FANFARE for the common flow

This paper presents FANFARE, a suite of infrastructure-based primitives that empowers routers and receivers to secure and enforce various flow-control mechanisms, such as per-flow admission control, service differentiation, and congestion control, even in the face of sophisticated attackers. In FANFARE, a sender must receive capabilities from both a receiver and forwarding routers in order to acquire a certain bandwidth allocation, thus empowering both receivers and routers to control the rates of flows. FANFARE provides strong incremental deployment properties; in particular, FANFARE's automatic congestion response mechanism can protect a downstream legacy link from being flooded by FANFARE traffic. In FANFARE, routers use no per-flow state; they only need to rely on local information to make decisions, and hence do not have to trust other routers. FANFARE can be used to secure several known architectures for managing flows. In this paper, for example, we show how to use FANFARE to halt DDoS attacks and to secure a Diffserv infrastructure.
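An added illustration, not code from the paper, of the general pattern the abstract relies on: a router can grant a per-flow rate without keeping per-flow state by binding the grant (source, destination, rate, expiry) to a keyed MAC under a router-local secret, then re-verifying every later packet from the fields the packet itself carries. The field layout, tag length and secret below are assumptions, not FANFARE's actual wire format.

```python
import hmac
import hashlib
import struct

# Constructed router-local secret (assumption); a real router would generate
# this at boot and rotate it. No other router needs to know it.
ROUTER_SECRET = b"constructed-router-local-secret"

# Assumed layout: 4-byte src, 4-byte dst, u32 rate (bit/s), u64 expiry, 8-byte tag.
_GRANT_FMT = "!4s4sIQ"
_GRANT_LEN = struct.calcsize(_GRANT_FMT)   # 20 bytes
_TAG_LEN = 8

def _tag(grant, secret):
    return hmac.new(secret, grant, hashlib.sha256).digest()[:_TAG_LEN]

def issue_capability(src, dst, rate_bps, expiry, secret=ROUTER_SECRET):
    """Grant rate_bps to the (src, dst) flow until `expiry`.

    The router stores nothing: the returned capability carries the grant
    and a MAC over it, so the state lives in the packets, not the router."""
    grant = struct.pack(_GRANT_FMT, src, dst, rate_bps, expiry)
    return grant + _tag(grant, secret)

def verify_capability(cap, src, dst, now, secret=ROUTER_SECRET):
    """Return the granted rate for this packet, or None if the capability is
    malformed, forged, altered, bound to another flow, or expired.

    Only local information is used: the secret and the packet's own fields."""
    if len(cap) != _GRANT_LEN + _TAG_LEN:
        return None
    grant, tag = cap[:_GRANT_LEN], cap[_GRANT_LEN:]
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(tag, _tag(grant, secret)):
        return None
    c_src, c_dst, rate_bps, expiry = struct.unpack(_GRANT_FMT, grant)
    if c_src != src or c_dst != dst or now > expiry:
        return None
    return rate_bps
```

Because the tag is recomputed from the packet, a sender that rewrites the rate field, replays a capability on a different flow, or presents one past its expiry is rejected without the router ever having tracked that flow.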
