Multifaceted Defense Against Distributed Denial of Service Attacks: Prevention, Detection, Mitigation

Distributed Denial of Service (DDoS) attacks can be so powerful that they can easily deplete the computing resources or bandwidth of the potential targets, by flooding massive packets. Internet infrastructures and network applications, including social services and communication systems for emergency management, are under the threat of the DDoS problem. This thesis aims at providing efficient methods which can detect and mitigate DDoS attacks, meanwhile keeping the network performance degradation as little as possible. Dealing with DDoS attacks is challenging, due to their multifaceted properties: dynamic attack rates, various kinds of targets, big scale of botnets, etc. Multifaceted nature of DDoS attacks justifies the need for multifaceted defense. Thus we address the DDoS problems from different aspects. In particular, in the thesis we present an adaptive port-hopping method to address application-level DDoS problems. The method enables multiparty applications to communicate via ports changed periodically. Thus, the adversary cannot effectively attack the communication ports of the targets. The proposed method can deal with clock drifts among the communication parties without the need of acknowledgments or time server. To address the bandwidth-flooding attacks, in the thesis, we propose and present SIEVE, a lightweight distributed filtering method. Depending on the adversary’s ability, SIEVE can provide a standalone filter for moderate adversary models and a complementary filter which can enhance the performance of strong and more complex methods for stronger adversary models. SIEVE uses an overlay network to form a distributed “sieve” and uses lightweight authenticators (e.g. source IP addresses) to filter packets. SIEVE includes also a simple solution to protect connection setup procedures between legitimate clients and protected servers, which can also be applied to address the Denial-of-Capability (DoC) problem. In this thesis we present how to complement network-capability mechanisms by addressing the Denial-of-Capability problem. Mitigating DDoS attacks are challenging not only for the end hosts, but also for the network. By building on earlier work and improving on distribution of control aspects, a proactive method, which we call CluB, is proposed in this thesis to mitigate DDoS attacks. The method balances the effectiveness-