
Capability-Based Defenses Against DoS Attacks in Multi-path MANET Communications

Wireless Personal Communications

Abstract

We present the design, implementation, and evaluation of CapMan, a capability-based security mechanism that prevents denial-of-service (DoS) attacks against mobile ad-hoc networks (MANETs). In particular, our approach is designed to mitigate insider attacks that exploit multi-path routing to flood other participating nodes in the network with packets. CapMan is instantiated on every node and enforces capability limits that effectively regulate the traffic of all end-to-end network flows. Each capability is issued and advertised by the capability distribution module and is globally maintained via the capability enforcement logic. By periodically exchanging small usage summaries, all cooperating nodes are informed of the global network state in a scalable and consistent manner. The distribution of summaries empowers individual nodes to make informed decisions and to regulate traffic as dictated by the per-flow capabilities across multiple dynamic routing paths. We implemented a prototype of CapMan as a module of the NS2 simulator and conducted extensive simulations with the prototype using AOMDV as the underlying multi-path routing protocol. Both theoretical analysis and experimental results validate that our mechanism can effectively curtail sophisticated DoS attacks that target multi-path routing in MANETs. We can protect the overall network health even when both the initiator and the responder are malicious insiders that collude in an attempt to deprive the network of valuable resources. Finally, our results show that CapMan introduces relatively small and configurable network overhead and imposes minimal impact on non-attacking traffic flows.
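The abstract describes the core problem and the core idea: a per-flow capability is easy to enforce on a single path, but an insider who splits one flow over several disjoint paths can stay under the limit on every individual path while exceeding it in aggregate, so the forwarding nodes have to combine their local observations through periodic usage summaries. The following Python model, added here as an illustration and not code from the paper or its NS2 prototype, shows that mechanism in miniature. All names (`Node`, `Packet`, the summary format, the max-per-path merge rule, the two-path topology A-B-D / A-C-D and the packet counts) are this example's own assumptions.

```python
"""
Toy model of capability-based per-flow limiting across multiple routing
paths. Every identifier and number in this file is an assumption made for
the illustration; none of it is CapMan's actual API or configuration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    flow: str   # end-to-end flow identifier, e.g. "A->D"
    path: int   # index of the multi-path route this packet travels on
    seq: int


@dataclass
class Node:
    name: str
    capabilities: dict  # flow -> packets allowed per epoch (issued centrally)
    # (flow, path) -> packets this node forwarded itself in the current epoch
    local: dict = field(default_factory=lambda: defaultdict(int))
    # (flow, path) -> highest count any peer reported in its summary
    remote: dict = field(default_factory=lambda: defaultdict(int))

    def flow_total(self, flow):
        """Estimate the flow's epoch volume across all of its paths.

        Every node on a path forwards the same packets, so the per-path
        count is the maximum over all reports (a peer that under-reports,
        e.g. a colluding responder, cannot lower it); the flow total is the
        sum over distinct paths, which is what the capability bounds.
        """
        per_path = defaultdict(int)
        for table in (self.local, self.remote):
            for (f, p), n in table.items():
                if f == flow:
                    per_path[p] = max(per_path[p], n)
        return sum(per_path.values())

    def forward(self, pkt):
        """Enforce the capability: True if forwarded, False if dropped."""
        limit = self.capabilities.get(pkt.flow)
        if limit is None:          # deny by default: no capability, no service
            return False
        if self.flow_total(pkt.flow) >= limit:
            return False
        self.local[(pkt.flow, pkt.path)] += 1
        return True

    def summary(self):
        return dict(self.local)

    def merge(self, summary):
        for key, n in summary.items():
            self.remote[key] = max(self.remote[key], n)


def simulate(exchange_every, packets_per_path, limit=10, responder_honest=True):
    """Initiator A splits one flow over two disjoint paths A-B-D and A-C-D.

    A sends `packets_per_path` packets on each path (constructed traffic);
    the capability allows `limit` packets per epoch for the whole flow.
    Summaries are exchanged after every `exchange_every` packets.
    Returns how many packets reached the responder D.
    """
    caps = {"A->D": limit}
    B, C, D = Node("B", caps), Node("C", caps), Node("D", caps)
    forwarder = {0: B, 1: C}
    delivered = sent = 0
    for seq in range(packets_per_path):
        for path in (0, 1):
            pkt = Packet("A->D", path, seq)
            sent += 1
            if forwarder[path].forward(pkt):
                delivered += 1
                D.local[(pkt.flow, pkt.path)] += 1  # D counts what it receives
            if sent % exchange_every == 0:
                # A colluding responder reports nothing; the honest forwarders
                # still supply the per-path maxima, so the cap still holds.
                reports = [B.summary(), C.summary()]
                reports.append(D.summary() if responder_honest else {})
                for node in (B, C, D):
                    for r in reports:
                        node.merge(r)
    return delivered


if __name__ == "__main__":
    print("no summary exchange:", simulate(1000, 10))            # cap evaded
    print("exchange every 2 pkts:", simulate(2, 10))             # cap held
    print("exchange every 4 pkts:", simulate(4, 10))             # small overshoot
    print("colluding responder:", simulate(2, 10, responder_honest=False))
```

Without summary exchange each forwarder sees only its own path and lets 10 packets through, so the flow delivers 20 against a capability of 10. With a summary after every two packets the forwarders converge on the flow total and stop at exactly 10; with a summary every four packets they overshoot to 12 before the merged view catches up. That gap is the trade-off the abstract calls "configurable overhead": a longer exchange period costs less control traffic but tolerates more overshoot per epoch. Because the merge takes the maximum per path, a responder that stops reporting changes nothing.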



Corresponding author

Correspondence to Quan Jia.

About this article

Cite this article

Jia, Q., Sun, K. & Stavrou, A. Capability-Based Defenses Against DoS Attacks in Multi-path MANET Communications. Wireless Pers Commun 73, 127–148 (2013). https://doi.org/10.1007/s11277-013-1297-3
