Redistributing the Costs of Volumetric Denial-of-Service Mitigation

Author(s): DeLaughter, Samuel
Advisor: Sollins, Karen
Terms of use: In Copyright - Educational Use Permitted. Copyright retained by author(s). https://rightsstatements.org/page/InC-EDU/1.0/
Abstract
Volumetric Denial-of-Service (DoS) attacks pose a severe and exponentially increasing threat to the Internet. Existing mitigations provide valuable stop-gaps but fail to address the root cause, and the overhead they incur is poorly understood. To combat these attacks we present a protocol-agnostic approach to DoS mitigation that moves overhead away from service bottlenecks, towards the network edge and onto attackers themselves. We observe that the vast majority of attacks rely on a small subset of packet types which are individually identical to legitimate packets, but generated far more often by attackers than by regular clients. Making such packets marginally more difficult to generate can significantly reduce flood volumes without harming legitimate clients. We design and implement two novel mitigations in TCP following this approach, to combat the ubiquitous SYN Flood attack. The first is largely a toy example illustrating how simple packet padding can rate-limit bandwidth-constrained attackers, while the second is a more robust approach using miniature proofs-of-work to restrict the common CPU-bound attacker. We also present a rigorous experimental methodology and novel suite of metrics for more accurately evaluating the efficacy and overhead of arbitrary DoS mitigations across changes in attack, client behavior, and network topology. We use this measurement framework to evaluate our proposed mitigations in a controlled network testbed. Both mitigations exhibit negligible overhead, and while their efficacy is subjective they succeed in completely nullifying potentially devastating SYN floods in certain contexts. Beyond our immediate findings in TCP, this work is broadly applicable to the design of DoS-resilient network protocols and internet architectures.
Date issued: 2023-09
URI: https://hdl.handle.net/1721.1/152862
Department: Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher: Massachusetts Institute of Technology

Collections: Doctoral Theses