Skip to main content

Technical Reports: CMU-CyLab-12-013

Title:Sanctuary Trail: Refuge from Internet DDoS Entrapment
Authors:Hsu-Chun Hsiao, Tiffany Hyun-Jin Kim, Sangjae Yoo, Xin Zhang, Soo Bum Lee, Virgil Gligor, and Adrian Perrig
Publication Date:June 7, 2012


We propose STRIDE, a new Internet architecture that provides strong DDoS defense mechanisms for both public services and private end-to-end communication. This new architecture presents several novel concepts including long-term static paths, bandwidth allocation through a top-down topology discovery protocol, dynamic bandwidth allocation via network capabilities, and differentiated packet prioritization. In concert, these mechanisms provide 1) a strong static class bandwidth guarantee, 2) strongly guaranteed capability establishment for private end-to-end communication, and a linear waiting time guarantee in the number of malicious source domains for capability establishment for public services, and 3) globally fair bandwidth allocation for capability-protected flows. STRIDE addresses the denial-of-capability problem and defends against a Coremelt attack by preventing a botnet from crowding out other flows on bottleneck network links. We demonstrate these properties through formal analysis and simulation.

Full Report: CMU-CyLab-12-013

Related Project : SCION: Scalability, Control, and Isolation On Next-Generation Networks