Dissertation (Access Restricted)
Doctor of Philosophy
Denial of service (DoS) attacks are currently one of the biggest risks any organization connected to the Internet can face. Launched primarily by sending floods of traffic across a bottleneck network link or a target router, such attacks overwhelm the limited resources available at a victim organization. This causes a DoS for legitimate users that are behaving in a fair manner. In this dissertation we develop a series of independent defense mechanisms to mitigate and defend against such congestion-based DoS attacks. These mechanisms are categorized based on the kind of TCP/IP layer (application or network) they can be implemented in. At the application layer, we use game theoretic mechanisms to model such attacks as games played between an attacker and a defender. The widely accepted concept of Nash equilibrium is used to determine the optimal strategy for players participating in the game. These strategies can be executed by application layer tools like firewalls and/or intrusion detection systems (IDS). We build a comprehensive defense architecture called Game Inspired Defense Architecture (GIDA) using open source tools (Bro IDS, IPFW and Dummynet) and evaluate its performance on public testbeds like DeterLab. Similarly, at the network layer, we develop an active queue management (AQM) technique that can be implemented by network layer tools like edge router(s). Our proposed technique provides router buffer stability and fairness among flows while defending against congestion-based DoS attacks. We compare its performance against various other prominent AQM techniques. Proposing defense mechanisms at different layers gives us the opportunity to observe the behavior of such DoS attacks from different perspectives as well as validate the applicability of various tools like firewalls, IDSs and techniques like AQM towards mitigating them in diverse real-world scenarios. Our proposed defense techniques work independently towards handling congestion-based DoS attacks.
One of the future directions of research can be towards building a holistic defense architecture that can use the defense mechanisms proposed in this dissertation in conjunction to handle other kinds of complex DoS attacks that target both the application and network layers of a victim’s organization simultaneously.
Dissertation or thesis originally submitted to the local University of Memphis Electronic Theses & Dissertation (ETD) Repository.
Bedi, Harkeerat Singh, "Mitigating Congestion-based Denial of Service (DoS) Attacks" (2013). Electronic Theses and Dissertations. 2266.