
When End-to-end Hosts Using Network Capabilities

Posted on: 2008-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: X S Mo
Full Text: PDF
GTID: 2178360215957854
Subject: Computer software and theory
Abstract/Summary:
The Internet has been part of our lives for many years. Unfortunately, its benefits come with some pain: in the current Internet architecture, every end host can become a victim. Denial-of-service attacks consume the resources of a remote host or network. These attacks are simple to implement, difficult to prevent, and very difficult to trace back, so research on DDoS attacks has become a critical issue in network security. Recently, network capabilities have received attention as a method for combating DDoS attacks: destinations inform the routers in the network whether a packet is to be accepted or not. This cuts to the heart of the DDoS problem by letting destinations control the packets they receive. In such schemes, distributing the network capabilities is extremely important. This thesis addresses this problem in the following two areas:

1. For a private server it is very easy to distinguish legitimate users from attackers. We propose an ObD (Off-by-Default) mechanism based on out-of-band methods. Users send a capability-request packet to third parties trusted by the server, which authenticate the user's identity to decide whether or not to grant the capability. Once a user has obtained a capability, it is inserted into the packets sent to the server, and routers in the network validate those packets. The experimental results show that an attack affects legitimate traffic only to a limited extent.

2. Unfortunately, public servers cannot distinguish legitimate users from attackers, so attackers send large numbers of request packets in order to cause severe packet loss. We call this "denial-of-capabilities". This thesis divides traffic flows into regions based on IP address and uses address-aggregate queuing to serve the request packets. The experiment shows that a DDoS attack in one region does not affect the traffic of other regions, whereas in the current Internet architecture a flooding attack on the server disrupts ongoing connections as well.
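The address-aggregate queuing idea from point 2, as an added illustration that is not the thesis's own simulator: capability requests are bucketed by their source /16 aggregate into a fixed number of bounded per-region queues served round-robin, and the same constructed traffic (a flood from one /24 plus a handful of legitimate clients in another) is run through a single shared FIFO for comparison. Region count, queue depth, tick capacity and the two address ranges are constructed parameters, not values from the thesis.

```python
from collections import deque
from ipaddress import ip_address

NREGIONS = 8        # constructed: number of address-aggregate regions
QUEUE_LIMIT = 64    # constructed: per-region request buffer (shared FIFO gets 8x this)

def region_of(src_ip, prefix_bits=16):
    """Map a source address to a region by its /prefix_bits aggregate."""
    aggregate = int(ip_address(src_ip)) >> (32 - prefix_bits)
    return aggregate % NREGIONS

def simulate(ticks, capacity, arrivals, aggregate=True):
    """Queue capability requests for `ticks` rounds, serving `capacity` per tick.
    arrivals(tick) returns the source IPs requesting in that tick.
    aggregate=True: one bounded queue per region, served round-robin.
    aggregate=False: one shared bounded FIFO (the baseline to compare against).
    Returns {region: (served, dropped)}."""
    queues = [deque() for _ in range(NREGIONS if aggregate else 1)]
    limit = QUEUE_LIMIT if aggregate else QUEUE_LIMIT * NREGIONS
    stats = {}
    for t in range(ticks):
        for ip in arrivals(t):
            r = region_of(ip)
            s = stats.setdefault(r, [0, 0])
            q = queues[r if aggregate else 0]
            if len(q) < limit:
                q.append(r)          # remember the region for accounting
            else:
                s[1] += 1            # buffer full: request dropped
        budget = capacity
        while budget > 0 and any(queues):
            for q in queues:         # round-robin: one request per non-empty queue
                if q and budget > 0:
                    stats[q.popleft()][0] += 1
                    budget -= 1
    return {r: tuple(v) for r, v in stats.items()}

def constructed_arrivals(tick):
    """Constructed traffic per tick: 5 legitimate clients (192.0.2.0/24, region 0)
    and a 500-request flood from 198.51.100.0/24 (region 3)."""
    legit = [f"192.0.2.{i}" for i in range(1, 6)]
    flood = [f"198.51.100.{i % 254 + 1}" for i in range(500)]
    return legit + flood

if __name__ == "__main__":
    print("per-region:", simulate(10, 40, constructed_arrivals, aggregate=True))
    print("shared FIFO:", simulate(10, 40, constructed_arrivals, aggregate=False))
```

With per-region queues the legitimate region is served in full every tick while the flooded region absorbs all the drops; with the shared FIFO the legitimate requests sit behind the flood and only the first tick's batch is served within the run.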
Keywords/Search Tags:distributed denial-of-service, network capabilities, denial-of-capabilities, fair queuing, Stochastic address-aggregates queuing, Network simulation