CapMan: Capability-Based Defense against Multi-Path Denial of Service (DoS) Attacks in MANET

This paper presents a capability-based security mechanism called CapMan. Our approach is designed to prevent Denial-of-Service (DoS) attacks on wireless communications, particularly against multi-path communication in Mobile Ad-hoc Networks (MANETs). CapMan offers a mechanism for a per flow, distributed bandwidth control by all the participating nodes along multiple communication paths. By exchanging summary capability messages, each node can maintain a global view of the overall throughput of flows in the network, and then dynamically adjust local constraints to prevent potential DoS attacks against a specific node or the network. Our approach is capable of scalably curtailing sophisticated DoS attacks that target multi-path routing protocols, even in the case that both the initiator and the responder of a network flow are malicious insiders and collude to deprive the network of valuable resources. We provide a theoretical analysis of our algorithms and also evaluate the protection and overhead of our prototype using AOMDV for routing.