Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
The quest for security in mobile ad hoc networks
MobiHoc '01 Proceedings of the 2nd ACM international symposium on Mobile ad hoc networking & computing
Comparison of broadcasting techniques for mobile ad hoc networks
Proceedings of the 3rd ACM international symposium on Mobile ad hoc networking & computing
Controlling high bandwidth aggregates in the network
ACM SIGCOMM Computer Communication Review
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Defending Against Denial-of-Service Attacks with Puzzle Auctions
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Pi: A Path Identification Mechanism to Defend against DDoS Attacks
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
On-Demand Multi Path Distance Vector Routing in Ad Hoc Networks
ICNP '01 Proceedings of the Ninth International Conference on Network Protocols
Preventing Internet denial-of-service with capabilities
ACM SIGCOMM Computer Communication Review
Internet indirection infrastructure
IEEE/ACM Transactions on Networking (TON)
Countering DoS attacks with stateless multipath overlays
Proceedings of the 12th ACM conference on Computer and communications security
MISTRAL: efficient flooding in mobile ad-hoc networks
Proceedings of the 7th ACM international symposium on Mobile ad hoc networking and computing
Reliable broadcast in radio networks: the bounded collision case
Proceedings of the twenty-fifth annual ACM symposium on Principles of distributed computing
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Centertrack: an IP overlay network for tracking DoS floods
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Mayday: distributed filtering for internet services
USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Portcullis: protecting connection setup from denial-of-capability attacks
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
To filter or to authorize: network-layer DoS defense against multimillion-node botnets
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
TVA: a DoS-limiting network architecture
IEEE/ACM Transactions on Networking (TON)
Analytical models for understanding misbehavior and MAC friendliness in CSMA networks
Performance Evaluation
Aggregate and verifiably encrypted signatures from bilinear maps
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Evaluating a collaborative defense architecture for MANETs
IMSAA'09 Proceedings of the 3rd IEEE international conference on Internet multimedia services architecture and applications
Chorus: collision resolution for efficient wireless broadcast
INFOCOM'10 Proceedings of the 29th conference on Information communications
DIPLOMA: Distributed Policy Enforcement Architecture for MANETs
NSS '10 Proceedings of the 2010 Fourth International Conference on Network and System Security
dfence: transparent network-based denial of service mitigation
NSDI'07 Proceedings of the 4th USENIX conference on Networked systems design & implementation
Competition, cooperation, and optimization in Multi-Hop CSMA networks
Proceedings of the 8th ACM Symposium on Performance evaluation of wireless ad hoc, sensor, and ubiquitous networks
| Hi-index | 0.00 |
We present the design, implementation, and evaluation of CapMan, a capability-based security mechanism that prevents denial-of-service (DoS) attacks against mobile ad-hoc networks (MANETs). In particular, our approach is designed to mitigate insider attacks that exploit multi-path routing to flood with packets on other participating nodes in the network. CapMan is instantiated on every node and enforces capability limits that effectively regulate the traffic for all end-to-end network flows. Each capability is issued and advertised by the capability distribution module, and is globally maintained via the capability enforcement logic. By periodically exchanging small usage summaries, all cooperating nodes are informed of the global network state in a scalable and consistent manner. The distribution of summaries empowers individual nodes to make informed decisions and regulate traffic as dictated by the per-flow capabilities across multiple dynamic routing paths. We implemented a prototype of CapMan as a module of the NS2 simulator. We conducted extensive simulations with the prototype using AOMDV as the underlying multi-path routing protocol. Both theoretical analysis and experimental results validate that our mechanism can effectively curtail sophisticated DoS attacks that target multi-path routing in MANETs. We can protect the overall network health even when both the initiator and the responder are malicious insiders and collude in an attempt to deprive the network of valuable resources. Finally, our results show that CapMan introduces relatively small and configurable network overhead and imposes minimal impact on non-attacking traffic flows.