|
|
Heuristic Methods for the Mitigation of DDoS Attacks that Abuse TCP Protocol
Goldschmidt, Patrik ; Wrona, Jan (referee) ; Kučera, Jan (advisor)
TCP SYN Flood is one of the most wide-spread DoS attack types used on computer networks nowadays. As a possible countermeasure, this thesis proposes a network-based mitigation method TCP Reset Cookies. The method utilizes the TCP three-way-handshake mechanism to establish a security association with a client before forwarding its SYN data. The algorithm can effectively mitigate even more sophisticated SYN flood attacks at the cost of 1-second delay for the first established connection. However, the method may not be suitable for all the scenarios, so decision-making algorithm to switch between different SYN Flood mitigation methods according to discovered traffic patterns was also developed. The project was conducted as a part of security research by CESNET. The discussed implementation of TCP Reset Cookies is already integrated into a DDoS protection solution deployed in CESNET's backbone network and Czech Internet exchange point at NIX.CZ.
|
|
|
Mitigation of DDoS Attacks Exploiting Packet Fragmentation
Nešpor, Patrik ; Vrána, Roman (referee) ; Kučera, Jan (advisor)
This bachelor's thesis deals with the development of new mitigation strategies that are designed to suppress DDoS attacks that exploit packet fragmentation. It analyses fragmented traffic primarily emphasizing the order of fragmented packets. Based on the result of the analysis, it implements a new heuristic method for port numbers inference. The work also measures the latency and throughput of newly implemented functionalities. All new methods are integrated in a project developed by the CESNET association.
|
|
|
Mitigation of DDoS Attacks Exploiting Packet Fragmentation
Nešpor, Patrik ; Vrána, Roman (referee) ; Kučera, Jan (advisor)
This bachelor's thesis deals with the development of new mitigation strategies that are designed to suppress DDoS attacks that exploit packet fragmentation. It analyses fragmented traffic primarily emphasizing the order of fragmented packets. Based on the result of the analysis, it implements a new heuristic method for port numbers inference. The work also measures the latency and throughput of newly implemented functionalities. All new methods are integrated in a project developed by the CESNET association.
|
|
|
Heuristic Methods for the Mitigation of DDoS Attacks that Abuse TCP Protocol
Goldschmidt, Patrik ; Wrona, Jan (referee) ; Kučera, Jan (advisor)
TCP SYN Flood is one of the most wide-spread DoS attack types used on computer networks nowadays. As a possible countermeasure, this thesis proposes a network-based mitigation method TCP Reset Cookies. The method utilizes the TCP three-way-handshake mechanism to establish a security association with a client before forwarding its SYN data. The algorithm can effectively mitigate even more sophisticated SYN flood attacks at the cost of 1-second delay for the first established connection. However, the method may not be suitable for all the scenarios, so decision-making algorithm to switch between different SYN Flood mitigation methods according to discovered traffic patterns was also developed. The project was conducted as a part of security research by CESNET. The discussed implementation of TCP Reset Cookies is already integrated into a DDoS protection solution deployed in CESNET's backbone network and Czech Internet exchange point at NIX.CZ.
|
guest ::
