Mitigating Distributed Denial of Capability Attacks Using Sink Tree Based Quota Allocation
Paper in proceedings, 2010

Network capabilities have been proposed to prevent Distributed Denial of Service (DDoS) attacks proactively. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, essentially causing possible Denial-of-Capability (DoC). In this paper, we propose an algorithm to mitigate DoC attacks. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink tree architecture. Randomization and Bloom filters are used as tools against threats (attacking scenarios). We both analytically and experimentally show that legitimate hosts can get service with guaranteed probability. We also address issues on fault-tolerance and the deployment of the approach proposed.

Sink Tree

Denial-of-Capability

Denial-of-Service

Author

Zhang Fu

Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)

Marina Papatriantafilou

Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)

Philippas Tsigas

Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)

Wei Wei

Norwegian University of Science and Technology (NTNU)

In the Proceedings of 25th ACM Symposium on Applied Computing (SAC 2010)

713-718

Subject Categories

Computer Science

DOI

10.1145/1774088.1774234

ISBN

978-160558638-0

More information

Latest update

4/20/2018