| Summary: | Industry is reporting increasingly damaging and popular application layer Denialof-Service (DoS) attacks. Therefore, now more than ever before, it is important to develop mitigations to DoS attacks generally, and application layer DoS attacks in particular. The challenge of this work is that application layer Internet-of-Things (IoT) systems integrated with cloud services exhibit a distinctive DoS vulnerability. The cloud services are accessed using HTTPS, but typically the small, under-resourced IoT devices only have the capacity to support the simplified, HTTP(S)-like CoAP(S) protocol, requiring protocol translation to occur in a proxy somewhere. This project addresses questions about how to reduce the vulnerability of such a proxy to DoS attacks. The contributions of this work are twofold. Firstly, we provide meaningful conclusions about the DoS-resilience of configuration parameters and compare our optimal settings with the defaults of the most substantial and widely used open source implementation of the CoAP(S) protocol proxy and auxiliary utilities. Our optimal settings result in substantial resilience against DoS attacks. Specifically, we cut mean client response time by two thirds, increase the number of messages that clients send successfully to 3.6x, reduce proxy memory usage by 20%, and reduce proxy CPU utilization in half. We additionally provide an architectural design proposal for the proxy which is likely to drastically increase its ability to maintain good performance for clients during an attack. Secondly, running experiments on DeterLab presents challenges regarding the collection and handling of experiment results without impinging on the performance of the experiments themselves. We provide our findings on solving the issues of impingement-free data collection and experiment storage and analysis in the form of an experiment management toolkit. To conclude, the research both demonstrates a viable reconfiguration of the proxy to simultaneously improve performance and reduce vulnerability to DoS attacks, and demonstrates the effectiveness of the experiment management toolkit developed during our research.
|
|---|