TVA: A DoS-limiting network architecture
We motivate the capability approach to network denial-of-service (DoS) attacks, and evaluate the Traffic Validation Architecture (TVA) architecture which builds on capabilities. With our approach, rather than send packets to any destination at any time, senders must first obtain "permission to send" from the receiver, which provides the permission in the form of capabilities to those senders whose traffic it agrees to accept. The senders then include these capabilities in packets. This enables verification points distributed around the network to check that traffic has been authorized by the receiver and the path in between, and hence to cleanly discard unauthorized traffic. To evaluate this approach, and to understand the detailed operation of capabilities, we developed a network architecture called TVA. TVA addresses a wide range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulations to show the effectiveness of TVA at limiting DoS floods, and an implementation on Click router to evaluate the computational costs of TVA. We also discuss how to incrementally deploy TVA into practice. © 2008 IEEE.
Duke Scholars
Altmetric Attention Stats
Dimensions Citation Stats
Published In
DOI
ISSN
Publication Date
Volume
Issue
Start / End Page
Related Subject Headings
- Networking & Telecommunications
- 4606 Distributed computing and systems software
- 4006 Communications engineering
- 1005 Communications Technologies
- 0906 Electrical and Electronic Engineering
- 0805 Distributed Computing
Citation
Published In
DOI
ISSN
Publication Date
Volume
Issue
Start / End Page
Related Subject Headings
- Networking & Telecommunications
- 4606 Distributed computing and systems software
- 4006 Communications engineering
- 1005 Communications Technologies
- 0906 Electrical and Electronic Engineering
- 0805 Distributed Computing