A Rate-Limiting System to Mitigate Denial of Service Attacks
Helsinki University of Technology
Master's thesis (Diplomityö)
Date: 2003
Major/Subject: Tietoverkkotekniikka (Networking Technology)
Mcode: S-38
Language: en
Pages: xiii + 97
Abstract
This document describes the implementation and testing of an automatic defense system that uses rate-limiting to mitigate Denial of Service attacks. Denial of Service attacks, and particularly the distributed ones, are among the latest and most problematic trends in network security threats, and currently only a few effective defense methods exist against them. The proposal here is to combine attack detection (via Intrusion Detection Systems) with Quality of Service mechanisms in order to rate-limit these attacks. As an automatic reaction, rate-limiting has an advantage over blocking: it preserves the legitimate traffic that is mis-identified as belonging to an attack.

The document describes in detail an already specified Rate-Limiting System. An attack detection module sorts traffic into legitimate and attack aggregates; based on this classification, routers direct the aggregates into different queues. Attack queues are managed by a new Active Queue Management mechanism that enforces the rate limit by randomly discarding packets. This thesis presents mainly an implementation of the Rate-Limiting System in a Linux environment and its testing. The tests showed that HTTP and FTP downloads tolerate one-way packet loss well, which indicates that rate-limiting is suitable for defending a website against low-bandwidth Denial of Service attacks such as typical TCP SYN or ICMP Echo Request flooding attacks.
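To make the abstract's three building blocks concrete, the following Python simulation is an added example written for this page; it is not code from the thesis and does not reproduce the thesis's RLS-AQM algorithm. It assumes a toy detection rule (a source sending more than a threshold of TCP SYN or ICMP Echo Request packets in one second is moved into the attack aggregate), a rate estimate taken over the previous one-second window, and a drop probability of 1 - limit/arrival_rate; the addresses, packet rates and thresholds are all constructed. It contrasts the rate-limiting reaction with plain blocking so the point about preserving mis-identified legitimate traffic can be seen in numbers.

```python
"""Added example: a small model of a Rate-Limiting System (not the thesis's code).

Pieces modelled: an attack-detection module that sorts packets into a legitimate
and an attack aggregate, a plain queue for the legitimate aggregate, and an
Active Queue Management policy on the attack queue that discards packets at
random so that the aggregate's forwarded rate stays near a configured limit.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    src: str      # source address
    kind: str     # "syn", "icmp_echo" or "data"
    legit: bool   # ground truth, used only for scoring the outcome


class Detector:
    """Stand-in for the IDS (assumed rule, not the thesis's): a source whose SYN or
    ICMP Echo Request count within one 1-second window exceeds `threshold` is put
    into the attack aggregate for the rest of the run."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.window = -1
        self.counts = Counter()
        self.flagged = set()

    def classify(self, p: Packet) -> str:
        w = int(p.t)
        if w != self.window:                 # new window: reset per-source counters
            self.window, self.counts = w, Counter()
        if p.kind in ("syn", "icmp_echo"):
            self.counts[p.src] += 1
            if self.counts[p.src] > self.threshold:
                self.flagged.add(p.src)
        return "attack" if p.src in self.flagged else "legit"


def drop_probability(arrival_pps: float, limit_pps: float) -> float:
    """Per-packet drop probability that brings an aggregate arriving at
    `arrival_pps` down to roughly `limit_pps`; no drops while under the limit."""
    if arrival_pps <= limit_pps:
        return 0.0
    return 1.0 - limit_pps / arrival_pps


class RateLimitingQueue:
    """AQM for the attack aggregate: estimate the arrival rate from the previous
    1-second window and discard each packet with drop_probability(rate, limit)."""

    def __init__(self, limit_pps: float, seed: int = 1):
        self.limit = limit_pps
        self.rng = random.Random(seed)       # seeded so the run is reproducible
        self.window = -1
        self.arrivals_now = 0
        self.rate_estimate = 0.0

    def offer(self, p: Packet) -> bool:
        """True if the packet is forwarded, False if it is discarded."""
        w = int(p.t)
        if w != self.window:
            # packets per second seen since the last window boundary
            self.rate_estimate = self.arrivals_now / (w - self.window) if self.window >= 0 else 0.0
            self.window, self.arrivals_now = w, 0
        self.arrivals_now += 1
        return self.rng.random() >= drop_probability(self.rate_estimate, self.limit)


def constructed_traffic(seconds: int = 10) -> list:
    """Constructed stream: a SYN flooder at 1000 pps (198.51.100.7), a quiet
    legitimate client at 20 data pps (192.0.2.10), and a legitimate but bursty
    client opening 40 connections per second (192.0.2.20), enough to trip the
    detector and thus be mis-identified as attack traffic."""
    pkts = []
    for s in range(seconds):
        pkts += [Packet(s + i / 1000, "198.51.100.7", "syn", False) for i in range(1000)]
        pkts += [Packet(s + i / 20, "192.0.2.10", "data", True) for i in range(20)]
        pkts += [Packet(s + i / 40, "192.0.2.20", "syn", True) for i in range(40)]
    pkts.sort(key=lambda p: p.t)
    return pkts


def simulate(packets, threshold: int = 30, limit_pps: float = 100.0, react: str = "rate_limit") -> dict:
    """Run the stream through detector and queues. `react` is "rate_limit" (the
    reaction proposed in the abstract) or "block" (drop the whole attack aggregate).
    Returns delivered-packet counts per source and per ground-truth class."""
    det, aqm = Detector(threshold), RateLimitingQueue(limit_pps)
    per_src, per_class = Counter(), Counter()
    for p in packets:
        if det.classify(p) == "legit":
            forwarded = True                 # legitimate queue: plain FIFO, never starved here
        elif react == "block":
            forwarded = False
        else:
            forwarded = aqm.offer(p)
        if forwarded:
            per_src[p.src] += 1
            per_class["legit" if p.legit else "attack"] += 1
    return {"per_src": per_src, "per_class": per_class}


if __name__ == "__main__":
    for react in ("rate_limit", "block"):
        r = simulate(constructed_traffic(), react=react)
        print(react, dict(r["per_src"]), dict(r["per_class"]))
```

In the run above the quiet client is untouched under both reactions, the flooder is cut from 10000 packets to a few hundred once the rate estimate settles, and the bursty but legitimate client keeps a share of its packets under rate-limiting, whereas blocking delivers only the packets it sent before the detector flagged it. Detection and rate estimation are deliberately crude here; the thesis's contribution is the queue-management mechanism, and a production classifier would need far more care to keep the mis-identification rate low.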
Supervisor: Jormakka, Jorma
Thesis advisor: Mölsä, Jarmo
Keywords: Denial of Service, Intrusion Detection Systems, Quality of Service, rate-limiting, Rate-Limiting System, RLS-AQM