Mitigation and traceback countermeasures for DoS attacks
Denial of service (DoS) attacks impose an imminent threat to the availability of Internet services. The alarming increase of such attacks coupled with the emergence of sophisticated DoS attack techniques, call for efficient defense mechanisms to counter these attacks. Although there has been ongoing research in this area—focusing on DoS prevention, mitigation, and traceback—the existing countermeasures lack in several qualitative and quantitative metrics. In this context, this dissertation makes two key contributions in the design and analysis of efficient, scalable schemes for DoS mitigation and traceback.
First, efficient perimeter mitigation schemes based on novel concepts, such as “protocol-determinism” and “victim-assistance” are proposed. The proposed schemes enable ISP edge routers to perform timely mitigation of both end-host and network exhaustion attacks. The proposed mitigation schemes have been evaluated through analytical studies for classical and advanced attacks quantifying security metrics, such as false positive and false negative rates, and performance metrics, such as effective attack rate and connection establishment latency increase. Our analysis shows that the proposed schemes offer very low false positive and false negative rates, and reduce attacker's effective attack rate significantly with an acceptable increase in connection establishment latency.
Second, hybrid IP traceback schemes that integrate the concepts of packet marking and packet logging in a novel manner are proposed. The goal is to achieve a drastic reduction in the number of attack packets required to conduct the traceback process. The proposed traceback schemes have been evaluated through a combination of analytical and simulation studies quantifying performance metrics, such as number of attack packets, storage overhead, and attack localization distance. Our studies show that the proposed traceback schemes are superior in comparison to the well known PPM scheme.
This dissertation opens up several directions for future research which includes (1) designing efficient mitigation schemes in the context of inter-domain network, (2) designing efficient mitigation schemes that employ traceback, and (3) designing a comprehensive DoS defense mechanism that integrates DoS prevention, mitigation, and traceback in an efficient manner.