
Internet defenses against distributed denial of service attacks

Posted on: 2004-07-15
Degree: M.S
Type: Thesis
University: University of California, San Diego
Candidate: Fryckman, John-Paul Robert
Full Text: PDF
GTID: 2458390011457017
Subject: Computer Science
Abstract/Summary:
Distributed denial of service (DDoS) attacks swiftly cause massive site failures, resulting in loss of commerce and data traffic. They neither leave any clues to their origins nor leave their victims any means to mitigate the attacks. A successful DDoS defense requires rapid origin identification and remote filter deployment to block the attack. First, this thesis introduces Reverse Caching (RC) and Segmented Deterministic Packet Marking (S-DPM). The former introduces the concept of storing ingress information when a router forwards a packet. S-DPM refines RC by generating a source-based routing table from packet information, including the prefix of the packet's source address and a special backpointer embedded in the packet that points back either to the last router or to the last autonomous system (AS) that forwarded the packet. This distribution of path information allows a victim to launch a traceback immediately. Because ingress information is kept on a per-prefix basis, S-DPM does not require per-packet state, which enables it to scale to full Internet deployment. Other features include the ability to track reflector DDoS attacks, incremental deployment, and backwards compatibility with IP fragmentation. Second, this thesis proposes the Detection, Identification, and Mitigation (DIM) protocol. DIM uses S-DPM to locate attackers before deploying remote filter agents. Further, S-DPM and DIM act together to isolate any harm caused by a compromised router used in the attack. Simulations with real Internet topologies show the effectiveness of this approach even when only a few ASes participate in the protocol.
Keywords/Search Tags: Internet, Attacks, S-DPM