LADS: Large-scale Automated DDoS Detection System
- In Proc. of USENIX ATC, 2006
Cited by 22 (7 self)
Many Denial of Service attacks use brute-force bandwidth flooding of intended victims. Such volume-based attacks aggregate at a target’s access router, suggesting that (i) detection and mitigation are best done by providers in their networks; and (ii) attacks are most readily detectable at access routers, where their impact is strongest. In-network detection presents a tension between scalability and accuracy. Specifically, accuracy of detection dictates fine-grained traffic monitoring, but performing such monitoring for the tens or hundreds of thousands of access interfaces in a large provider network presents serious scalability issues. We investigate the design space for in-network DDoS detection and propose a triggered, multi-stage approach that addresses both scalability and accuracy. Our contribution is the design and implementation of LADS (Large-scale Automated DDoS detection System). The attractiveness of this system lies in the fact that it makes use of data that is readily available to an ISP, namely, SNMP and Netflow feeds from routers, without dependence on proprietary hardware solutions. We report our experiences using LADS to detect DDoS attacks in a tier-1 ISP.
An End-Middle-End Approach to Connection Establishment
- In: Proceedings of SIGCOMM’07, Kyoto, 2007
Cited by 22 (1 self)
We argue that the current model for flow establishment in the Internet: DNS Names, IP addresses, and transport ports, is inadequate due to problems that go beyond the small IPv4 address space and resulting NAT boxes. Even where global addresses exist, firewalls cannot glean enough information about a flow from packet headers, and so often err, typically by being over-conservative: disallowing flows that might otherwise be allowed. This paper presents a novel architecture, protocol design, and implementation, for flow establishment in the Internet. The architecture, called NUTSS, takes into account the combined policies of endpoints and network providers. While NUTSS borrows liberally from other proposals (URI-like naming, signaling to manage ephemeral IPv4 or IPv6 data flows), NUTSS is unique in that it couples overlay signaling with data-path signaling. NUTSS requires no changes to existing network protocols, and combined with recent NAT traversal techniques, works with IPv4 and existing NAT/firewalls. This paper describes NUTSS and shows how it satisfies a wide range of “end-middle-end” network requirements, including access control, middlebox steering, multi-homing, mobility, and protocol negotiation.
WebSOS: Protecting Web Servers from DDoS Attacks
- In: Proceedings of the 11th IEEE International Conference on Networks (ICON), 2003, pp. 455–460
Cited by 12 (5 self)
We present the WebSOS architecture, a mechanism for countering denial of service (DoS) attacks against web servers. WebSOS uses a combination of overlay networking, content-based routing, and aggressive packet filtering to guarantee access to a service that is targeted by a DoS attack. Our approach requires no modifications to servers or browsers, and makes use of the web proxy feature and TLS client authentication supported by modern browsers.
ShaRE: Run-time System for High-performance Virtualized Routers
- 2005
Cited by 9 (3 self)
I believe that the process of earning a PhD degree fundamentally changes the way one thinks. And one’s advisor is the most significant contributor to such a change. Harrick Vin has striven hard to make me think differently, to convert me into a scientist from an engineer. Harrick’s insistence on elegance of presentation both in writing and in talking has been quite valuable in honing my skills. His rigorous understanding, cute insights and passionate criticism have made my dissertation better by the day, and my PhD a pleasant experience overall. I have cherished many incredibly lengthy and interesting, but never tiring, meetings with him on both technical and philosophical issues. His personal warmth and support during happy and tough times, and his patience and nicety during heated discussions and everyday interactions have given me the necessary protection and confidence to keep going. Thanks for everything Harrick. Over the past five years, I have also been fortunate to work closely with Lorenzo Alvisi and Mike Dahlin. Both have been great mentors in their own right. I am thankful to Lorenzo for believing in me more than I did in myself at one point
Using Overlays to Improve Network Security
- In Proceedings of SPIE ITCom Conference on Scalability and Traffic Control in IP Networks II, 2002
Cited by 6 (0 self)
As we increase our dependency upon networked communication, the incentive to compromise and degrade network performance increases for those who wish to disrupt the flow of information. Attacks that lead to such compromise and degradation can come in a variety of forms, including distributed denial of service (DDoS) attacks, cutting wires, jamming transmissions, and monitoring/eavesdropping. Users can protect themselves from monitoring by applying cryptographic techniques, and recent work has explored developing networks that react to DDoS attacks by locating the source(s) of the attack. However, there has been little work that addresses preventing the other kinds of attacks as opposed to reacting to them. Here, we discuss how network overlays can be used to complicate the job of an attacker that wishes to prevent communication. To amplify our point, we focus briefly on a study of preventing DDoS attacks by using overlays.
DoS Defense in Structured Peer-to-Peer Networks
- 2004
Cited by 6 (0 self)
Denial of service (DoS) attacks are a large and increasing threat to the Internet community. In this paper, we propose using a distributed approach to DoS defense. Our architecture leverages the properties of a wide-area overlay network to isolate clusters of attackers while denying access to a minimal number of legitimate users. This is done by collaborating with other members of a structured peer-to-peer network, which is inherently collaborative. Our results show that our approach is effective at both detection and suppression of a DoS attack.
Studying search networks with SIL
- In Proc. IPTPS, 2003
Cited by 5 (2 self)
We present a general model, called the Search/Index Link (SIL) model, for studying peer-to-peer search networks. This model allows us to analyze and visualize existing network architectures. It also allows us to discover novel architectures that have desirable properties. Finally, it can be used as a starting point for developing new network construction techniques.
A Pay-per-Use DoS Protection Mechanism for the Web
- In Proceedings of the Applied Cryptography and Network Security (ACNS) Conference, 2004
Cited by 5 (2 self)
Internet service providers have resisted deploying Denial-of-Service (DoS) protection mechanisms despite numerous research results in the area. This is so primarily because ISPs cannot directly charge users for the use of such mechanisms, discouraging investment in the necessary infrastructure and operational support.
Attrition Defenses for a Peer-to-Peer Digital Preservation System
- In Proceedings of the USENIX Annual Technical Conference, 2005
Cited by 4 (0 self)
In peer-to-peer systems, attrition attacks include both traditional, network-level denial of service attacks as well as application-level attacks in which malign peers conspire to waste loyal peers' resources. We describe several defenses for the LOCKSS peer-to-peer digital preservation system that help ensure that application-level attrition attacks, even from powerful adversaries, are less effective than simple network-level attacks, and that network-level attacks must be intense, widespread, and prolonged to impair the system.
Mayday: Distributed Filtering for Internet Services
Cited by 4 (0 self)
Mayday is an architecture that combines overlay networks with lightweight packet filtering to defend against denial of service attacks. The overlay nodes perform client authentication and protocol verification, and then relay the requests to a protected server. The server is protected from outside attack by simple packet filtering rules that can be efficiently deployed even in backbone routers. Mayday generalizes earlier work on Secure Overlay Services. Mayday improves upon this prior work by separating the overlay routing and the filtering, and providing a more powerful set of choices for each. Through this generalization, Mayday supports several different schemes that provide different balances of security and performance, and supports mechanisms that achieve better security or better performance than earlier systems. To evaluate both Mayday and previous work, we present several practical attacks, two of them novel, that are effective against filtering-based systems.

