
DoS Defense Based On Packet Marking

Posted on: 2009-07-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G Jin
GTID: 1118360242983028
Subject: Computer Science and Technology
Abstract/Summary:
Denial-of-Service (DoS) attacks are critical threats to networking, and to Internet security in particular. The main causes of DoS are deficiencies in the original design of the TCP/IP protocols and the openness of the Internet, and DoS defense is considered very important in both technical and social respects. Recently many defense techniques have been proposed to address the DoS problem. Though they are helpful, DoS remains difficult to handle today because of the complexity of attack activities and defense deployments.

In this thesis we focus on packet marking and try to trace, identify and filter malicious packets at the packet level. Several schemes are proposed, based respectively on the current Internet architecture and on the Next Generation Secure Internet (NGSI). The thesis draws on computer science, networking and communications, combinatorics, cryptography and other areas. Our contributions are listed below.

1. A Deterministic Packet Marking (DPM) scheme based on Redundant Decomposition (DPM-RD) for IP traceback is proposed. In DPM-RD, an incoming packet is marked deterministically by the ingress border router, and the victim can recover the IP address of the attack ingress router by retrieving the information carried in the collected packets. Compared with the previous DPM scheme, DPM-RD is more effective while its computational load is lower. Furthermore, we develop the Across Domain Deterministic Packet Marking (ADDPM) scheme, which extends the tracing scope of DPM-like techniques to the remote source Autonomous System (AS) and the corresponding source ingress routers. Theoretical analyses, deployment policies and simulation results show the feasibility of DPM-RD and ADDPM.

2. Path identification (Pi) is another kind of packet marking technique against DoS attacks. Unlike IP traceback, Pi focuses on identifying and filtering malicious packets by particular packet markings corresponding to their paths. To improve on previous Pi techniques we propose the Optimal Pi (OPi) scheme. In OPi a router generates a marking of flexible length according to the TTL value of the arriving packet. OPi utilizes the marking space more completely and reduces the impact of values forged in the marking field by sophisticated attackers. Simulations based on actual Internet topologies show that OPi identifies and filters malicious packets more effectively.

3. Indirect flooding attacks can defeat static packet marking schemes such as Pi. We analyze the impact of malicious flows on network status and study another kind of packet marking scheme that records dynamic network status. We then propose the Packet Asymmetry Path Marking (PAPM) scheme. In PAPM a router inserts packet-asymmetry information into a forwarded packet, and downstream routers use this information as the criterion to identify and filter malicious packets. PAPM outperforms most previous packet marking schemes in defending against indirect flooding attacks.

4. We study in depth the capability techniques that may be adopted in the NGSI. The potential vulnerabilities of capabilities and the resulting loss of transmission efficiency are analyzed in detail, and several effective improvement mechanisms are proposed, including protecting capability requests with notifications, bi-level capabilities, and flexible and dynamic capability assignment. These methods enhance the robustness and efficiency of capabilities.

The aim of the thesis is to promote research on Internet security, especially DoS defense techniques. We pay attention to IP traceback, identification, filtering and so on. We propose multiple packet marking schemes and show the effectiveness of each.
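A minimal working illustration of the DPM principle behind contribution 1 (every packet marked at the ingress border router, the victim reassembling that router's address from collected packets), added here as an example and not code from the thesis. It assumes a 16-bit mark field carrying a 2-bit fragment index and an 8-bit fragment of the ingress IPv4 address, and it does not reproduce the redundant decomposition of DPM-RD, which the abstract does not detail.

```python
import ipaddress
from dataclasses import dataclass, field

FRAG_BITS, IDX_BITS = 8, 2
NUM_FRAGS = 1 << IDX_BITS          # four 8-bit fragments cover a 32-bit IPv4 address
FRAG_MASK = (1 << FRAG_BITS) - 1

@dataclass
class Packet:
    src: str            # claimed (possibly spoofed) source address
    dst: str
    mark: int = 0       # 16-bit mark field written by the ingress router

@dataclass
class IngressRouter:
    """Border router that deterministically marks every incoming packet."""
    address: str
    next_idx: int = 0

    def mark(self, pkt: Packet) -> Packet:
        addr = int(ipaddress.IPv4Address(self.address))
        idx, self.next_idx = self.next_idx, (self.next_idx + 1) % NUM_FRAGS
        frag = (addr >> (FRAG_BITS * idx)) & FRAG_MASK
        pkt.mark = (idx << FRAG_BITS) | frag   # layout: [2-bit idx | 8-bit fragment]
        return pkt

@dataclass
class Victim:
    """Collects marks per claimed source and rebuilds the ingress address."""
    frags: dict = field(default_factory=dict)   # src -> {idx: fragment}

    def collect(self, pkt: Packet):
        # Assumption: one claimed source per flow; real schemes add a digest so
        # fragments from one ingress can be paired even under random spoofing.
        self.frags.setdefault(pkt.src, {})[pkt.mark >> FRAG_BITS] = pkt.mark & FRAG_MASK

    def ingress_of(self, src: str):
        """Ingress router address once every fragment index has been seen."""
        got = self.frags.get(src, {})
        if len(got) < NUM_FRAGS:
            return None                          # not enough packets yet
        addr = sum(got[i] << (FRAG_BITS * i) for i in range(NUM_FRAGS))
        return str(ipaddress.IPv4Address(addr))

def traceback_demo(ingress_ip: str, spoofed_src: str, n_packets: int):
    """Constructed flow: n packets claiming spoofed_src enter at ingress_ip."""
    router, victim = IngressRouter(ingress_ip), Victim()
    for _ in range(n_packets):
        victim.collect(router.mark(Packet(src=spoofed_src, dst="203.0.113.10")))
    return victim.ingress_of(spoofed_src)
```

The victim learns the ingress router's address, not the spoofed source, and gets no answer until all four fragment indices have arrived.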
Keywords/Search Tags: Network Security, DoS/DDoS Attacks and Defense, Packet Marking, IP Traceback, Identify and Filter Malicious Packets, Next Generation Secure Internet, Capabilities