Identifier uch.csd.msc//2005stavrakis
Title Protection against distributed denial-of-service attacks using deterministic packet marking, adapted to the organization of the Internet into autonomous systems
Alternative Title Provider-Based Deterministic Packet Marking against Distributed DoS Attacks
Creator Stavrakis, Elias
Abstract One of the most serious security threats on the Internet today is the Distributed Denial of Service (DDoS) attack, due to the significant service disruption it can create and the difficulty of preventing it. The aim of DDoS attacks is the disruption of services by attempting to limit access to a machine or service instead of subverting the service itself. The difficulty of prevention is due to design decisions of the Internet that created an open resource access model emphasizing functionality and simplicity, but not security. In this thesis, we propose two new provider-based, deterministic packet marking models that can be used to characterize DDoS attack streams. Such common characterization can be used to make filtering at the destination-end provider more effective. In this direction we propose a rate control scheme that protects destination domains by limiting the amount of traffic during an attack, while leaving a large percentage of legitimate traffic unaffected. The above features enable providers to offer enhanced security protection against such attacks as a value-added service to their customers, and hence offer positive incentives for them to deploy the proposed models. Furthermore, we propose an anti-spoofing mechanism that uses the proposed models to build a mapping table that can be used as a fast way to filter spoofed packets, and a mechanism for detecting and filtering false marking attacks. Finally, we discuss approaches based on the proposed models for detecting DDoS attacks. We quantitatively evaluate the proposed marking models using a snapshot of the actual Internet topology, in terms of the achieved differentiation of attack traffic and legitimate traffic in cases of full and partial deployment, for different sizes of providers and for the IPv4 and IPv6 protocols. Furthermore, we qualitatively evaluate the proposed models in terms of the desired properties that a defense model must have. Finally, we propose an elaborate metric for evaluating defense models that can capture factors such as the usage of services and the priorities of the provider that deploys the defense model.
Issue date 2005-07-01
Date available 2005-07-27
Collection   School/Department--School of Sciences and Engineering--Department of Computer Science--Post-graduate theses
  Type of Work--Post-graduate theses