Edge-based inference, control, and DoS resilience for the Internet

Realizing new services on the Internet ultimately requires edge-based solutions for both deployability and scalability. Each such solution has two fundamental aspects. The first is the ability to accurately infer critical network parameters and processes such as Quality of Service (QoS) mechanisms, end-to-end available bandwidth, or the existence of a Denial of Service (DoS) activity; and the second is the ability to effectively utilize this knowledge to build endpoint services. This thesis presents the design, implementation, and evaluation of a series of edge-based algorithms and protocols for efficient inference, control, and DOS resilience of the Internet from its endpoints. The proposed solutions together form a new foundation for a robust quality-of-service communication via a scalable edge-based architecture where the novel functionality is added strictly at either edge routers or end hosts. In particular, this thesis develops techniques for multi-class service inference, active probing for available bandwidth, and end-point-based protection against DoS attacks.; The proposed multi-class service inference techniques reveal the sophisticated multi-class network components such as service disciplines and rate limiters using solely passive packet monitoring at the network edges. These inferences significantly enhance the network monitoring and service validation capabilities and provide vital information for making efficient use of resources. The proposed active probing scheme infers and utilizes only the available network bandwidth and aims to realize a low-priority service from the network endpoints, a functionality that would otherwise require a multi-priority or separate network. Finally, this thesis discovers and explores two deterrent vulnerabilities of the Transmission Control Protocol (TCP), the dominant transport protocol in today's Internet. The first is TCP's vulnerability to low-rate periodic attacks that can be as harmful as the high-rate ones, yet much harder to detect, due to their low-rate nature; the second is an extreme vulnerability of the class of receiver-driven TCP stacks to the misbehaviors launched at the receiving endpoints which may temper with the congestion control algorithm for their own benefit. The proposed end-point schemes significantly outperform the state-of-the-art core-based solutions and demonstrate that counter-DoS mechanisms should be implemented not only in the network core, as conventionally done, but also at the network edge. More importantly, the thesis demonstrates that protocol performance on one hand, and vulnerability to misbehaviors on the other, are quite often fundamentally coupled such that both cannot be maximized simultaneously.