Responsive aggregate defence for denial of service attacks

Abstract

The Internet is the main provider of information, communication and media services for an increasing percentage of the world's population. Its architecture is based on packet switching principles and employs a layered, end-to-end design in its protocols. This architecture has demonstrated scalability and evolutionary resilience since its introduction thirty years ago. Congestion responsive transport protocols based on an end-to-end design, such as TCP, coupled with best effort packet forwarding approaches have been the most widely used networking concepts on the Internet. However, these same design approaches are highly vulnerable to abuse from malicious traffic sources that do not comply with TCP congestion control principles. These non compliant traffic types can be used to mount Denial of Service (DoS) attacks to prevent legitimate users from accessing Internet services. The work described in this dissertation provides a range of original contributions in the design of an effective router queueing mechanism for bandwidthflooding DoS defence. The Responsive Aggregate Defence (RAD) scheme introduces a scalable, easily implementable Active Queue Management (AQM) scheme that accurately detects and penalises malicious congestion unresponsive DoS traffic at the router queue. RAD is effective against a wide variety of DoS attack vectors, including a range of attack time-scales and packet header spoofing techniques used to conceal their activity.