Fine-Grained Capabilities for Flooding DDoS Defense Using Client Reputations


Maitreya Natu, University of Delaware, 103 Smith Hall, Newark, DE 19716, USA, natu@is.udel.edu
Jelena Mirkovic, University of Delaware, 103 Smith Hall, Newark, DE 19716, USA, sunshine@is.udel.edu

ABSTRACT
Recently proposed capability mechanisms offer one part of the answer to the DDoS problem. They empower the victim to control the traffic it receives by selectively granting access to well-behaved clients via short-lived tickets. One major question still remains unanswered: how can victims distinguish between well-behaved and ill-behaved clients during the ticket-granting process? This paper offers one possible answer to this question, while also refining the basic capability mechanism. We propose the following novel features: (1) Reputation-based ticket-granting: the long-term behavior of a client influences whether future tickets will be granted; (2) Fine-grained capabilities, which authorize access to the victim at a specified priority level based on a client's prior behavior; (3) Destination-based capabilities, granted by the defense located at the victim; this reduces operational cost and breaks the dependence of tickets on routes.

Categories and Subject Descriptors: K.6.5 Management of Computing and Information Systems: Security and Protection
General Terms: Management, Measurement, Security.
Keywords: Distributed denial of service defense, Packet capabilities, Dynamic packet stamping, Traffic policing.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. LSAD'07, August 27, 2007, Kyoto, Japan. Copyright 2007 ACM 978-1-59593-785-8/07/0008...$5.00.

1. INTRODUCTION
With the increase in network usage for business, leisure and time-critical activities, distributed denial-of-service (DDoS) attacks have become an increasing threat. Numerous research and commercial endeavors to design effective DDoS defenses have led to the following insights: (1) A defense needs to be deployed at or near the victim, where the economic incentive lies. Further, a victim is in the best position to determine if a client's traffic is malicious or benign, and thus has the most accurate information about what to filter. (2) A victim-end defense must be lightweight to support fast packet processing during an attack; otherwise it may become a target of the attack itself. (3) Because a victim may be overwhelmed by a large-scale attack, mechanisms are needed to facilitate attack traffic filtering by upstream routers. This means that a victim must somehow communicate to the routers the information needed to discriminate between benign and malicious traffic. The discrimination process must also be lightweight, minimizing router CPU and memory cost.

Recently proposed capability mechanisms, such as SIFF [8] and TVA [9], embody these desirable DDoS defense properties in the following manner. Routers on the path to the victim build tickets (capabilities) cooperatively by appending a hash of the source and destination address, and a router secret, to each packet that does not already carry a ticket. A destination decides to grant access to a client based on some private policy, and returns tickets to chosen clients. Tickets are granted for a limited period of time (time-based) [8] or for a limited amount of traffic (traffic-based) [9] and carry expiration information. An accepted client appends the ticket to future packets, and routers verify tickets and provide high-priority handling to ticketed traffic. Ticket verification is lightweight since a router only needs to recalculate the hash and verify that it is equal to the router's portion of the ticket contained in the packet.
Thus routers pay a moderate CPU cost. Memory cost is only paid in the case of traffic-based tickets, to keep statistics of ticket usage. Time-based tickets incur no memory cost.

While current capability mechanisms show great promise with regard to defense effectiveness and a reasonable operational cost, they suffer from the following deficiencies that we address in this paper:

1. Lack of mechanisms for automated ticket granting: Neither SIFF [8] nor TVA [9] addresses the question of mechanisms for distinguishing between legitimate and malicious clients. This is a challenging task in the case of public servers, where all clients are equal and no prior trust exists between a given client and the server. The only possible approach in this case is to grant short-term access to each new client and evaluate its behavior during this time. Well-behaved clients earn the right to future tickets, while ill-behaved clients are shunned. We propose one possible approach to record a client's long-term behavior and incorporate this knowledge into the ticket-granting process. We associate degrees of trust with the clients by assigning a credit and a penalty to each client based on its long-term behavior. Credit is used to identify aggressive attackers; during congestion, the credit of an active client is decreased proportionally to the amount of traffic it contributes to the congestion. However, credit assignment alone cannot deal with distributed attacks where each malicious client sends traffic at a very low rate. To handle such attacks, we assume that a legitimate client's response to packet drops will be more prominent than the malicious client's, and we assign penalties to clients that do not respond appropriately to packet drops. Jointly, the client's credit and penalty are used for its traffic policing and to decide whether future tickets should be granted.

[Figure 1: Components of the proposed defense]

2. Binary capabilities: Possession of a ticket grants full access to the victim while the ticket is valid, thus all admitted clients have equal priority. This enables sophisticated attacks where malicious clients first obtain tickets and then launch attacks. If attackers send traffic at a low rate, they may even be granted future tickets, perpetuating the attack. We propose fine-grained capabilities that carry a priority label, dependent on a client's long-term behavior. This enables us to penalize clients for any suspicious behavior, and to provide guaranteed high-quality service to consistently well-behaved clients in the case of sophisticated attacks.

3. Route-dependent capabilities: Because routers on the path participate in ticket generation, tickets are route-dependent and will lead to legitimate traffic drops in the case of a route change or multipath routing, both of which are frequent in today's Internet. Our ticket-generation mechanism involves only the traffic destination, making tickets route-independent. Upstream routers remain inactive unless explicitly authorized by the attack victim to aid in traffic filtering. This further reduces defense operational cost compared to [8, 9].

2. RELATED WORK
IP Easy-pass [6] attaches a source identifier to each packet and uses it to reliably identify clients. Some existing resource reservation protocol (e.g., RSVP) is assumed for access control.
In the past, work has been done on identifying flows by assigning a unique handle [2], and on reliably and accurately identifying the traffic source [5]. In this paper, we address the issue of distinguishing a well-behaved client from an ill-behaved client during the ticket-granting process; thus our work is orthogonal to work on client identification. Anderson et al. [1] propose capabilities (tickets) attached to each client packet that guarantee privileged access to a resource. They assume a separate overlay for transmitting ticket requests, which incurs a high setup cost. SIFF [8] refines the capability approach by eliminating the need for a separate overlay channel. Instead, routers build capabilities collaboratively using a secret key to hash some packet fields and placing the output in ticket-request packets. The destination grants access to clients based on some internal policy and returns the capability from request packets to these clients, which attach it as a ticket to future packets. The tickets are time-based. TVA [9] improves the design from SIFF [8] by using traffic-based tickets and by rate limiting and prioritizing ticket-request traffic. As discussed in Section 1, SIFF and TVA have certain limitations that we aim to improve.

3. CAPABILITY MECHANISM
Figure 1 illustrates the steps in a source's access to a destination. Communication between a source and a destination is preceded by a ticket request. If the source communicated with the destination in the recent past, the ticket request will carry the context of the old communication, including the old credit and penalty values. The client's credit and penalty serve as inputs to the ticket-granting process, and tickets are returned to accepted clients. Unlike past work on capabilities [1, 8, 9], possession of a ticket does not translate into an absolute privilege to access the destination. Instead, we associate a degree of trust with each client, expressed via its credit and penalty values and attached to its current ticket.
We use this trust information to prioritize access to a critical resource (Section 3.3), thus favoring well-behaved clients over unknown clients, and favoring unknown over known-malicious clients.

3.1 Ticket Structure
A destination generates a client-ticket for each client to whom it wishes to grant access, and the client uses this information to generate a packet-ticket attached to each future packet sent to this destination. Our generation of client-tickets and packet-tickets has the following properties:

Client-tickets are bound to the client: To prevent ticket falsification and stealing, the destination generates the client-ticket by hashing the client's credit, penalty and IP address with the destination's secret. The client-ticket structure is shown in Figure 2. Including the client's IP in the hash binds the ticket to the specific client, thus ensuring that attackers cannot use stolen tickets to buy passage for their traffic. A similar mechanism exists in TVA [9]. However, the attacker could use a stolen ticket to generate spoofed traffic with the client's IP address as an alleged source. To prevent this we must prevent ticket stealing from a destination's reply to the ticket request, and later from packets with valid tickets. To prevent ticket stealing from a destination's reply we deploy the Diffie-Hellman key exchange [3] to generate a session secret between the source and the destination, and use this secret to encrypt the ticket information in the reply. We assume general knowledge of the numbers g and n. In its ticket requests, the source includes $g^S \bmod n$, where S is a random number selected by the source. In the ticket reply, the destination returns $r = E_K(\mathrm{ticket}) \,\|\, g^D \bmod n$, where $E_K$ denotes encryption with key K using some lightweight symmetric encryption protocol, D is a random number selected by the destination, $K = g^{SD} \bmod n$ is the shared secret and $\|$ denotes concatenation. The shared secret can be calculated by the source and the destination only, because each of them possesses one part of this secret (the random number S or D). Both parties store the secret and use it for future ticket exchanges. Old secrets can be removed after a period of inactivity. The structure of the ticket reply is also shown in Figure 2. TVA [9] does not encrypt ticket information in replies and is thus sensitive to ticket stealing. Our current design uses the IP address of a host as an identifier, which does not address the presence of NATs in the network or dynamic addressing. We plan to investigate these issues in our future work.

[Figure 2: Structure of the ticket-request, ticket-reply, client-ticket and packet-ticket]

Packet-tickets are bound to packets: To prevent ticket stealing from packets, a client generates packet-tickets by binding the client-ticket to each packet. This is done by first calculating the hash of the packet's contents and immutable header fields, and then hashing this result with the client-ticket to produce a per-packet pass. This pass, along with the client's credit and penalty values, represents the packet-ticket and is inserted into the IP identification field, as shown in Figure 2. SIFF [8] and TVA [9] do not bind tickets to packets, enabling misuse of stolen tickets to spoof a legitimate client's traffic.
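The ticket construction of Section 3.1, written out as an added example (this is not the paper's kernel-module code). It shows a destination issuing a client-ticket bound to the client's credit, penalty and IP, the client deriving a per-packet pass that binds the ticket to each packet, the Diffie-Hellman-protected ticket reply, and the one-interval grace period for delayed packets described later in the section. The hash (HMAC-SHA256, truncated to 8 bytes), the DH group (a constructed toy modulus), the stand-in stream cipher used for E_K, and the way credit and penalty are serialized are all assumptions; the page does not give Figure 2's field widths.

```python
# Added example (not the paper's code): client-tickets, per-packet passes,
# secret rotation per ticket-validity interval and the Diffie-Hellman-protected
# ticket reply of Section 3.1. Hash, field widths, DH group and the symmetric
# cipher are assumptions made for this demonstration.
import hashlib
import hmac
import secrets

# Constructed toy DH parameters (n = 2^127 - 1, a Mersenne prime; g = 5). The paper
# only assumes "general knowledge of numbers g and n"; use a standard large group.
DH_N = (1 << 127) - 1
DH_G = 5


def keystream_xor(k, data):
    """Stand-in for the paper's unspecified lightweight cipher E_K: XOR with
    keystream blocks HMAC-SHA256(K, counter). Self-inverse, so it also decrypts."""
    key = k.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def packet_pass(client_ticket, packet):
    """Per-packet pass: hash the packet (contents + immutable headers), then hash
    that result with the client-ticket. 8-byte truncation is an assumption."""
    pkt_hash = hashlib.sha256(packet).digest()
    return hmac.new(client_ticket, pkt_hash, hashlib.sha256).digest()[:8]


class Destination:
    """Ticket issuer at the victim. Keeps the current and the previous secret so
    that delayed packets stamped during the previous interval still verify."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.prev_secret = None
        self.sessions = {}  # client IP -> shared DH secret K, cached for later exchanges

    def rotate_secret(self):
        """A new secret starts a new ticket-validity interval and expires older tickets."""
        self.prev_secret, self.secret = self.secret, secrets.token_bytes(32)

    def client_ticket(self, ip, credit, penalty, secret=None):
        """H(credit, penalty, IP, destination secret): unforgeable and bound to the IP."""
        msg = f"{credit}|{penalty}|{ip}".encode()
        key = self.secret if secret is None else secret
        return hmac.new(key, msg, hashlib.sha256).digest()[:8]

    def reply_to_request(self, ip, credit, penalty, g_s):
        """Ticket reply r = E_K(ticket) || g^D mod n, with K = g^(S*D) mod n."""
        d = secrets.randbelow(DH_N - 2) + 2
        k = pow(g_s, d, DH_N)
        self.sessions[ip] = k
        return keystream_xor(k, self.client_ticket(ip, credit, penalty)), pow(DH_G, d, DH_N)

    def verify_packet(self, ip, credit, penalty, packet, pass_value):
        """Recompute the client-ticket from the values carried in the packet and
        check the pass under the current secret, then under the previous one."""
        for sec in (self.secret, self.prev_secret):
            if sec is None:
                continue
            expected = packet_pass(self.client_ticket(ip, credit, penalty, sec), packet)
            if hmac.compare_digest(expected, pass_value):
                return True
        return False


class Client:
    def __init__(self, ip, credit, penalty):
        self.ip, self.credit, self.penalty = ip, credit, penalty
        self.s = secrets.randbelow(DH_N - 2) + 2
        self.ticket = None

    def request(self):
        """The ticket request carries g^S mod n."""
        return pow(DH_G, self.s, DH_N)

    def accept_reply(self, enc_ticket, g_d):
        """Derive K = (g^D)^S mod n and decrypt the client-ticket."""
        self.ticket = keystream_xor(pow(g_d, self.s, DH_N), enc_ticket)

    def stamp(self, packet):
        """Packet-ticket = (credit, penalty, per-packet pass)."""
        return self.credit, self.penalty, packet_pass(self.ticket, packet)


def demo():
    """Constructed scenario: one client, one destination, two secret rotations."""
    dst, cli = Destination(), Client("192.0.2.10", credit=10, penalty=0)
    enc, g_d = dst.reply_to_request(cli.ip, cli.credit, cli.penalty, cli.request())
    cli.accept_reply(enc, g_d)
    pkt = b"GET /index.html"
    credit, penalty, p = cli.stamp(pkt)
    r = {"accepted": dst.verify_packet(cli.ip, credit, penalty, pkt, p),
         "stolen_wrong_ip": dst.verify_packet("198.51.100.7", credit, penalty, pkt, p),
         "inflated_credit": dst.verify_packet(cli.ip, credit + 5, penalty, pkt, p),
         "reused_on_other_packet": dst.verify_packet(cli.ip, credit, penalty, b"other", p)}
    dst.rotate_secret()
    r["after_one_rotation"] = dst.verify_packet(cli.ip, credit, penalty, pkt, p)
    dst.rotate_secret()
    r["after_two_rotations"] = dst.verify_packet(cli.ip, credit, penalty, pkt, p)
    return r
```

The verifier recomputes the client-ticket from the credit and penalty values the packet itself declares, which is why those values have to be inside the hash: a client cannot raise its own credit without the destination's secret, and a pass copied from one packet is useless on another. Note that the toy keystream protects only the reply in transit; the paper's threat model for sniffing stops there, and nothing here authenticates the DH exchange itself.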
Client-tickets are short-lived: If tickets were valid for a long time, a mutable attacker that behaves well to obtain a ticket and then turns hostile could inflict much harm. A short ticket life limits the damage from a mutable attack, and is also employed in SIFF [8], while TVA [9] employs costly accounting to limit the amount of traffic sent using a single ticket, i.e. it uses traffic-based capabilities. We opted for time-based rather than traffic-based capabilities to reduce the operational cost. Tickets expire periodically when the destination changes the secret used for ticket generation. We call this interval the ticket-validity interval. Delayed packets are handled by accepting packets with tickets valid during one previous interval.

Ticket verification is lightweight: All the information needed to verify the validity of a ticket (packet or client) is encoded in the ticket, thus no memory is needed to store client information at the destination. The destination does pay a small memory cost to record the blacklist of worst offenders, and to keep behavior statistics for currently active clients (Section 3.2).

3.2 Calculating Credits and Penalties
Credits and penalties are used to reflect a client's behavior by describing the aggressiveness of its sending pattern. Credit and penalty calculations are performed at the end of each ticket-validity interval.

3.2.1 Credit Calculation
A client's credit reflects its contribution to congestion during a flooding attack: a higher credit represents a lower contribution, i.e. well-behaved clients will have high credits. The credit is a number ranging from LOW to HIGH. A new client is assigned a credit value of MID, which lies in the middle of the [LOW, HIGH] range. If no resource overload is observed during an interval, then a client active in that interval is rewarded by an additive increase in its credit:

$\mathrm{credit}_{new} = \min(\mathrm{credit}_{old} + \alpha,\ \mathrm{HIGH})$ (1)

where α is the credit increase factor. During resource overload periods, if a client is identified as non-aggressive, its credit is also calculated using Eq. 1.
The credit of an aggressive client is decreased multiplicatively and proportionally to its contribution to resource demand:

$\mathrm{credit}_{new} = \max\!\left(\mathrm{credit}_{old}\,\Bigl(1 - \frac{E}{\sum_i T_i}\Bigr),\ \mathrm{LOW}\right)$ (2)

where $T_i$ is the total traffic sent by client i in units that represent a critical resource (e.g., bytes for bandwidth, service requests for a server-specific resource, packets for CPU), and E is the excess traffic the client sent above its fair share, which we call a quota and denote with Q. The sum of $T_i$ is calculated over all active clients. Multiplicative decrease ensures prompt action on the observed aggressiveness. Values of $T_i$, $E_i$ and $Q_i$ are calculated over a window of several intervals to avoid overreaction to variations in client traffic. The quota of a client is calculated as:

$Q = \frac{\max(\mathrm{credit} - \mathrm{penalty},\ \mathrm{LOW})}{\sum_i \max(\mathrm{credit}_i - \mathrm{penalty}_i,\ \mathrm{LOW})}\, R$ (3)

where R is the amount of the critical resource (e.g., bandwidth, number of packets or service requests that can be processed per second, etc.), the maximum is calculated over the window for a given client, and the sum is calculated over all active clients. A client is considered aggressive if it exceeds its quota in an interval, and its credit is decreased using Eq. 2, where $E = T - Q$.

The defense proactively renews the tickets of all active clients at the end of each ticket-validity interval. A client that has been inactive during an interval must issue a new ticket request. To enable well-behaved clients to benefit from their past good reputation, a new ticket request carries the last received credit and penalty values, along with the client-ticket and the timestamp of the last activity. Using the timestamp, the server locates the secret that was valid at the given time, and uses it to verify the client-ticket and thus the authenticity of the declared credit and penalty values. Upon success, it uses the past credit value to calculate the starting credit for the client as:

$\mathrm{credit}_{new} = \max(\mathrm{credit}_{old} - \beta N,\ \mathrm{MID})$ (4)

where β is the credit decrease factor and N is the number of intervals since the client's last communication. We deploy credit aging to discount stale information, because a longer inactivity period increases the possibility of a client's compromise. The lowest credit assigned to an old client is MID, ensuring that a very old client is treated the same as a previously unknown client. The penalty value of an old client is conservatively set to the past penalty value declared in its ticket request. A previously unknown client receives the lowest penalty value.

3.2.2 Penalty Calculation
Consider a scenario where many attackers flood a network, but each attacker sends traffic at a low rate. In such a scenario, a legitimate client's contribution to congestion is larger than that of an attacker, so credit calculation alone cannot help us precisely identify malicious clients. To rectify this situation, we use the observation that a legitimate client will reduce its sending rate upon traffic loss, while an automated attacker will not. One source of rate reduction is TCP's congestion control mechanism, which responds to traffic loss by an exponential decrease in the sending rate.
If a malicious client uses a modified version of the TCP protocol to send aggressively, its response to congestion will be milder than that of legitimate clients. Even if a malicious client uses unmodified TCP, it will open multiple connections to the destination to send sufficient traffic for service denial, making it more aggressive than an average legitimate client. We postulate that another source of rate reduction could be the human response to low service quality: a person that does not receive a response to their service request is unlikely to maintain or increase the rate of request generation. Further study with human subjects is needed to verify this hypothesis and is part of our future work.

We assign penalties to clients that experience persistent packet drops in the following manner. Let D be the sum of dropped bytes from a client during the window. If $D > \delta T$, the client is considered malicious and its penalty is increased as:

$\mathrm{penalty}_{new} = \min(\mathrm{penalty}_{old} + \gamma,\ \mathrm{HIGH})$ (5)

where δ is the estimate of a legitimate client's aggressiveness in the face of persistent drops, and γ is the penalty increase factor. If the client is not identified as malicious, its penalty is decreased as:

$\mathrm{penalty}_{new} = \max(\mathrm{penalty}_{old} - \gamma,\ \mathrm{LOW})$ (6)

3.2.3 Aggressive Client Blacklisting
To reduce the memory cost of the defense, client credits and penalties are carried in tickets. This opens a potential vulnerability, since a client with a low credit (or a high penalty) would benefit from posing as a new client, i.e. it would omit the credit and penalty information from its ticket requests. Legitimate clients would then have to contend for bandwidth with attackers, just as is the case in SIFF [8] and TVA [9]. To amend this situation, the defense should keep a blacklist of the worst offenders. Clients with the lowest credits or highest penalties would be stored in this list with their credit and penalty information, and each new ticket request would be checked against this list.
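The credit and penalty bookkeeping of Section 3.2 (Eq. 1 to 6), the credit aging of Eq. 4 and the blacklist check of Section 3.2.3, as an added example that is not the paper's code. It uses the Table 1 factors (α = 1, β = 0.3, γ = 0.4, δ = 1); LOW = 0 and HIGH = 20 are assumptions, since Table 1 only fixes HIGH − LOW = 20, and one interval stands in for the whole window to keep the scenario short. The equal split when every weight in Eq. 3 is at LOW, and the ordering used to pick the "worst" offenders, are likewise assumptions the page does not settle.

```python
# Added example (not the paper's code): credit/penalty/quota rules of Section 3.2
# with the Table 1 factors, credit aging and the Section 3.2.3 blacklist.
# LOW = 0, HIGH = 20 and "one interval = the window" are assumptions.
from dataclasses import dataclass

LOW, HIGH = 0.0, 20.0
MID = (LOW + HIGH) / 2
ALPHA, BETA, GAMMA, DELTA = 1.0, 0.3, 0.4, 1.0  # Table 1 values


@dataclass
class ClientState:
    ip: str
    credit: float = MID
    penalty: float = LOW
    sent: float = 0.0     # T: traffic sent over the window, in resource units (bytes here)
    dropped: float = 0.0  # D: bytes dropped over the window


def quotas(clients, resource):
    """Eq. 3: each active client's share of R, weighted by max(credit - penalty, LOW)."""
    weights = {c.ip: max(c.credit - c.penalty, LOW) for c in clients}
    total = sum(weights.values())
    if total == 0:  # assumption: all weights at LOW -> equal split (not covered by the paper)
        return {c.ip: resource / len(clients) for c in clients}
    return {ip: w / total * resource for ip, w in weights.items()}


def update_credit(c, quota, total_sent, overloaded):
    """Eq. 2 for a client that exceeded its quota during overload, Eq. 1 otherwise."""
    if overloaded and c.sent > quota:
        excess = c.sent - quota                                     # E = T - Q
        c.credit = max(c.credit * (1 - excess / total_sent), LOW)  # multiplicative decrease
    else:
        c.credit = min(c.credit + ALPHA, HIGH)                      # additive increase


def update_penalty(c, delta=DELTA):
    """Eq. 5 / Eq. 6: a client that keeps sending through persistent drops (D > delta*T)
    has its penalty raised; otherwise the penalty decays."""
    if c.dropped > delta * c.sent:
        c.penalty = min(c.penalty + GAMMA, HIGH)
    else:
        c.penalty = max(c.penalty - GAMMA, LOW)


def aged_credit(old_credit, intervals_inactive):
    """Eq. 4: a returning client's declared credit ages by beta per idle interval, floored at MID."""
    return max(old_credit - BETA * intervals_inactive, MID)


class Blacklist:
    """Worst offenders retained by the defense so they cannot shed their history
    by omitting credit and penalty from a new ticket request."""

    def __init__(self, size):
        self.size, self.entries = size, {}

    def refresh(self, clients):
        # Assumption: "worst" ordered by credit - penalty (lowest credit / highest penalty first).
        worst = sorted(clients, key=lambda c: c.credit - c.penalty)[: self.size]
        self.entries = {c.ip: (c.credit, c.penalty) for c in worst}

    def starting_values(self, ip, declared=None, intervals_inactive=0):
        """Credit/penalty a ticket request starts with. The blacklist overrides whatever
        the request declares; omitted history means MID credit and the lowest penalty."""
        if ip in self.entries:
            return self.entries[ip]
        if declared is None:
            return MID, LOW
        credit, penalty = declared
        return aged_credit(credit, intervals_inactive), penalty


def end_of_interval(clients, resource):
    """Per-interval bookkeeping over all active clients; returns the quotas used."""
    total_sent = sum(c.sent for c in clients)
    q = quotas(clients, resource)
    for c in clients:
        update_credit(c, q[c.ip], total_sent, overloaded=total_sent > resource)
        update_penalty(c)
    return q


def demo():
    """Constructed interval: the bottleneck delivers 900 bytes; one legitimate client
    and two low-rate attackers, all previously unknown (MID credit), share it."""
    clients = [ClientState("L1", sent=200, dropped=20),
               ClientState("A1", sent=1500, dropped=0),
               ClientState("A2", sent=1300, dropped=0)]
    end_of_interval(clients, resource=900)
    bl = Blacklist(size=2)
    bl.refresh(clients)
    return ({c.ip: c.credit for c in clients}, dict(bl.entries),
            bl.starting_values("A1"),                                    # posing as new: blacklist answers
            bl.starting_values("L1", declared=(11.0, 0.0), intervals_inactive=2),
            bl.starting_values("198.51.100.9"))                          # genuinely unknown client
```

In the constructed interval every client starts with the same weight, so Eq. 3 hands each a 300-byte quota; L1 stays inside it and is rewarded under Eq. 1, while A1 and A2 lose credit in proportion to their excess under Eq. 2 and land on the blacklist, so a later "new" request from A1 is answered with its recorded credit rather than MID. The penalty test with δ = 0.5 is there only to exercise Eq. 5; with the Table 1 value δ = 1 a client would have to see more bytes dropped than it sent, which the page does not elaborate on.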
3.3 Traffic Policing
Previous work on capabilities [1, 8, 9] allowed absolute access to the destination to all ticket-carrying traffic. As discussed in Section 1, this approach can inflict large harm on legitimate clients in the case of mutable attackers. To minimize this harm, we use client credits and penalties to prioritize access to the critical resource. Each client is assigned to the client class identified as:

$\mathrm{clientclass} = \max(\mathrm{credit} - \mathrm{penalty},\ \mathrm{LOW})$ (7)

and each class is assigned a certain share of the resource. A client can access the resource share assigned to its class and that assigned to lower classes. If all such resources are depleted, the client's request is dropped. This facilitates good service to well-behaved clients during an attack that deploys many previously unknown attackers. These attackers fall into the same credit class as previously unknown legitimate clients and compete with them for the resource, but cannot deplete the resources assigned to the higher-credit classes that contain known, well-behaved clients.

One approach to resource assignment would be to uniformly distribute the critical resource among all credit classes. However, this design could lead to under-utilization in cases when most users lie in low or middle credit ranges. We propose a more sophisticated scheme that estimates the future resource requirements of a client class based on the weighted average of its past demand as follows:

$R_{new} = (1 - \lambda)\, R_{old} + \lambda\, \mathrm{demand}$ (8)

where $R_{old}$ was the estimate at the end of the previous interval, demand is the total resource usage of this client class in the current interval, and λ is the weight assigned to new observations.

Traffic policing is performed by the defense located at or near the victim. If the defense is overwhelmed, which is likely during high-rate attacks, it can request help from upstream routers for packet filtering. The help request contains at the minimum the previous and the current destination secret, to enable the router to validate ticket information.
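The class-based sharing of Section 3.3, as an added example rather than the paper's implementation: Eq. 7 maps a client's credit and penalty to a class, a request may draw on its own class's share and then on lower classes' shares, and Eq. 8 re-estimates each class's share from the demand observed in the interval. LOW = 0 and HIGH = 20, the integer class index, λ = 0.5, whole-request admission, and the final rescaling of the Eq. 8 estimates so that they sum to the resource are assumptions; the page gives none of these.

```python
# Added example (not the paper's code): class-based resource sharing of Section 3.3.
# LOW/HIGH, integer classes, lambda and the rescaling step are assumptions.
LOW, HIGH = 0, 20
LAMBDA = 0.5


def client_class(credit, penalty):
    """Eq. 7: clientclass = max(credit - penalty, LOW), floored to an integer class index."""
    return int(max(credit - penalty, LOW))


class Policer:
    def __init__(self, shares):
        # shares[k]: resource units (e.g. bytes per interval) assigned to class k
        self.shares = dict(shares)
        self.remaining = dict(shares)
        self.demand = {k: 0.0 for k in shares}

    def admit(self, credit, penalty, amount):
        """Serve from the client's own class first, then from lower classes in turn;
        drop the request if every share it may use is depleted."""
        k = client_class(credit, penalty)
        self.demand[k] = self.demand.get(k, 0.0) + amount
        for cls in sorted((c for c in self.remaining if c <= k), reverse=True):
            if self.remaining[cls] >= amount:
                self.remaining[cls] -= amount
                return True
        return False

    def end_of_interval(self, resource):
        """Eq. 8 per class, R_new = (1 - lambda) R_old + lambda * demand, then rescale the
        estimates to the available resource (assumption) and reset the interval counters."""
        for k in self.shares:
            self.shares[k] = (1 - LAMBDA) * self.shares[k] + LAMBDA * self.demand.get(k, 0.0)
        total = sum(self.shares.values())
        if total > 0:
            self.shares = {k: v * resource / total for k, v in self.shares.items()}
        self.remaining = dict(self.shares)
        self.demand = {k: 0.0 for k in self.shares}
        return dict(self.shares)


def demo():
    """Constructed interval: 700 units split between class 0, class 10 (previously unknown
    clients) and class 15 (known good clients). Five unknown senders and one known client
    each ask for 100 units."""
    p = Policer({0: 100, 10: 300, 15: 300})
    unknown = [p.admit(credit=10, penalty=0, amount=100) for _ in range(5)]
    known = p.admit(credit=16, penalty=1, amount=100)  # class 15: untouched by the unknown senders
    new_shares = p.end_of_interval(resource=700)
    return unknown, known, new_shares
```

The five unknown senders exhaust class 10 and then class 0, so the fifth request is dropped, while the known client in class 15 is still served: this is the property the section describes, that many previously unknown attackers compete with unknown legitimate clients but cannot reach the shares of higher-credit classes. After the interval, Eq. 8 moves share towards the classes that actually carried demand.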
Future secrets could also be included in the help request, or they could be communicated periodically through future help requests. It would further be helpful to include the blacklist of recent offenders in the help request, to enable the router to filter new ticket requests from known-malicious clients. Help requests must be authenticated to prevent denial of service through fake help requests that contain invalid secrets and are sent by a third party. Authentication assumes the existence of a trust relationship between the defense and an upstream router. Since distributed trust is difficult to enforce unless there is an existing business relationship, we envision that help requests would only be propagated one hop upstream, to routers of the victim's ISP. This is a common business practice today, but requests are delivered through human channels, which impose large delays, and they contain imprecise filtering information obtained from intrusion detection systems. The proposed capability mechanism would automate this process and improve filtering accuracy and response time.

Table 1: Parameter values

  Parameter                  Value
  Ticket-validity interval   3 s
  Window size                4 intervals
  α                          1
  β                          0.3
  γ                          0.4
  δ                          1
  HIGH - LOW                 20

3.4 Parameter Settings
We use several parameters to guide the defense operation, whose values are shown in Table 1. We now briefly discuss the tradeoffs in setting their values. In a real deployment, optimal parameter values will greatly depend on the legitimate traffic dynamics in a given network, and should be determined through traffic analysis, training and tuning over several days or weeks.

Credit range [LOW, HIGH]: A larger range provides finer granularity for client differentiation and thus better defense, but will cause additional computational and memory cost during traffic policing.

Credit and penalty change factors (α, γ): Large values of α and γ make credits and penalties very sensitive to traffic variations, which can lead to penalizing normal variations in legitimate traffic. Too small values, on the other hand, prolong the response time of the defense.

Estimate of a legitimate client's aggressiveness (δ): A large value of δ will increase the penalty only for large drop rates, allowing moderately aggressive attackers to evade the defense. A small δ value penalizes small, normal traffic variations of legitimate clients.

Score aging factor (β): A small value of β preserves the history of past good behavior for a long time, while a large value rapidly discounts recent good behavior.

4. COST
We now summarize the cost of the proposed defense.
While issuing and updating tickets, the defense performs a Diffie-Hellman key exchange once for every new or recently inactive client, followed by ticket encryption once each ticket-validity interval. While the Diffie-Hellman key exchange is costly, it is only performed for clients that have not been active recently. The cost of the exchange can thus be controlled by increasing the memory for storage of shared secrets. Symmetric encryption and decryption are moderately costly, but the frequency of these operations is low: once every several seconds. An attacker could attempt to exhaust the defense's resources by sending a lot of new ticket requests; we discuss this case in Section 5. Tickets are kept small and ticket validation is not costly. A sender attaches the packet-ticket to each packet and the defense verifies it. Both require two hash operations per packet and can be done at high speed, as shown in [9]. Note that there should be a significant reduction in deployment cost between our defense and SIFF [8] or TVA [9], because our defense is located at the destination only and the help of upstream routers can be invoked on a need basis, while SIFF and TVA require constant support from upstream routers.

Tickets carry the client information needed for ticket validation and traffic policing, requiring no additional storage at the defense. The defense incurs a storage cost for storing the traffic statistics and the quota of each active client during an interval, for computing credits and penalties. In the case of a large number of clients, it is sufficient to store statistics only for the aggressive senders that dominate the values in score and penalty computation. Statistics are also stored for each client class, thus the size of the [LOW, HIGH] range determines the cost of this storage. The defense also incurs a small memory cost for a blacklist of worst offenders.
It may pay off to propagate this list to some upstream routers that are close to the destination when their help is requested, in which case the upstream routers will incur the memory cost of storing this information. The typical size of botnets today is at most 100,000 hosts [4], making the memory cost for storing a blacklist 3.2 MB.

5. SECURITY

We now briefly discuss the security of the proposed defense. As our experiments illustrate in the next section, the defense can successfully identify large and persistent senders, but its performance degrades in case of pulsing attacks. If an attacker used a large number of zombies in smaller groups, such that a single group acts maliciously at a given time and is then replaced by a fresh group, the attack could continuously deny service. All DDoS defenses to date that use a client's identity for traffic prioritization will be ineffective against such an attack. Another possible attack would engage zombies that do respond to congestion, thus avoiding high penalty values. We believe that in this case human behavior (rate of request generation) would differ from the behavior of zombies, causing legitimate clients' traffic to decrease below malicious clients' traffic. We plan to study this in our future work. Tickets cannot be falsified because the secret hash facilitates integrity checks. Our defense is resistant to sniffing due to the deployment of cryptographic techniques to protect tickets. It is also resistant to IP spoofing because it encrypts client-tickets and binds packet-ticket values to the packets. Cryptographic operations make the defense vulnerable to a flood of bogus ticket requests that initiate costly Diffie-Hellman key exchanges. One way to address this problem is to limit the resources spent for ticket-granting. This ensures that well-behaved and active clients will receive good service, since their secret information is cached. New legitimate clients will have to contend for access to the ticket-granting mechanism along with attackers.

6. EVALUATION

We implemented the proposed capability mechanism in a Linux software router as a loadable kernel module. Our tests consist of live-traffic experiments in the Emulab testbed [7]. We used the topology shown in Figure 3. Victim node V is connected to the rest of the topology via a bottleneck link of 100 Kbps, which represents our critical resource. All other links in the topology have 100 Mbps bandwidth. There are two legitimate clients, L1 and L2, and seven attackers, A1 to A7. Legitimate traffic is generated by invoking a character generator program at the client nodes and tunneling its output to the victim node via SSH. The character generator emulates Telnet traffic: it generates one message per second, whose length is randomly chosen in a predetermined range. A message can be split into several packets. We call the average rate of the character generator the legitimate client's nominal rate. Depending on TCP's congestion control mechanism, a legitimate client's traffic will flow into the network at, above or below the nominal rate. As explained in Section 5, to use real TCP traffic for an attack, the attackers would need a large number of zombies due to the congestion-responsive nature of TCP. Hence, attack traffic is generated using raw sockets to send TCP packets at a specified rate. The attack rate may vary in some test scenarios in an attempt to trick the defense. We do not show a simple scenario where the attack traffic does not carry a ticket: all such traffic will be correctly dropped, since only ticket-carrying traffic is allowed to reach the victim. We also omit a scenario where a mutable attacker acquires a ticket and then increases its sending rate to a large value. Such an attacker will be quickly identified as aggressive and its credit is decreased, providing effective defense. We focus instead on sophisticated attacks involving mutable attackers that send at a relatively low rate to maintain the impression of good behavior and ensure receipt of future tickets.
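As an added illustration, not code from the paper, the following Python model replays constructed traces shaped like the experiment just described (100 Kbps bottleneck shared by nine clients, 24 Kbps nominal rate, an attacker that first idles at 800 bps) through the Section 3.4 parameters of Table 1, to show how the sliding window, α, β, γ, δ and the [LOW, HIGH] range separate a congestion-responsive client from a non-responsive one. The update rules, LOW = 1 and the penalty scale are assumptions: the paper's exact formulas are in its Section 3 and are not reproduced on this page.

```python
"""Assumed sliding-window credit/penalty update: an illustration, not the paper's own
rules (those are in its Section 3, not on this page). Parameter values follow Table 1."""
from collections import deque
from dataclasses import dataclass, field

INTERVAL_S, WINDOW = 3, 4                        # ticket-validity interval (s), window (intervals)
ALPHA, BETA, GAMMA, DELTA = 1.0, 0.3, 0.4, 1.0   # Table 1
LOW, HIGH = 1.0, 20.0                            # assumed; Table 1 gives 20 for the credit range
PENALTY_MAX = 1.0                                # assumed penalty scale

@dataclass
class Client:
    credit: float = HIGH
    penalty: float = 0.0
    score: float = HIGH                          # beta-aged credit
    window: deque = field(default_factory=lambda: deque(maxlen=WINDOW))  # (sent, dropped) bytes

def observe(c: Client, sent: int, dropped: int, quota: float) -> None:
    """Account one interval: `sent` bytes arrived, `dropped` were lost, `quota` is in B/s."""
    c.window.append((sent, dropped))
    tot_sent = sum(s for s, _ in c.window)
    drop_rate = sum(d for _, d in c.window) / tot_sent if tot_sent else 0.0
    avg_rate = tot_sent / (len(c.window) * INTERVAL_S)
    # Congestion response: how far the client cut its rate below its peak in the window.
    peak = max(s for s, _ in c.window) / INTERVAL_S
    backoff = 1.0 - (sent / INTERVAL_S) / peak if peak else 0.0
    # Penalty grows by gamma only when drops are not matched by backoff; delta scales how
    # much backoff a legitimate client is expected to show, so a small delta penalises jitter.
    c.penalty = min(PENALTY_MAX, max(0.0, c.penalty + GAMMA * (drop_rate - DELTA * backoff)))
    if avg_rate > quota and c.penalty > 0:       # aggressive sender: multiplicative decrease
        c.credit = max(LOW, c.credit * (1.0 - ALPHA * c.penalty))
    else:                                        # well-behaved: additive increase
        c.credit = min(HIGH, c.credit + ALPHA)
    c.score = (1.0 - BETA) * c.score + BETA * c.credit   # small beta keeps history longer

def run(trace, quota):
    """Replay per-interval (sent, dropped) pairs for one client and return its final state."""
    c = Client()
    for sent, dropped in trace:
        observe(c, sent, dropped, quota)
    return c

# Constructed traces, bytes per 3 s interval: 100 Kbps bottleneck shared by 9 clients; the
# legitimate client (24 Kbps nominal) backs off after losses, the attacker idles at 800 bps
# to earn credit and then sends 24 Kbps with no congestion response.
QUOTA = 100_000 / 8 / 9
LEGIT = [(9000, 0), (9000, 0), (9000, 4950), (4500, 450), (3000, 0),
         (3300, 0), (3600, 0), (3900, 0), (4200, 0), (4500, 0)]
ATTACK = [(300, 0), (300, 0)] + [(9000, 4950)] * 8
```

Calling `run(LEGIT, QUOTA)` and `run(ATTACK, QUOTA)` leaves the legitimate client at HIGH credit with zero penalty, while the attacker reaches the maximum penalty and LOW credit within about four intervals; its β-aged score decays more slowly, which is the history effect Section 3.4 describes.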
Figure 3: Network topology used for evaluation

6.1 Balanced Attack

To blend in with legitimate clients, each attacker first acquires the highest credit by sending traffic at a low rate (800 bps) for a long time; this behavior does not create resource overload. Afterwards, attackers turn malicious and send at the legitimate client's nominal rate (24 Kbps). Figure 4 shows the credits of one legitimate client and of one attacker; credits of other clients follow the same trend. Before the attack, credits of legitimate and attack clients are at the HIGH value. Soon after the attack starts, an attacker's credit is decreased, thanks to our aggressive sender identification and the multiplicative credit decrease. The credit of the legitimate TCP client decreases briefly after the attack's onset, because the traffic computations are performed over statistics collected in a sliding window. Once TCP's congestion control reduces the sending rate, several intervals are needed for this to sufficiently impact the average rate value in the window. Similarly, Figure 5 shows a legitimate client's and an attacker's penalty. While a legitimate client's penalty remains low throughout the attack, an attacker's penalty quickly reaches the maximum value due to the absence of congestion response in attack traffic.

Figure 4: Credits of legitimate and attack clients

Figure 5: Penalties of legitimate and attack clients

Figure 6 shows the acceptance ratio: the percentage of bytes sent by a client that successfully reach the victim. Note that this is different from the bandwidth allocation between clients. An acceptance ratio of 100% means that no traffic from this client was dropped, either due to congestion or by the defense. The acceptance ratio gives no information about the bandwidth division between the legitimate and the attack traffic. A legitimate client's acceptance ratio is temporarily lowered when the attack starts, but quickly converges to 100%, while an attacker's acceptance ratio is reduced to around 5%. For comparison, Figure 7 shows the acceptance ratio without the defense: all traffic drops occur due to the congestion. A legitimate client's acceptance ratio fluctuates, and frequently reaches zero, as the legitimate traffic's sending rate fluctuates due to TCP's congestion control. The attacker's acceptance ratio is around 40% because the bottleneck link bandwidth is 40% of the total traffic arriving at the link. The legitimate traffic is seriously damaged during the attack without the defense, while it is efficiently protected when the defense is present. For space reasons we will only show the acceptance ratio for the following tests.

Figure 6: Acceptance ratio during the balanced attack

Figure 7: Acceptance ratio during the balanced attack without defense

6.2 Low-rate Attack

In this test each attacker sends at 80% of the legitimate client's nominal rate (19.2 Kbps), thus attempting to avoid being identified as an aggressive sender. Our results, shown in Figure 8, demonstrate that even when a large number of attackers send at a low individual rate to create a denial of service, our defense identifies these attackers via their increased penalties, since their traffic does not exhibit congestion response. The acceptance ratio graph resembles the one in the balanced attack case. After the first 20 intervals, all legitimate traffic reaches the victim. An attacker's acceptance ratio is quickly reduced to 10%. A lower malicious client rate leads to penalties that take a longer time to increase, thus the attack interferes with the legitimate traffic longer. An even lower-rate, more distributed attack would inflict damage on legitimate traffic for a longer period of time, but the defense will eventually converge and protect legitimate traffic.

Figure 8: Acceptance ratio during the low-rate attack

6.3 Pulsing Attack

We next test the pulsing attack, in which the attacker periodically sends heavy traffic (at the legitimate client's nominal rate of 24 Kbps) and then sends low traffic (800 bps) to build up trust until the next pulse. The acceptance ratio is shown in Figure 9.
While the attakers redits inrease during low-rate periods, the defense quikly identifies attakers as aggressive during high-rate periods and suppresses their traffi. For the legitimate lient, the aeptane ratio drops at the onset of high-rate periods (labeled as High in the graph) but then returns to 100% where it remains for the rest of the period, and during low-rate periods. The attaker s aeptane ratio is high during low-rate periods beause no overload is reated. During high-rate periods the aeptane ratio quikly drops to about 5%, whih is onsistent with our results for the balaned attak. 6.4 Binary Capabilities We motivated our design of apabilities with multiple degrees of trust by arguing that binary apabilities annot protet legitimate traffi during mutable attaks. We now support this laim by repeating the balaned attak experiment with binary apabilities. We keep our alulation of redits and penalties the same, but the lient s fair share of the resoure is obtained by dividing the resoure equally among all ative lients, regardless of their redit or penalty. Traffi poliing omponent aepts all traffi with the redit greater

show that our defense provides exellent protetion to the legitimate traffi, whose throughput is very lose to 100%. Experiment Throughput (%) Balaned attak w defense 98.06 Balaned attak w/o defense 2.91 Low-rate attak w defense 98.69 Pulsing attak w defense 99.98 Balaned attak w binary ap. 85.96 Table 2: Legitimate traffi throughput during attak Figure 9: Aeptane ratio during the pulsing attak or equal to MID/2. Figure 10 shows the aeptane ratio for this experiment. While the attaker s aeptane ratio eventually drops to zero, the legitimate lient s traffi experienes signifiant drops and its aeptane ratio exhibits large variations, frequently reahing 0%. Comparing the Figures 6 and 10, the protetion offered to legitimate traffi by binary apabilities is muh worse than the protetion offered by our proposed defense. In the absene of a sophistiated traffi poliing, the legitimate lient reeives the same bandwidth share as the attaker, ausing the lient s redit to flutuate between high and low redit values based on its traffi variations in response to ongestion. This leads to large variations in the legitimate lient s aeptane ratio. Figure 10: Aeptane ratio during the balaned attak with binary apabilities Table 2 summarizes experiment results showing the perentage of legitimate traffi throughput during an attak ompared to the throughput without an attak. The results 7. CONCLUSIONS We proposed several improvements to the original apability design that failitate automati tiket-granting and improve seurity and ost of the defense. Our experiments show that the proposed defense suessfully handles sophistiated attaks, offering a onsistent good protetion to legitimate traffi and quikly identifying and penalizing attak traffi. In our future work we plan to investigate human response to low servie quality, and improve our penalty alulation with models derived from this researh. 
We also plan to explore dynamic setting of parameter values based on the perceived attack severity, and to engage in larger-scale experimentation to validate our proposed defense. Finally, we plan to address remaining security issues related to the use of cryptography during ticket issue.

8. REFERENCES

[1] T. Anderson, T. Roscoe, and D. Wetherall. Preventing Internet Denial of Service with Capabilities. In Proc. of HotNets-II, 2004.
[2] M. Casado, A. Akella, P. Cao, N. Provos, and S. Shenker. Cookies Along Trust-boundaries (CAT): Accurate and Deployable Flood Protection. In Proc. of 2nd Conference on Steps To Reducing Unwanted Traffic on the Internet, 2006.
[3] W. Diffie and M. E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.
[4] Honeynet Project and Research Alliance. Know your enemy: Tracking botnets. http://www.honeynet.org/papers/bots/.
[5] D. R. Simon, S. Agarwal, and D. A. Maltz. AS-Based Accountability as a Cost-Effective DDoS Defense. In Winter International Symposium on Information and Communication Technologies, 2004.
[6] H. Wang, A. Bose, M. A. El-Gendy, and K. G. Shin. IP Easy-pass: A Light-Weight Network-Edge Resource Access Control. IEEE/ACM Transactions on Networking, 13(6):1247–1260, 2005.
[7] B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb, and A. Joglekar. An integrated experimental environment for distributed systems and networks. In Proc. of OSDI, pages 255–270, December 2002.
[8] A. Yaar, A. Perrig, and D. X. Song. SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. In Proc. of IEEE Symposium on Security and Privacy, 2004.
[9] X. Yang, D. Wetherall, and T. Anderson. A DoS-limiting network architecture. In Proc. of ACM SIGCOMM, pages 241–252, 2005.