Denial of Service (DoS) in Internet Protocol (IP) Network and Information Centric Network (ICN): An Impediment to Network Quality of Service (QoS).

This paper compares and analyses the Denial-of-Service attacks in the two different Network architectures. The two architectures are based on different routing approaches: Hop-by-Hop IP routing and source-routing using Bloom filters. In Hop-by-Hop IP routing, the packet header contains the address, and the route is decided node by node. Forwarding in this method requires a node to have a routing table which contains the port through which the packet should traverse depending on the address of the destination. Instead in source-routing, the forwarding identifier is encoded with the path a packet should take and it is placed in the packet header. The forwarding identifier in this approach does not require a forwarding table for look ups like the IP routing; it relies on Line Speed Publish/Subscribe (LIPSIN) forwarding solution that focuses on using named links not nodes or interfaces. The forwarding identifier encompasses a set of Link ID’s which specifies the path to the recipient and they are encoded in a Bloom filter. The In-packet Bloom filters serve as both path selectors and as capabilities, and they are generated dynamically. However, this thesis is going to focus on the latter network technology by looking at both its benefits and drawbacks as well as analysing the possibilities of having a Denial of service attack. Keywords: DoS, DDoS, TCP/IP Protocol Suite, ICMP flood, E-mail Bomb, Ping of Death, TCP and UD

Adaptive Response System for Distributed Denial-of-Service Attacks

The continued prevalence and severe damaging effects of the Distributed Denial of Service (DDoS) attacks in today’s Internet raise growing security concerns and call for an immediate response to come up with better solutions to tackle DDoS attacks. The current DDoS prevention mechanisms are usually inflexible and determined attackers with knowledge of these mechanisms, could work around them. Most existing detection and response mechanisms are standalone systems which do not rely on adaptive updates to mitigate attacks. As different responses vary in their “leniency” in treating detected attack traffic, there is a need for an Adaptive Response System. We designed and implemented our DDoS Adaptive ResponsE (DARE) System, which is a distributed DDoS mitigation system capable of executing appropriate detection and mitigation responses automatically and adaptively according to the attacks. It supports easy integrations for both signature-based and anomaly-based detection modules. Additionally, the design of DARE’s individual components takes into consideration the strengths and weaknesses of existing defence mechanisms, and the characteristics and possible future mutations of DDoS attacks. These components consist of an Enhanced TCP SYN Attack Detector and Bloom-based Filter, a DDoS Flooding Attack Detector and Flow Identifier, and a Non Intrusive IP Traceback mechanism. The components work together interactively to adapt the detections and responses in accordance to the attack types. Experiments conducted on DARE show that the attack detection and mitigation are successfully completed within seconds, with about 60% to 86% of the attack traffic being dropped, while availability for legitimate and new legitimate requests is maintained. DARE is able to detect and trigger appropriate responses in accordance to the attacks being launched with high accuracy, effectiveness and efficiency. We also designed and implemented a Traffic Redirection Attack Protection System (TRAPS), a stand-alone DDoS attack detection and mitigation system for IPv6 networks. In TRAPS, the victim under attack verifies the authenticity of the source by performing virtual relocations to differentiate the legitimate traffic from the attack traffic. TRAPS requires minimal deployment effort and does not require modifications to the Internet infrastructure due to its incorporation of the Mobile IPv6 protocol. Experiments to test the feasibility of TRAPS were carried out in a testbed environment to verify that it would work with the existing Mobile IPv6 implementation. It was observed that the operations of each module were functioning correctly and TRAPS was able to successfully mitigate an attack launched with spoofed source IP addresses

Scalability of Information Centric Networking Using Mediated Topology Management

Information centric networking is a new concept that places emphasis on the information items themselves rather than on where the information items are stored. Consequently, routing decisions can be made based on the information items rather than on simply destination addresses. There are a number of models proposed for information centric networking and it is important that these models are investigated for their scalability if we are to move from early prototypes towards proposing that these models are used for networks operating at the scale of the current Internet. This paper investigates the scalability of an ICN system that uses mediation between information providers and information consumers using a publish/subscribe delivery mechanism. The scalability is investigated by extrapolating current IP traffic models for a typical national-scale network provider in the UK to estimate mediation workload. The investigation demonstrates that the mediation workload for route determination is on a scale that is comparable to, or less than, that of current IP routing while using a forwarding mechanism with considerably smaller tables than current IP routing tables. Additionally, the work shows that this can be achieved using a security mechanism that mitigates against maliciously injected packets thus stopping attacks such as denial of service that is common with the current IP infrastructure