
Protecting critical services from DDoS attacks

dc.contributor.author: Kambhampati, Vamsi K., author
dc.contributor.author: Massey, Daniel, advisor
dc.contributor.author: Papadopoulos, Christos, advisor
dc.contributor.author: Strout, Michelle M., committee member
dc.contributor.author: Chong, Edwin K. P., committee member
dc.date.accessioned: 2007-01-03T08:09:52Z
dc.date.available: 2007-01-03T08:09:52Z
dc.date.issued: 2012
dc.description.abstract: Critical services such as emergency response, industrial control systems, government and banking systems are increasingly coming under threat from Distributed Denial of Service (DDoS) attacks. To protect such services, in this dissertation we propose Epiphany, an architecture that hides the service IP address, making it hard for an attacker to find, attack and disable the service. Like other location-hiding-based approaches, Epiphany provides access to the service through numerous lightweight proxies, which present a very wide target for the attacker. However, unlike these solutions, Epiphany uses a novel approach to hide the service from both clients and proxies, thus eliminating the need to trust proxies or apply a filtering perimeter around the service destination. The approach uses dynamically generated hidden paths that are fully controlled by the service, so if a specific proxy misbehaves or is attacked, it can be promptly removed. Since the service cannot be targeted directly, the attacker may target the proxy infrastructure. To combat such threats, Epiphany separates the proxies into setup and data proxies. Setup proxies are only responsible for letting a client make initial contact with the service, while data proxies provide further access to the service. However, the setup proxies employ IP anycast to isolate the network into distinct regions. Connection requests generated in a region bounded by an anycast setup proxy are automatically directed to that proxy. This way, the attacker botnet becomes dispersed, i.e., the attacker cannot combine bots from different regions to target setup proxies in specific networks. By adding more anycast setup proxies, networks that only have legitimate clients can be freed from the perils of unclean networks (i.e., networks with attackers). Moreover, the attacker activity becomes more exposed in these unclean networks, upon which the operators may take further action such as removing them or blocking them until the problem is resolved. Epiphany data proxies are kept private; the service can assign different data proxies to distinct clients depending on how they are trusted. The attacker cannot disrupt on-going communication of a client whose data proxy it does not know. We evaluate the effectiveness of Epiphany defenses using simulations on an Internet-scale topology, and two different implementations involving real Internet routers and an overlay on PlanetLab.
dc.format.medium: born digital
dc.format.medium: doctoral dissertations
dc.identifier: Kambhampati_colostate_0053A_10978.pdf
dc.identifier: ETDF2012400246COMS
dc.identifier.uri: http://hdl.handle.net/10217/67463
dc.language: English
dc.language.iso: eng
dc.publisher: Colorado State University. Libraries
dc.relation.ispartof: 2000-2019
dc.rights: Copyright and other restrictions may apply. User is responsible for compliance with all applicable laws. For information about copyright law, please see https://libguides.colostate.edu/copyright.
dc.subject: distributed denial of service
dc.subject: proxies
dc.subject: location hiding
dc.subject: hidden paths
dc.title: Protecting critical services from DDoS attacks
dc.type: Text
dcterms.rights.dpla: This Item is protected by copyright and/or related rights (https://rightsstatements.org/vocab/InC/1.0/). You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).
thesis.degree.discipline: Computer Science
thesis.degree.grantor: Colorado State University
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy (Ph.D.)

Files

Original bundle
Name: Kambhampati_colostate_0053A_10978.pdf
Size: 2.42 MB
Format: Adobe Portable Document Format
Description: