Mitigating Distributed Denial-of-Service Attacks: Application-defense and Network-defense Methods

Licentiate thesis, 2010

Distributed Denial of Service (DDoS) attacks can be so powerful that they can easily deplete the computing resources or bandwidth of the potential targets. Based on the types of the targets, DDoS attacks can be addressed in two levels: application-level and network-level. Taking the network-based applications into consideration, a weak point is that they commonly open some known communication port(s), making themselves targets for denial of service (DoS) attacks. Considering adversaries that can eavesdrop and launch directed DoS attacks to the applications’ open ports, solutions based on pseudo-random port-hopping have been suggested. As port-hopping needs the communicating parties to hop in a synchronized manner, these solutions suggest acknowledgment-based protocols between a clientserver pair or assume the presence of synchronized clocks. Acknowledgments, if lost, can cause a port to be open for longer time and thus be vulnerable to DoS attacks; Time servers for synchronizing clocks can become targets to DoS attack themselves. We propose solutions for multiple parties which have clocks with rate drifts, which is common in networking. In particular, we propose an algorithm, BIGWHEEL, for servers to communicate with multiple clients in a port-hopping manner, without the server needing to keep state for each client individually, which enables support to multi-party applications as well. We also present an adaptive algorithm, HOPERAA, for hopping in the presence of clock-drifts, as well as the analysis and evaluation of the methods. The solutions are simple, based on each client interacting with the server independently of the other clients, without the need of acknowledgments or time servers. Mechanisms working in the application-level are not sufficient to deal with DDoS attacks that aim to congest the victim’s network. Victims may need the help from network-based solutions to solve the problem. Among the networkbased solutions against DDoS attacks, network-capability mechanism is a novel approach. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, essentially causing possible Denial-of- Capability (DoC). In this thesis an algorithm to mitigate DoC attacks is proposed. With this algorithm, the legitimate hosts can get service with guaranteed probability. The algorithm divides the server’s capacity for handling capability requests into quotas. Quotas are allocated based on a sink tree architecture. Randomization and Bloom filters are used as tools against threats (attacking scenarios). Issues on fault-tolerance and the deployment of the approach proposed are also addressed. Mitigating DDoS attacks are challenging not only for the targets of the attacks, but also for the network, as large volume of illegitimate traffic share the same network resources as legitimate traffic and can furthermore causes congestion phenomena and performance degradation. Considering malicious traffic, we would like ideally to disallow it completely from consuming network resources. To achieve that, the malicious traffic should be controlled as close to the source(s) as possible. It is observed that there is a trade-off between the protection level of the network and the efficiency/overhead of the protecting method. By building on earlier work and improving on distribution of control aspects, a proactive method, which we call CluB, is proposed in this thesis to mitigate DDoS attacks. The method balances the effectiveness-overhead tradeoff by addressing the issue of granularity of control in the network. CluB can collaborate with different routing policies in the network, including contemporary datagram options. We estimate the effectiveness of the method and also study a set of factors for tuning the granularity of control.