Preventing Denial-of-Service Attacks with Packet Symmetry

Denial-of-service (DoS) attacks are a serious problem affecting the Internet today with security firms estimating over 5000 attacks are launched per day, leading to revenue loss and tarnished reputations for online businesses. These attacks remain prevalent and successful because the Internet has no mechanism to distinguish wanted from unwanted packets. The core of the Internet impartially forwards any packet to its destination without regard as to whether the destination actually desires said packet or not. This thesis evaluates packet symmetry [47] as a heuristic to distinguish wanted from unwanted traffic at the source network, to enable proactive filtering of DoS attack traffic before it reaches the core. Packet symmetry measures the “goodness” of outgoing traffic using the ratio of transmitted-toreply packets with a lower ratio implying better traffic. A packet symmetry limiter shapes outgoing traffic to ensure the per-flow ratio of transmissionto-reply packets never exceeds a pre-defined threshold. This empowers DoS victims to throttle any unwanted traffic from symmetry-limited sources simply by not replying to those sources’ requests. This power is especially important for end users and small businesses, who make up the majority of DoS attack victims [56, 53], that cannot afford to over-provision network resources as a means to tolerate massive flooding attacks. The net effect is that a network governed by packet symmetry cannot be the source of flood-