Selected Publications

While distributed denial-of-service (DDoS) attacks are easy to launch and are becoming more damaging, the defense against DDoS attacks often suffers from the lack of relevant knowledge of the DDoS traffic, including the paths the DDoS traffic has used, the source addresses (spoofed or not) that appear along each path, and the amount of traffic per path or per source. Though IP traceback and path inference approaches could be considered, they are either expensive and hard to deploy or inaccurate. We propose PathFinder, a service that a DDoS defense system can use to obtain the footprints of the DDoS traffic to the victim as is. It introduces a PFTrie data structure with multiple design features to log traffic at line rate, and is easy to implement and deploy on today’s Internet. We show that PathFinder can significantly improve the efficacy of a DDoS defense system, while PathFinder itself is fast and has a manageable overhead, as shown in the evaluations via both synthetic and real-world DDoS traces.
In IFIP 2018, 2018

Disruptive events, such as large-scale power outages, undersea cable cuts, or security attacks, could have an impact on the Internet and cause the Internet to deviate from its normal state of operation, which we also refer to as an “Internet earthquake.” As the Internet is a large, complex moving target, unfortunately little research has been done to define, observe, quantify, and analyze such impact on the Internet, whether it is during a past event period or in real time. In this paper, we devise an Internet seismograph, or I-seismograph, to fill this gap. Since routing is the most basic function of the Internet and the Border Gateway Protocol (BGP) is the de facto standard inter-domain routing protocol, we focus on BGP to observe, measure, and analyze the Internet earthquakes. After defining what an impact to BGP entails, we describe how I-seismograph observes and measures the impact, exemplify its usage during both old and recent disruptive events, and further validate its accuracy and convergency. Finally, we show that I-seismograph can further be used to help analyze what happened to BGP while BGP experienced an impact, including which autonomous systems (AS) were affected most or which AS paths or path segments surged significantly in BGP updates during an Internet earthquake.
In IEEE/ACM ToN, 2017

End hosts in today’s Internet have the best knowledge of the type of traffic they should receive, but they play no active role in traffic engineering. Traffic engineering is conducted by ISPs, which unfortunately are blind to specific user needs. End hosts are therefore subject to unwanted traffic, particularly from Distributed Denial of Service (DDoS) attacks. This research proposes a new system called DrawBridge to address this traffic engineering dilemma. By realizing the potential of software-defined networking (SDN), in this research we investigate a solution that enables end hosts to use their knowledge of desired traffic to improve traffic engineering during DDoS attacks.
In ACM CCR, 2014

Recent Publications

. PathFinder: Capturing DDoS Traffic Footprints on the Internet. In IFIP 2018, 2018.

. An Expectation-Based Approach to Policy-Based Security of the Border Gateway Protocol. In IEEE GLOBECOM, 2016.


. DrawBridge --- Software-Defined DDoS-Resistant Traffic Engineering. In ACM CCR, 2014.


Recent & Upcoming Talks

More Talks

Drawbridge Demo 2016
Aug 1, 2016
Game-Theory-Based DDoS Defense Strategy Study
Feb 26, 2016

Recent Posts

ox-hugo (github link) is a fantastic package that can help transform org-mode notes into HUGO blog posts. The installation is very easy if you use vanilla Emacs (i.e. just use MELPA). However, on the current develop branch of Spacemacs, I encountered the problem of dependency mismatch where ox-hugo requires org package while Spacemacs uses org-plus-contrib package. As a result, on starting Spacemacs it will try to delete org package and the reinstall org after it tries to load ox-hugo.


Network Attached System (NAS) is a good invention that makes managing and sharing our daily lives so much more convenient. In general, I like the idea of having a storage device connected to the Internet without relying on cloud storage or a always-on heavy PC. However, people would need a domain name to bind to the IP address of the NAS in order to remember it. If you bought a domain name from some providers (like Google Domains or GoDaddy), and bound a subdomain to the IP address of your NAS, is the problem solved?


First, I can only think of the tips from a PhD student’s point of view. I do not consider myself a role model as a PhD student, and I can summarize some tips that I wish I could do better on. 1. Read papers. Reading papers could be a intimidating tasks for new graduate students. However, it is the fastest way to build up your confidence in talking about any certain subjects, or writing articles.


Recently, I’ve come across a set of discussion happened on the NANOG mailing list about a DDoS ransom incident. I find it rather interesting, and summarized a few notes about this incident. What happened? A small company has received a ransom note from a very well-known group for potential DDoS attacks. The magnitude could be several hundred Gbps. Asked on NANOG mailing list for help. The attack group could most likely to be Armada Collective Primarily DNS and NTP amplicafication Web requests of 80 million per hour Suggestions from NANOG members Roland Dobbins from Arbor: Upstream ACL (access control list) Nick: If they pay the ransom: the attackers can come back at any time for more.


Using jail to separate individual running services is very easy to achieve in FreeBSD. In my case, I put my several websites into different jails just for easy maintenance and a clear mind. With the jails set up, it is then becomes the most important job to enable a stable backup plan for all the jails. In this article, I will introduce my way of backing up jails using ezjail, rsync, and crontab.