Mitigating Distributed Denial of Capability Attacks Using Sink Tree Based Quota Allocation
Paper i proceeding, 2010

Network capabilities have been proposed to prevent Distributed Denial of Service (DDoS) attacks proactively. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, essentially causing possible Denial-of-Capability (DoC). In this paper, we propose an algorithm to mitigate DoC attacks. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink tree architecture. Randomization and Bloom filters are used as tools against threats (attacking scenarios). We both analytically and experimentally show that legitimate hosts can get service with guaranteed probability. We also address issues on fault-tolerance and the deployment of the approach proposed.

Sink Tree




Zhang Fu

Chalmers, Data- och informationsteknik, Nätverk och system

Marina Papatriantafilou

Chalmers, Data- och informationsteknik, Nätverk och system

Philippas Tsigas

Chalmers, Data- och informationsteknik, Nätverk och system

Wei Wei

Norges teknisk-naturvitenskapelige universitet

In the Proceedings of 25th ACM Symposium on Applied Computing (SAC 2010)



Datavetenskap (datalogi)