Date of Award


Embargo Period


Degree Type


Degree Name

Doctor of Philosophy (PhD)


Electrical and Computer Engineering


Adrian Perrig


Numerous cyberattack incidents have demonstrated adversaries’ capability to cause Internet outages lasting hours or even days, jeopardizing governmental, financial, telecommunication, transportation, and healthcare services. With the intensity and frequency of cyberattacks constantly growing, it becomes crucial to find a way to provide availability guarantees despite active adversaries. As an initial step toward building a highly available Internet, this dissertation explores how to secure the data plane against off-path adversaries that flood the network (Distributed Denial of Service attacks) as well as on-path adversaries that discriminate against traffic (selective dropping attacks). These two types of attacks are increasingly prevalent, and their mitigation will lead to substantial improvement in Internet availability. However, DDoS and selective dropping attacks have yet to be addressed efficiently and effectively in the current Internet, primarily due to the fact that many security problems are too pervasive and fundamental to be fixed using patches constrained by the underlying Internet architecture. To address this challenge, this dissertation studies complementary defense mechanisms on top of a recently proposed clean-slate Internet architecture. This new architecture is a key enabler of this dissertation, as it provides several useful architectural primitives to support fine-grained isolation and fair access to resources—two driving principles behind the design of the defense mechanisms in this work. Fine-grained isolation protects legitimate traffic from interference with other traffic, including attack traffic. When isolation is not possible, fair access guarantees that legitimate traffic receives a fair share of resources during resource competition. Guided by these two principles, the first part of the dissertation describes novel solutions that cover three aspects of DDoS defense: (1) isolating DDoS traffic via bandwidth reservation, (2) bounding the waiting time before a successful reservation of flow bandwidth, and (3) ensuring that every flow complies with its allocated bandwidth limit without keeping per-flow state. The second part of the dissertation explores the prevention of address-based selective dropping through topological anonymity, and describes a lightweight anonymous forwarding scheme with near-optimal latency under a relaxed attacker model. The integration of these mechanisms achieves end-to-end availability guarantees on top of the clean-slate architecture under the assumptions that the lower layers are available and the routing paths are given. The resulting guarantees are independent of the strength of remote attackers, a feature that none of the existing work is able to achieve. Since several of the proposed mechanisms can be deployed incrementally for incremental protection, they can also improve the availability of the current Internet.