CT-ISG: PacketSpread: Practical Network Capabilities
Angelos Keromytis, Columbia University
Network denial of service attacks occur with increasing frequency and with devastating economic and psychological effects on the targeted sites and their users. Addressing the problem has proven difficult, primarily because of deployment and complexity concerns about previously proposed mechanisms. In particular, receiver-controlled capabilities are an elegant way of preventing communication interference, but they are difficult to deploy in practice and are susceptible to control-channel attacks.
This project is investigating a new communication paradigm, named PacketSpread, which makes the use of capability-like mechanisms feasible on the current Internet without requiring architectural modifications to networks or hosts. The high-level hypothesis of the research is that practical network capability schemes can be constructed from end-point traffic-redirection mechanisms that use a spread-spectrum-like communication paradigm enabled by an overlay network. To test this hypothesis, the project is prototyping such a scheme and experimentally validating its resistance to attacks launched by realistic adversaries, while minimizing the approach's impact on end-to-end communication latency and throughput.
The results of this research will enable a better understanding of how network-capability schemes can be deployed and used to provide robust and secure communications, both under normal operation and in times of crisis. Improvements in the security and reliability of the large-scale systems on which society, business, government, and individuals depend will have a positive impact on society.