Title :
Mitigating Denial of Capability with An Notification Mechanism
Author :
Jin, Guang ; Yang, Jiangang ; Wei, Wei ; Dong, Yabo
Author_Institution :
Coll. of Comput. Sci. &Technol., Zhejiang Univ., Hangzhou
Abstract :
Denial-of-service (DoS) attacks are a major threat to Internet security. Among the numerous defense techniques, the recently proposed architecture-level capabilities scheme is a promising one. As a typical and comprehensive capabilities scheme, the traffic validation architecture (TVA) tries to limit DoS attacks essentially and completely. Yet its effectiveness suffers from a new kind of DoS attack, denial of capability (DoC), which takes place in the connection-setup step when clients send requests for capabilities. To overcome DoC attacks, their potential characteristics are analyzed in detail, and a notification-based mechanism is proposed to mitigate DoC attacks and enhance the robustness of TVA. A capability-enabled router should send a reverse notification carrying a special, unforgeable source identifier to the source when it has to drop a request packet under a DoC attack. The source then returns an enhanced request packet that includes the source identifier, which the router verifies. Because the enhanced request packet has a higher security level, it is processed in enhanced channels instead of the unprivileged channels. Moreover, enhanced requests are fair-queued per source instead of per path identifier (per-Pi) as in TVA. Theoretical analysis and simulation results show that the notification mechanism can suppress DoC attacks effectively and make the capabilities architecture more robust and practical.
Keywords :
Internet; security of data; telecommunication security; Internet security; capability-enabled router; denial of capability; denial-of-service attacks; notification-based mechanism; traffic validation architecture; Analytical models; Computer crime; Computer science; Educational institutions; IP networks; Information science; Information security; Internet; Next generation networking; Robustness;
Conference_Title :
Networking, Architecture, and Storage, 2007. NAS 2007. International Conference on
Conference_Location :
Guilin
Print_ISBN :
0-7695-2927-5
DOI :
10.1109/NAS.2007.38