S3B: Software-Defined Secure Server Bindings

2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS) (2018)

Abstract
For decades, request-routing protocols operating at multiple layers of the network stack have been a staple of Internet services. Commonly deployed request-routing techniques use the requestor's IP address as an identifier of the client. For instance, using DNS as a request-routing protocol, the local DNS resolver's IP address is used as a surrogate identifier of the client in order to assign the client to the closest server. While such coarse associations may be acceptable for performance-centric purposes, they are not appropriate in settings that require fine-grained, enforceable bindings of clients to servers - e.g., to ensure that malicious clients are unable to bypass their bindings and issue their request to a server of their choosing. In this paper, we propose S3B (Software-defined Secure Server Bindings), a protocol that provides precise and enforceable client-server assignments. S3B uses a server module to assign clients unique access keys. Using HTTP redirection with the key encrypted as an additional domain label, the name server is able to distribute precise server assignments specific to each client. In addition, the server module maintains an access control list to enforce these assignments. As an implementation of the S3B protocol, we have developed an HTTP/S prototype and deployed it to Amazon AWS. Our performance evaluation suggests that our prototype introduces no discernible overhead for client requests. To evaluate S3B's effectiveness as a security appliance, we developed an application to isolate clients suspected as spiders, capable of virtually immediate containment once detected.
Keywords
client server assignments,web security,access control,request routing,automated attacks