Capability-based DoS Defense

by
Xiaowei Yang

Denial of Service (DoS) attacks have become a serious security concern over the past several years. These attacks are fundamentally difficult to tackle because they are a network problem: by the time DoS traffic arrives at a host, the attack has already succeeded, since the host's link and resources are consumed whether or not the host chooses to process the packets.

In this talk, I will describe a capability-based network architecture that can effectively fend off DoS attacks. Capabilities translate a destination's access control policy into network filtering actions. A destination grants capabilities to the senders it wishes to hear from; those senders then include valid capabilities in the packets they send. The network forwards traffic only when it carries a valid capability and drops the rest, thereby shielding the destination from unwanted traffic before it reaches the destination's link.
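To make the three roles concrete (destination decides, senders carry, network enforces), here is a small simulation added for this page; it is not the talk's own design and the specific construction is an assumption. Each router keeps a secret key and stamps a capability request with a MAC bound to (source, destination, expiry); the destination returns that stamp only to senders its policy allows; the router later forwards a data packet only if the attached value matches a fresh MAC over the same fields and the expiry has not passed. Addresses, the router key and the policy are constructed for the example.

```python
"""Toy capability-based DoS filter (added example, not the talk's architecture).

Assumed realization: a per-router HMAC over (src, dst, expiry) serves as the
capability. The destination never learns the router key; it merely decides
whether to hand the router's stamp back to the requesting sender.
"""
import hashlib
import hmac


class Router:
    """Network element that stamps requests and filters data packets."""

    def __init__(self, secret: bytes):
        self.secret = secret  # per-router key; it never leaves the router

    def _mac(self, src: str, dst: str, expiry: int) -> bytes:
        msg = f"{src}|{dst}|{expiry}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def stamp_request(self, req: dict) -> dict:
        """Request channel: attach a pre-capability bound to (src, dst, expiry).

        A deployment must rate-limit this channel so that requests alone
        cannot flood the destination; that limiter is omitted here.
        """
        return {**req, "precap": self._mac(req["src"], req["dst"], req["expiry"])}

    def forward(self, pkt: dict, now: int) -> bool:
        """Data channel: forward only packets with a valid, unexpired capability."""
        cap = pkt.get("cap")
        if cap is None or now > pkt["expiry"]:
            return False
        expected = self._mac(pkt["src"], pkt["dst"], pkt["expiry"])
        return hmac.compare_digest(cap, expected)


class Destination:
    """Host whose access-control policy decides who receives a capability."""

    def __init__(self, allowed_sources):
        self.allowed = set(allowed_sources)

    def grant(self, req: dict):
        """Hand the router's stamp back only to senders the policy permits."""
        if req["src"] not in self.allowed:
            return None
        return req["precap"]


def simulate(now: int = 100, lifetime: int = 10) -> dict:
    """Run one legitimate sender and several attacker cases through the router.

    Returns a dict mapping each case to whether the router forwarded the packet.
    """
    router = Router(b"constructed-router-secret")      # constructed key
    dst = "203.0.113.1"                                # constructed addresses
    server = Destination(allowed_sources={"10.0.0.5"})  # constructed policy
    expiry = now + lifetime
    results = {}

    # Legitimate sender and an unauthorized sender each request a capability.
    for src in ("10.0.0.5", "10.0.0.9"):
        req = router.stamp_request({"src": src, "dst": dst, "expiry": expiry})
        cap = server.grant(req)
        pkt = {"src": src, "dst": dst, "expiry": expiry, "cap": cap}
        results[src] = router.forward(pkt, now)

    # Attacker guesses a capability instead of obtaining one.
    forged = {"src": "10.0.0.9", "dst": dst, "expiry": expiry, "cap": b"\x00" * 8}
    results["forged"] = router.forward(forged, now)

    # Legitimate capability, but presented after it has expired.
    good = router.stamp_request({"src": "10.0.0.5", "dst": dst, "expiry": expiry})
    stale = {"src": "10.0.0.5", "dst": dst, "expiry": expiry, "cap": server.grant(good)}
    results["expired"] = router.forward(stale, expiry + 1)

    # Holder of a valid capability tries to extend its lifetime in the packet.
    tampered = dict(stale, expiry=expiry + 1000)
    results["tampered"] = router.forward(tampered, now)

    return results


if __name__ == "__main__":
    for case, forwarded in simulate().items():
        print(f"{case:>10}: {'forward' if forwarded else 'drop'}")
```

Only the sender the destination's policy admits gets its packets through; the unauthorized sender, a guessed capability, a stale one and a lifetime-tampered one are all dropped at the router rather than at the host. The point to carry into a real design is the one the abstract makes: the decision is the destination's, but the enforcement happens in the network.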