DefAT: Dependable Connection Setup for Network Capabilities

Abstract : Network-layer capabilities offer strong protection against link flooding by authorizing individual flows with unforgeable credentials (i.e., capabilities). However, the capability-setup channel is vulnerable to flooding attacks that prevent legitimate clients from acquiring capabilities; i.e., in Denial of Capability (DoC) attacks. Based on the observation that the distribution of attack sources in the current Internet is highly non-uniform, we provide a router-level scheme, named DefAT (Defense via Aggregating Traffic), that confines the effects of DoC attacks to specified locales or neighborhoods (e.g., one or more administrative domains of the Internet). DefAT provides precise access guarantees for capability schemes, even in the face of flooding attacks. The effectiveness of DefAT is shown in two ways. First, we illustrate the precise link-access guarantees provided by DefAT via ns2 simulations. Second, we show the effectiveness of DefAT in the current Internet via Internet-scale simulations using real Internet topologies and attack distribution.

[1]  Li Fan,et al.  Summary cache: a scalable wide-area web cache sharing protocol , 2000, TNET.

[2]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[3]  Paul Ferguson,et al.  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[4]  Dawn Xiaodong Song,et al.  SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[5]  Wenke Lee,et al.  Modeling Botnet Propagation Using Time Zones , 2006, NDSS.

[6]  Ratul Mahajan,et al.  Controlling high-bandwidth flows at the congested router , 2001, Proceedings Ninth International Conference on Network Protocols. ICNP 2001.

[7]  Elaine Shi,et al.  Portcullis: protecting connection setup from denial-of-capability attacks , 2007, SIGCOMM '07.

[8]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[9]  Argyraki,et al.  Network Capabilities : The Good , the Bad and the Ugly Katerina , 2022 .

[10]  Adrian Perrig,et al.  The Coremelt Attack , 2009, ESORICS.

[11]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[12]  Virgil D. Gligor,et al.  FLoc : Dependable Link Access for Legitimate Traffic in Flooding Attacks , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[13]  Paul E. McKenney,et al.  Stochastic fairness queueing , 1990, Proceedings. IEEE INFOCOM '90: Ninth Annual Joint Conference of the IEEE Computer and Communications Societies@m_The Multiple Facets of Integration.

[14]  Xiaowei Yang,et al.  A DoS-limiting network architecture , 2005, SIGCOMM '05.

[15]  Kang G. Shin,et al.  Stochastic fair blue: a queue management algorithm for enforcing fairness , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[16]  Dawn Xiaodong Song,et al.  Pi: a path identification mechanism to defend against DDoS attacks , 2003, 2003 Symposium on Security and Privacy, 2003..

[17]  David Wetherall,et al.  Preventing Internet denial-of-service with capabilities , 2004, Comput. Commun. Rev..

[18]  George Varghese,et al.  Efficient fair queueing using deficit round robin , 1995, SIGCOMM '95.

[19]  John Langford,et al.  CAPTCHA: Using Hard AI Problems for Security , 2003, EUROCRYPT.