
    Topology dependence of PPM-based Internet Protocol traceback schemes

    Multiple schemes that utilize probabilistic packet marking (PPM) have been proposed to deal with Distributed Denial of Service (DDoS) attacks by reconstructing their attack graphs and identifying the attack sources. In the first part of this dissertation, we present our contribution to the family of PPM-based schemes for Internet Protocol (IP) traceback. Our proposed approach, the Prediction-Based Scheme (PBS), consists of marking and traceback algorithms that reduce scheme convergence times by dealing with the problems of data loss and incomplete attack graphs exhibited by previous PPM-based schemes. Compared to previous PPM-based schemes, the PBS marking algorithm ensures that traceback is possible with about 54% as many total network packets, while the traceback algorithm takes about 33% as many marked packets for complete attack path construction. In the second part of this dissertation, we tackle the problem of scheme evaluation and comparison across different network topologies. Previous research in this area has overlooked the influence of network topology on scheme performance and has often used disparate and simplistic network abstractions to evaluate and compare these schemes. Our approach to this problem involves the evaluation of selected PPM-based schemes across a set of 60 Internet-like topologies and the adaptation of the network motif approach to provide a common ground for comparing the schemes' performance in different network topologies. This approach allows us to determine the level of structural similarity between network topologies and consequently enables the comparison of scheme performance even when the schemes are implemented on different topologies. Furthermore, we identify three network-dependent factors that affect different PPM-based schemes in different ways, causing a variation in, and discrepancy between, scheme performance from one network to another.
    Results indicate that scheme performance depends on the network on which it is implemented, i.e. the PPM-based schemes' convergence times and their rankings vary with the underlying network topology. We show how the identified network factors contribute, individually and collectively, to scheme performance in large-scale networks. Additionally, we identify five superfamilies among the 60 considered networks and find that networks within a superfamily also exhibit similar PPM-based scheme performance. To complement our results, we present an analytical model showing a link between scheme performance in any superfamily and the motifs exhibited by the networks in that superfamily. Our work highlights the need to evaluate network protocols on multiple networks. To this end, we demonstrate a method of identifying structurally similar network topologies among which protocol performance is potentially comparable. Our work also presents an effective way of comparing general network protocol performance in which the protocol is evaluated on specific representative networks instead of an entire set of networks.
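    The abstract above refers to PPM convergence time, mark loss and topology dependence without spelling out the mechanism. The following Python script is an added example, not code from the dissertation and not its PBS algorithms: it simulates the classic node-sampling form of probabilistic packet marking, in which each router on the attack path overwrites a single mark field with its own identifier with probability p and the victim orders routers by mark frequency. The router names R1..R15, the two path lengths, the marking probabilities and the RNG seed are assumptions chosen for illustration. Running it shows why longer paths need more packets to converge (an upstream mark survives only if every downstream router declines to re-mark) and why p = 1 loses every upstream mark entirely.

```python
"""Node-sampling PPM simulator: constructed example, not the dissertation's PBS."""
import random
from collections import Counter


def mark_packet(path, p, rng):
    """Forward one packet along `path` (router ids from the attacker's first hop
    to the victim's last hop). Each router overwrites the packet's single mark
    field with its own id with probability p, so a mark written far upstream
    survives only if every downstream router declines to re-mark. Returns the
    mark the victim sees, or None if no router marked the packet."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def mark_rate(distance, p):
    """Per-packet probability that the victim receives the mark of the router
    `distance` hops upstream (1 = the victim's last hop)."""
    return p * (1 - p) ** (distance - 1)


def reconstruct_path(marks):
    """Victim-side reconstruction: routers ordered by descending mark frequency,
    i.e. from the victim's last hop back towards the attacker."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]


def simulate(path, p, n_packets, seed=1):
    """Send n_packets attack packets along `path` and report the number of
    packets after which every router on the path has been seen at least once
    (a simple convergence measure), plus the reconstructed path and the
    observed per-router mark rate."""
    rng = random.Random(seed)
    marks, seen, converged_after = [], set(), None
    for n in range(1, n_packets + 1):
        m = mark_packet(path, p, rng)
        marks.append(m)
        if m is not None:
            seen.add(m)
        if converged_after is None and len(seen) == len(path):
            converged_after = n
    return {
        "converged_after": converged_after,
        "reconstructed": reconstruct_path(marks),
        "observed_rate": {r: c / n_packets for r, c in Counter(marks).items() if r},
    }


if __name__ == "__main__":
    # Assumed topologies: a 5-hop and a 15-hop attack path with made-up router ids.
    short_path = [f"R{i}" for i in range(1, 6)]
    long_path = [f"R{i}" for i in range(1, 16)]
    for p in (0.04, 0.25):
        for path in (short_path, long_path):
            result = simulate(path, p, n_packets=20_000)
            print(f"p={p:.2f} hops={len(path):2d} converged after "
                  f"{result['converged_after']} packets; farthest router mark rate "
                  f"{mark_rate(len(path), p):.4f} (observed "
                  f"{result['observed_rate'].get(path[0], 0):.4f})")
    # p=1.0: every router re-marks, so only the last hop ever reaches the victim.
    print(simulate(short_path, 1.0, n_packets=10)["reconstructed"])
```

    The convergence count here is deliberately naive (first packet after which every router has been seen once); real schemes, including the PBS described above, must also cope with spoofed marks and with reconstructing branches of a full attack graph rather than a single path, which this toy does not model.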

    Proactive and reactive defense against DDoS attacks in a simulated software-defined networking environment

    Software Defined Networking (SDN) represents a paradigm shift for communication networks because of the separation of the control plane from the data plane, which abstracts the hardware from the software and relies on a central element (the controller) that manages the network in a centralized way. It is a flexible, manageable, adaptive and economical network architecture, well suited to supporting any application developed today. The controller, in fact, provides the system with an abstraction layer that makes it easier to create new network services and applications. In this work, after analyzing several open-source controllers, the OpenDayLight controller was selected for its popularity and features. In parallel with this paradigm shift, Internet-oriented attacks, and in particular Distributed Denial of Service (DDoS) attacks, continue to occur. DDoS attacks attempt to exhaust the system's resources by consuming its bandwidth. In this bachelor's thesis (Trabajo de Fin de Grado, TFG), the different types of DDoS attacks were studied, focusing afterwards on one of the most common, flooding over the HTTP protocol. Taking these aspects into account, this TFG develops a defense mechanism against DDoS attacks on an SDN controller in a simulated network environment (specifically, Mininet) that is both proactive, periodically rejuvenating the replicas regardless of the state they are in, and reactive, acting when a threat is detected. The proposed scenario assumes a web server distributed across several nodes (thanks to the use of SDN), so that under a DDoS attack it tolerates the unavailability of some of those nodes.
    In this way, the work aims to give an idea of how SDN networks operate in a real environment and of their potential to counter DDoS attacks while preserving quality of service. Finally, experimental tests were carried out to demonstrate its behaviour under different attack scenarios. The results show that the proposed defense provides the system with an additional layer of security that is able to mitigate DDoS attacks. The developed code has been released for use and to guarantee the reproducibility of the results obtained.