Files in this item

File: Liu_Zhuotao.pdf (1MB)
Format: PDF (application/pdf)
Access: Restricted to U of Illinois
Description: (no description provided)

Description

Title: FlowPolice: enforcing congestion accountability to defend against DDoS attacks
Author(s): Liu, Zhuotao
Advisor(s): Hu, Yih-Chun
Contributor(s): Hu, Yih-Chun
Department / Program: Electrical & Computer Eng
Discipline: Electrical & Computer Engr
Degree Granting Institution: University of Illinois at Urbana-Champaign
Degree: M.S.
Genre: Thesis
Subject(s): Distributed Denial of Service (DDoS) Attacks; Internet Security
Abstract: Defending the Internet against distributed denial of service (DDoS) attacks is a fundamental problem. Despite over a decade of research, little progress has been made on the real-world deployment of proposed approaches due to the prohibitive deployment hurdles. This thesis presents FlowPolice, a new DDoS defense mechanism capable of thwarting millions of attack flows, while requiring very lightweight deployment. Specifically, FlowPolice can immediately benefit the first deployed autonomous system (AS) without further deployment at other ASs, and a single deployed router can protect all downstream links that implement a simple prioritization mechanism. The design of FlowPolice suppresses attack traffic by forcing attackers to be accountable for congestion via proper rate limiting. To learn users’ congestion accountability, FlowPolice leverages a capability feedback mechanism so that the deploying router can make rate limiting decisions based only on its self-generated capability tags. We use theoretical analysis, large-scale simulation and a Linux implementation to demonstrate the effectiveness of FlowPolice. Specifically, the theoretical analysis proves that FlowPolice ensures per-flow fair share at the bottleneck link. Our implementation shows that FlowPolice can scale up to handle very large-scale DDoS attacks and introduces little packet processing overhead. We also perform detailed packet-level simulation to show that FlowPolice is effective at mitigating DDoS attacks.
Issue Date: 2015-03-16
Type: Thesis
URI: http://hdl.handle.net/2142/78589
Rights Information: Copyright 2015 Zhuotao Liu
Date Available in IDEALS: 2015-07-22
Date Deposited: May 2015

