Practical and scalable deployment of DoS defense measures in the Internet

Posted on: 2008-08-08 | Degree: Ph.D | Type: Dissertation
University: The University of Texas at Dallas | Candidate: Gong, Chao | Full Text: PDF
GTID: 1448390005472733 | Subject: Computer Science
Abstract/Summary:
Network security is one of the most prominent challenges confronting today's Internet. The denial-of-service (DoS) attack, a major form of Internet attack, has been threatening the Internet severely. Security measures have been proposed for defending against DoS attacks. These DoS defense measures should be not only effective but also usable: their deployment in the Internet should be feasible and acceptable with respect to the network. In this dissertation, we study two kinds of DoS defense measures, DoS tracing and DoS mitigation, from a practical perspective. We develop algorithms and protocols facilitating the practical and scalable deployment of these DoS defense measures in the Internet.

IP traceback refers to the technique of tracing the source of DoS attacks. Two main kinds of IP traceback techniques have been proposed: packet marking and packet logging. In the direction of packet marking, most previous research work has focused on improving the performance of IP traceback from the perspective of end users. We improve packet marking by facilitating its deployment in the Internet from the perspective of Internet service providers (ISPs). We propose a new marking scheme for IP traceback that is suitable for deployment as a revenue-generating service and respects the confidentiality of ISP networks.

Compared with packet marking, IP traceback based on packet logging is more powerful but imposes much higher overhead on routers. We propose an approach that reduces the overhead of packet logging while retaining the same traceback capability. Rather than optimizing the algorithm at individual routers, as previous work does, our approach provides cooperation among routers to reduce redundant overhead. We also propose a deployment scheme facilitating the incremental deployment of packet logging. In our scheme, IP traceback still functions when packet logging is only partially deployed in the network at the autonomous system (AS) level.

An effective DoS mitigation scheme is to activate rate limiters at the routers the attack traffic traverses. These rate limiters throttle the attack traffic but, at the same time, incur non-trivial overhead at the supporting routers. We develop a mechanism that assists the decision of where to activate rate limiters in the network, so as to strike a balance between performance and overhead.
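The abstract contrasts the two traceback families without showing how either works, so the following added simulation (written for this page, not code from the dissertation or its author) runs textbook baselines of both over one constructed attack path: probabilistic edge-sampling packet marking, where routers stamp a mark into the packet with probability p and the victim rebuilds the path from the collected marks, and digest-based packet logging, where every router stores a Bloom filter of packet digests and a traceback query walks upstream hop by hop. The topology, packet contents, marking probability and filter size are all assumptions chosen for illustration; the point it makes visible is the overhead asymmetry the abstract describes, since marking keeps no per-packet state at routers while logging costs memory at every router on the path.

```python
"""Added illustration of two classic IP traceback baselines (not the
dissertation's own schemes): edge-sampling packet marking (Savage et al.)
and Bloom-filter packet logging (SPIE-style), on one constructed path."""
import hashlib
import random
from dataclasses import dataclass
from typing import Optional

# Constructed topology: routers in order from the attack source to the victim.
ATTACK_PATH = ["R1", "R2", "R3", "R4"]
VICTIM = "victim"


@dataclass
class Packet:
    payload: bytes
    # Edge-sampling mark fields carried in the packet header.
    start: Optional[str] = None
    end: Optional[str] = None
    distance: int = 0


class BloomFilter:
    """Fixed-size bit array with k hash probes: the per-router state that
    packet logging needs and packet marking does not."""

    def __init__(self, m_bits: int = 1 << 16, k: int = 3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, digest: bytes):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest: bytes) -> None:
        for pos in self._positions(digest):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, digest: bytes) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(digest))


def packet_digest(pkt: Packet) -> bytes:
    """Digest over the invariant part of the packet (payload only here)."""
    return hashlib.sha256(pkt.payload).digest()


def forward(pkt: Packet, p: float, rng: random.Random, logs: dict) -> None:
    """Push one packet through every router on ATTACK_PATH, applying both mechanisms."""
    for router in ATTACK_PATH:
        logs[router].add(packet_digest(pkt))  # logging: every router records every packet
        if rng.random() < p:                  # marking: overwrite the mark with probability p
            pkt.start, pkt.end, pkt.distance = router, None, 0
        elif pkt.start is not None:           # otherwise extend an existing mark
            if pkt.distance == 0:
                pkt.end = router
            pkt.distance += 1


def reconstruct_from_marks(marks, max_hops: int = 64) -> list:
    """Victim-side rebuild: chain sampled edges outward from the victim by distance."""
    edges = {(m.start, m.end or VICTIM, m.distance) for m in marks if m.start}
    path, current = [], VICTIM
    for d in range(max_hops):
        candidates = [s for s, e, dist in edges if e == current and dist == d]
        if not candidates:
            break
        current = candidates[0]
        path.append(current)
    return path[::-1]  # source first, like ATTACK_PATH


def traceback_from_logs(digest: bytes, logs: dict, upstream: dict) -> list:
    """Hop-by-hop query: ask each upstream router whether it logged the digest."""
    path, current = [], upstream[VICTIM]
    while current is not None and digest in logs[current]:
        path.append(current)
        current = upstream.get(current)
    return path[::-1]


def simulate(n_packets: int = 2000, p: float = 0.2, seed: int = 7) -> dict:
    rng = random.Random(seed)
    logs = {r: BloomFilter() for r in ATTACK_PATH}
    rev = ATTACK_PATH[::-1]
    upstream = dict(zip([VICTIM] + rev, rev + [None]))  # next hop towards the source
    received = []
    for i in range(n_packets):
        pkt = Packet(payload=f"constructed attack packet {i}".encode())
        forward(pkt, p, rng, logs)
        received.append(pkt)
    return {
        "marking_path": reconstruct_from_marks(received),
        "logging_path": traceback_from_logs(packet_digest(received[0]), logs, upstream),
        "router_log_bytes": sum(len(bf.bits) for bf in logs.values()),
        "router_mark_bytes": 0,  # marking stores nothing at routers
    }


if __name__ == "__main__":
    print(simulate())
```

With 2,000 packets and p = 0.2 the farthest router's mark survives roughly one packet in ten, so the victim recovers the whole path from marks alone; the logging traceback recovers it from a single packet but only because every router paid for a filter, which is exactly the overhead the dissertation's router-cooperation and partial-deployment work targets.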
Keywords/Search Tags: DoS, Internet, IP traceback, Deployment, Rate limiters, Network, Packet logging, Overhead