FlowPolice: enforcing congestion accountability to defend against DDoS attacks
Liu, Zhuotao
Permalink
https://hdl.handle.net/2142/78589
Description
Title
FlowPolice: enforcing congestion accountability to defend against DDoS attacks
Author(s)
Liu, Zhuotao
Issue Date
2015-03-16
Director of Research (if dissertation) or Advisor (if thesis)
Hu, Yih-Chun
Committee Member(s)
Hu, Yih-Chun
Department of Study
Electrical & Computer Eng
Discipline
Electrical & Computer Engr
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
M.S.
Degree Level
Thesis
Keyword(s)
Distributed Denial of Service (DDoS) Attacks
Internet Security
Abstract
Defending the Internet against distributed denial of service (DDoS) attacks is a fundamental problem. Despite over a decade of research, little progress has been made on the real-world deployment of proposed approaches due to the prohibitive deployment hurdles. This thesis presents FlowPolice, a new DDoS defense mechanism capable of thwarting millions of attack flows, while requiring very lightweight deployment. Specifically, FlowPolice can immediately benefit the first deployed autonomous system (AS) without further deployment at other ASs, and a single deployed router can protect all downstream links that implement a simple prioritization mechanism. The design of FlowPolice suppresses attack traffic by forcing attackers to be accountable for congestion via proper rate limiting. To learn users’ congestion accountability, FlowPolice leverages a capability feedback mechanism so that the deploying router can make rate limiting decisions based only on its self-generated capability tags.
We use theoretical analysis, large scale simulation and Linux implementation to demonstrate the effectiveness of FlowPolice. Specifically, the theoretical analysis proves that FlowPolice ensures per-flow fair share at the bottleneck link. Our implementation shows that FlowPolice can scale up to handle very large scale DDoS attacks and introduces little packet processing overhead. We also perform detailed packet-level simulation to show that FlowPolice is effective to mitigate DDoS attacks.