UBC Theses and Dissertations
Preventing denial-of-service attacks with packet symmetry
Wood, Mike
Abstract
Denial-of-service (DoS) attacks are a serious problem affecting the Internet today, with security firms estimating that over 5000 attacks are launched per day, leading to revenue loss and tarnished reputations for online businesses. These attacks remain prevalent and successful because the Internet has no mechanism to distinguish wanted from unwanted packets. The core of the Internet impartially forwards any packet to its destination without regard to whether the destination actually wants that packet. This thesis evaluates packet symmetry [47] as a heuristic to distinguish wanted from unwanted traffic at the source network, enabling proactive filtering of DoS attack traffic before it reaches the core. Packet symmetry measures the "goodness" of outgoing traffic by the ratio of transmitted packets to reply packets, with a lower ratio implying better traffic. A packet symmetry limiter shapes outgoing traffic so that the per-flow ratio of transmitted-to-reply packets never exceeds a pre-defined threshold. This empowers DoS victims to throttle unwanted traffic from symmetry-limited sources simply by not replying to those sources' requests. This power is especially important for end users and small businesses, who make up the majority of DoS attack victims [56, 53] and who cannot afford to over-provision network resources as a means of tolerating massive flooding attacks. The net effect is that a network governed by packet symmetry cannot be the source of flooding DoS attacks, since senders are automatically rate-limited in proportion to the rate of reply. In this thesis, analysis of network traces helps derive packet symmetry limiting principles and thresholds that effectively discern innocent from malicious DoS traffic with few false positives.
The implementation of a symmetry limiter prototype for the Linux kernel and corresponding deployment on a UBC research lab network evaluate the efficacy of the solution on live traffic with encouraging performance and usability results.
Item Metadata
Title | Preventing denial-of-service attacks with packet symmetry
Creator | Wood, Mike
Publisher | University of British Columbia
Date Issued | 2007
Language | eng
Date Available | 2011-03-09
Provider | Vancouver : University of British Columbia Library
Rights | For non-commercial purposes only, such as research, private study and education. Additional conditions apply, see Terms of Use https://open.library.ubc.ca/terms_of_use.
DOI | 10.14288/1.0052073
Degree Grantor | University of British Columbia
Scholarly Level | Graduate
Aggregated Source Repository | DSpace