Countering distributed denial of service attacks.

Abstract

The growing number of Distributed Denial of Service (DDoS) attacks impose a significant threat to the availability of Internet services. This dissertation examines the working mechanism of DDoS attacks and develops a number of methodologies and prototypes to counter DDoS attacks. These mechanisms defend against DDoS attacks in different ways: throttling DDoS traffic at IP routers (core or edge), sniffing flooding sources at edge routers, filtering out DDoS traffic at victim severs or their nearby firewalls, and protecting reserved network resources at edge routers. Based on the concept of layer-4 service differentiation and resource isolation, we propose a transport-aware IP router architecture, in which the flooding traffic is significantly throttled and most of the traffic is dropped in a close proximity to their sources. To sniff SYN flooding attacks, we propose a simple and robust mechanism, called <italic>SYN-dog</italic>. The core of SYN-dog is based on the distinct protocol behavior of TCP connection establishment and teardown, and is an instance of the Sequential Change Point Detection [13]. A non-parametric Cumulative Sum (CUSUM) method [19] is applied, thus making the SYN-dog insensitive to site and access pattern. We develop a novel hop-count-based filter to weed out spoofed IP packets at victim sites. <italic>Hop-Count Filtering</italic> (HCF) builds an accurate IP-to-hop-count (IP2HC) mapping table, while using a moderate amount of storage, by clustering address prefixes based on hop-count. To capture hop-count changes under dynamic network conditions, we also devise a safe update procedure for the IP2HC mapping table that prevents pollution by HCF-aware attackers. Finally, to protect reserved network resources at edge devices from DQoS (Denial of Quality of Service) attacks, we propose a fast and light-weighted IP network-edge resource access control mechanism, called <italic>IP Easy pass</italic>, we demonstrate the vulnerability of the reserved network resources to flooding attacks. Then, we attach a unique <italic>pass</italic> to each legitimate real-time packet so that an ISP edge router can validate the legitimacy of an incoming IP packet very quickly and simply by checking its pass. Thus, <italic> Easy-pass</italic> shields the reserved network resources from spoofed packets.