TVA: a DoS-limiting Network Architecture
Xiaowei Yang, David Wetherall, Thomas Anderson
Abstract: We motivate the capability approach to network denial-of-service (DoS) attacks and evaluate the TVA architecture, which builds on capabilities. With our approach, rather than sending packets to any destination at any time, senders must first obtain "permission to send" from the receiver, which grants that permission in the form of capabilities to those senders whose traffic it agrees to accept. The senders then include these capabilities in their packets. This enables verification points distributed around the network to check that traffic has been authorized by the receiver and by the path in between, and hence to cleanly discard unauthorized traffic. To evaluate this approach, and to understand the detailed operation of capabilities, we developed a network architecture called TVA. TVA addresses a wide range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulations to show the effectiveness of TVA at limiting DoS floods, and an implementation on Click router
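The following is an added toy model of the capability flow the abstract describes, written for this page; it is not TVA's own design or code. It assumes a request channel on which a sender's first packet travels without a capability, each verification router stamping that packet with a short keyed tag (an HMAC over source, destination and an expiry, keyed by a per-router secret), and the receiver handing those tags back only to senders it agrees to hear from. The tag construction, the 10-second lifetime and the allow-list policy are assumptions for illustration, not details taken from the paper.

```python
"""Toy model of capability-based DoS filtering (illustrative, not TVA's design):
a sender first obtains permission from the receiver, carries it in each packet,
and routers on the path drop anything that is not authorized."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CAP_LIFETIME = 10  # seconds a capability stays valid (assumed value)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""
    is_request: bool = False
    # one (router name, expiry, tag) triple per verification point on the path
    capabilities: list = field(default_factory=list)


class VerificationRouter:
    """A verification point: stamps request packets, checks data packets."""

    def __init__(self, name: str):
        self.name = name
        self.secret = secrets.token_bytes(32)  # per-router key, never leaves the router

    def _tag(self, src: str, dst: str, expiry: int) -> bytes:
        # Binds the capability to the flow and to its lifetime (assumed construction).
        msg = f"{src}|{dst}|{expiry}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def forward(self, pkt: Packet, now: int) -> bool:
        """True if this router forwards the packet, False if it drops it."""
        if pkt.is_request:
            # Request channel: stamp a pre-capability for this src/dst pair.
            expiry = now + CAP_LIFETIME
            pkt.capabilities.append((self.name, expiry, self._tag(pkt.src, pkt.dst, expiry)))
            return True
        for name, expiry, tag in pkt.capabilities:
            if name != self.name:
                continue
            if now > expiry:
                return False  # stale capability: sender must re-request
            return hmac.compare_digest(tag, self._tag(pkt.src, pkt.dst, expiry))
        return False  # no capability for this router: unauthorized, drop


class Receiver:
    def __init__(self, addr: str, accept: set):
        self.addr = addr
        self.accept = accept  # policy: sources this host agrees to hear from

    def handle_request(self, pkt: Packet):
        """Return the path's stamps to the sender as its capabilities, or None to refuse."""
        if pkt.dst != self.addr or pkt.src not in self.accept:
            return None
        return list(pkt.capabilities)


def traverse(path, pkt: Packet, now: int) -> bool:
    """True if every verification router on the path forwards the packet."""
    return all(router.forward(pkt, now) for router in path)


def obtain_capabilities(path, receiver: Receiver, src: str, now: int):
    req = Packet(src=src, dst=receiver.addr, is_request=True)
    if not traverse(path, req, now):
        return None
    return receiver.handle_request(req)


def simulate() -> dict:
    """Constructed scenario: two routers between sender A and receiver B."""
    path = [VerificationRouter("R1"), VerificationRouter("R2")]
    bob = Receiver("B", accept={"A"})
    caps = obtain_capabilities(path, bob, "A", now=0)
    results = {}
    # An authorized sender with fresh capabilities gets through.
    results["authorized"] = traverse(path, Packet("A", "B", b"hello", capabilities=caps), now=5)
    # Spoofed flood: attacker forges A's address but holds no capabilities.
    results["spoofed_no_caps"] = traverse(path, Packet("A", "B", b"flood"), now=5)
    # Capabilities are bound to the destination: reuse toward another host fails.
    results["wrong_dst"] = traverse(path, Packet("A", "E", b"x", capabilities=caps), now=5)
    # Capabilities are bound to the source: reuse by another sender fails.
    results["wrong_src"] = traverse(path, Packet("C", "B", b"x", capabilities=caps), now=5)
    # Capabilities expire: stale ones are dropped until the sender re-requests.
    results["expired"] = traverse(path, Packet("A", "B", b"late", capabilities=caps), now=11)
    # A sender the receiver does not want to hear from is refused at request time.
    results["refused_request"] = obtain_capabilities(path, bob, "D", now=0) is None
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The point of the model is where the drop happens: every unauthorized packet is discarded at the first router, not at the victim, so a flood never reaches the host or the link in front of it. Two things a deployable design must handle that this toy deliberately skips are flooding of the request channel itself and bounding how much traffic a single capability authorizes; without both, the request path and the granted capabilities become the new targets.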