GGrantIndex
← Search

CRII: SaTC: Explorng the Real World Applicability of Denial of Service Mitigation via Routing

$174,860FY2019CSENSF

University Of Tennessee Knoxville, Knoxville TN

Investigators

Abstract

Distributed Denial of Service (DDoS) attacks disrupt the ability of computers to communicate over the Internet by flooding victims with large volumes of unwanted network traffic. Due to their high economic impact and low technical complexity, such attacks remain one of the most problematic and common attacks experienced by companies, organizations, and high-profile individuals. This research project explores the viability of mitigating the effects of a distributed denial of service attack by dynamically adjusting the path traffic takes through the Internet, causing it avoid links congested with attack traffic. This technique has a number of advantages over currently deployed techniques which are both costly and, in many instances, ineffective. The research in this project additionally helps scientists more broadly understand how the Internet responds to on-demand re-routing of traffic. The final product of this research is functional prototype systems that are capable of ensuring that victims of a distributed denial of service attack can still communicate over the Internet, while at the same time being inexpensive and deployable on the existing Internet infrastructure. The project will train students in research as well as distribute software prototypes for the network operator community to use. It will also spend efforts to transition research to practice. The adoption of such systems would help companies avoid the financial harm that comes from distributed denial of service attacks and secure critical infrastructures, for example Smart Grids and national defense communications, from such attacks. This research project expands our knowledge of how re-routing based DDoS attack mitigation systems would function in practice. The experiments being conducted explore three key areas necessary for viable deployment of such systems. First, the research would validate the feasibility of re-routing as a security primitive on the live Internet. To explore this, researchers are attempting to execute re-routing policy on the Internet for their own network, observing from diverse vantage points the impact on path selection. These experiments quantify the prevalence of policies that inhibit the ability to migrate traffic, the number of alternative paths available in practice, and the independence of those paths. Second, researchers are exploring the viability of multiple actors successfully utilizing re-routing simultaneously. Researchers are developing algorithms that both compute the maximal amount of re-routing the Internet infrastructure can support and allocate those resources to make the most efficient use of this capacity. Lastly, researchers are enhancing re-routing based mitigation to function against dynamic adversaries. By considering the capacity of adversaries to also re-route their malicious traffic, researchers are building alternative path selection strategies that minimize the ability of the adversary to violate traffic isolation, and at the same time are exploring the viability of using a moving target defensive strategy through continuously re-routing critical traffic. This project results in functional software prototypes of a re-routing based distributed denial of service mitigation system that are freely supplied to the networking operator community for their use. Researchers are facilitating the system's transition to practice (TTP) by reaching out to the network operator community, both educating them on the possibilities of such solutions and as well as receiving feedback and suggestions for future enhancement. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

View original record on NSF Award Search →