ABSTRACT
We present the design and evaluation of TVA, a network architecture that limits the impact of Denial of Service (DoS) floods from the outset. Our work builds on earlier work on capabilities in which senders obtain short-term authorizations from receivers that they stamp on their packets. We address the full range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulation to show that attack traffic can only degrade legitimate traffic to a limited extent, significantly outperforming previously proposed DoS solutions. We use a modified Linux kernel implementation to argue that our design can run on gigabit links using only inexpensive off-the-shelf hardware. Our design is also suitable for transition into practice, providing incremental benefit for incremental deployment.