ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A DoS-limiting network architecture
Full text PdfPdf (371 KB)
Source ACM SIGCOMM Computer Communication Review archive
Volume 35 ,  Issue 4  (October 2005) table of contents
SESSION: Security table of contents
Pages: 241 - 252  
Year of Publication: 2005
ISSN:0146-4833
Also published in ...
Authors
Xiaowei Yang  University of California, Irvine
David Wetherall  University of Washington
Thomas Anderson  University of Washington
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 19,   Downloads (12 Months): 141,   Citation Count: 38
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1090191.1080120
What is a DOI?

ABSTRACT

We present the design and evaluation of TVA, a network architecture that limits the impact of Denial of Service (DoS) floods from the outset. Our work builds on earlier work on capabilities in which senders obtain short-term authorizations from receivers that they stamp on their packets. We address the full range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulation to show that attack traffic can only degrade legitimate traffic to a limited extent, significantly outperforming previously proposed DoS solutions. We use a modified Linux kernel implementation to argue that our design can run on gigabit links using only inexpensive off-the-shelf hardware. Our design is also suitable for transition into practice, providing incremental benefit for incremental deployment.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
D. Andersen. Mayday: Distributed Filtering for Internet Services. In 3rd Usenix USITS, 2003.
 
2
T. Anderson, T. Roscoe, and D. Wetherall. Preventing Internet Denial of Service with Capabilities. In Proc. HotNets-II, Nov. 2003.
 
3
K. Argyraki and D. Cheriton. Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks. In USENIX 2005, 2005.
 
4
DDoS attacks still pose threat to Internet. BizReport, 11/4/03.
 
5
Extortion via DDoS on the rise. Network World, 5/16/05.
6
A. Demers , S. Keshav , S. Shenker, Analysis and simulation of a fair queueing algorithm, Symposium proceedings on Communications architectures & protocols, p.1-12, September 25-27, 1989, Austin, Texas, United States
7
Peter Druschel , Gaurav Banga, Lazy receiver processing (LRP): a network subsystem architecture for server systems, Proceedings of the second USENIX symposium on Operating systems design and implementation, p.261-275, October 29-November 01, 1996, Seattle, Washington, United States
 
8
P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks that Employ IP Source Address Spoofing. Internet RFC 2827, 2000.
9
Mark Handley , Adam Greenhalgh, Steps towards a DoS-resistant internet architecture, Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture, August 30-30, 2004, Portland, Oregon, USA  [doi>10.1145/1016707.1016717]
 
10
J. Ioannidis and S. Bellovin. Implementing Pushback: Router-Based Defense Against DoS Attacks. In NDSS, 2002.
 
11
S. Kandula, D. Katabi, M. Jacob, and A. Berger. Botz-4-sale: Surviving organized DDoS attacks that mimic flash crowds. In 2nd NSDI, May 2005.
12
Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
13
Eddie Kohler , Robert Morris , Benjie Chen , John Jannotti , M. Frans Kaashoek, The click modular router, ACM Transactions on Computer Systems (TOCS), v.18 n.3, p.263-297, Aug. 2000  [doi>10.1145/354871.354874]
 
14
K. Lakshminarayanan, D. Adkins, A. Perrig, and I. Stoica. Taming IP Packet Flooding Attacks. In Proc. HotNets-II, 2003.
 
15
S. Machiraju, M. Seshadri, and I. Stoica. A Scalable and Robust Solution for Bandwidth Allocation . In IWQoS'02, 2002.
16
Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002  [doi>10.1145/571697.571724]
 
17
Alfred J. Menezes , Scott A. Vanstone , Paul C. Van Oorschot, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, 1996
 
18
D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. In Usenix Security Symposium 2001, 2001.
 
19
http://www.netfilter.org/.
20
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
21
Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
 
22
D. Song and A. Perrig. Advance and Authenticated Marking Schemes for IP Traceback. In Proc. IEEE Infocom, 2001.
23
Ion Stoica , Scott Shenker , Hui Zhang, Core-stateless fair queueing: achieving approximately fair bandwidth allocations in high speed networks, Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication, p.118-130, August 31-September 04, 1998, Vancouver, British Columbia, Canada
 
24
Abraham Yaar , Adrian Perrig , Dawn Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.93, May 11-14, 2003
 
25
A. Yaar, A. Perrig, and D. Song. SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. In IEEE Symposium on Security and Privacy, 2004.

CITED BY  38
Harsha V. Madhyastha , Arun Venkataramani , Arvind Krishnamurthy , Thomas Anderson, Oasis: an overlay-aware network stack, ACM SIGOPS Operating Systems Review, v.40 n.1, January 2006
Maitreya Natu , Jelena Mirkovic, Fine-grained capabilities for flooding DDoS defense using client reputations, Proceedings of the 2007 workshop on Large scale attack defense, August 27-27, 2007, Kyoto, Japan
Adam Bender , Neil Spring , Dave Levin , Bobby Bhattacharjee, Accountability as a service, Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet, p.1-6, June 18, 2007, Santa Clara, CA
Jelena Mirkovic , Alefiya Hussain , Brett Wilson , Sonia Fahmy , Peter Reiher , Roshan Thomas , Wei-Min Yao , Stephen Schwab, Towards user-centric metrics for denial-of-service measurement, Proceedings of the 2007 workshop on Experimental computer science, p.8-es, June 13-14, 2007, San Diego, California
Pratap Ramamurthy , Vyas Sekar , Aditya Akella , Balachander Krishnamurthy , Anees Shaikh, Remote profiling of resource constraints of web servers using mini-flash crowds, USENIX 2008 Annual Technical Conference on Annual Technical Conference, p.185-198, June 22-27, 2008, Boston, Massachusetts
Matthew Caesar , Tyson Condie , Jayanthkumar Kannan , Karthik Lakshminarayanan , Ion Stoica, ROFL: routing on flat labels, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
Wen Xu , Jennifer Rexford, MIRO: multi-path interdomain routing, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
Patrick Verkaik , Oliver Spatscheck , Jacobus Van der Merwe , Alex C. Snoeren, PRIMED: community-of-interest-based DDoS mitigation, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.147-154, September 11-15, 2006, Pisa, Italy
Michael Walfish , Mythili Vutukuru , Hari Balakrishnan , David Karger , Scott Shenker, DDoS defense by offense, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
Jelena Mirkovic , Alefiya Hussain , Brett Wilson , Sonia Fahmy , Peter Reiher , Roshan Thomas , Wei-Min Yao , Stephen Schwab, A user-centric metric for denial-of-service measurement, Experimental computer science on Experimental computer science, p.7-7, June 13-14, 2007, San Diego
Xiaoming Fu , Jon Crowcroft, GONE: an infrastructure overlay for resilient, DoS-limiting networking, Proceedings of the 2006 international workshop on Network and operating systems support for digital audio and video, November 22-23, 2006, Newport, Rhode Island
Daniel R. Simon , Sharad Agarwal , David A. Maltz, AS-based accountability as a cost-effective DDoS defense, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.9-9, April 10, 2007, Cambridge, MA
Teemu Koponen , Mohit Chawla , Byung-Gon Chun , Andrey Ermolinskiy , Kye Hyun Kim , Scott Shenker , Ion Stoica, A data-oriented (and beyond) network architecture, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Xin Liu , Ang Li , Xiaowei Yang , David Wetherall, Passport: secure and adoptable source authentication, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.365-378, April 16-18, 2008, San Francisco, California
Vyas Sekar , Michael K. Reiter , Walter Willinger , Hui Zhang , Ramana Rao Kompella , David G. Andersen, CSAMP: a system for network-wide flow monitoring, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.233-246, April 16-18, 2008, San Francisco, California
Colin Dixon , Thomas Anderson , Arvind Krishnamurthy, Phalanx: withstanding multimillion-node botnets, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.45-58, April 16-18, 2008, San Francisco, California
Bryan Parno , Dan Wendlandt , Elaine Shi , Adrian Perrig , Bruce Maggs , Yih-Chun Hu, Portcullis: protecting connection setup from denial-of-capability attacks, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Mudhakar Srivatsa , Arun Iyengar , Jian Yin , Ling Liu, Mitigating application-level denial of service attacks on Web servers: A client-transparent approach, ACM Transactions on the Web (TWEB), v.2 n.3, p.1-49, July 2008
Tilman Wolf, Design of a network architecture with inherent data path security, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
Craig A. Shue , Minaxi Gupta , Matthew P. Davy, Packet forwarding with source verification, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.8, p.1567-1582, June, 2008
Barath Raghavan , Kashi Vishwanath , Sriram Ramabhadran , Kenneth Yocum , Alex C. Snoeren, Cloud control with distributed rate limiting, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Mehmet H. Gunes , Sevcan Bilir , Kamil Sarac , Turgay Korkmaz, A measurement study on overhead distribution of value-added internet services, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.14, p.4153-4173, October, 2007
Bryan Parno , Adrian Perrig , Dave Andersen, SNAPP: stateless network-authenticated path pinning, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
Don P. Cox , Youssif Al-Nashif , Salim Hariri, Application of autonomic agents for global information grid management and security, Proceedings of the 2007 summer computer simulation conference, July 16-19, 2007, San Diego, California
Saikat Guha , Paul Francis, An end-middle-end approach to connection establishment, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Mimoza Durresi , Leonard Barolli , Vamsi Paruchuri , Arjan Durresi, Scalable traceback against distributed denial of service, International Journal of Web and Grid Services, v.2 n.2, p.221-233, September 2006
Xiaowei Yang, Auction, but don't block, Proceedings of the 3rd international workshop on Economics of networked systems, August 22-22, 2008, Seattle, WA, USA
Ruiliang Chen , Jung-Min Park , Randolph Marchany, A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks, IEEE Transactions on Parallel and Distributed Systems, v.18 n.5, p.577-588, May 2007
Maxim Podlesny , Sergey Gorinsky, Rd network services: differentiation through performance incentives, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Mudhakar Srivatsa , Arun Iyengar , Jian Yin , Ling Liu, A middleware system for protecting against application level denial of service attacks, Proceedings of the ACM/IFIP/USENIX 2006 International Conference on Middleware, November 01-01, 2006, Melbourne, Australia
Xiaowei Yang , David Wetherall , Thomas Anderson, TVA: a DoS-limiting network architecture, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1267-1280, December 2008
Arjan Durresi , Vamsi Paruchuri , Leonard Barolli, Fast autonomous system traceback, Journal of Network and Computer Applications, v.32 n.2, p.448-454, March, 2009
Ramakrishna Gummadi , Hari Balakrishnan , Petros Maniatis , Sylvia Ratnasamy, Not-a-Bot: improving service availability in the face of botnet attacks, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.307-320, April 22-24, 2009, Boston, Massachusetts
Barath Raghavan , Patric Verkaik , Alex C. Snoeren, Secure and policy-compliant source routing, IEEE/ACM Transactions on Networking (TON), v.17 n.3, p.764-777, June 2009
Katerina Argyraki , David R. Cheriton, Scalable network-layer defense against internet bandwidth-flooding attacks, IEEE/ACM Transactions on Networking (TON), v.17 n.4, p.1284-1297, August 2009
Lorenzo De Carli , Yi Pan , Amit Kumar , Cristian Estan , Karthikeyan Sankaralingam, PLUG: flexible lookup modules for rapid deployment of new protocols in high-speed routers, ACM SIGCOMM Computer Communication Review, v.39 n.4, October 2009
Matthias Baumgart , Christian Scheideler , Stefan Schmid, A DoS-resilient information system for dynamic data management, Proceedings of the twenty-first annual symposium on Parallelism in algorithms and architectures, August 11-13, 2009, Calgary, AB, Canada
Anjali Sardana , Ramesh Joshi, An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks, Computer Communications, v.32 n.12, p.1384-1399, July, 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.6 Internetworking


General Terms:
Design, Security


Keywords:
denial-of-service, internet

Collaborative Colleagues:
Xiaowei Yang: colleagues
David Wetherall: colleagues
Thomas Anderson: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player