Mitigating Distributed Denial of Capability Attacks Using Sink Tree Based Quota Allocation
Paper in proceeding, 2010
Network capabilities have been proposed to prevent Distributed Denial of Service (DDoS) attacks proactively. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, essentially causing possible Denial-of-Capability (DoC).
In this paper, we propose an algorithm to mitigate DoC attacks. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink tree architecture.
Randomization and Bloom filters are used as tools against threats (attacking scenarios). We both analytically and experimentally show that legitimate hosts can get service with guaranteed probability. We also address issues on fault-tolerance and the deployment of the approach proposed.
Sink Tree
Denial-of-Capability
Denial-of-Service
Author
Zhang Fu
Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)
Marina Papatriantafilou
Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)
Philippas Tsigas
Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)
Wei Wei
Norwegian University of Science and Technology (NTNU)
In the Proceedings of 25th ACM Symposium on Applied Computing (SAC 2010)
713-718
978-160558638-0 (ISBN)
Subject Categories
Computer Science
DOI
10.1145/1774088.1774234
ISBN
978-160558638-0