Mitigating Distributed Denial-of-Service Attacks: Application-defense and Network-defense Methods
Licentiate thesis, 2010
Distributed Denial of Service (DDoS) attacks can be so powerful that they easily deplete the computing resources or bandwidth of their targets. Based on the type of target, DDoS attacks can be addressed at two levels: the application level and the network level.
Taking network-based applications into consideration, a weak point is that they commonly open some known communication port(s), making themselves targets for denial of service (DoS) attacks. Considering adversaries that can eavesdrop and launch directed DoS attacks against the applications' open ports, solutions based on pseudo-random port-hopping have been suggested. As port-hopping needs the communicating parties to hop in a synchronized manner, these solutions suggest acknowledgment-based protocols between a client-server pair or assume the presence of synchronized clocks. Acknowledgments, if lost, can cause a port to stay open for a longer time and thus be vulnerable to DoS attacks; time servers for synchronizing clocks can themselves become targets of DoS attacks.
We propose solutions for multiple parties whose clocks have rate drifts, which is common in networking. In particular, we propose an algorithm, BIGWHEEL, for servers to communicate with multiple clients in a port-hopping manner without the server needing to keep state for each client individually, which enables support for multi-party applications as well. We also present an adaptive algorithm, HOPERAA, for hopping in the presence of clock drifts, together with the analysis and evaluation of the methods. The solutions are simple, based on each client interacting with the server independently of the other clients, without the need for acknowledgments or time servers.
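To make the synchronization problem concrete, here is an added illustration (not code from the thesis, and not the BIGWHEEL or HOPERAA algorithms) of keyed pseudo-random port-hopping: the server keeps a small guard window of slots open, a client with a drifting clock eventually falls outside that window, and dividing out an estimate of the drift rate pushes the loss of synchronization further out. Slot length, port range, key and drift values are constructed for the example.

```python
import hmac
import hashlib

# Constructed parameters for this illustration (not values from the thesis).
SLOT_LEN = 10.0                  # seconds a port stays in use before hopping
PORT_LO, PORT_HI = 20000, 60000  # hopping range

def port_for_slot(key: bytes, slot: int) -> int:
    """Pseudo-random port for hop slot `slot`, keyed so an eavesdropper who sees
    the current port cannot predict the next one without the shared key."""
    msg = slot.to_bytes(8, "big", signed=True)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return PORT_LO + int.from_bytes(digest[:4], "big") % (PORT_HI - PORT_LO)

def slot_at(t: float) -> int:
    """Hop slot index that a clock reading of t seconds falls into."""
    return int(t // SLOT_LEN)

def server_open_ports(key: bytes, t_server: float, guard: int = 1) -> set:
    """Ports the server listens on at its own time t_server: the current slot plus
    `guard` slots either side, so a slightly misaligned client still gets through."""
    s = slot_at(t_server)
    return {port_for_slot(key, i) for i in range(s - guard, s + guard + 1)}

def client_port(key: bytes, t_server: float, drift: float, rate_est: float = 0.0) -> int:
    """Port chosen by a client whose clock runs at rate (1 + drift) relative to the
    server, after dividing out its own estimate `rate_est` of that drift."""
    t_client = t_server * (1.0 + drift)
    return port_for_slot(key, slot_at(t_client / (1.0 + rate_est)))

def first_desync(key, drift, horizon, step, guard=1, rate_est=0.0):
    """First server time (sampled every `step` seconds up to `horizon`) at which the
    client's port is no longer among the server's open ports, or None if never."""
    t = 0.0
    while t <= horizon:
        if client_port(key, t, drift, rate_est) not in server_open_ports(key, t, guard):
            return t
        t += step
    return None

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    print("no drift, desync at:", first_desync(key, 0.0, 3600.0, 1.0))
    print("1000 ppm drift, desync at:", first_desync(key, 1e-3, 30000.0, 1.0))
    print("1000 ppm drift, 900 ppm corrected, desync at:",
          first_desync(key, 1e-3, 250000.0, 10.0, rate_est=9e-4))
```

With a 10 s slot and one guard slot, the uncorrected client loses synchronization once its clock has gained between 10 s and 20 s on the server, i.e. after 10000 to 20000 s at 1000 ppm; the partially corrected client lasts roughly ten times longer, which is why a drift-adaptive scheme is needed rather than a fixed guard window.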
Mechanisms working at the application level are not sufficient to deal with DDoS attacks that aim to congest the victim's network. Victims may need help from network-based solutions to solve the problem. Among the network-based solutions against DDoS attacks, the network-capability mechanism is a novel approach. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, essentially causing a Denial-of-Capability (DoC). In this thesis an algorithm to mitigate DoC attacks is proposed. With this algorithm, legitimate hosts can get service with guaranteed probability. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink-tree architecture. Randomization and Bloom filters are used as tools against threats (attack scenarios). Issues of fault tolerance and the deployment of the proposed approach are also addressed.
Mitigating DDoS attacks is challenging not only for the targets of the attacks but also for the network, as large volumes of illegitimate traffic share the same network resources as legitimate traffic and can furthermore cause congestion phenomena and performance degradation. Considering malicious traffic, we would ideally like to disallow it completely from consuming network resources. To achieve that, the malicious traffic should be controlled as close to the source(s) as possible. It is observed that there is a trade-off between the protection level of the network and the efficiency/overhead of the protecting method. By building on earlier work and improving on distribution-of-control aspects, a proactive method, which we call CluB, is proposed in this thesis to mitigate DDoS attacks. The method balances the effectiveness-overhead trade-off by addressing the issue of granularity of control in the network. CluB can collaborate with different routing policies in the network, including contemporary datagram options. We estimate the effectiveness of the method and also study a set of factors for tuning the granularity of control.