[cap-talk] Capabilities at the network layer
Karp, Alan H
alan.karp at hp.com
Fri Sep 19 17:51:33 CDT 2008
The following is from someone else's notes on a talk given at SIGCOMM08.
To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets
Xin Liu (UC Irvine); Xiaowei Yang (UC Irvine); Yanbin Lu (UC Irvine)
Which approach works better against flooding DoS attacks from botnets?
* filtering-based approaches
  * receiver asks network to install filters blocking specific traffic
* authorization-based approaches (capabilities)
  * source requests permission to send, marks traffic with indication of permission (securely, to some extent)
Ongoing controversy over which approach works best
Compared approaches under various attacks
* tried to design better filter-based system, StopIt, to make comparison useful/fair
From their abstract: Our results show that StopIt outperforms existing filter-based systems, and can prevent legitimate communications from being disrupted by various DoS flooding attacks. It also outperforms capability-based systems in most attack scenarios, but a capability-based system is more effective in a type of attack that the attack traffic does not reach a victim, but congests a link shared by the victim. These results suggest that both filters and capabilities are highly effective DoS defense mechanisms, but neither is more effective than the other in all types of DoS attacks.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
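The two mechanisms the notes contrast, and the one scenario in which the abstract says capabilities do better, can be made concrete with a toy model. The code below is an added illustration for this thread, not the StopIt or TVA implementation from the paper and not the poster's code. It assumes a single bottleneck link, a capability token minted as a truncated HMAC under a router secret (`ROUTER_KEY`, constructed), per-destination sharing of the link among authorized traffic, and reactive filtering in which the victim can only ask the network to block sources whose packets actually reached it. The host names (`V`, `N`, `good`, `bot<i>`) and all rates are constructed. Two cases are simulated: bots flooding the victim directly, and bots flooding a colluding neighbour `N` behind the same link, so that the attack traffic never reaches `V`.

```python
import hmac
import hashlib
import random
from dataclasses import dataclass
from typing import Optional

# Toy model (constructed for illustration; not the paper's simulators).
LINK_CAPACITY = 100   # packets per round the shared bottleneck link forwards
LEGIT_RATE = 50       # packets per round the legitimate client sends to the victim
NUM_BOTS = 200        # each bot sends one packet per round
ROUNDS = 10
ROUTER_KEY = b"constructed-router-secret"  # assumption: secret used to mint/verify tokens


@dataclass
class Packet:
    src: str
    dst: str
    cap: Optional[bytes] = None  # capability token carried in the header, if any


def mint_capability(key: bytes, src: str, dst: str) -> bytes:
    """Token bound to (src, dst); truncated HMAC so a router can verify it statelessly."""
    return hmac.new(key, f"{src}->{dst}".encode(), hashlib.sha256).digest()[:8]


def valid(pkt: Packet, key: bytes) -> bool:
    """A packet is authorized only if its token matches the one for its own (src, dst)."""
    if pkt.cap is None:
        return False
    return hmac.compare_digest(pkt.cap, mint_capability(key, pkt.src, pkt.dst))


def capability_link(packets, key, rng):
    """Unauthorized packets are dropped before competing; authorized ones share the link per destination."""
    by_dst = {}
    for p in packets:
        if valid(p, key):
            by_dst.setdefault(p.dst, []).append(p)
    share = LINK_CAPACITY // max(1, len(by_dst))
    delivered = []
    for pkts in by_dst.values():
        rng.shuffle(pkts)
        delivered.extend(pkts[:share])
    return delivered


def filter_link(packets, filters, rng):
    """Packets matching an installed (src, dst) filter are dropped; the rest compete on equal terms."""
    admitted = [p for p in packets if (p.src, p.dst) not in filters]
    rng.shuffle(admitted)
    return admitted[:LINK_CAPACITY]


def simulate(scheme: str, attack_target: str, seed: int = 1):
    """Per-round fraction of the legitimate client's packets that reach victim 'V'."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(NUM_BOTS)]
    filters = set()            # (src, dst) pairs V has asked the network to block
    wanted_by_v = {"good"}     # sources V is willing to hear from
    # V grants a capability only to 'good'. If the flood targets the colluding
    # neighbour 'N', assume N grants every bot (worst case for the defender).
    grants = {("good", "V")}
    if attack_target != "V":
        grants |= {(b, attack_target) for b in bots}
    ratios = []
    for _ in range(ROUNDS):
        packets = [Packet("good", "V") for _ in range(LEGIT_RATE)]
        packets += [Packet(b, attack_target) for b in bots]
        if scheme == "capability":
            for p in packets:
                if (p.src, p.dst) in grants:
                    p.cap = mint_capability(ROUTER_KEY, p.src, p.dst)
            delivered = capability_link(packets, ROUTER_KEY, rng)
        else:
            delivered = filter_link(packets, filters, rng)
            # Filtering is reactive: V can only name sources whose packets reached it.
            for p in delivered:
                if p.dst == "V" and p.src not in wanted_by_v:
                    filters.add((p.src, p.dst))
        got = sum(1 for p in delivered if p.dst == "V" and p.src == "good")
        ratios.append(got / LEGIT_RATE)
    return ratios


def compare():
    """Final-round legitimate delivery ratio for each scheme in each attack scenario."""
    return {
        "filter, flood on V": simulate("filter", "V")[-1],
        "capability, flood on V": simulate("capability", "V")[-1],
        "filter, flood on shared-link neighbour N": simulate("filter", "N")[-1],
        "capability, flood on shared-link neighbour N": simulate("capability", "N")[-1],
    }


if __name__ == "__main__":
    for scenario, ratio in compare().items():
        print(f"{scenario:45s} legit delivered = {ratio:.2f}")
```

In the direct flood, filtering catches up within a few rounds because every bot packet that reaches `V` gives it a source to block; in the shared-link case the victim never sees a bot packet, so it has nothing to ask the network to filter and its traffic keeps losing the contention for the link, while the per-destination share that authorization enables keeps the victim's flow whole regardless of what the colluding neighbour grants. The per-destination sharing rule and the colluding grant are modelling choices, not claims about how StopIt or any specific capability system allocates bandwidth.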