There are many deployed approaches for blocking unwanted traffic, either once it reaches the recipient's network or closer to its point of origin. One of these schemes is based on the notion of traffic carrying capabilities that grant access to a network and/or end host. However, leveraging capabilities results in added complexity and additional steps in the communication process: before communication starts, a remote host must be vetted and given a capability to use in the subsequent communication. In this paper, we propose a lightweight mechanism that turns the answers provided by DNS name resolution (which Internet communication broadly depends on anyway) into capabilities. While the mechanism does not achieve an ideal capability system, we show that it can be built from commodity technology and is therefore a pragmatic way to gain some of the key benefits of capabilities without requiring new infrastructure.