A dependable architecture to mitigate distributed denial of service attacks on network-based control systems

Today, the Internet has become a promising platform for network-based control systems (NBCS), where packets are used to transmit feedback and control signals between a plant and controllers. On the other hand, today's distributed denial of service (DDoS) attacks cause significant disruption to the Internet, which threaten the operation of NBCS. This paper proposes an architecture called Fosel (filtering with the help of an overlay security layer) to protect NBCS from DDoS attacks. Fosel is a DoS defense technique that drops excess traffic effectively, thus reducing the overhead at the victim. The Fosel architecture is constructed using a combination of access point proxies, packet authentications, routing via onion tunnels, secret green nodes, rate limiter routers and a selective filter. For performance evaluation of Fosel, we use a networked proportional integral (PI) controller and a second-order plant (dc motor speed) as a case study. Emulab machines are used to implement the Fosel architecture. Real DoS toolkits are used to attack the plant's server and the Fosel architecture. Empirical results show that the Fosel architecture significantly reduces the likelihood of successful DDoS attacks to negligible levels. Practical results indicate that the Fosel architecture keeps communication alive between controllers and the plant. (C) 2011 Elsevier B.V. All rights reserved.