Skip to main content

Technical Reports: CMU-CyLab-11-018

Title:DefAT: Dependable Connection Setup for Network Capabilities
Authors:Soo Bum Lee, Virgil D. Gligor, Adrian Perrig
Publication Date:November 23, 2011


Network-layer capabilities offer strong protection against link flooding by authorizing individual flows with unforgeable credentials (i.e., capabilities). However, the capability setup channel is vulnerable to flooding attacks that prevent legitimate clients from acquiring capabilities; i.e., in Denial of Capability (DoC) attacks. Based on the observation that the distribution of attack sources in the current Internet is highly non-uniform, we provide a router-level scheme, named DefAT (Defense via Aggregating Traffic), that confines the effects of DoC attacks to specified locales or neighborhoods (e.g., one or more administrative domains of the Internet). DefAT provides precise access guarantees for capability schemes, even in the face of flooding attacks. The effectiveness of DefAT is shown in two ways. First, we illstrate the precise link-access guarantees provided by DefAT via ns2 simulations. Second, we show the effectiveness of DefAT in the current Internet via Interent-scale simulations using real Internet topologies and attack distribution.

Full Report: CMU-CyLab-11-018