A DoS-limiting network architecture

Published: 22 August 2005

Abstract

We present the design and evaluation of TVA, a network architecture that limits the impact of Denial of Service (DoS) floods from the outset. Our work builds on earlier work on capabilities in which senders obtain short-term authorizations from receivers that they stamp on their packets. We address the full range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulation to show that attack traffic can only degrade legitimate traffic to a limited extent, significantly outperforming previously proposed DoS solutions. We use a modified Linux kernel implementation to argue that our design can run on gigabit links using only inexpensive off-the-shelf hardware. Our design is also suitable for transition into practice, providing incremental benefit for incremental deployment.

Published In

ACM SIGCOMM Computer Communication Review, Volume 35, Issue 4: Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications. October 2005, 324 pages. ISSN: 0146-4833. DOI: 10.1145/1090191.

  • SIGCOMM '05: Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications. August 2005, 350 pages. ISBN: 1595930094. DOI: 10.1145/1080091.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 22 August 2005, in SIGCOMM-CCR Volume 35, Issue 4


Author Tags

  • denial-of-service
  • internet

Cited By

  • (2025) Revealing Protocol Architecture's Design Patterns in the Volumetric DDoS Defense Design Space. IEEE Communications Surveys & Tutorials 27(1):353-371. DOI: 10.1109/COMST.2024.3392253. Online publication date: 1 Feb 2025.
  • (2025) Collaborative DoS Defenses. Encyclopedia of Cryptography, Security and Privacy, pp. 374-378. DOI: 10.1007/978-3-030-71522-9_263. Online publication date: 8 Jan 2025.
  • (2024) GeckoNet - Self-Healing SDN Framework. 2024 23rd RoEduNet Conference: Networking in Education and Research (RoEduNet), pp. 1-6. DOI: 10.1109/RoEduNet64292.2024.10722172. Online publication date: 19 Sep 2024.
  • (2024) Potential smart grid vulnerabilities to cyber attacks: Current threats and existing mitigation strategies. Heliyon 10(19):e37980. DOI: 10.1016/j.heliyon.2024.e37980. Online publication date: Oct 2024.
  • (2022) Systematic Analysis of DDoS Attacks in Blockchain. 2022 24th International Conference on Advanced Communication Technology (ICACT), pp. 132-137. DOI: 10.23919/ICACT53585.2022.9728816. Online publication date: 13 Feb 2022.
  • (2022) SurgeProtector. Proceedings of the ACM SIGCOMM 2022 Conference, pp. 723-738. DOI: 10.1145/3544216.3544250. Online publication date: 22 Aug 2022.
  • (2022) Coda: Runtime Detection of Application-Layer CPU-Exhaustion DoS Attacks in Containers. IEEE Transactions on Services Computing, pp. 1-12. DOI: 10.1109/TSC.2022.3194266. Online publication date: 2022.
  • (2022) Preventing DDoS Flooding Attacks With Cryptographic Path Identifiers in Future Internet. IEEE Transactions on Network and Service Management 19(2):1690-1704. DOI: 10.1109/TNSM.2022.3147511. Online publication date: Jun 2022.
  • (2022) DoCile: Taming Denial-of-Capability Attacks in Inter-Domain Communications. 2022 IEEE/ACM 30th International Symposium on Quality of Service (IWQoS), pp. 1-10. DOI: 10.1109/IWQoS54832.2022.9812889. Online publication date: 10 Jun 2022.
  • (2022) Consent Routing: Towards Bilaterally Trusted Communication Paths. 2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pp. 1247-1257. DOI: 10.1109/ICDCS54860.2022.00122. Online publication date: Jul 2022.