A Destination-based filtering mechanism for preventing DoS attacks.
We will design and implement a simulation of a protocol to limit DoS attacks.
This simulation will use Berkeley Sockets and run on an isolated network.
We will measure the QoS to two different types of nodes (1) nodes under attack,
(2) nodes not under attack. We expect the overall QoS can potentially
improve under this system, and we will attempt to quantify these differences
Variants in our experiment include:
We'll also look at assumptions and trust models (there must be a certain amount of cooperation among entities -- what environments would this be useful, perhaps
large networks like Exodus or AOL, or maybe at the ISP / School / corporate
- Network topology (we'll try (a) a tree and (b) a regular network)
- Threshold (we'll vary the threshold that the filtering kicks in)
- Layering (we should have filtering on several different levels -- maybe filter
first on subnet id, then on host id; perhaps have different thresholds at
We will also provide a rudimentary analytical model based on Queuing theory.
Each node in our network will be modelled as an M/M/1 queue and we will
derive a formula for end-to-end bandwidth for legitimate traffic.
BPF+ Exploiting Global Data-flow Optimization in a Generalized Packet Filter
Architecture. Begel, et al.
On Computing Per-session Performance Bounds in High-Speed Multi-Hop
Computer Networks. Kurose.
- Security on Computer Networks. Costello.
Page last modified on 4/20/2000