Combinatorial design of congestion-free networks. IEEE/ACM Transactions on Networking (TON).
ACM Transactions on Computer Systems (TOCS).
Controlling high bandwidth aggregates in the network. ACM SIGCOMM Computer Communication Review.
IEEE/ACM Transactions on Networking (TON).
A system for authenticated policy-compliant routing. Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications.
Source selectable path diversity via routing deflections. Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications.
MIRO: multi-path interdomain routing. Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications.
Active internet traffic filtering: real-time response to denial-of-service attacks. ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference.
Portcullis: protecting connection setup from denial-of-capability attacks. Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications.
NIRA: a new inter-domain routing architecture. IEEE/ACM Transactions on Networking (TON).
Proceedings of the ACM SIGCOMM 2008 conference on Data communication.
To filter or to authorize: network-layer DoS defense against multimillion-node botnets. Proceedings of the ACM SIGCOMM 2008 conference on Data communication.
TVA: a DoS-limiting network architecture. IEEE/ACM Transactions on Networking (TON).
Proceedings of the ACM SIGCOMM 2009 conference on Data communication.
ESORICS'09 Proceedings of the 14th European conference on Research in computer security.
FLoc: Dependable Link Access for Legitimate Traffic in Flooding Attacks. ICDCS '10 Proceedings of the 2010 IEEE 30th International Conference on Distributed Computing Systems.
NetFence: preventing internet denial of service from inside out. Proceedings of the ACM SIGCOMM 2010 conference.
R-BGP: staying connected in a connected world. NSDI'07 Proceedings of the 4th USENIX conference on Networked systems design & implementation.
SCION: Scalability, Control, and Isolation on Next-Generation Networks. SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy.
Verifying and enforcing network paths with ICING. Proceedings of the Seventh COnference on emerging Networking EXperiments and Technologies.
How well can congestion pricing neutralize denial of service attacks? Proceedings of the 12th ACM SIGMETRICS/PERFORMANCE joint international conference on Measurement and Modeling of Computer Systems.
The rate-based flow control framework for the available bit rate ATM service. IEEE Network: The Magazine of Global Internetworking.
We propose STRIDE, a new DDoS-resilient Internet architecture that isolates attack traffic through viable bandwidth allocation, preventing a botnet from crowding out legitimate flows. This new architecture presents several novel concepts, including tree-based bandwidth allocation and long-term static paths with guaranteed bandwidth. In concert, these mechanisms provide domain-based bandwidth guarantees within a trust domain (administrative domains grouped within a legal jurisdiction with enforceable accountability); each administrative domain in the trust domain can then internally split such guarantees among its end hosts to provide (1) connection establishment with high probability, and (2) precise bandwidth guarantees for established flows, regardless of the size or distribution of the botnet outside the source and destination domains. Moreover, STRIDE maintains no per-flow state on backbone routers and requires no key establishment across administrative domains. We demonstrate that STRIDE achieves these DDoS defense properties through formal analysis and simulation. We also show that, based on these properties, STRIDE mitigates emerging DDoS threats such as Denial-of-Capability (DoC) [6] and N2 attacks [22], which none of the existing DDoS defense mechanisms can achieve.