Show simple item record

Files in this item


Item metadata

dc.contributor.advisorBhatti, Saleem Noel
dc.contributor.authorShehzad, Khawar
dc.coverage.spatialxxviii, 178 p.en_US
dc.description.abstractThis research considered a novel approach to network security by combining a new networking architecture based on the Identifier-Locator Network Protocol (ILNP) and the existing Domain Name System (DNS). Specifically, the investigations considered the mitigation of network-level and transport-level based Denial of Service (DoS) attacks. The solutions presented for DoS are applicable to secure servers that are visible externally from an enterprise network. DoS was chosen as an area of concern because in recent years DoS has become the most common and hard to defend against attacks. The novelty of this approach was to consider the way the DNS and ILNP can work together, transparently to the application, within an enterprise scenario. This was achieved by the introduction of a new application-level access control function - the Capability Management System (CMS) - which applies configuration at the application level (DNS data) and network level (ILNP namespaces). CMS provides dynamic, ephemeral identity and location information to clients and servers, in order to effectively partition legitimate traffic from attack traffic. This was achieved without modifying existing network components such as switches and routers and making standard use of existing functions, such as access control lists, and DNS servers, all within a single trust domain that is under the control of the enterprise. The prime objectives of this research were: • to defend against DoS attacks with the use of naming and DNS within an enterprise scenario. • to increase the attacker’s effort in launching a successful DoS attack. • to reduce the visibility of vulnerabilities that can be discovered by an attacker by active probing approaches. • to practically demonstrate the effectiveness of ILNP and DNS working together to provide a solution for DoS mitigation. The solution methodology is based on the use of network and transport level capabilities, dynamic changes to DNS data, and a Moving Target Defence (MTD) paradigm. There are three solutions presented which use ILNP namespaces. These solutions are referred to as identifier-based, locator-based, and combined identifier-locator based solutions, respectively. ILNP-based node identity values were used to provide transport-level per-client server capabilities, thereby providing per-client isolation of traffic. ILNP locator values were used to allow a provision of network-level traffic separation for externally accessible enterprise services. Then, the identifier and locator solutions were combined, showing the possibility of protecting the services, with per-client traffic control and topological traffic path separation. All solutions were site-based solutions and did not require any modification in the core/external network, or the active cooperation of an ISP, therefore limiting the trust domain to the enterprise itself. Experiments were conducted to evaluate all the solutions on a test-bed consisting of off-the-shelf hardware, open-source software, an implementation of the CMS written in C, all running on Linux. The discussion includes considering the efficacy of the solutions, comparisons with existing methods, the performance of each solution, and critical analysis highlighting future improvements that could be made.en_US
dc.publisherUniversity of St Andrews
dc.rightsAttribution-NonCommercial-NoDerivatives 4.0 International*
dc.subjectIdentifier-Locator Network Protocol (ILNP)en_US
dc.subjectDomain Name System (DNS)en_US
dc.subjectDenial of Service (DoS) Attacksen_US
dc.subjectTransport-level DoS attacksen_US
dc.subjectNetwork-level DoS attacksen_US
dc.subjectMoving Target Defence (MTD)en_US
dc.subjectILNP namespace-based Capabilitiesen_US
dc.subjectEnterprise-host securityen_US
dc.subjectEnterprise-network securityen_US
dc.subjectCapabilities Management System (CMS)en_US
dc.subjectDNS Capabilitiesen_US
dc.subjectDoS mitigationen_US
dc.subjectPer-client traffic controlen_US
dc.subjectTopological traffic path separationen_US
dc.subjectAccess Control Lists (ACLs)en_US
dc.subjectDNS fast-fluxen_US
dc.subjectComputer Networkingen_US
dc.subjectILNP Mobilityen_US
dc.subject.lcshComputer securityen
dc.subject.lcshComputer networks--Security measuresen
dc.subject.lcshInternet--Security measuresen
dc.subject.lcshDenial of service attacksen
dc.titleDefence against Denial of Service (DoS) attacks using Identifier-Locator Network Protocol (ILNP) and Domain Name System (DNS)en_US
dc.contributor.sponsorUniversity of St Andrewsen_US
dc.contributor.sponsorVerisign, Inc.en_US
dc.type.qualificationnamePhD Doctor of Philosophyen_US
dc.publisher.institutionThe University of St Andrewsen_US
dc.publisher.departmentSchool of Computer Scienceen_US

The following license files are associated with this item:

    This item appears in the following Collection(s)

    Show simple item record

    Attribution-NonCommercial-NoDerivatives 4.0 International
    Except where otherwise noted within the work, this item's license for re-use is described as Attribution-NonCommercial-NoDerivatives 4.0 International