DOI: 10.1145/1774088.1774234
research-article

Mitigating denial of capability attacks using sink tree based quota allocation

Published: 22 March 2010

Abstract

Network capabilities have been proposed to prevent Distributed Denial of Service (DDoS) attacks proactively. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, potentially causing Denial-of-Capability (DoC). In this paper, we propose an algorithm to mitigate DoC attacks. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink tree architecture. Randomization and Bloom filters are used as tools against threats (attack scenarios). We show both analytically and experimentally that legitimate hosts can get service with a guaranteed probability. We also address fault tolerance and the deployment of the proposed approach.


Cited By

  • (2011) CluB. Proceedings of the 2011 ACM Symposium on Applied Computing, pp. 520-527. DOI: 10.1145/1982185.1982297. Online publication date: 21-Mar-2011
  • (2011) Mapping Systems Security Research at Chalmers. Proceedings of the 2011 First SysSec Workshop, pp. 67-70. DOI: 10.1109/SysSec.2011.22. Online publication date: 6-Jul-2011
  • (2011) Mitigating Distributed Denial-of-Service Attacks. Proceedings of the 2011 Seventh European Conference on Computer Network Defense. DOI: 10.1109/EC2ND.2011.18. Online publication date: 6-Sep-2011

      Published In

      SAC '10: Proceedings of the 2010 ACM Symposium on Applied Computing
      March 2010
      2712 pages
      ISBN:9781605586397
      DOI:10.1145/1774088
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. denial-of-capability
      2. denial-of-service
      3. sink tree

      Qualifiers

      • Research-article

      Conference

      SAC'10
      SAC'10: The 2010 ACM Symposium on Applied Computing
      March 22 - 26, 2010
      Sierre, Switzerland

      Acceptance Rates

      SAC '10 Paper Acceptance Rate 364 of 1,353 submissions, 27%;
      Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
