
An overlay architecture for end-to-end service availability

Posted on: 2008-04-19
Degree: Ph.D
Type: Thesis
University: Columbia University
Candidate: Stavrou, Angelos
Full Text: PDF
GTID: 2448390005471318
Subject: Computer Science
Abstract/Summary:
Perhaps one of the most compelling problems of the modern Internet is the lack of a comprehensive and unifying approach to dealing with service security and resilience. Although many individual reliability mechanisms exist, there is no general set of policies or standards for how these mechanisms can be combined to achieve an overall robust state of security for the network. In short, no "security and availability" architecture exists. This thesis introduces and analyzes mechanisms that boost the security, resilience, and performance of network systems in a manner that is transparent to both the existing infrastructure and the end users.

In this dissertation, we discuss our work on defending against distributed denial of service (DDoS) attacks. Such attacks involve large numbers of compromised hosts (bots) that send unsolicited traffic toward a target, congesting the network links close to it and rendering its services unusable. To frustrate these attacks, we propose and evaluate practical mechanisms that can protect a wide range of services while maintaining or even improving their performance characteristics. Our approach is focused on network-level faults and attacks; we do not address application-level service vulnerabilities. We do, however, offer protection against malicious or unexpected increases in network-bound service requests. Our end goal is a practical end-to-end framework that significantly improves service availability and connectivity without incurring a prohibitive deployment or performance cost. Ideally, the protection system should scale to millions of users and accommodate any application's requirements, including network latency and throughput.
We developed a number of systems (PROOFS, WebSOS, MOVE, and packet spreading via multi-path overlays) that illustrate a progression toward these goals.

Because our solutions depend on large-scale overlay networks, we present a novel mechanism for protecting a wide class of such networks against insider attacks. For overlay networks that exhibit well-defined properties (due to their topology or structure), we demonstrate how to defend against non-conforming (i.e., abnormal) behavior of participating nodes; in particular, we can defend against DoS attacks launched from within the overlay itself. We use a lightweight distributed detection mechanism that exploits inherent structural invariants of Distributed Hash Tables (DHTs) to ferret out anomalous flow behavior. Upon detection, we invoke a Pushback-like protocol to notify and prompt into action (e.g., throttle the traffic) the predecessor node, i.e., the node from which the offending traffic arrives. In addition, we demonstrate how to remain TCP-friendly by using packet spreading and replication techniques with regular TCP connections in addition to our UDP-based techniques. Our experiments show that our system can take advantage of the underlying multi-path link capacity without starving other flows over shared links. For TCP flows, we show that there is no significant throughput or latency degradation when using regular TCP connections.

To demonstrate the applicability of our system to real-time and interactive applications, we introduce Access Assured Mobile desktop computing (A2M), a secure and attack-resilient remote desktop hosting infrastructure. A2M combines a stateless and secure communication protocol, a single-hop Indirection-Based Network (IBN), and a remote display architecture to provide mobile users with continuous access to their desktop computing sessions.
Our architecture protects both the hosting infrastructure and the client's connections against a wide range of service disruption attacks. Unlike other DoS protection systems, A2M takes advantage of its low-latency remote display mechanisms and asymmetric traffic characteristics by using multi-path routing to send a small number of copies of each packet transmitted from client to server. This multi-path packet replication diversifies the client-server communication, boosts system resilience, and reduces end-to-end latency. Through deployment on PlanetLab, a distributed testbed, we show that A2M significantly increases the hosting infrastructure's attack resilience. Using current ISP bandwidth data, we can protect against attacks involving millions of bots while providing good performance for multimedia and web applications even when up to 30% of the indirection nodes become completely unresponsive, and for basic GUI interactions even when up to 50% of them do.
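The following is an added illustration of the multi-path packet replication idea described above; it is not code from the thesis or from A2M. It models an indirection-based network as n nodes of which a fraction f silently drop traffic, sends k copies of each client packet through k distinct indirection nodes, and compares the simulated delivery rate with the closed-form loss probability f^k (independent uniform node choice) and the exact value for sampling without replacement. The overlay size, the node-failure fraction, the replica count, and the packet count are all constructed parameters chosen for the example.

```python
"""Multi-path packet replication over an indirection-based network (IBN).

Constructed model, not the thesis' own code: the client forwards each packet
through k distinct indirection nodes out of n. A fraction f of the nodes is
completely unresponsive (e.g. flooded by an attacker) and drops everything it
receives. A packet is delivered if at least one of its k copies traverses a
responsive node. The price is k-fold bandwidth overhead on the client uplink.
"""
import random
from math import comb


def analytic_loss(f: float, k: int) -> float:
    """Loss probability if the k nodes were chosen independently and
    uniformly at random: every copy must hit an unresponsive node."""
    return f ** k


def exact_loss(n: int, unresponsive: int, k: int) -> float:
    """Loss probability when k *distinct* nodes are chosen (hypergeometric):
    all k draws must land in the unresponsive subset."""
    if k > unresponsive:
        return 0.0
    return comb(unresponsive, k) / comb(n, k)


def replicas_needed(f: float, target_loss: float) -> int:
    """Smallest k such that f**k <= target_loss (assumes 0 < f < 1)."""
    k = 1
    while f ** k > target_loss:
        k += 1
    return k


def knock_out(n: int, fraction: float, seed: int) -> set[int]:
    """Constructed attack: mark round(n*fraction) random nodes unresponsive."""
    rng = random.Random(seed)
    return set(rng.sample(range(n), round(n * fraction)))


def choose_paths(n: int, k: int, rng: random.Random) -> list[int]:
    """Spread one packet's k copies over k distinct indirection nodes, so a
    single failed node can never swallow more than one copy."""
    return rng.sample(range(n), k)


def simulate(n: int, unresponsive: set[int], k: int,
             packets: int, seed: int = 0) -> dict[str, float]:
    """Send `packets` packets with k copies each; return delivery fraction
    and per-packet bandwidth overhead."""
    rng = random.Random(seed)
    delivered = 0
    for _ in range(packets):
        paths = choose_paths(n, k, rng)
        if any(node not in unresponsive for node in paths):
            delivered += 1
    return {"delivered": delivered / packets, "overhead": float(k)}


if __name__ == "__main__":
    n, packets = 1000, 20000
    for f in (0.3, 0.5):
        down = knock_out(n, f, seed=1)
        for k in (1, 2, 3):
            r = simulate(n, down, k, packets)
            print(f"f={f:.1f} k={k}: delivered={r['delivered']:.3f} "
                  f"model={1 - analytic_loss(f, k):.3f} "
                  f"exact={1 - exact_loss(n, len(down), k):.3f} "
                  f"overhead={r['overhead']:.0f}x")
```

The simulation makes the abstract's trade-off concrete: with half the indirection nodes dead, a single path delivers about 50% of packets, three copies deliver about 87.5%, and driving loss below 1% needs seven copies, which is why the approach suits the small, latency-sensitive client-to-server packets of a remote display protocol rather than bulk transfers.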
Keywords/Search Tags:Service, Overlay, Architecture, Attacks