Combating Denial of Service Attacks with Trustworthy Source Addresses

Professor Xiaowei Yang, Computer Science Department, Duke University


Large-scale Denial of Service (DoS) attacks are an increasing threat to the reliability of the Internet. Attackers that control millions of bot machines can easily take down any site on the Internet. A factor that complicates measures to stop DoS flooding attacks is the possibility of source address spoofing, in which compromised hosts place incorrect source addresses on their packets to impersonate other hosts or obscure their locations. A DoS defense mechanism that uses source addresses to limit attack traffic will inevitably inflict collateral damage on legitimate traffic.

In this talk, I will present the design, evaluation, and applications of Passport, a system that allows source addresses to be validated within the network. Passport uses efficient, symmetric-key cryptography to place tokens on packets that allow each autonomous system (AS) along the network path to independently verify that a source address is valid. It leverages the routing system to efficiently distribute the symmetric keys used for verification, and is incrementally deployable without upgrading hosts. Our evaluation shows that Passport is plausible for multi-gigabit links and provides stronger security and deployment incentives than alternatives such as ingress filtering. Passport also enables a variety of effective DoS defense systems.
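To make the token mechanism concrete, here is a simplified Python model added for this page; it is not the Passport implementation or its exact packet format. It assumes that each pair of ASes already shares a symmetric key (the talk says these come from the routing system), that an AS border router stamps one truncated HMAC per downstream AS, and that each AS looks up which AS owns a packet's source address before checking its own token; the keys, addresses and table names are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample keys: each pair of ASes shares one symmetric key.
# Distribution through the routing system is out of scope for this model.
PAIRWISE_KEYS = {
    frozenset({"AS100", "AS200"}): b"constructed-key-100-200",
    frozenset({"AS100", "AS300"}): b"constructed-key-100-300",
    frozenset({"AS200", "AS300"}): b"constructed-key-200-300",
}

# Hypothetical address-to-AS ownership table; a real verifier would
# consult its routing table for the prefix covering the source address.
ADDRESS_OWNER = {"10.1.2.3": "AS100", "192.168.5.6": "AS200", "172.16.7.8": "AS300"}

TOKEN_LEN = 8  # bytes of MAC kept per token (an assumption of this example)

def _token(key, packet):
    # MAC over fields that stay constant along the path.
    msg = f"{packet['src']}|{packet['dst']}|".encode() + packet["payload"]
    return hmac.new(key, msg, hashlib.sha256).digest()[:TOKEN_LEN]

def stamp(packet, stamping_as, path):
    """Border router of stamping_as adds one token per downstream AS on path.
    Hosts never hold the pairwise keys, so only a border router can do this."""
    tokens = {}
    for hop in path:
        if hop != stamping_as:
            tokens[hop] = _token(PAIRWISE_KEYS[frozenset({stamping_as, hop})], packet)
    return {**packet, "tokens": tokens}

def verify_at(packet, verifying_as):
    """An AS checks the token addressed to it with the key it shares with the
    AS that legitimately owns the source address (not the AS that stamped)."""
    owner = ADDRESS_OWNER.get(packet["src"])
    key = PAIRWISE_KEYS.get(frozenset({owner, verifying_as})) if owner else None
    if key is None:
        return False  # unknown source, or the verifier is the owner itself
    token = packet.get("tokens", {}).get(verifying_as)
    return token is not None and hmac.compare_digest(token, _token(key, packet))

if __name__ == "__main__":
    pkt = {"src": "10.1.2.3", "dst": "192.168.5.6", "payload": b"hello"}
    ok = stamp(pkt, "AS100", ["AS100", "AS300", "AS200"])
    print(verify_at(ok, "AS300"), verify_at(ok, "AS200"))  # True True
    # A host in AS300 claims an AS100 address: AS300's router stamps with
    # AS300's keys, but AS200 checks with the AS100/AS200 key and rejects it.
    print(verify_at(stamp(pkt, "AS300", ["AS300", "AS200"]), "AS200"))  # False
```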


Xiaowei Yang is an assistant professor in the Department of Computer Science at Duke University and a recipient of an NSF CAREER award. She received a PhD and an MS in Computer Science from the Massachusetts Institute of Technology, and a BE in Electronic Engineering from Tsinghua University, Beijing, China.