【 摘 要 】

Defending the Internet against distributed denial of service (DDoS) attacks is a fundamental problem. Despite over a decade of research, little progress has been made on the real-world deployment of proposed approaches due to the prohibitive deployment hurdles. This thesis presents FlowPolice, a new DDoS defense mechanism capable of thwarting millions of attack flows, while requiring very lightweight deployment. Specifically, FlowPolice can immediately benefit the first deployed autonomous system (AS) without further deployment at other ASs, and a single deployed router can protect all downstream links that implement a simple prioritization mechanism. The design of FlowPolice suppresses attack traffic by forcing attackers to be accountable for congestion via proper rate limiting. To learn users’ congestion accountability, FlowPolice leverages a capability feedback mechanism so that the deploying router can make rate limiting decisions based only on its self-generated capability tags.We use theoretical analysis, large scale simulation and Linux implementation to demonstrate the effectiveness of FlowPolice. Specifically, the the- oretical analysis proves that FlowPolice ensures per-flow fair share at the bottleneck link. Our implementation shows that FlowPolice can scale up to handle very large scale DDoS attacks and introduces little packet process- ing overhead. We also perform detailed packet-level simulation to show that FlowPolice is effective to mitigate DDoS attacks.

【 预 览 】

附件列表

Files	Size	Format	View
FlowPolice: enforcing congestion accountability to defend against DDoS attacks	1102KB	PDF	download