Open access
Author
Date: 2022
Type: Doctoral Thesis
ETH Bibliography: yes
Abstract
While it is impressive that many of the protocols and algorithms prevalent in
today's networks and the Internet have remained essentially unchanged since the
first computer networks of the 1960s, they were not designed for today's
security environment. It is only thanks to protocol extensions and new
technologies that today's network users are protected against many threats. For
example, most hosts are behind firewalls that prevent some malicious traffic
from reaching them, and most traffic is encrypted to prevent eavesdropping.
However, today's protections are not enough. For instance, denial-of-service
attacks can cut a host's connection even if the attack traffic never reaches the
host, and encrypted traffic still leaks information about its contents through
packet sizes and timing.
In this dissertation, we explore how obfuscation can help to close such gaps.
To this end, we present two solutions:
First, we present NetHide, a system that mitigates denial-of-service attacks
against the network infrastructure by obfuscating the network topology. The key
idea behind NetHide is to formulate topology obfuscation as a multi-objective
optimization problem that allows for a flexible trade-off between the security
of the topology and the usability of network debugging tools. NetHide then
intercepts and modifies path-tracing probes in the data plane to ensure that
attackers can only learn the obfuscated topology.
Second, we present ditto, a system that prevents traffic-analysis attacks by
obfuscating the timing and size of packets. The key idea behind ditto is to add
padding to packets and to introduce chaff packets such that the resulting
traffic is independent of production traffic with respect to packet sizes and
timing. ditto provides high throughput without requiring changes at hosts, which
makes it ideal for protecting wide area networks.
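To make the ditto idea concrete, here is a small Python model of a link shaper that pads and fragments production packets into fixed-size frames sent at a fixed cadence, and emits chaff frames whenever nothing is queued. This is an added example written for this page, not code from the thesis or from ditto itself (which runs on programmable switches); the frame size `FRAME_BYTES`, the slot length `SLOT_US`, the `Packet`/`Frame` types and the two traffic samples are assumptions constructed for the demonstration.

```python
"""Ditto-style size-and-timing obfuscation, simulated.

Added example for this page; not code from the thesis or from ditto itself
(ditto runs on programmable switches, this is a Python model of the idea).
The shaper transmits exactly one FRAME_BYTES frame every SLOT_US microseconds:
production data is padded (and split across frames when larger), and a chaff
frame is sent whenever no production data is queued. FRAME_BYTES, SLOT_US and
the traffic samples below are assumptions made for the demonstration.
"""
from collections import deque
from dataclasses import dataclass


FRAME_BYTES = 1500   # assumed fixed on-the-wire frame size
SLOT_US = 10         # assumed slot length: one frame every 10 microseconds


@dataclass(frozen=True)
class Packet:
    t_us: int   # arrival time at the shaper, microseconds
    size: int   # production bytes


@dataclass(frozen=True)
class Frame:
    t_us: int      # transmission time, microseconds
    size: int      # always FRAME_BYTES: this is all an observer sees
    chaff: bool    # True when the frame carries no production data
    payload: int   # production bytes inside (0 for chaff)


def shape(packets, horizon_us, frame_bytes=FRAME_BYTES, slot_us=SLOT_US):
    """Shape `packets` over [0, horizon_us).

    Returns (frames, delays): the frames put on the wire, and for every
    packet fully transmitted within the horizon its queueing delay in us.
    """
    arrivals = deque(sorted(packets, key=lambda p: p.t_us))
    queue = deque()             # [remaining_bytes, arrival_t] per packet
    frames, delays = [], []
    for t in range(0, horizon_us, slot_us):
        # Admit everything that has arrived by the start of this slot.
        while arrivals and arrivals[0].t_us <= t:
            p = arrivals.popleft()
            queue.append([p.size, p.t_us])
        # Fill one frame from the head of the queue; the rest is padding.
        room, carried = frame_bytes, 0
        while queue and room > 0:
            take = min(queue[0][0], room)
            queue[0][0] -= take
            room -= take
            carried += take
            if queue[0][0] == 0:
                delays.append(t - queue.popleft()[1])
        # A slot with nothing queued still sends a (chaff) frame, so the
        # cadence on the wire never reveals whether data was present.
        frames.append(Frame(t, frame_bytes, carried == 0, carried))
    return frames, delays


def wire_view(frames):
    """What a passive observer on the link records: (time, size) pairs."""
    return [(f.t_us, f.size) for f in frames]


def raw_view(packets):
    """The same observer's view of the unshaped traffic."""
    return sorted((p.t_us, p.size) for p in packets)


def chaff_fraction(frames):
    """Bandwidth overhead: share of frames that carry no production data."""
    return sum(f.chaff for f in frames) / len(frames)


# Constructed sample traffic: a bulky download versus a sparse interactive
# session. Unshaped, the two are trivially distinguishable by size and timing.
BULK = [Packet(0, 4000), Packet(5, 1500), Packet(40, 100)]
INTERACTIVE = [Packet(12, 60), Packet(80, 60)]


if __name__ == "__main__":
    for name, traffic in (("bulk", BULK), ("interactive", INTERACTIVE)):
        frames, delays = shape(traffic, horizon_us=100)
        print(name, "raw:", raw_view(traffic))
        print(name, "wire:", wire_view(frames))
        print(name, "chaff fraction: %.2f, max delay: %d us"
              % (chaff_fraction(frames), max(delays)))
```

Running it shows the property the abstract describes: `wire_view` is identical for the two very different workloads, so an observer of the shaped link learns nothing about which one is flowing, while `raw_view` distinguishes them at a glance. The two statistics printed alongside are the price of that independence: chaff frames consume bandwidth whenever the production traffic is below the shaped rate, and packets larger than a frame or arriving between slots are delayed. A deployment chooses `FRAME_BYTES` and `SLOT_US` to bound exactly those two costs for the link it protects.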
Both systems leverage recent advances in network programmability. They show that
programmable switches can increase the security of high-throughput networks
without degrading their performance.
However, programmable switches not only provide high performance for
obfuscation, but also allow analyzing traffic at scale. We complete this
dissertation with a discussion of four use cases in which programmable switches
analyze traffic, for both benign and malicious purposes.
Permanent link: https://doi.org/10.3929/ethz-b-000584627
Publication status: published
Contributors
Examiner: Vanbever, Laurent
Examiner: Lenders, Vincent
Examiner: Chen, Ang
Examiner: Perrig, Adrian
Publisher: ETH Zurich
Subject: Computer networks; Computer network security; Obfuscation; Programmable data plane
Organisational unit: 09477 - Vanbever, Laurent / Vanbever, Laurent