Redistributing the Costs of Volumetric Denial-of-Service Mitigation
Author(s)
DeLaughter, Samuel
Advisor
Sollins, Karen
Abstract
Volumetric Denial-of-Service (DoS) attacks pose a severe and exponentially increasing threat to the Internet. Existing mitigations provide valuable stop-gaps but fail to address the root cause, and the overhead they incur is poorly understood. To combat these attacks we present a protocol-agnostic approach to DoS mitigation that moves overhead away from service bottlenecks, towards the network edge and onto attackers themselves. We observe that the vast majority of attacks rely on a small subset of packet types which are individually identical to legitimate packets, but generated far more often by attackers than by regular clients. Making such packets marginally more difficult to generate can significantly reduce flood volumes without harming legitimate clients. We design and implement two novel mitigations in TCP following this approach, to combat the ubiquitous SYN Flood attack. The first is largely a toy example illustrating how simple packet padding can rate-limit bandwidth-constrained attackers, while the second is a more robust approach using miniature proofs-of-work to restrict the common CPU-bound attacker. We also present a rigorous experimental methodology and novel suite of metrics for more accurately evaluating the efficacy and overhead of arbitrary DoS mitigations across changes in attack, client behavior, and network topology. We use this measurement framework to evaluate our proposed mitigations in a controlled network testbed. Both mitigations exhibit negligible overhead, and while their efficacy is subjective they succeed in completely nullifying potentially devastating SYN floods in certain contexts. Beyond our immediate findings in TCP, this work is broadly applicable to the design of DoS-resilient network protocols and internet architectures.
Date issued
2023-09
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology