
TVA: a DoS-limiting network architecture

Published: 01 December 2008

Abstract

We motivate the capability approach to network denial-of-service (DoS) attacks, and evaluate the Traffic Validation Architecture (TVA), which builds on capabilities. With our approach, rather than sending packets to any destination at any time, senders must first obtain "permission to send" from the receiver, which grants that permission in the form of capabilities to those senders whose traffic it agrees to accept. The senders then include these capabilities in their packets. This enables verification points distributed around the network to check that traffic has been authorized by the receiver and by the path in between, and hence to cleanly discard unauthorized traffic. To evaluate this approach, and to understand the detailed operation of capabilities, we developed a network architecture called TVA. TVA addresses a wide range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulations to show the effectiveness of TVA at limiting DoS floods, and an implementation on the Click router to evaluate the computational costs of TVA. We also discuss how to incrementally deploy TVA in practice.
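As an added example, not code from the paper, the following Python model walks through the exchange the abstract describes: each router on the path stamps a pre-capability into the sender's request, the receiver turns those stamps into capabilities by binding a byte budget N and a lifetime T, and every verification point then checks data packets statelessly using only its own secret. The token layout, the truncated 8-byte HMAC, and the three-router topology are this example's own assumptions rather than TVA's wire format; the byte budget is carried in the token but not enforced here.

```python
import hashlib, hmac

def _mac(key: bytes, msg: str) -> bytes:
    # Short keyed digest; 8 bytes keeps per-hop tokens small (a constructed choice).
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:8]

class Router:
    """A verification point; its secret is never shared with hosts or other routers."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def precap(self, src: str, dst: str, ts: int) -> bytes:
        # Stamped into a capability request: binds this hop to (src, dst, time).
        return _mac(self.secret, f"{src}|{dst}|{ts}")

    def verify(self, pkt: dict, now: int) -> bool:
        # Stateless check on a data packet: recompute the token a receiver grant
        # for this hop must carry and compare in constant time.
        cap = pkt["caps"].get(self.name)
        if cap is None or now > pkt["ts"] + pkt["T"]:
            return False
        pre = self.precap(pkt["src"], pkt["dst"], pkt["ts"])
        return hmac.compare_digest(cap, _mac(pre, f"{pkt['N']}|{pkt['T']}"))

def request(path, src: str, dst: str, ts: int) -> dict:
    # Sender's request travels the path; every hop appends its pre-capability.
    return {"src": src, "dst": dst, "ts": ts,
            "precaps": {r.name: r.precap(src, dst, ts) for r in path}}

def grant(req: dict, N: int, T: int) -> dict:
    # Receiver agrees to accept: it binds byte budget N and lifetime T to each
    # hop's pre-capability and returns the tokens for the sender to carry.
    return {"caps": {h: _mac(p, f"{N}|{T}") for h, p in req["precaps"].items()},
            "N": N, "T": T, "ts": req["ts"], "src": req["src"], "dst": req["dst"]}

def delivered(path, pkt: dict, now: int) -> bool:
    # True only if every verification point on the path accepts the packet.
    return all(r.verify(pkt, now) for r in path)

# Constructed topology: sender -> R1 -> R2 -> receiver, plus an off-path router R3.
R1, R2, R3 = Router("R1", b"s1"), Router("R2", b"s2"), Router("R3", b"s3")
PATH = [R1, R2]

def scenarios() -> dict:
    pkt = grant(request(PATH, "10.0.0.1", "10.0.0.9", ts=1000), N=100_000, T=10)
    return {"authorized": delivered(PATH, pkt, now=1005),
            "unsolicited": delivered(PATH, dict(pkt, caps={}), now=1005),
            "wrong_dst": delivered(PATH, dict(pkt, dst="10.0.0.7"), now=1005),
            "off_path": delivered([R1, R3], pkt, now=1005),
            "expired": delivered(PATH, pkt, now=1011)}
```

Only the packet the receiver actually authorized, carried along the path whose routers stamped the request, passes every check; the other four cases are dropped at the first hop whose recomputation fails.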

Published In

IEEE/ACM Transactions on Networking, Volume 16, Issue 6
December 2008
248 pages

Publisher

IEEE Press

Publication History

Published: 01 December 2008
Revised: 16 May 2007
Received: 25 October 2006
Published in TON Volume 16, Issue 6