Denial-of-Service attacks continue to grow in size and frequency despite serious underreporting.
While several research solutions have been proposed over the years, they have had
important deployment hurdles that have prevented them from seeing any significant level of
deployment on the Internet. Commercial solutions exist, but they are costly and generally are
not meant to scale to Internet-wide levels.
In this thesis we present three filtering architectures against large Denial-of-Service attacks.
Their emphasis is on providing an effective defence against such attacks while relying on
simple mechanisms, so as to overcome the deployment hurdles faced by other solutions.
While these mechanisms are well suited to implementation in fast routing hardware, in the early
stages of deployment this is unlikely to be available. Because of this, we implemented them on
low-cost off-the-shelf hardware and evaluated their performance on a network testbed. The results
are very encouraging: this setup allows a single PC to forward traffic at rates of millions of
packets per second even for minimum-sized packets, while at the same time matching against as many
as one million filters; this gives us confidence that the architecture as a whole could withstand even
the large botnets currently being reported. Better yet, we show that this single-PC performance
scales well with the number of CPU cores and network interfaces, which is promising for our
solutions given the current trend in processor design towards more cores rather than faster clocks.
In addition to using simple mechanisms, we discuss how the architectures provide clear
incentives for ISPs that adopt them early, both at the destination and at the sources of
attacks. The hope is that these incentives will be sufficient to achieve some level of initial deployment.
The larger goal is to have an architectural solution against large DoS attacks in place before
even more harmful attacks take place; this thesis is hopefully a step in that direction.