NetFence
- 16 August 2010
- journal article
- conference paper
- Published by Association for Computing Machinery (ACM) in ACM SIGCOMM Computer Communication Review
- Vol. 40 (4), 255-266
- https://doi.org/10.1145/1851275.1851214
Abstract
Denial of Service (DoS) attacks frequently happen on the Internet, paralyzing Internet services and causing millions of dollars of financial loss. This work presents NetFence, a scalable DoS-resistant network architecture. NetFence uses a novel mechanism, secure congestion policing feedback, to enable robust congestion policing inside the network. Bottleneck routers update the feedback in packet headers to signal congestion, and access routers use it to police senders' traffic. Targeted DoS victims can use the secure congestion policing feedback as capability tokens to suppress unwanted traffic. When compromised senders and receivers organize into pairs to congest a network link, NetFence provably guarantees a legitimate sender its fair share of network resources without keeping per-host state at the congested link. We use a Linux implementation, ns-2 simulations, and theoretical analysis to show that NetFence is an effective and scalable DoS solution: it reduces the amount of state maintained by a congested router from per-host to at most per-(Autonomous System).