On building inexpensive network capabilities

Authors:
Craig A. Shue;Andrew J. Kalafut;Mark Allman;Curtis R. Taylor
Affiliations:
Worcester Polytechnic Institute, Worcester, Massachusetts, USA;Grand Valley State University, Allendale, Michigan, USA;International Computer Science Institute, Berkeley, California, USA;Oak Ridge National Laboratory, Oak Ridge, Tennessee, USA
Venue:
ACM SIGCOMM Computer Communication Review
Year:
2012

Citing 11
Cited 3

A Precise and Efficient Evaluation of the Proximity Between Web Clients and Their Local DNS Servers

ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
Preventing Internet denial-of-service with capabilities

ACM SIGCOMM Computer Communication Review
Taming IP packet flooding attacks

ACM SIGCOMM Computer Communication Review
A system for authenticated policy-compliant routing

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
On the responsiveness of DNS-based network control

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Portcullis: protecting connection setup from denial-of-capability attacks

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
To filter or to authorize: network-layer DoS defense against multimillion-node botnets

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Protecting browsers from DNS rebinding attacks

ACM Transactions on the Web (TWEB)
TVA: a DoS-limiting network architecture

IEEE/ACM Transactions on Networking (TON)
Using strongly typed networking to architect for tussle

Hotnets-IX Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks
StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense

IEEE Journal on Selected Areas in Communications

Resolvers Revealed: Characterizing DNS Resolvers and their Clients

ACM Transactions on Internet Technology (TOIT)
On modern DNS behavior and properties

ACM SIGCOMM Computer Communication Review
On measuring the client-side DNS infrastructure

Proceedings of the 2013 conference on Internet measurement conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

There are many deployed approaches for blocking unwanted traffic, either once it reaches the recipient's network, or closer to its point of origin. One of these schemes is based on the notion of traffic carrying capabilities that grant access to a network and/or end host. However, leveraging capabilities results in added complexity and additional steps in the communication process: Before communication starts a remote host must be vetted and given a capability to use in the subsequent communication. In this paper, we propose a lightweight mechanism that turns the answers provided by DNS name resolution - which Internet communication broadly depends on anyway - into capabilities. While not achieving an ideal capability system, we show the mechanism can be built from commodity technology and is therefore a pragmatic way to gain some of the key benefits of capabilities without requiring new infrastructure.