Multifaceted Defense Against Distributed Denial of Service Attacks: Prevention, Detection, Mitigation
Doktorsavhandling, 2012

Distributed Denial of Service (DDoS) attacks can be so powerful that they can easily deplete the computing resources or bandwidth of the potential targets, by flooding massive packets. Internet infrastructures and network applications, including social services and communication systems for emergency management, are under the threat of the DDoS problem. This thesis aims at providing efficient methods which can detect and mitigate DDoS attacks, meanwhile keeping the network performance degradation as little as possible. Dealing with DDoS attacks is challenging, due to their multifaceted properties: dynamic attack rates, various kinds of targets, big scale of botnets, etc. Multifaceted nature of DDoS attacks justifies the need for multifaceted defense. Thus we address the DDoS problems from different aspects. In particular, in the thesis we present an adaptive port-hopping method to address application-level DDoS problems. The method enables multiparty applications to communicate via ports changed periodically. Thus, the adversary cannot effectively attack the communication ports of the targets. The proposed method can deal with clock drifts among the communication parties without the need of acknowledgments or time server. To address the bandwidth-flooding attacks, in the thesis, we propose and present SIEVE, a lightweight distributed filtering method. Depending on the adversary's ability, SIEVE can provide a standalone filter for moderate adversary models and a complementary filter which can enhance the performance of strong and more complex methods for stronger adversary models. SIEVE uses an overlay network to form a distributed ``sieve'' and uses lightweight authenticators (e.g. source IP addresses) to filter packets. SIEVE includes also a simple solution to protect connection setup procedures between legitimate clients and protected servers, which can also be applied to address the Denial-of-Capability (DoC) problem. In this thesis we present how to complement network-capability mechanisms by addressing the Denial-of-Capability problem. Mitigating DDoS attacks are challenging not only for the end hosts, but also for the network. By building on earlier work and improving on distribution of control aspects, a proactive method, which we call CluB, is proposed in this thesis to mitigate DDoS attacks. The method balances the effectiveness-overhead trade-off by addressing the issue of granularity of control in the network. CluB can collaborate with different routing policies in the network, including contemporary datagram options. We estimate the effectiveness of the method and also study a set of factors for tuning the granularity of control. The thesis also studies the problem of monitoring high-speed traffic and detecting DDoS-related anomalies in a data streaming fashion to offer a detection at an early stage in the core network, thus activating appropriate DDoS mitigations only when necessary. We propose an IP-prefix based aggregation method to monitor and detect DDoS-related anomalies. Furthermore, we investigate the design space of combining parallel-distributed data streaming with both online detection and baseline profile maintenance, and give detailed solutions for achieving this. The proposed data streaming based DDoS defense solutions are implemented upon a parallel-distributed data stream engine.

Data Streaming

Network Security


Distributed Denial-of-Service

System Design

DDoS Detection

Distributed Computing


Zhang Fu

Chalmers, Data- och informationsteknik, Nätverk och system

Mitigating Distributed Denial of Capability Attacks Using Sink Tree Based Quota Allocation

In the Proceedings of 25th ACM Symposium on Applied Computing (SAC 2010),; (2010)p. 713-718

Paper i proceeding

CluB: A Cluster Based Framework for Mitigating Distributed Denial of Service Attacks

Proceedings of the ACM Symposium on Applied Computing. 26th ACM Symposium on Applied Computing (SAC 2011), TaiChung, 21-24 March 2011,; (2011)p. 520-527

Paper i proceeding

Mitigating Distributed Denial of Service Attacks in Multiparty Applications in the Presence of Clock Drifts

IEEE Transactions on Dependable and Secure Computing,; Vol. 9(2012)p. 401-413

Artikel i vetenskaplig tidskrift


Informations- och kommunikationsteknik






Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 3414

Mer information