City University of Hong Kong

Title: Network infrastructure security : a design of secure spanning-tree protocol and an analysis on distributed denial of service attack
Other Titles: Wang luo ji chu an quan : an quan sheng cheng shu xie yi de she ji he fen san shi ju jue fu wu gong ji de fen xi
網絡基礎安全 : 安全生成樹協議的設計和分散式拒絶服務攻擊的分析
Authors: Yan, Fan (閻帆)
Department: Department of Electronic Engineering
Degree: Master of Philosophy
Issue Date: 2008
Publisher: City University of Hong Kong
Subjects: Computer networks -- Security measures.
Telecommunication -- Switching systems.
Notes: CityU Call Number: TK5105.59 .Y34 2008
xii, 92 leaves : ill. 30 cm.
Thesis (M.Phil.)--City University of Hong Kong, 2008.
Includes bibliographical references (leaves 82-87)
Type: thesis
Abstract: Two problems of network infrastructure security are addressed in this thesis. The first is the security problem of the Spanning-Tree Protocol (STP), and the second is the Distributed Denial of Service (DDoS) attack. Although STP is widely used in switching networks, it is vulnerable to STP attacks. In this thesis, we solve this problem of STP by proposing an enhanced STP. The proposed solution partitions an STP network into multiple tiers of switching networks. The reason for the partitioning is to hide the STP operations of the network infrastructure (i.e. the higher-tier switching networks) from the lower tiers of switching networks (those closer to end computers). To realise the partitioning, a new kind of Ethernet boundary switch is designed and implemented. On one hand, these boundary switches participate in the normal STP operations; on the other hand, the enhanced STP operations inside the boundary switches partition the STP operations between tiers. To quantify the security performance of the enhanced STP, the performance of the new switches is evaluated and compared with that of conventional STP under all known STP attacks. The results show a significant reduction in the number of affected switches under the non-DoS STP attacks when the enhanced STP is used. For DoS STP attacks, the CPU utilization of switches in handling STP topology changes can also be reduced by orders of magnitude. The implementation of the Ethernet boundary switches was based on the Linux bridge implementation and bridge configuration tools. Experiments were run to verify the design and to study the switches' performance. The results show that these new switches can provide better security for STP networks. This practical implementation also demonstrates how kernel programming on Linux and some modifications to configuration tools can be used to develop new switching devices.
In the second part of the thesis, the problem of the unknown impact on networks under DDoS attacks is addressed. A scale-free network (constructed from 1000 nodes) is investigated and its congestion level is measured. In the scale-free network, which models the Internet, each node is assumed to have links with finite buffers. Unlike previous works on complex networks, nodes under attack are not assumed to be removed. This gives more realistic results. The results show that the scale-free network becomes easily congested under DDoS attack. It is also found that the robustness of the scale-free network depends more on the number of attackers than on the degree of the victim node.
Appears in Collections:EE - Master of Philosophy

Files in This Item:

File            Description    Size     Format
abstract.html                  134 B    HTML
fulltext.html                  134 B    HTML

Items in CityU IR are protected by copyright, with all rights reserved, unless otherwise indicated.
