Bypassing Network Flooding Attacks using FastPass

Authors

  • Dan Wendlandt
  • David G. Andersen
  • Adrian Perrig

Abstract

We describe the design and implementation of FastPass, a next-generation network architecture that thwarts bandwidth flooding attacks by providing destinations with fine-grained control over their upstream network capacity. Prior attempts to achieve network flood resilience have required destinations to successfully receive an initial unprotected packet (capability-based designs) or have relied upon global cooperation (filtering-based designs). FastPass requires neither. Instead, it allows destinations to distribute cryptographic availability tokens to potential senders that instruct routers to prioritize a limited rate of traffic from the sender in the case of network congestion. In contrast to prior architectures, we show that availability tokens provide two highly desirable DoS resilience properties: (1) hosts capable of identifying legitimate users can quickly communicate regardless of the size of the attack directed against them; and (2) hosts unable to differentiate between legitimate and malicious senders can strictly limit the ability of attackers to overwhelm incoming network capacity.

Similar resources

FastPass: Providing First-Packet Delivery

This paper introduces FastPass, an architecture that thwarts flooding attacks by providing destinations with total control over their upstream network capacity. FastPass explores an extreme design point, providing complete resistance to directed flooding attacks. FastPass builds upon prior work on network capabilities and addresses the oft-noted problem that in such schemes, a sender must first...

Cross-domain DoS link-flooding attack detection and mitigation using SDN principles

The Denial of Service (DoS) attacks pose a major threat to Internet users and services. Since the network security ecosystem is expanding over the years, new types of DoS attacks emerge. The DoS link-flooding attacks target to severely congest certain network links disrupting Internet accessibility to certain geographical areas and services passing through these links. Since crucial services li...

Anomaly Based Intrusion Detection Systems Using SNMP Data

This paper discusses a statistical algorithm to detect DOS attacks on computer networks. DOS attacks hamper the network by making resources unavailable to genuine users. The algorithm presented here uses SNMP data in order to detect incoming flooding attack on a computer or network. The data to be monitored depends on the class of flooding attacks that is intended to be detected. In this paper w...

Securing Mobile Ad Hoc Networks Using Danger Theory-Based Artificial Immune Algorithm

A mobile ad hoc network (MANET) is a set of mobile, decentralized, and self-organizing nodes that are used in special cases, such as in the military. MANET properties render the environment of this network vulnerable to different types of attacks, including black hole, wormhole and flooding-based attacks. Flooding-based attacks are one of the most dangerous attacks that aim to consume all netwo...

Impact of AODV under Black Hole and Flooding Attack

Mobile Ad Hoc Networks (MANETs) is a collection of wireless mobile nodes connected by wireless links forming a temporary network without the aid of any infrastructure or any centralized administration. Owing to its mobility and broadcast nature MANETs are particularly vulnerable to attacks over traditional wired networks finally makes them susceptible to various active and passive attacks. In p...

Publication date: 2006