DocumentCode
3477242
Title
Dependable connection setup for network capabilities
Author
Lee, Sao Bum ; Gligor, Virgil D. ; Perrig, Adrian
Author_Institution
CyLab, Carnegie Mellon Univ., Carnegie Mellon, PA, USA
fYear
2010
fDate
June 28 2010-July 1 2010
Firstpage
301
Lastpage
310
Abstract
Network-layer capabilities offer strong protection against link flooding by authorizing individual flows with unforgeable credentials (i.e., capabilities). However, the capability-setup channel is vulnerable to flooding attacks that prevent legitimate clients from acquiring capabilities; i.e., in Denial of Capability (DoC) attacks. Based on the observation that the distribution of attack sources in the current Internet is highly non-uniform, we provide a router-level scheme that confines the effects of DoC attacks to specified locales or neighborhoods (e.g., one or more administrative domains of the Internet). Our scheme provides precise access guarantees for capability schemes, even in the face of flooding attacks. The effectiveness of our scheme is evaluated by ns2 simulations under different attack scenarios.
Keywords
Internet; authorisation; computer network security; Internet; access; attack sources; authorization; capability-setup channel; denial of capability attacks; dependable connection setup; flooding attacks; legitimate clients; link flooding; network-layer capabilities; ns2 simulations; protection; router-level scheme; unforgeable credentials; Aggregates; Authorization; Counting circuits; Filtering; Filters; Floods; Internet; Large-scale systems; Protection; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on
Conference_Location
Chicago, IL
Print_ISBN
978-1-4244-7500-1
Electronic_ISBN
978-1-4244-7499-8
Type
conf
DOI
10.1109/DSN.2010.5544303
Filename
5544303