achieving DoS attack detection, prevention, andrecovery if CPS systems are to be highly available.

Finally, we also include detailed discussions of specific DoSattack instances to provide further insight into the implica-tions of CPS state on DoS vulnerabilities.

The contributions of this paper are: (1) Experimental re-sults that highlight fundamental DoS concerns new to CPSsystems, (2) A taxonomy for classifying DoS attacks uniqueto CPS systems, and (3) a discussion of specific DoS attackinstances providing insight to CPS vulnerabilities and theimportance of a taxonomy.

The remaining sections of this paper are organized as fol-lows: Section 2 provides background information on CPSsystems, Section 3 presents our experimental analysis, Sec-tion 4 presents our proposed taxonomy, Section 5 presents adiscussion of specific DoS attacks with respect to our taxon-

omy and experimental results, Section 6 discusses the relatedwork, and Section 7 is our conclusion.

2. BACKGROUNDPublish/Subscribe is an event-based messaging model in

which event notifications are delivered to clients based ontheir prior expressed interests. Content-based Publish/Sub-scribe (CPS) systems in particular, allow clients to expressfine-grained interest using filters (subscriptions) consistingof predicates over potential publication content.CPS systems generally distinguish between brokers and

clients. Brokers are typically the entities that perform mes-sage matching and forwarding while clients issue publicationand subscription messages (advertisement messages as wellto define event schema when applicable). With respect to acertain event schema (an advertisement tree or message typefor example), we can further distinguish edge brokers frominternal brokers as well as publisher clients from subscriberclients.Edge brokers are brokers hosting clients that publish or

subscribe to an event schema while internal brokers onlyparticipate in matching or routing messages. That is, edgebrokers are the proxy through which clients issue messages.In Figure 6(a), brokers 𝐵𝑆 and 𝐵𝑃 are edge brokers whilebroker 𝐵0 is an internal broker.Publisher and subscriber clients are those that exclusively

issue publications and subscriptions, respectively. Typicallyhowever, a single client will likely take on both publisherand subscriber roles (possibly to different event schemas).

3. DENIAL OF SERVICE EFFECTSWith the goal of developing a taxonomy, we identified

several important CPS system characteristics based on ourresearch experience. To investigate the DoS implicationsof these characteristics, we performed experiments using ageneral-purpose, Java-based CPS middleware platform de-veloped by our research group1. In all experiments, eachbroker ran on a dedicated Dual-Core Intel Xeon system run-ning Linux with 2GB of memory. DoS workloads were pro-duced by clients also running on their own dedicated system.The results from these experiments support the DoS effectsdescribed and classified in our taxonomy. Specifically, theresults highlight new DoS concerns that arise in CPS sys-tems due to the use of distributed brokerage, content-basedrouting, and stateful message filtering. It is important tonote that although the experiments were performed usingour CPS middleware implementation, the results are basedon concepts applicable to CPS systems in general. Morespecifically, regardless of the actual algorithms used in ourimplementation, the matching times in our experiments arecomparable to the millisecond ranges reported by other CPSimplementations in the literature [4, 9].

3.1 Localization EffectsIn a distributed CPS system, the effects of a DoS attack

will propagate differently depending on factors such as mes-sage content and volume. In particular, heavy workloadstend to create bottlenecks in the system that interfere withmessage propagation. We performed some experiments toillustrate this fundamental point with three brokers. In our

1http://padres.msrg.utoronto.ca

setup, there are two edge brokers and one internal brokerbetween the edge brokers. Publication-based attack work-load streams are injected at Broker A and subscribed tofrom Broker C. Each stream injects 10-tuple publicationsat a rate of 100 publications per second and we graduallyadd publication streams as time progresses. At each broker,we use another publication stream to measure the responsetime of delivering notifications at that broker. Although thesame attack workload passes through all three brokers, Fig-ure 1(a) shows that the response times at each broker differsignificantly. The response times at Broker A (the broker be-ing directly targeted by the publication flood) quickly growto unacceptable levels under heavy DoS load. However, in-ternal Broker B maintains good response times. Broker Csuffers from unacceptable response times as well despite notbeing directly targeted by the publication flood. In fact,Broker C shows even worse response times than Broker A.This phenomenon is explained in Figure 1(c), which showsthe input and output queueing delays at each broker. Sincematching delays were insignificant at all three brokers, plotsfor the matching delays have been omitted. Internal BrokerB experiences low delays while Broker A experiences veryhigh input queueing delays due to the direct flood of publi-cations. Broker C suffers from both high input and outputqueueing delays due to the extra processing required to de-liver notifications to each stream subscriber. Note that theprocessing delays are plotted using a log scale y-axis. If Bro-ker C does not host a large number of subscribers, then itsprocessing delays are comparable to that of Broker B. Fig-ure 1(b) further shows that the internal broker is the leastloaded out of the three brokers, both in terms of systemmemory and input queueing2.

This experiment illustrates two key characteristics of DoSattacks that are new in the area of CPS systems. First,heavy load causes bottlenecks in the system that can preventeffective propagation of DoS attacks. In this case, internalbrokers do not feel the impact of the publication floodingattack. We refer to this as localization of a DoS attack’seffects. Second, it is possible for an attack to induce effectsat distant brokers without affecting all brokers along thepath of propagation. We refer to this as transmission of aDoS attack’s effects. In this experiment, the effects of theDoS attack are transmitted to Broker C by the workloadsource without affecting Broker B.

The first characteristic is a benefit of distributed CPSsystems, since DoS counter-measures can take advantage oflocalization to achieve high availability. However, the sec-ond characteristic is something that systems must carefullyguard against since transmission enables dangerous remoteattacks from potentially arbitrary points in the network.For instance, an adversary can conceivably craft a maliciousstream of publications to match all subscriber interests atsome remote broker. As we show, this malicious traffic doesnot necessarily affect intermediate brokers en route to theremotely targeted broker. Consequently, early detection oftransmitted DoS attacks is much more difficult.

3.2 Workload Complexity EffectsIn contrast to the fixed packet formats used in lower-

level network layers, CPS messages are highly flexible incontent. However, the key benefit of flexible and expres-

2Note that the input queue size has been scaled down forgraphing with free memory against the same axes.

0 100 200 300 400 500 6000

100

200

300

400

500

600

Notification Number (sequential)

Res

pons

e T

ime

(s)

Broker ABroker BBroker C

(a) Response Times

0 20 40 60 80 100 120 140 160 180 2000

100

200

300

400

500

600

700

800

900

1000

2 Second Time Intervals

Broker A FreeMem (MB)Broker A QueueSize (x100)Broker B FreeMem (MB)Broker B QueueSize (x100)Broker C FreeMem (MB)Broker C QueueSize (x100)

(b) Broker Performance

0 20 40 60 80 100 120 140 160 180 2000

10

110

210

310

410

510

610


Del

ay (

ms)

Broker A Queueing

Broker A Delivery

Broker B Queueing

Broker B Delivery

Broker C Queueing

Broker C Delivery

(c) Processing Delays

Figure 1: Localization of DoS effects in distributed CPS systems.

0 50 100 150 200 250 300 350 400 450 5000

50

100

150

200

250

300


Res

pons

e T

ime

(s)

Broker A

(a) Response Time

0 50 100 150 200 2500

100

200

300

400

500

600

700

800


Broker A FreeMem (MB)Broker A QueueSize (x100)


0 50 100 150 200 250−1

10

010

110

210

310

410

510


Broker A Queueing Delay (ms)Broker A Processing Delay (ms)Broker A Processing Rate (msg/s)

(c) Processing Delays

Figure 2: System recovery characteristics under low complexity DoS attack workloads.

sive messaging also leads to DoS concerns since processingrequirements can vary wildly from one attack workload toanother. Message complexity will significantly affect how asystem recovers from DoS attacks and includes characteris-tics such as message size, the types of filtering operationsinvolved, and message structure (e.g., number of predicates,integer/string comparisons versus arbitrary Boolean func-tions, and attribute/value pairs versus XML, respectively).We performed some experiments to illustrate the fundamen-tal effects of message complexity in a DoS attack. In oursetup, a single broker is loaded with streams publishing ata rate of 100 publications per second. We gradually addstreams as time progresses to overload the broker and thenstop all DoS traffic to observe how the system recovers. Fig-ures 2(b) and 3(b) show the memory consumption and inputqueue sizes of the broker for low complexity (10-tuple) andhigh complexity (100-tuple) attack workloads, respectively.Clearly, higher complexity messages require more process-ing and cause the broker to become overloaded faster andrecover more slowly. Figures 2(c) and 3(c) show the pro-cessing delays for low and high complexity attack workloads,respectively. As expected, we can see that processing delaysare greater under high complexity attack workloads, lead-ing to lower processing rates. Consequently, the processingof malicious messages through the broker drastically slowsdown the recovery of queueing delay. In this experiment,the same stream of publications used in the propagation ex-periments to measure response times were used here as well.Figures 2(a) and 3(a) show the response times under lowand high complexity message workloads, respectively. Asexpected, the response times are much worse and take longer

to recover when the broker is being attacked with high com-plexity message floods. An important observation is thatthe peaks in the response time graphs do not correspond tothe input queue peaks in Figure 2. Response times do notbegin recovering immediately after the DoS attack stops be-cause malicious messages are queued up and continue to loadthe broker. In fact, response times do not start recoveringuntil queueing delays begin to recover. Consequently, re-sponse times at the broker continue to become worse evenas queued messages are processed through the broker. InFigure 2(a), notification message #150 corresponds to thepoint in time when the DoS attack stops. At this point,there is a noticeable change in the response time curve. InFigure 3(a), notification message #60 corresponds to thissame point. Notice that the attack based on high complex-ity messages caused response times to continue growing formuch longer after the actual attack has ended.

This experiment demonstrates that the performance ofCPS systems can vary significantly with workload complex-ity. This implies that DoS resilient systems must have somemeasure of message and workload complexity in order tomaintain predictable control over performance and responsetimes. In current systems, tuple and predicate counts arelikely a reliable measure of complexity. However, as filter-ing expressiveness becomes more sophisticated and movesbeyond numeric and string comparisons, the cost of per-forming any given filtering operation will have a significantimpact as well.

3.3 Message State EffectsCPS systems must necessarily maintain state for perform-

0 100 200 300 400 500 600 700 8000

100

200

300

400

500

600


Res

pons

e T

ime

(s)

Broker A

(a) Response Time

0 50 100 150 200 250 300 350 4000

100

200

300

400

500

600

700

800




0 50 100 150 200 250 300 350 400−1

10

110

310

510

710


Broker A Queueing Delay (ms)Broker A Processing Delay (ms)Broker A Processing Rate (msg/s)

(c) Processing Performance

Figure 3: System recovery characteristics under high complexity DoS attack workloads.

0 10 20 30 40 50 60 70 80 90 1000

100

200

300

400

500

600

700

800

900


Res

pons

e T

ime

(s)

Broker A

(a) Response Time

0 100 200 300 400 500 6000

100

200

300

400

500

600

700

800




0 100 200 300 400 500 6000

10

110

210

310

410

510

610


Del

ay (

ms)

Broker A Queueing

Broker A Matching

Broker A Processing

(c) Processing Performance

Figure 4: System recovery characteristics under stateful DoS attack workloads.

ing publication filtering or event correlation. State allowsCPS systems to provide powerful event-driven services, butalso opens up new avenues of attack for adversaries. Inthis experiment, we demonstrate the fundamental severityof stateful DoS attacks. The setup and experimental ap-proach are the same as used in the workload complexity ex-periments. However, we now use malicious workload streamsconsisting of low complexity (10-predicate) subscriptions ra-ther than publications. The rate also remains the same at100 subscriptions per second. Figure 4(b) shows the effectsof this subscription flooding attack on the broker. Compar-ing this subscription based attack to the publication basedattack in Figure 2(b), we see a significant difference despitethe equivalent message sizes and workload message rates.The increased severity of the attack results from additionalstate maintenance during subscription insertions. Most im-portantly, the effects of this attack are cumulative since eachinserted subscription impacts the processing of subsequentsubscriptions. In fact, Figure 4(c) shows that the process-ing time for inserting subscriptions into the matching enginedata structure alone increases almost an order of magnitudeover the course of the experiment. Overall processing timefor subscriptions increases almost two orders of magnitude.As a result, the rate of processing messages from the queuebecomes similar to the rate of incoming publications used tomeasure response time. This is reflected by the nearly flatinput queue size in Figure 4(b). In this particular experi-ment, the broker was unable to recover and eventually ranout of memory. Figure 4(a) shows how the correspondingresponse time grows exponentially and never recovers.This experiment demonstrates the impact of stateful DoS

attacks caused by state management overheads and the cu-mulative effects of message state. This is a severe problemfor CPS systems which target large-scale applications involv-ing millions of subscribers. Often, state management tech-niques such as message expiry, event lifetimes, and messageconsumption policies are used to manage exploding state.However, these techniques manage legitimate state and willlikely fail under malicious stateful attacks. DoS resilientsystems will need mechanisms to control and manage mali-cious state which may require the development of intrusiondetection techniques unique to CPS systems.

4. TAXONOMY SUMMARYMotivated by the results of our DoS experiments, our tax-

onomy provides a coarse-grained summary of important DoSattack characteristics in the CPS domain. This classifica-tion reflects both entirely novel attack characteristics andnew considerations for existing attack characteristics in thisdomain. To the best of our knowledge, there have not beenany previous efforts to come up with a classification schemefor DoS attacks in CPS systems. Each class we propose isimportant because different defence mechanisms will be re-quired depending on the classification of the attack. Theclasses used in our taxonomy are also independent of oneanother so that an attack can be characterized under one ormore classes. Our taxonomy is summarized graphically inFigure 5 and applied to a few examples attacks in Section5.

4.1 Exploitation Type

Figure 5: Taxonomy tree for Denial of Service attacks in CPS systems.

For completeness, we first observe that an attack can ex-ploit different weaknesses in a system in order to achieveDoS. Although the end result of an attack always preventslegitimate access to system services, different exploitationtypes imply entirely different attack strategies by the adver-sary and therefore, different defence mechanisms are neededby the system.This class is similar to the load-based versus logic-based

classification widely used in existing DoS work [12, 13]. How-ever, we include this class because there are new implicationsfor the exploitation of CPS systems that are not addressedin existing classifications. We propose this classification anddiscuss how there are new implications specific to the do-main of CPS.

Resource Limitations (R)The strategy of targeting resource limitations is very familiarfrom existing DoS attacks. However, there are unique waysfor an adversary to target resource limitations in a CPSsystem, as we showed in our experiments. Primarily, theneed to perform content-based matching and state mainte-nance in a CPS system leads to new DoS attack strategies forinducing abnormal network, processing, and memory over-heads. Since there has been significant research in optimiz-ing matching performance in CPS system, blindly floodinglarge volumes of messages may no longer be the most effec-tive method of achieving DoS. Lower volumes of carefullyengineered messages may actually be more effective in CPSsystems than blind flooding.Generally, resource attacks are the most difficult to defend

against and typically involve heuristic defensive approaches.

Semantic Weaknesses (S)Alternatively, a DoS attack may instead target semanticweaknesses that are inherent in a system due to conceptualand theoretical design flaws. These flaws can be exploitedto achieve DoS without abnormally consuming resources orviolating correct behaviour according to design. Semantic

weaknesses typically result when systems are designed withfeatures and functionality in mind before security and somust be dealt with by revisiting the theory behind the de-sign itself. Most often, security is considered an orthogonalissue and a separate security layer is designed on top of theexisting system. In such cases, the original system withoutthe security layer is still considered to suffer from exploitablesemantic weaknesses. Even a well-defined implementationspecification can still suffer from semantic weaknesses.

For example, message covering is a common optimizationtechnique used in CPS systems. However, there is no stan-dard semantic for uncovering. Depending on whether un-covering occurs using a filter or per-message basis, differentstate maintenance overheads will be incurred. As such, thesemantics of uncovering will have DoS consequences regard-less of how the actual system is implemented.

Implementation Flaws (I)Finally, a DoS attack may also target implementation flawsthat are specific to a particular realization of a system. Tra-ditionally, semantic and implementation weaknesses havebeen lumped together as logic-based DoS attacks but we feelthat there is motivation for a more fine-grained classification.Implementation weaknesses refer to errors in implementa-tion that can be fixed by patching the realized system with-out revisiting any concepts or theories. Essentially, theseare implementation “bugs”. Because there has yet to be asingle universally accepted semantic for the CPS paradigm,systems tend to be in the prototypical stages. Therefore, itis important to distinguish DoS attacks targeting semanticweaknesses (concepts applicable to different systems usingthe same semantic) from implementation weaknesses (spe-cific to a certain realization). Admittedly, the line betweenconcept and implementation is up to a system designer un-less a specification is being followed.

Using the covering example again, two systems may usethe same uncovering semantic, but one may be an ineffi-cient implementation that exaggerates the overhead of state

maintenance.

4.2 Attack Source(s)The source(s) of an attack are one or more entities under

the control of an adversary. The adversary may activelysend messages from these entities or use them passively tocorrupt existing messages. In CPS systems, attacks can besourced from clients, brokers, or some combination of both ifmultiple entities are needed. It is important to classify theentities from which an attack originates because differentattacks are more suitably mounted from different sourcesand will again require different defence mechanisms.Most existing DoS attacks originate from a network of

distributed clients in the form of Distributed DoS (DDoS)attacks. Rarely do attacks originate from within the net-working infrastructure. In CPS systems however, we cannotignore the possibility of open or cooperative infrastructureswhere trusted brokers operate alongside untrusted brokers.Furthermore, CPS systems are deployed on overlay networksrunning at the edge of the Internet infrastructure and aretherefore more vulnerable than conventional routers.

Client-Sourced (C)In most cases, client-sourced attacks will be easier to mountthan broker-sourced attacks since clients are essentially theend-users of the system and not unlikely to be less strictlyregulated. That is, an adversary is more likely to be allowedlegitimate client access to a CPS system than broker access.We can also reasonably expect that there will be orders ofmagnitude more clients than brokers and that the systemsthey reside on may be less secure. This means that dis-tributed attacks relying on scale (i.e., DDoS) are more likelyto be client-sourced and that there is greater potential forcompromising these clients. However, attacks sourced fromclients are at a disadvantage in that clients can only attackby issuing messages to the system. This implies that re-source attacks based on message volume are more likely tobe client-sourced.

Broker-Sourced (B)Generally, it will be more difficult for an adversary to getmalicious brokers into a system3 so CPS system designersshould be more wary of client-sourced attacks in this respect.On the other hand, broker-sourced attacks (if successful) canbe more severe since brokers have more control over systembehaviour. In addition to attacking by issuing messages,brokers can interfere with matching and routing as well.Brokers also have access to system state information andmessage content that clients do not have. However, broker-sourced attacks may not be on the same distributed scale asclient-sourced attacks. This implies that broker-sourced at-tacks are more suitable for attacks with a malicious routingcomponent, especially if colluding brokers are involved.We expect that broker-sourced attacks will be easier to

defend against than client-sourced attacks since brokers canbe more strictly regulated within the system.

4.3 Attack Target(s)Depending on the specific nature of a DoS attack, an ad-

versary can target brokers, clients, or both. If an attack

3The exception to this would be a more open peer-to-peerstyle system allowing end-users to connect their own brokers.

interferes with an entity receiving messages that would nor-mally be delivered directly to it, we say that the attacktargets that entity. Note that there is a difference betweenthe entities targeted and affected (victimized) by an attack.Typically, subscribers will always be affected by DoS attacks(since notification delivery will always be disrupted regard-less of the DoS attack details) but subscribers are not alwaysdirectly targeted by attacks. Because of this, we use this cat-egory to distinguish the target(s) of an attack and do notconsider the victim(s).

Existing DoS attacks have generally used client resourcesto target servers, such as the web servers of CNN or Yahoo.To the best of our knowledge, existing DoS attacks do notisolate and target end-point clients (users) out on the In-ternet. However, this will likely change in the CPS domainbecause the system is a messaging infrastructure on top ofwhich applications are built. Clients in the CPS domaincould easily be “traditional” servers from different organiza-tions communicating over the messaging infrastructure. Forinstance, the web servers of CNN and Yahoo may becomeclients to the CPS messaging infrastructure. Therefore, thesame motivations driving adversaries to target servers withexisting DoS attacks will drive them to target clients in CPSsystems.

Client-Targeted (C)Figure 6 shows the typical entities and messages used in abaseline CPS system. Note that although we include adver-tisements in our baseline model, all discussions and resultsin this paper are relevant to CPS systems based only onsubscriptions and publications as well unless advertisementsare specifically mentioned. From our definition of an attacktarget, there is only one way to target subscribers: by in-terfering with delivery of notification messages (𝑁) at thefinal broker to client hop. Depending on the attack, thiscould be achieved by intercepting the notification, crashingthe subscriber itself, or even corrupting subscription stateat the subscriber hosting edge broker. Targeting a clientdoes not necessarily mean the client itself must be directlyattacked. Attacking a client hosting edge broker also targetsany clients hosted by it.

Notice also that in a baseline CPS system, no messagesare delivered to the publisher at the CPS level so it is notpossible for an attack to target publishers in sense that wehave defined an attack target. Crashing a publisher pre-vents an edge broker from receiving publications, so suchan attack is actually targeting the publisher hosting edgebroker. However, if a system were to develop extensionswhere publishers also received messages (perhaps subscrip-tions or publication exceptions) then they would becomepossible DoS attack targets. In practice though, clients willgenerally take on the roles of both publisher and subscriberin an application scenario.

Targeting clients is the most direct and fine-grained methodfor achieving DoS since the adversary can selectively targetspecific clients. However, it depends on the adversary hav-ing knowledge of specific client identities or possibly networktopology as well.

Client-targeted attacks are easier to defend against sincewe only need to secure the final hop (by our definition) as-suming routing within the network is secure.

(a) The messages shown here are advertisements (𝐴𝑥), publica-tions (𝑃𝑥), subscriptions (𝑆𝑥), and notifications (𝑁) being deliv-ered to different entities in the system

𝐴𝑃 𝐴𝐼 𝐴𝐸 𝑃𝑃 𝑃𝐼 𝑃𝐸 𝑆𝑆 𝑆𝐼 𝑆𝐸 𝑁 Target𝑋 𝑆

𝑋 𝑋 𝑋 𝐵𝑆

𝑋 𝑋 𝑋 𝐵0

𝑋 𝑋 𝑋 𝐵𝑃

(b) The target of an attack depends on which messages deliveriesare being interfered with

Figure 6: Classifying the target of a Denial of Service attack.

Broker-Targeted (B)Broker-targeted attacks are much less restrictive than client-targeted attacks. Since a broker is part of the routing infras-tructure, it is possible to affect a much larger number of en-tities by targeting brokers. However, the adversary has lessfine-grained control over which entities are attacked. Thismay not matter if the intended victims of an adversary arecoarse-grained to begin with (an organization managing sev-eral brokers perhaps).For example, an attack that interferes with the receipt

of messages 𝑆𝑆 , 𝐴𝐸 , or 𝑃𝐸 by broker 𝐵𝑆 in Figure 6(a) istargeting the edge broker 𝐵𝑆 even though it ultimately in-terferes with notification delivery to the subscriber. Table6(b) summarizes the entity considered to be the target ofan attack depending on which message deliveries are beingdisrupted. In general, targeting a broker can be accom-plished by intercepting messages, misrouting messages, orcorrupting state. Targeting internal brokers can mean af-fecting their ability to perform matching or routing whileattacks targeting edge brokers can additionally affect theirability to host clients or properly serve hosted clients.Broker-targeted attacks will be more difficult to defend

against since a solution must be robust under many varia-tions of message loss during routing.

Rendezvous-Targeted (R)Specifically for CPS systems built on structured overlays [15,7, 3], we can also distinguish rendezvous points. Althoughrendezvous points may or may not be brokers themselves,we will use the term rendezvous point and rendezvous bro-ker synonymously from here on. In rendezvous routing ap-proaches, messages route towards rendezvous brokers basedon the result of some hash function of the messages. Al-though this approach avoids the necessity for flooding ad-vertisements, the rendezvous brokers have become the globalpoints of reference not unlike the root DNS servers and aretherefore vulnerable as targets of DoS attacks. As targets,rendezvous brokers are a special case of brokers that performrouting tasks.Note that while rendezvous brokers exist to guarantee

avoidance of false-negative notifications, a successful DoS at-tack is not guaranteed by successfully attacking rendezvousbrokers because matching can still occur at other non-rendez-vous brokers.

4.4 Attack PropagationExisting DoS attacks have typically been point-to-point

from malicious clients to targeted server. At most, attackpackets are reflected off a third party server or router4. How-ever, the need to replicate subscription state in CPS systems

4Although worms may cause isolated DoS effects when

implies that malicious messages can be distributed or routedalong with legitimate messages. Since the underlying mes-sage distribution paradigm is a major distinguishing featureof CPS systems, the propagation of messages throughout asystem behaves very differently depending on whether a con-trolled flooding [8, 5, 14], rendezvous [15, 7, 3], scoped [10],or multicast [6] paradigm is being used.

As far as we are aware, there have not been any previousefforts to classify DoS attacks according to message routingcharacteristics. We propose this new classification in thecontext of distributed CPS.

Localized (L)An attack is localized if malicious messages do not propa-gate beyond the initial entry point broker. For instance,a basic flooding attack consisting of random publicationsthat do not match any subscriptions would not propagatebeyond the first edge broker receiving those publications.Note however, that the resulting effects of a localized at-tack may not be limited in the same way. In Figure 7 weillustrate a scenario in which a malicious unsubscription isinjected at an edge broker hosting the publisher (at the pub-lication source). Depending on the propagation semantics ofunsubscriptions, the malicious unsubscription message maynever be disseminated to any other broker so the attack islocalized. However, notifications to the owner of the re-moved subscription will be stopped, so the effects may notbe localized. Note also that DoS attacks on centralized pub-lish/subscribe systems are necessarily localized.

Single-Hop (S)In some systems, attack propagation may be restricted to asingle-hop when message distribution occurs over only twobrokers (the entry point broker and the next hop broker).The breadth of an attack will depend on the fan-out of a

spreading aggressively, the true attacks are typically coordi-nated floods from hosts compromised by the worms [11].

Figure 7: Localized propagation of malicious mes-sages via unsubscription attacks.

given broadcasted message and is equally a concern for bothresource and semantic attacks.Attack propagation may be restricted to single-hop by the

distribution mechanism used. For instance, brokers in a sys-tem may leverage IP multicast rather than perform overlayrouting. An attack may also be limited to single-hop due tothe routing state or topology of the network. However, anattack is most likely to be restricted to a single-hop as partof some security scheme [16, 10].

Multi-Hop (M)More generally, malicious messages can propagate throughan arbitrary number of brokers beyond the initial entry bro-ker in multi-hop attacks. These attacks require more careto mount than localized attacks since the filtering featuresof a CPS system must be avoided by the adversary.Multi-hop propagation can be achieved by crafting attack

messages that successfully match routing state. Generally,subscriptions propagate when they match advertisementsand publications propagate when they match subscriptions.So attacks using subscription messages can potentially prop-agate back to a publishing broker, affecting all brokers alongthe path for instance. In this way, an adversary can use thenatural propagation of messages in the system to target apublishing broker by content only. In unstructured over-lay CPS systems, messages are either dropped or remainon edge brokers if no matches occur. In structured overlayCPS systems however, the propagation semantics are dif-ferent due to the use of rendezvous brokers. Messages willinstead propagate towards one or more rendezvous brokersunconditionally. Consequently, malicious traffic in a struc-tured overlay CPS system cannot be localized unless themalicious traffic is injected directly at a rendezvous broker.In addition to breadth, it is possible to further characterize

specific multi-hop attack instances by depth. An attack thatpropagates along more hops has more depth. The potentialdepth of an attack will again depend on both message con-tent and whether the CPS system is built on an unstructuredor structured overlay. In structured overlays, subscriptionsare guaranteed to route through a certain number of brokersen route to rendezvous broker(s) regardless of whether anintersecting advertisement exists. Since rendezvous brokersare also typically replicated, this has the effect of guarantee-ing a certain propagation breadth as well.We also note that in general, attacks using low rate traffic

are expected to propagate more effectively than high rateattacks. This is because a heavily loaded broker will in-herently traffic shape outbound malicious messages beingpropagated due to processing limitations5. The effects of ahigh rate attack will be more severe at the entry point ofthe attack, while brokers deeper in the network will be lessaffected by the high traffic rate. In other words, high-rateand volume attack messages are much more likely to becomebottlenecked.Also recall that multi-hop attacks are a significant danger

because they can potentially transmit DoS effects to remotebrokers as we demonstrated in our experiments.

5It is not unlikely that the effects of a bottlenecked appli-cation propagate down to the network layer triggering flowcontrol mechanisms as well.

Global (G)Finally, global attacks occur when malicious traffic is prop-agated to every broker in the system. Systems that supportglobal message flooding are obviously vulnerable to theseattacks, but it is also possible to mount global attacks ifmalicious messages are engineered to match global interests.For instance, if there is at least one subscriber at every bro-ker subscribing to some common publication space, then apublication falling into that space would propagate to everybroker in the system. CPS systems generally try to avoidglobal message propagation in normal situations, but we areunaware of any systems in which globally propagating at-tacks are impossible by design.

While a rendezvous approach avoids the need to flood mes-sages, it introduces globally known points of reference thatare themselves vulnerable as targets of DoS attacks. How-ever, attacking all rendezvous brokers in a structured over-lay does not necessarily constitute a globally propagatingattack.

In theory, global attacks should be as difficult to defendas multi-hop attacks. However, this may not be the casein practice since a CPS infrastructure may span multipleorganizations. Spanning multiple administrative domainswill likely complicate global security mechanisms makingglobally propagating attacks much more difficult to defendagainst.

4.5 Content DependenceA major feature in CPS systems is the routing of messages

according to their content. Since content determines howmessages are processed and delivered, an adversary can dras-tically change how an attack behaves by changing the con-tent of malicious attack messages. Propagation and targetedentities are examples of attack characteristics controlled byhost addresses in existing DoS attacks that are now con-trolled by message content in CPS systems. Whether anattack leverages content or not, and the exact nature of ma-licious message content being used will determine whetherexisting defence mechanisms are applicable.

Independent (I)Attacks such as message dropping or malicious filter removaldo not depend on the content of messages injected by an ad-versary. Although the adversary may choose to drop or re-move certain messages, the adversary does not need to craftmalicious messages with specific content to either mount theattack or make the attack more severe6.

Because no content crafting occurs on the part of the ad-versary, traditional security techniques based on authentica-tion and authorization may be the most appropriate.

Proportional (P)If the effectiveness of an attack depends on the adversarycrafting message content, the attack can either be propor-tional or inversely proportional to some measure of messagecontent complexity. For current CPS systems, the num-ber of predicates or tuples in a message is a good reflectionof message complexity. However, future CPS systems sup-porting filtering expressiveness beyond basic numeric and

6Malicious unsubscriptions and unadvertisements are excep-tions if the CPS system uses filter-based message removalsemantics rather than ID-based.

string comparisons may need different measures of contentcomplexity that better reflect supported filtering operations.Regardless, an attack is proportionally dependent on contentcomplexity if the severity of the attack increases when theadversary uses malicious workloads of greater complexity.Proportional dependence is with respect to a specific char-acteristic of the attack, such as memory consumption orprocessing delay. Direct resource attacks like message flood-ing are likely to be proportionally dependent on workloadcontent complexity.Defending against content dependent attacks requires aware-

ness of message content. However, content-based intrusiondetection is a difficult problem. An accurate measure of con-tent complexity may help predict the impact of and defendagainst proportionally dependent DoS attacks.

Inversely Proportional (V)An attack is inversely dependent on content complexity ifthe severity of the attack increases when the adversary usesmalicious workloads of less complexity. At first, it may seemthat all resource attacks are proportionally dependent oncontent complexity. However, this depends on how attacksare mounted since load can be induced by issuing highlygeneral subscriptions, for instance. In current CPS systems,highly general subscriptions tend to attract lots of publica-tions by having low complexity. Conversely, advertisementscan typically attract more subscriptions by specifying highercomplexity schemas that cover larger subscription spaces.Again, either content awareness or an accurate measure

of content complexity will help defend against such attacks.

4.6 Statefulness of EffectsAfter an adversary has stopped all direct DoS activity, it

is possible that victims continue to suffer from the effectsof the attack for some time. The effects of an attack mayeventually dissipate or the system may have to perform someexplicit recovery mechanism to rebuild correct state. Thedegree to which the effects of a DoS attack remain in thesystem gives some measure of effort needed by an adversaryto mount the attack.Except for logic-based attacks causing system crashes, ex-

isting DoS attacks are primarily stateless. However, due tothe widespread maintenance of state in common CPS sys-tems, stateful attacks beyond straight-forward system crash-ing may now become accessible to adversaries.

Stateless (L)The effects of stateless attacks only exist while the systemis actively processing malicious messages produced by anadversary. The effects of such attacks eventually disappearduring the course of normal processing without the systemtaking special measures for recovery. Existing DoS attacksin non-CPS systems have mostly been stateless since an ad-versary must actively maintain DoS conditions (usually withhigh rate and volume malicious traffic). The lasting effectsof these existing DoS attacks are typically limited to the rel-atively brief length of time data structures remain allocatedfor accepting connections and packet processing.Similarly in CPS systems, publication messages are state-

less. Although the length of time a publication spends in thesystem can vary significantly depending on the efficiency ofmatching, publications are removed from the system onceprocessing is complete (under baseline CPS semantics). No

special recovery mechanisms are required by the system.Stateless attacks are the easiest to defend against by block-ing all malicious traffic.

Stateful (F)On the other hand, the effects of stateful attacks remain inthe system even after the processing of malicious messagesproduced by an adversary has been completed. Stateful at-tacks are an extension of traditional application level DoSattacks because the adversary can use fewer messages tocause long lasting DoS effects. However, defending againstsuch attacks will also require explicit recovery mechanismsbeyond normal message processing. There are generally twoforms of state used in CPS systems, routing state and com-plex event detection state.

Routing state is maintained by brokers for validating, match-ing, and routing messages. In CPS systems, clients can mod-ify the routing state of a broker by issuing messages. Themost common messages that allow updating routing stateinclude subscriptions, advertisements, unsubscriptions, un-advertisements, and possibly type definition or specializedupdate messages. These messages are candidates for en-abling stateful attacks. Malicious removal of these messages(by unsubscription for example) can potentially disrupt no-tifications indefinitely. Malicious insertion of these messagesis also a stateful attack if the performance of a system de-grades with the amount of state maintained. Such corrup-tions of routing state must typically be repaired explicitlyby the system upon detection of the attack.

Complex event detection state is maintained by brokersfor correlating publications against stateful subscriptions.That is, subscriptions themselves may be stateful. In sys-tems supporting complex event detection, publications arealso candidates for mounting stateful attacks. Note that de-pending on the design of such a system, it may or may notbe necessary to actually retain publications in the system.

Stateful attacks are more difficult to defend against sinceadditional explicit recovery techniques are required.

Soft-state (S)In between stateless and stateful attacks, the effects of soft-state attacks also remain in the system after malicious mes-sages have been processed. However, such effects are even-tually removed automatically via some expiry mechanism.With respect to routing state, expiry mechanisms are typi-cally used for fault tolerance purposes. In systems support-ing complex event detection, expiry mechanisms are used tolimit or window the amount of state maintained and preventpublication state from accumulating indefinitely.

An attack that is stateful against one system may onlybe soft-stateful in another due to differences in how state ismaintained. Since soft states imply the need for continualstate refreshing, we expect that state expiration will typi-cally not occur too frequently. When state expiry is signifi-cantly infrequent, soft-state attacks become very similar tostateful attacks.

Persistent (P)A CPS system may also support subscribing to historic dataor recovering state from persistent storage to achieve faulttolerance. In such systems, there is an opportunity for cor-rupting or inserting malicious messages into persistent stor-age. When retrieved, these malicious messages can poten-

tially cause DoS effects as well. Attacks are considered per-sistent if its effects can be triggered by retrieving maliciousdata off persistent storage.

4.7 Component TechniquesWhen adversaries discover effective and portable tech-

niques for mounting DoS attacks, they will be reused in a va-riety of different attacks. Buffer overflows, packet reflection,and IP spoofing are examples of existing reusable techniquesfor mounting DoS attacks in non-CPS systems that are notattacks by themselves. Defending against these techniquesis typically difficult because they are very generic, but wouldeffectively defend against entire classes of DoS attacks. ForCPS systems, we identify identity forgery, thrashing, ampli-fication, and stockpiling techniques.The techniques we identify in this class are not mutually

exclusive since a single DoS attacks may use multiple tech-niques.

Identity Forgery (F)In distributed CPS systems, there are generally two identi-ties associated with each message: the identity of the orig-inal message source and the identity of the entity actuallydelivering the message. An adversary may forge either orboth of these identities in an attack.The identity of the original message source defines the

message owner, which is used to associate messages withsome entity for the purposes of state management and no-tification delivery at the final hop. Forging the identity ofthe original message owner can be used to manipulate exist-ing state belonging to another entity or to inject arbitrarymessages on behalf of another entity.The identity of the entity actually delivering the message

is used for reverse path forwarding. Forging this identity willallow an adversary to cause misrouting of messages. For in-stance, notifications could be directed to some victim client.While this second type of identity forgery is similar in princi-ple to IP spoofing used in traditional DoS attacks, the effectsare more restricted in CPS systems. IP spoofing is often usedto reflect packets at a victim and can target any system witha routable IP address by forging the source identity of thevictim. However, this is not the case in distributed CPSsystems where routing depends on state, message content,and only the previous routing hop. Identity forgery can atmost misroute messages amongst the common neighbours ofa broker which limits the applicability of traditional reflec-tion attacks in CPS systems.

Thrashing (T)Thrashing consumes resources in the system by causing rapidand frequent state changes (analogous to thrashing in mem-ory management). Thrashing is a special case of more gen-eral resource attacks so its effectiveness depends on howmuch system load can be generated in terms of processingand network traffic.Unlike straight forward message flooding attacks, the goal

is to induce load by abusing repeated state changes thatare processing intensive. This can be accomplished using aset of messages that will likely include unsubscriptions (orunadvertisements). Thrashing can succeed where floodingfails by avoiding optimization schemes that typically dependon “normal” message patterns. Generally, this will result inpathological state maintenance behaviour. This technique

is most useful in systems with covering and tight controlsover messages issued by a client (for instance, when there islittle flexibility in building a large number of unique filtersfor flooding).

Amplification (A)Amplification gives an adversary the ability to induce de-livery of multiple messages to a single entity by injecting asingle malicious message. Note that amplification does notinclude multicasting which only delivers a single message tomultiple distinct entities.

Several characteristics of the CPS paradigm are proneto amplification. For instance, a new advertisement mayattract many dormant subscriptions or an unsubscriptionmay trigger forwarding of multiple subscriptions. ExistingDoS attacks such as reflection use amplification by leverag-ing packet re-transmissions to spoofed IP addresses. How-ever, packet re-transmissions have a fixed amplification fac-tor (fixed number of re-transmissions). In contrast, existingCPS systems currently have features that potentially allowarbitrarily high amplification factors. We discuss amplifica-tion in the context of specific attacks in more detail later.

Stockpiling (S)To be successful, some attacks may depend on certain stateconfigurations in the system. Because of this, an adversarymay first need to setup the state needed to mount an attack.Such malicious traffic will need to be stateful but is not tech-nically part of the attack because it causes no DoS effectsby itself. If the malicious state build up is discovered anddealt with, the system can avoid the DoS attack altogether.We use the term stockpiling to describe such “attacks” thatbuild up malicious state in preparation for or to enable thetrue DoS attack (which itself may or may not be stateful).For instance, an adversary could first inject a number of ma-licious advertisements or subscriptions into the system thatsignificantly increases the effects of a subsequent publicationflooding attack. We elaborate more on the use of stockpilingin specific attacks in Section 5.

Vulnerability to stockpiling is introduced by allowing sys-tem users to issue messages that remain in the system. CPSsystems have so far assumed voluntary removal of such stateby the system users themselves, but little work has beendone to investigate how a system can deal with uncooper-ative users such as those intending to mount DoS attacks.Access control schemes are a possible prevention approachbut do not address situations where an adversary is able tocircumvent the access control layer or compromises an entitywith legitimate access. Note that the use of soft states doesnot prevent stockpiling since an adversary can easily refreshany stockpiled state.

5. DISCUSSIONIn Section 4, we noted that like recently emerging appli-

cation level DoS attacks, an adversary can attack a CPSsystem using relatively low volumes of malicious messagesif the messages are crafted carefully. Blindly flooding largevolumes of messages is not necessarily the most effectiveway of attacking a CPS system. As shown by our experi-ments in Section 3, the statefulness of CPS systems is a keyexploitable vulnerability that can be leveraged by advancedDoS attacks. In this section, we elaborate on our experimen-tal results and illustrate the significance of the classification

(a) Filter-based unadvertise-ment

(b) ID-based unadvertisement (c) Filter-based unsubscrip-tion

(d) ID-based unsubscription

Figure 8: Different filter removal semantics can significantly change how notification delivery is affected acrossadvertisement and subscription spaces. The filters and clients that can be affected by a single filter removaloperation (dotted box) under each semantic are marked by an 𝑋.

used in our taxonomy by discussing stateful DoS attacks inmore detail.First, since advertisements and subscriptions are used to

establish routing paths, they can be injected by an adversaryto control the flow of messages through the system. Highlygeneric subscriptions can be used to attract large amountsof publication traffic to the adversary-hosting broker or redi-rect large amounts of notification traffic to a client hostedby the same broker. Similarly, highly generic advertisementscan be used to attract large numbers of subscriptions. Ad-vertisement injections of this form consume more state thansubscription injections by attracting subscription messages,but may attract fewer overall messages if the assumptionthat legitimate publication traffic exceeds legitimate sub-scription traffic holds true. Additionally, even if the adver-sary does choose to inject malicious advertisements or sub-scriptions to load the system directly, the adversary can still“build-up” a significant amount of malicious state stealthilybefore injecting a final burst of malicious messages to com-plete the actual attack. This two-phase “build-up”/flood ap-proach allows an adversary to weaken the resilience of bro-kers deeper in the network with stealthy low-rate messagesthat are minimally affected by the traffic shaping effects ofnetwork bottlenecks. CPS researchers have informally ex-pressed concerns over the effects of highly generic filters andmalicious state before, but it is not until now that we are ableto classify such attacks as using the stockpiling technique aspresented in our taxonomy. This shows that our taxonomyis indeed useful for structuring DoS in CPS systems withrespect to real concerns and actual attack instances.Second, since advertisement and subscription state needs

to be maintained in order for messages to be delivered, it isalso possible to mount DoS attacks by maliciously remov-ing advertisements or subscriptions owned by another entity.However, the semantics of malicious state removal attacksare not as straight-forward as they first appear. This isbecause there are currently two known semantics for unad-vertisements (and similarly for unsubscriptions): ID-basedand filter-based. In some systems, filter removal is basedon ID. That is, a single unadvertisement (unsubscription)corresponds to the removal of a single advertisement (sub-scription). However, in some other systems [8], filter removalis done using another filter that covers one or more filters tobe removed and the“unfilter” is expressed using normal filtersyntax. That is, a single unadvertisement (unsubscription)may remove multiple advertisements (subscriptions). Thefilter-based removal semantics result in potentially broader

attacks since a single injected unfilter can potentially coverand remove multiple legitimate filters. The effect of ma-licious filter removal is to cut off the flow of publications,and possibly also trigger state maintenance in the case ofunadvertisements. Figure 8 illustrates the differences be-tween unadvertisement and unsubscription injections underthe ID-based and filter-based semantics we described. Thereis currently no consensus on whether ID-based or filter-basedfilter removals should be used in CPS. However, as we showhere, there are significant DoS implications arising from un-filter semantics that are independent of actual implementa-tion. Since this concern is classified under semantic weak-nesses in our taxonomy, it again shows that our taxonomyis useful for classifying real concerns and actual attack in-stances.

6. RELATED WORKMirkovic and Reiher [12] develop a taxonomy specifically

for Distributed DoS attacks in which an adversary controlsmultiple attacking entities. However, their taxonomy is spe-cific to DDoS attacks in non-CPS systems. Our taxonomysupplements their work both by identifying classificationsrelevant in the CPS domain and by not restricting ourselvesto only DDoS attacks.

In the CPS domain, there has been relatively little focuson DoS attacks, which are generally grouped together withother general security concerns.

Srivatsa and Liu [16] propose a security system on top ofpublish/subscribe based on layers of software guards. Theirauthentication mechanisms successfully limit the effects ofmessage injection attacks to a single-hop. However, theirwork is focused on providing a general security solution anddoes not discuss DoS attacks in-depth.

Wang et al. [17] discussed several broad security issues andrequirements including DoS. They briefly discuss three po-tential approaches for defending against DoS attacks: pub-lication limits, CPU-cycle-based payments, and challenge-based authentication. However, they also do not discuss theeffects of DoS attacks in any detail.

To the best of our knowledge, our work is the first to con-duct a detailed study of DoS effects and highlight key DoSconcerns new to CPS systems. As far as we are aware, weare also the first to provide a taxonomy of DoS attack char-acteristics in CPS systems, structuring a previously vaguearea.

7. CONCLUSIONIn this paper, we have presented experimental results that

highlight some key DoS concerns arising in CPS systems. Inour experiments, we have found that message propagation,content complexity, and state maintenance are characteris-tics introduced by the CPS paradigm with new DoS impli-cations. The effects of resource attacks depend heavily onhow these characteristics are leveraged by adversaries. Inparticular, load localization effects can be used as a DoSresilience technique, while remotely induced DoS effects area significant concern since such attacks will be difficult todefend against. Furthermore, both the content complexityand statefulness of malicious workloads will significantly af-fect the severity of load-based DoS attacks. We believe thiswill be a general concern for many CPS systems. Accu-rately estimating the content complexity of messages andeffectively controlling malicious message state are two direc-tions of research that we are pursuing as future work.Based on our experimental results, we have also proposed

a taxonomy for classifying DoS attack characteristics andconcerns in the domain of CPS systems. Our taxonomy iscomplete in the sense that it can be used to easily classifyboth existing and future DoS attack instances in this do-main. Our taxonomy also facilitates comparing the inher-ent DoS resilience of different CPS system designs as well ascomparing the effectiveness of different defence mechanisms.Finally, we have discussed several DoS attack instances in

detail with respect to our experimental results and taxon-omy. Our discussion provides further insight into the im-plications of state maintenance on DoS vulnerabilities. Inparticular, message stockpiling and malicious unfiltering aretwo fundamental vulnerabilities that can dramatically in-crease the effects of DoS attacks and should be consideredby DoS resilient CPS systems.It is our hope that this paper will stimulate discussion

about DoS attacks and defences in both existing and futureCPS systems.

AcknowledgementsThis research was funded in part by OCE, NSERC, CA andSun. We would also like to thank Vinod Muthusamy andthe entire Middleware Systems Research Group at the Uni-versity of Toronto for their valuable feedback regarding thiswork.

8. REFERENCES[1]

http://www.cisco.com/en/US/products/ps6480/index.html.

[2]http://www.solacesystems.com/products/Tech leadership.asp.

[3] I. Aekaterinidis and P. Triantafillou. PastryStrings: AComprehensive Content-Based Publish/Subscribe DHTNetwork. In ICDCS, 2006.

[4] M. K. Aguilera, R. E. Strom, D. C. Sturman, M. Astley,and T. D. Chandra. Matching Events in a Content-basedSubscription System. In Principles of DistributedComputing, 1999.

[5] G. Banavar, T. Chandra, B. Mukherjee, J. Nagarajarao,R. E. Strom, and D. C. Sturman. An Efficient MulticastProtocol for Content-based Publish-Subscribe Systems. InInternational Conference on Distributed ComputingSystems, 1999.

[6] F. Cao and J. Singh. MEDYM: Match-Early and DynamicMulticast for Content-base Publish/Subscribe ServiceNetworks. In IEEE International Conference onDistributed Computing Systems Workshops, 2005.

[7] N. Carvalho, F. Araujo, and L. Rodrigues. ReducingLatency in Rendezvous-Based Publish-Subscribe Systemsfor Wireless Ad Hoc Networks. In ICDCSW, 2006.

[8] A. Carzaniga, D. Rosenblum, and A. Wolf. Design andEvaluation of a Wide-Area Event Notification Service.ACM Transactions on Computer Systems, 19(3):332–383,2001.

[9] F. Fabret, H. A. Jacobsen, F. Llirbat, J. Pereira, K. A.Ross, and D. Shasha. Filtering Algorithms andImplementation for Very Fast Publish/Subscribe Systems.In Sigmod, 2001.

[10] L. Fiege, M. Mezini, G. Muhl, and A. P. Buchmann.Engineering Event-Based Systems with Scopes. In ECOOP,2002.

[11] K. J. Houle, G. M. Weaver, N. Long, and R. Thomas.Trends in Denial of Service Attack Technology. Technicalreport, CERT Coordination Center, 2001.

[12] J. Mirkovic and P. Reiher. A Taxonomy of DDoS Attackand DDoS Defense Mechanisms. ACM SIGCOMMComputer Communications Review, 34 (2):39–54, 2004.

[13] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, andS. Savage. Inferring Internet Denial-of-Service Activity.ACM Transactions on Computer Systems, 24 (2):115–139,2006.

[14] G. Muhl. Large-Scale Content-Based Publish/SubscribeSystems. PhD thesis, Vom Fachbereich Informatik derTechnischen Universitat Darmstadt, 2002.

[15] P. R. Pietzuch and J. M. Bacon. Hermes: A DistributedEvent-Based Middleware Architecture. In DEBS, 2002.

[16] M. Srivatsa and L. Liu. Securing Publish-Subscribe OverlayServices with EventGuard. In 12th ACM conference onComputer and communications security, 2005.

[17] C. Wang, A. Carzaniga, D. Evans, and A. Wolf. SecurityIssues and Requirements for Internet-ScalePublish-Subscribe Systems. In Hawaii InternationalConference on System Sciences, 2002.

a taxonomy for denial of service attacks in content-based...

Documents