Preventing Internet denial-of-service with capabilities
- 1 January 2004
- journal article
- Published by Association for Computing Machinery (ACM) in ACM SIGCOMM Computer Communication Review
- Vol. 34 (1), 39-44
- https://doi.org/10.1145/972374.972382
Abstract
In this paper, we propose a new approach to preventing and constraining denial-of-service (DoS) attacks. Instead of being able to send anything to anyone at any time, in our architecture, nodes must first obtain "permission to send" from the destination; a receiver provides tokens, or capabilities, to those senders whose traffic it agrees to accept. The senders then include these tokens in packets. This enables verification points distributed around the network to check that traffic has been certified as legitimate by both endpoints and the path in between, and to cleanly discard unauthorized traffic. We show that our approach addresses many of the limitations of the currently popular approaches to DoS based on anomaly detection, traceback, and pushback. Further, we argue that our approach can be readily implemented in today's technology, is suitable for incremental deployment, and requires no more of a security infrastructure than that already needed to fix BGP's security weaknesses. Finally, our proposal facilitates innovation in application and networking protocols, something increasingly curtailed by existing DoS measures.