Title :
Dependable connection setup for network capabilities
Author :
Lee, Sao Bum ; Gligor, Virgil D. ; Perrig, Adrian
Author_Institution :
CyLab, Carnegie Mellon Univ., Carnegie Mellon, PA, USA
Date :
June 28 2010-July 1 2010
Abstract :
Network-layer capabilities offer strong protection against link flooding by authorizing individual flows with unforgeable credentials (i.e., capabilities). However, the capability-setup channel is vulnerable to flooding attacks that prevent legitimate clients from acquiring capabilities, i.e., Denial of Capability (DoC) attacks. Based on the observation that the distribution of attack sources in the current Internet is highly non-uniform, we provide a router-level scheme that confines the effects of DoC attacks to specified locales or neighborhoods (e.g., one or more administrative domains of the Internet). Our scheme provides precise access guarantees for capability schemes, even in the face of flooding attacks. The effectiveness of our scheme is evaluated by ns2 simulations under different attack scenarios.
Keywords :
Internet; authorisation; computer network security; Internet; access; attack sources; authorization; capability-setup channel; denial of capability attacks; dependable connection setup; flooding attacks; legitimate clients; link flooding; network-layer capabilities; ns2 simulations; protection; router-level scheme; unforgeable credentials; Aggregates; Authorization; Counting circuits; Filtering; Filters; Floods; Internet; Large-scale systems; Protection; Telecommunication traffic;
Conference_Title :
Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on
Conference_Location :
Chicago, IL
Print_ISBN :
978-1-4244-7500-1
Electronic_ISBN :
978-1-4244-7499-8
DOI :
10.1109/DSN.2010.5544303