TVA

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

TVA: a DoS-limiting network architecture

Full text

Pdf (628 KB)

Source

IEEE/ACM Transactions on Networking (TON) archive
Volume 16 , Issue 6 (December 2008) table of contents

Pages 1267-1280

Year of Publication: 2008

ISSN:1063-6692

Authors

Xiaowei Yang	University of California, Irvine, CA
David Wetherall	University of Washington and Intel Research Seattle, Seattle, WA
Thomas Anderson	Department of Computer Science and Engineering, University of Washington, Seattle, WA

Publisher

IEEE Press Piscataway, NJ, USA

Bibliometrics

Downloads (6 Weeks): 14, Downloads (12 Months): 85, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	10.1109/TNET.2007.914506

ABSTRACT

We motivate the capability approach to network denial-of-service (DoS) attacks, and evaluate the Traffic Validation Architecture (TVA) architecture which builds on capabilities. With our approach, rather than send packets to any destination at any time, senders must first obtain "permission to send" from the receiver, which provides the permission in the form of capabilities to those senders whose traffic it agrees to accept. The senders then include these capabilities in packets. This enables verification points distributed around the network to check that traffic has been authorized by the receiver and the path in between, and hence to cleanly discard unauthorized traffic. To evaluate this approach, and to understand the detailed operation of capabilities, we developed a network architecture called TVA. TVA addresses a wide range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulations to show the effectiveness of TVA at limiting DoS floods, and an implementation on Click router to evaluate the computational costs of TVA. We also discuss how to incrementally deploy TVA into practice.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Appendix [Online]. Available: http://www.ics.uci.edu/xwy/publications/tva-appendix.pdf
	2	David G. Andersen, Mayday: distributed filtering for internet services, Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems, p.3-3, March 26-28, 2003, Seattle, WA
	3	T. Anderson, T. Roscoe, and D.Wetherall, "Preventing Internet denial of service with capabilities," in Proc. HotNets-II, Nov. 2003.
	4	Katerina Argyraki , David R. Cheriton, Active internet traffic filtering: real-time response to denial-of-service attacks, Proceedings of the annual conference on USENIX Annual Technical Conference, p.10-10, April 10-15, 2005, Anaheim, CA
	5	K. Argyraki and D. R. Cheriton, "Network capabilities: The good, the bad and the ugly," in Proc. ACM HotNets, 2005.
	6	H. Ballani, Y. Chawathe, S. Ratnasamy, T. Roscoe, and S. Shenker, "Off by default," in Proc. Hotnets-IV, 2005.
	7	Paul Barford , Jeffery Kline , David Plonka , Amos Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637210]
	8	Jon C. R. Bennett , Hui Zhang, Hierarchical packet fair queueing algorithms, IEEE/ACM Transactions on Networking (TON), v.5 n.5, p.675-689, Oct. 1997 [doi>10.1109/90.649568]
	9	Robert Beverly , Steven Bauer, The spoofer project: inferring the extent of source address filtering on the internet, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.8-8, July 07, 2005, Cambridge, MA
	10	The CAPTCHA Project. [Online]. Available: http://www.captcha.net/
	11	Martin Casado , Aditya Akella , Pei Cao , Niels Provos , Scott Shenker, Cookies along trust-boundaries (CAT): accurate and deployable flood protection, Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet, p.3-3, July 07, 2006, San Jose, CA
	12	P. Ferguson , D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, RFC Editor, 2000
	13	Mark Handley , Adam Greenhalgh, Steps towards a DoS-resistant internet architecture, Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture, August 30-30, 2004, Portland, Oregon, USA [doi>10.1145/1016707.1016717]
	14	Alireza Hodjat , David D. Hwang , Bocheng Lai , Kris Tiri , Ingrid Verbauwhede, A 3.84 gbits/s AES crypto coprocessor with modes of operation in a 0.18-μm CMOS technology, Proceedings of the 15th ACM Great Lakes symposium on VLSI, April 17-19, 2005, Chicago, Illinois, USA [doi>10.1145/1057661.1057677]
	15	Alefiya Hussain , John Heidemann , Christos Papadopoulos, A framework for classifying denial of service attacks, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany [doi>10.1145/863955.863968]
	16	J. Ioannidis and S. Bellovin, "Implementing pushback: Router-based defense against DoS attacks," in Proc. NDSS, 2002.
	17	Srikanth Kandula , Dina Katabi , Matthias Jacob , Arthur Berger, Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds, Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation, p.287-300, May 02-04, 2005
	18	Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	19	Eddie Kohler , Robert Morris , Benjie Chen , John Jannotti , M. Frans Kaashoek, The click modular router, ACM Transactions on Computer Systems (TOCS), v.18 n.3, p.263-297, Aug. 2000 [doi>10.1145/354871.354874]
	20	S. Machiraju, M. Seshadri, and I. Stoica, "A scalable and robust solution for bandwidth allocation," in IWQoS'02, 2002.
	21	Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002 [doi>10.1145/571697.571724]
	22	P. McKenney, "Stochastic fairness queuing," in Proc. IEEE INFOCOM , 1990, pp. 733-740.
	23	Alfred J. Menezes , Scott A. Vanstone , Paul C. Van Oorschot, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, 1996
	24	D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "The spread of the Sapphire/Slammer worm," Jan. 2003 [Online]. Available: http://www.cs.berkeley.edu/nweaver/sapphire/
	25	David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637244]
	26	David Moore , Geoffrey M. Voelker , Stefan Savage, Inferring internet denial-of-service activity, Proceedings of the 10th conference on USENIX Security Symposium, p.2-2, August 13-17, 2001, Washington, D.C.
	27	L. Peterson, D. Culler, T. Anderson, and T. Roscoe, "A blueprint for introducing disruptive technology into the Internet," in Proc. HotNets-I, 2002.
	28	Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
	29	M. Shreedhar , George Varghese, Efficient fair queueing using deficit round robin, Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication, p.231-242, August 28-September 01, 1995, Cambridge, Massachusetts, United States
	30	Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
	31	D. Song and A. Perrig, "Advanced and authenticated marking schemes for IP traceback," in Proc. IEEE INFOCOM, 2001, pp. 878-886.
	32	D. Wendlandt, D. G. Andersen, and A. Perrig, "FastPass: Providing first-packet delivery," CMU CYLAB, Tech. Rep., 2006.
	33	Abraham Yaar , Adrian Perrig , Dawn Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.93, May 11-14, 2003
	34	A. Yaar, A. Perrig, and D. Song, "SIFF: A stateless Internet flow filter to mitigate DDoS flooding attacks," in Proc. IEEE Symp. Security and Privacy, 2004, pp. 130-143.
	35	Xiaowei Yang , David Wetherall , Thomas Anderson, A DoS-limiting network architecture, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
	36	Yin Zhang , Lee Breslau , Vern Paxson , Scott Shenker, On the characteristics and origins of internet flow rates, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA