A DoS-Limiting Network Architecture
Abstract
We present the design and evaluation of a network architecture that
limits the impact of Denial of Service (DoS) floods from the outset.
Our work builds on earlier work on capabilities in which senders
obtain short-term authorizations from receivers that they use to stamp
their packets. Unlike previous work, however, our design addresses
the full range of possible attacks against communication between pairs
of hosts, including spoofed packet floods, network and host
bottlenecks, and router state exhaustion. We use simulation to show
that attack traffic can only degrade legitimate traffic to a limited
extent, significantly outperforming previously proposed DoS
solutions. We use a modified Linux kernel implementation to argue that
our design can run on gigabit links using only inexpensive
off-the-shelf hardware. Our design is also easy to transition into
practice, providing incremental benefit for incremental deployment.
Papers
Xiaowei Yang, David Wetherall, and Tom Anderson, "A DoS-limiting
Network Architecture," SIGCOMM 2005. [PDF]
Xiaowei Yang, David Wetherall, and Tom Anderson, "TVA: A
DoS-limiting Network Architecture," submitted to ToN. [PDF]
Software
The source code used to produce our simulation results can be found here.