Summary: Cookies Along Trust-Boundaries (CAT):
Accurate and Deployable Flood Protection
Martin Casado Aditya Akella Pei Cao Niels Provos Scott Shenker
Packet floods targeting a victim's incoming bandwidth are no-
toriously difficult to defend against. While a number of solu-
tions have been proposed, such as network capabilities, third-
party traffic scrubbing, and overlay-based protection, most suf-
fer from drawbacks that limit their applicability in practice.
We propose CAT, a new network-based flood protection
scheme. In CAT, all flows must perform a three-way handshake
with an in-network element to obtain permission to send data.
The three-way handshake dissuades source spoofing and estab-
lishes a unique handle for the flow, which can then be used for
revocation by the receiver. CAT offers the protection qualities
of network capabilities, and yet does not require major archi-
1 Background and Motivation