טכניון מכון טכנולוגי לישראל
הטכניון מכון טכנולוגי לישראל - בית הספר ללימודי מוסמכים  
M.Sc Thesis
M.Sc StudentOleg Romanov
SubjectBeaver on IPSec - Protection from DoS Attacks
DepartmentDepartment of Electrical Engineering
Supervisor Full Professor Keidar Idit
Full Thesis textFull thesis text - English Version


Abstract

Many client-server systems on the Internet are susceptible to Denial of Service (DoS) attacks. This thesis presents Beaver - a client-server architecture that is robust against DoS attacks. Its main purpose is to protect client-server communication from DoS attacks, especially from flooding it with messages. Beaver employs two DoS-protection mechanisms: one for admission of new client sessions, and another for protecting ongoing sessions. The former uses dedicated admission servers (ADMs). The use of ADMs takes the admission load off the server, so that the server is not concerned with DoS attacks on clients trying to be admitted into the system. The latter is Φ-Hopper - a two-party communication protocol that mitigates DoS attacks by filtering packets. Φ-Hopper protects client-server communication sessions from DoS attacks, but does not authenticate the communication by itself. Φ-Hopper only provides dynamic filtering and rate-limiting facilities. Together, the ADMs and Φ-Hopper are very effective against DoS attacks. At the first stage, we design and implement a Φ-Hopper. Our implementation extends a Linux kernel's IPSec implementation. IPSec (IP Security) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream. The implementation is followed by experiments, which investigate the influence of attacking power on systems with and without our protection. Next, we design and implement a rate-limiting mechanism also by extending Linux kernel's IPSec implementation. Next, we design and implement the admission server. Finally, we build the whole system by putting all parts together, and by running experiments, we show that the system is robust even when DoS attacks and compromised clients are present.