![Page 1: 1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)](https://reader036.vdocuments.mx/reader036/viewer/2022081516/56649d575503460f94a36c5d/html5/thumbnails/1.jpg)
TVA: A DoS-limiting Network Architecture
Xiaowei Yang (UC Irvine), David Wetherall (Univ. of Washington)
Thomas Anderson (Univ. of Washington)
DoS is not even close to being solved
- Address validation is insufficient (botnets)
- Traceback is too little, too late (detection only)
- Pushback lacks discrimination (imprecise)
- Secure overlay filtering requires offline authenticators (public servers)
Capabilities are a promising approach
- Destination control: the destinations know better.
- Network filtering based on explicit and unforgeable packet state, i.e., capabilities: only the network can shed load before the damage has been done.
Anderson et al. [Anderson03], Yaar et al. [Yaar04]
Sketch of the capability approach
1. Source requests permission to send.
2. Destination authorizes source for a limited transfer, e.g., 32KB in 10 secs.
   • A capability is the proof of a destination's authorization.
3. Source places capabilities on packets and sends them.
4. Network filters packets based on capabilities.
Capabilities alone do not effectively limit DoS
Goal: minimize the damage of the arbitrary behavior of k attacking hosts.
Non-goal: make DoS impossible.
Problems:
1. Request or authorized packet floods
2. Added functionality in a router's forwarding path
3. Authorization policies
4. Deployment
TVA addresses all of the above.
Challenges
1. Counter a broad range of attacks, including request and authorized packet floods
2. Router processing with bounded state and computation
3. Effective authorization policies
4. Incrementally deployable
Request packet floods
Request packets do not carry capabilities.
Counter request packet floods (I)
Rate-limit request packets
Counter request packet floods (II)
Rate-limit request packets. Routers insert path identifier tags [Yaar03]. Fair queue requests using the most recent tags.
[Figure: per path-id queues, one per recent tag value.]
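The per-path-id fair queueing of this slide, together with the tag-space bound on the number of request queues from the "Bounded number of queues" slide, as an added example written for this page and not taken from the TVA authors' code. It assumes 16-bit tags, that a queue is keyed on the two most recent tags, that requests are dicts carrying a `tags` list, and the names `RequestScheduler`, `path_id` and `flood_demo`; dropping a request when the queue table is full is also an assumption.

```python
from collections import OrderedDict, deque

TAG_DEPTH = 2  # how many most-recent tags name a queue (an assumption)

def path_id(tags):
    """Queue key: the most recent TAG_DEPTH path-identifier tags carried by the request."""
    return tuple(tags[-TAG_DEPTH:])

class RequestScheduler:
    """Per-path-id fair queueing for request packets, which carry no capability."""
    def __init__(self, max_queues=1 << (16 * TAG_DEPTH)):
        self.queues = OrderedDict()  # path-id -> pending requests; count bounded by the tag space
        self.max_queues = max_queues
        self.dropped = 0

    def enqueue(self, req):
        pid = path_id(req["tags"])
        q = self.queues.get(pid)
        if q is None:
            if len(self.queues) >= self.max_queues:
                self.dropped += 1
                return False
            q = self.queues[pid] = deque()
        q.append(req)
        return True

    def drain(self, budget):
        """Forward at most `budget` requests this interval (the rate limit), taking one
        from each non-empty path-id queue in turn so no single path can take all of them."""
        out = []
        while self.queues and len(out) < budget:
            for pid in list(self.queues):
                if len(out) >= budget:
                    break
                out.append(self.queues[pid].popleft())
                if not self.queues[pid]:
                    del self.queues[pid]
        return out

def flood_demo(attack_requests=1000, legit_users=3, budget=10):
    """Constructed scenario: one path floods requests while each legitimate user has its own path."""
    s = RequestScheduler()
    for _ in range(attack_requests):
        s.enqueue({"src": "attacker", "tags": [1, 7, 3]})
    for i in range(legit_users):
        s.enqueue({"src": f"user{i}", "tags": [i, 10 + i]})
    served = s.drain(budget)
    return {"legit": sum(r["src"] != "attacker" for r in served),
            "attacker": sum(r["src"] == "attacker" for r in served)}
```

With a FIFO queue the 1000 flood requests would be forwarded before any of the three legitimate ones; keyed on path id, every legitimate request is forwarded in the first round.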
Authorized packet floods
Counter authorized packet floods
Per-destination queues. TVA bounds the number of queues.
Challenges
1. Counter a broad range of attacks, including request packet floods and authorized packet floods
2. Router processing with bounded state and computation
3. Effective authorization policies
TVA’s implementation of capabilities
Routers stamp pre-capabilities on request packets: (timestamp, hash(src, dst, key, timestamp)).
Destinations return fine-grained capabilities: (N, T, timestamp, hash(pre-cap, N, T)), meaning "send N bytes in the next T seconds", e.g. 32KB in 10 seconds.
[Figure: a request packet carrying pre-capabilities pre1 and pre2 stamped by successive routers; the destination's reply carries the corresponding capabilities cap1 and cap2.]
Validating fine-grained capabilities
1. A router verifies that the hash value is correct.
2. Checks for expiration: timestamp + T ≥ now
3. Checks for byte bound: sent + pkt_len ≤ N
[Figure: a data packet carrying cap1, cap2; each capability is (N, T, timestamp, hash(pre-cap, N, T)).]
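The stamping, issuance and validation steps of these two slides, as an added example written for this page rather than code from the TVA authors. It assumes HMAC-SHA256 truncated to 8 bytes as the keyed hash, a single router key, packets represented as dicts, and the names `stamp_precap`, `issue_capability`, `Slot`, `validate` and `demo`.

```python
import hashlib
import hmac

KEY = b"router-secret-key"  # the router's secret 'key' from the slides (constructed value)

def _h(*parts):
    """Keyed hash over the fields (HMAC-SHA256 cut to 8 bytes; the hash choice is an assumption)."""
    msg = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

def stamp_precap(src, dst, now):
    """Router: stamp (timestamp, hash(src, dst, key, timestamp)) on a request packet."""
    return (now, _h(src, dst, now))

def issue_capability(precap, n_bytes, t_secs):
    """Destination: (N, T, timestamp, hash(pre-cap, N, T)), i.e. send N bytes in the next T seconds."""
    ts, precap_hash = precap
    return (n_bytes, t_secs, ts, _h(precap_hash, n_bytes, t_secs))

class Slot:
    """Per-capability byte counter the router keeps for an active sender (the 'slot' of the next slides)."""
    def __init__(self):
        self.sent = 0

def validate(slot, pkt, now):
    """Router checks, in the slides' order: 1. hash correct, 2. timestamp + T >= now,
    3. sent + pkt_len <= N. The pre-capability is recomputed from the packet header and
    the router key, so a spoofed src/dst or an edited N or T fails check 1."""
    n, t, ts, cap_hash = pkt["cap"]
    expected = _h(_h(pkt["src"], pkt["dst"], ts), n, t)
    if not hmac.compare_digest(cap_hash, expected):
        return "bad-hash"
    if ts + t < now:
        return "expired"
    if slot.sent + pkt["len"] > n:
        return "over-limit"
    slot.sent += pkt["len"]
    return "ok"

def demo():
    """Constructed walk-through: a 32KB-in-10-seconds capability used with 1500-byte packets."""
    cap = issue_capability(stamp_precap("10.0.0.1", "10.0.0.2", now=100), 32 * 1024, 10)
    pkt = {"src": "10.0.0.1", "dst": "10.0.0.2", "len": 1500, "cap": cap}
    slot = Slot()
    verdicts = [validate(slot, pkt, now=105) for _ in range(22)]  # 22 * 1500 > 32768 bytes
    return {"first": verdicts[0], "last": verdicts[-1],
            "spoofed": validate(Slot(), dict(pkt, src="10.0.0.9"), now=105),
            "expired": validate(Slot(), pkt, now=111)}
```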
Bounded computation
The main computation overhead is hash validation.
On a Pentium Xeon 3.2GHz PC:
- Stamping pre-capabilities takes 460ns
- Validating capabilities takes 1486ns
Bounded state
Create a slot if a capability sends faster than N/T. For a link with a fixed capacity C, there are at most C/(N/T) such flows, so the number of slots is bounded by C/(N/T).
[Figure: a data packet carrying cap1, cap2, each (N, T, timestamp, hash(pre-cap, N, T)); the slot enforces sent + pkt_len ≤ N.]
Worst case byte bound is 2N in T seconds
[Figure: a timeline from 0 to T marked t1 to t5, with the points where a slot is created and where it expires (TTL). While no slot exists the capability's average rate is ≤ N/T, so over any interval t ≤ T it sends ≤ N bytes; while the slot exists, its counter enforces bytes ≤ N.]
If a slot expires, it indicates that a capability sends slower than N/T.
Bounded number of queues
Tag space bounds the number of request queues. Number of destination queues is bounded by C/R.
[Figure: inside a TVA router, requests go to the path-identifier queue, queued on the most recent tags; all other packets go through "Validate capability": Y, per-destination queue (regular packets); N, low priority queue (legacy packets).]
Keeps a queue if a destination receives faster than a threshold rate R.
Challenges
1. Counter a broad range of attacks, including request packet floods and authorized packet floods
2. Router processing with bounded state and computation
3. Effective authorization policies
Simple policies can be effective
Fine-grained capabilities tolerate authorization mistakes.
Client policy: authorize requests that match outgoing ones.
Public server policy: authorize all initial requests; stop misbehaving senders. A server has control over its incoming traffic when overload occurs.
Evaluation
Overview of different schemes
SIFF [Yaar04]: request and legacy traffic have the same priority; authorized traffic has a higher priority; time-limited capabilities.
Pushback [Mahajan01, Ioannidis02]: network-controlled filtering.
Legacy Internet: best-effort.
Ns-2 Simulation Setup
Scale down the topology to speed up simulations.
Two metrics:
- The transfer time of a fixed-length file (20KB)
- Fraction of completed transfers
[Figure: simulated topology with 10 legitimate users and 1-100 attackers sharing a 10Mb bottleneck to the destination, 1Mb links, and a colluder.]
TVA is able to limit legacy packet floods
[Plots comparing the legacy Internet, SIFF, pushback and TVA on the two metrics.]
TVA is able to limit request packet floods
[Plots for TVA on the two metrics.]
TVA is able to limit authorized packet floods
[Plots comparing SIFF and TVA on the two metrics.]
Simple policies can be effective
Conclusion
Key contribution: a comprehensive and practical capability system, for the first time.
We made TVA practical in three aspects:
- Counter a broad range of attacks
- Bounded state and computation
- Simple and effective authorization policies
Coming next:
- Testbed implementation
- Request rate limit, queuing scheme
- Robust service differentiation: traffic with different priority
Types of Queues inside a TVA-router
TVA bounds the number of queues.
[Figure: requests go to the path-identifier queue; all other packets go through "Validate capability": Y, per-destination queue (regular packets); N, low priority queue (legacy packets).]