A DoS-limiting network architecture

We present the design and evaluation of TVA, a network architecture that limits the impact of Denial of Service (DoS) floods from the outset. Our work builds on earlier work on capabilities in which senders obtain short-term authorizations from receivers that they stamp on their packets. We address the full range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulation to show that attack traffic can only degrade legitimate traffic to a limited extent, significantly outperforming previously proposed DoS solutions. We use a modified Linux kernel implementation to argue that our design can run on gigabit links using only inexpensive off-the-shelf hardware. Our design is also suitable for transition into practice, providing incremental benefit for incremental deployment.

[1]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[2]  Mukund Seshadri,et al.  A scalable and robust solution for bandwidth allocation , 2002, IEEE 2002 Tenth IEEE International Workshop on Quality of Service (Cat. No.02EX564).

[3]  EDDIE KOHLER,et al.  The click modular router , 2000, TOCS.

[4]  Ratul Mahajan,et al.  Controlling high bandwidth aggregates in the network , 2002, CCRV.

[5]  ShenkerScott,et al.  Controlling high bandwidth aggregates in the network , 2002 .

[6]  Kevin Barraclough,et al.  I and i , 2001, BMJ : British Medical Journal.

[7]  Paul Ferguson,et al.  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[8]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[9]  Steven M. Bellovin,et al.  Implementing Pushback: Router-Based Defense Against DDoS Attacks , 2002, NDSS.

[10]  Srikanth Kandula,et al.  Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds , 2005, NSDI.

[11]  David Wetherall,et al.  Preventing Internet denial-of-service with capabilities , 2004, Comput. Commun. Rev..

[12]  Scott Shenker,et al.  Analysis and simulation of a fair queueing algorithm , 1989, SIGCOMM 1989.

[13]  Mark Handley,et al.  Steps towards a DoS-resistant internet architecture , 2004, FDNA '04.

[14]  Ion Stoica,et al.  Taming IP packet flooding attacks , 2004, Comput. Commun. Rev..

[15]  Angelos D. Keromytis,et al.  SOS: secure overlay services , 2002, SIGCOMM '02.

[16]  David R. Cheriton,et al.  Active Internet Traffic Filtering: Real-time Response to Denial of Service Attacks , 2003, ArXiv.

[17]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[18]  Peter Druschel,et al.  Lazy receiver processing (LRP): a network subsystem architecture for server systems , 1996, OSDI '96.

[19]  Craig Partridge,et al.  Hash-based IP traceback , 2001, SIGCOMM.

[20]  David G. Andersen,et al.  Proceedings of Usits '03: 4th Usenix Symposium on Internet Technologies and Systems Mayday: Distributed Filtering for Internet Services , 2022 .

[21]  Dawn Xiaodong Song,et al.  Pi: a path identification mechanism to defend against DDoS attacks , 2003, 2003 Symposium on Security and Privacy, 2003..

[22]  Radia J. Perlman,et al.  Network layer protocols with Byzantine robustness , 1988 .

[23]  Anna R. Karlin,et al.  Network support for IP traceback , 2001, TNET.

[24]  Scott Shenker,et al.  Core-stateless fair queueing: achieving approximately fair bandwidth allocations in high speed networks , 1998, SIGCOMM '98.

[25]  Dawn Xiaodong Song,et al.  SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.