DefAT: Dependable Connection Setup for Network Capabilities

Abstract

Network-layer capabilities offer strong protection against link flooding by authorizing individual flows with unforgeable credentials (capabilities). However, the channel over which capabilities are set up is itself vulnerable to flooding attacks that prevent legitimate clients from acquiring capabilities; these are known as Denial of Capability (DoC) attacks. Based on the observation that the distribution of attack sources in the current Internet is highly non-uniform, we provide a router-level scheme, named DefAT (Defense via Aggregating Traffic), that confines the effects of DoC attacks to specified locales or neighborhoods (e.g., one or more administrative domains of the Internet). DefAT provides precise access guarantees for capability schemes even in the face of flooding attacks. The effectiveness of DefAT is shown in two ways. First, we illustrate the precise link-access guarantees provided by DefAT via ns2 simulations. Second, we show the effectiveness of DefAT in the current Internet via Internet-scale simulations using real Internet topologies and a real attack-source distribution.
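The following toy model, added here as an illustration and not the DefAT router algorithm described in the report, shows the general effect the abstract relies on: when a bottleneck forwards capability requests first-come, first-served, a flood from one neighborhood starves clients everywhere, whereas scheduling the request channel per source aggregate confines the damage to the neighborhood hosting the bots. The neighborhood names, request counts, and channel capacity are constructed values chosen for the example.

```python
"""Toy model of a capability-request channel at a bottleneck router.

Illustrative only: this is NOT the DefAT mechanism from the report. It
contrasts an undifferentiated (FIFO) request channel with one that
isolates source aggregates, to show why aggregation confines a
Denial-of-Capability flood to the attacker's own neighborhood.
"""
import random
from collections import defaultdict

# Hypothetical neighborhoods (e.g. administrative domains); names are assumptions.
NEIGHBORHOODS = ["AS-A", "AS-B", "AS-C", "AS-D"]
LEGIT_PER_NEIGHBORHOOD = 10   # legitimate clients requesting a capability
ATTACK_REQUESTS = 1000        # bot requests, all concentrated in AS-B
REQUEST_CAPACITY = 40         # request slots the bottleneck forwards per interval


def build_arrivals(seed=7):
    """Construct a synthetic batch of requests arriving at the bottleneck link."""
    reqs = []
    for nb in NEIGHBORHOODS:
        reqs += [{"agg": nb, "legit": True} for _ in range(LEGIT_PER_NEIGHBORHOOD)]
    reqs += [{"agg": "AS-B", "legit": False} for _ in range(ATTACK_REQUESTS)]
    random.Random(seed).shuffle(reqs)   # arrival order interleaves bots and clients
    return reqs


def fifo_admit(reqs, capacity):
    """Undifferentiated request channel: first-come, first-served."""
    return reqs[:capacity]


def aggregate_admit(reqs, capacity):
    """Isolated aggregates: round-robin, one request slot per neighborhood per turn.

    A flood inside one aggregate can only exhaust that aggregate's share;
    the other neighborhoods keep their slots.
    """
    queues = defaultdict(list)
    for r in reqs:
        queues[r["agg"]].append(r)
    admitted = []
    while len(admitted) < capacity and any(queues.values()):
        for nb in NEIGHBORHOODS:
            if queues[nb] and len(admitted) < capacity:
                admitted.append(queues[nb].pop(0))
    return admitted


def legit_admitted_by_neighborhood(admitted):
    """Count, per neighborhood, how many legitimate requests got through."""
    counts = {nb: 0 for nb in NEIGHBORHOODS}
    for r in admitted:
        if r["legit"]:
            counts[r["agg"]] += 1
    return counts


def compare(seed=7):
    """Run both schemes on the same arrival batch and return per-neighborhood results."""
    reqs = build_arrivals(seed)
    return {
        "fifo": legit_admitted_by_neighborhood(fifo_admit(reqs, REQUEST_CAPACITY)),
        "aggregate": legit_admitted_by_neighborhood(aggregate_admit(reqs, REQUEST_CAPACITY)),
    }


if __name__ == "__main__":
    for scheme, counts in compare().items():
        print(scheme, {nb: f"{c}/{LEGIT_PER_NEIGHBORHOOD}" for nb, c in counts.items()})
```

With the constructed numbers, the aggregate scheme admits every legitimate request from AS-A, AS-C and AS-D (10 slots each over 10 rounds), while AS-B's clients compete with the bots for AS-B's 10 slots; under FIFO, 40 slots are drawn from 1,040 arrivals, so clients in all four neighborhoods see roughly the same starvation. The model says nothing about how aggregates are identified or enforced at real routers, which is the report's contribution.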

Document Details

Document Type
Technical Report
Publication Date
Nov 23, 2011
Accession Number
ADA554350

Entities

People

  • Adrian Perrig
  • Soo Bum Lee
  • Virgil D. Gligor

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Access Time
  • Algorithms
  • Authentication
  • Computer Networks
  • Defense Mechanisms
  • Denial Of Service Attack
  • Electronic Mail
  • Floods
  • Guarantees
  • Information Operations
  • Internet
  • Network Protocols
  • Network Topology
  • Networks
  • Routing Protocols
  • Simulations
  • Topology

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Cybersecurity