This preview shows pages 1–2. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: NetFence: Preventing Internet Denial of Service from Inside Out Xin Liu Dept. of Computer Science Duke University firstname.lastname@example.org Xiaowei Yang Dept. of Computer Science Duke University email@example.com Yong Xia Networking Systems Group NEC Labs China firstname.lastname@example.org ABSTRACT Denial of Service (DoS) attacks frequently happen on the Inter- net, paralyzing Internet services and causing millions of dollars of financial loss. This work presents NetFence, a scalable DoS- resistant network architecture. NetFence uses a novel mechanism, secure congestion policing feedback, to enable robust congestion policing inside the network. Bottleneck routers update the feed- back in packet headers to signal congestion, and access routers use it to police senders traffic. Targeted DoS victims can use the secure congestion policing feedback as capability tokens to suppress un- wanted traffic. When compromised senders and receivers organize into pairs to congest a network link, NetFence provably guaran- tees a legitimate sender its fair share of network resources without keeping per-host state at the congested link. We use a Linux imple- mentation, ns-2 simulations, and theoretical analysis to show that NetFence is an effective and scalable DoS solution: it reduces the amount of state maintained by a congested router from per-host to at most per-(Autonomous System). Categories and Subject Descriptors C.2.1 [ Computer-Communication Networks ]: Network Archi- tecture and Design; C.2.6 [ Computer-Communication Networks ]: Internetworking General Terms Design, Security Keywords Internet, Denial-of-Service, Capability, Congestion Policing 1. INTRODUCTION Large-scale Denial of Service (DoS) attacks remain as a po- tent threat to the Internet. A survey from Arbor Networks shows that DoS attacks continue to grow in both scale and sophistica- tion . The largest observed attack reached 49Gbps in 2009, a 104% growth over the past two years. The survey also ranks DoS attacks as the largest anticipated threat in the next 12 months. This Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIGCOMM10, August 30September 3, 2010, New Delhi, India. Copyright 2010 ACM 978-1-4503-0201-2/10/08 ...$10.00. result is not surprising, as tens of gigabits flooding traffic could easily overwhelm most links, routers, or sites on the Internet....
View Full Document