Colorado State University
Kambhampati, Vamsi K.
Protecting critical services from DDoS attacks.
Degree: PhD, Computer Science, 2007, Colorado State University
Critical services such as emergency response, industrial control systems, government and banking systems are increasingly coming under threat from Distributed Denial of Service (DDoS) attacks. To protect such services, in this dissertation we propose Epiphany, an architecture that hides the service IP address, making it hard for an attacker to find, attack and disable the service. Like other location-hiding approaches, Epiphany provides access to the service through numerous lightweight proxies, which present a very wide target for the attacker. However, unlike these solutions, Epiphany uses a novel approach to hide the service from both clients and proxies, thus eliminating the need to trust proxies or apply a filtering perimeter around the service destination. The approach uses dynamically generated hidden paths that are fully controlled by the service, so if a specific proxy misbehaves or is attacked, it can be promptly removed. Since the service cannot be targeted directly, the attacker may target the proxy infrastructure. To combat such threats, Epiphany separates the proxies into setup and data proxies. Setup proxies are only responsible for letting a client make initial contact with the service, while data proxies provide further access to the service. However, the setup proxies employ IP anycast to isolate the network into distinct regions. Connection requests generated in a region bounded by an anycast setup proxy are automatically directed to that proxy. This way, the attacker botnet becomes dispersed, i.e., the attacker cannot combine bots from different regions to target setup proxies in specific networks. By adding more anycast setup proxies, networks that only have legitimate clients can be freed from the perils of unclean networks (i.e., networks with attackers).
Moreover, the attacker activity becomes more exposed in these unclean networks, upon which the operators may take further action, such as removing or blocking them until the problem is resolved. Epiphany data proxies are kept private; the service can assign different data proxies to distinct clients depending on how they are trusted. The attacker cannot disrupt the ongoing communication of a client whose data proxy it does not know. We evaluate the effectiveness of Epiphany defenses using simulations on an Internet-scale topology, and two different implementations involving real Internet routers and an overlay on PlanetLab.
Advisors/Committee Members: Massey, Daniel (advisor), Papadopoulos, Christos (advisor), Strout, Michelle M. (committee member), Chong, Edwin K. P. (committee member).
Subjects/Keywords: distributed denial of service; proxies; location hiding; hidden paths
APA (6th Edition):
Kambhampati, V. K. (2007). Protecting critical services from DDoS attacks. (Doctoral Dissertation). Colorado State University. Retrieved from http://hdl.handle.net/10217/67463
Chicago Manual of Style (16th Edition):
Kambhampati, Vamsi K. “Protecting critical services from DDoS attacks.” 2007. Doctoral Dissertation, Colorado State University. Accessed December 05, 2019.
MLA Handbook (7th Edition):
Kambhampati, Vamsi K. “Protecting critical services from DDoS attacks.” 2007. Web. 05 Dec 2019.
Kambhampati VK. Protecting critical services from DDoS attacks. [Internet] [Doctoral dissertation]. Colorado State University; 2007. [cited 2019 Dec 05].
Available from: http://hdl.handle.net/10217/67463.
Council of Science Editors:
Kambhampati VK. Protecting critical services from DDoS attacks. [Doctoral Dissertation]. Colorado State University; 2007. Available from: http://hdl.handle.net/10217/67463