Bypassing Network Flooding Attacks using FastPass

We describe the design and implementation of FastPass, a next-generation network architecture that thwarts band- width flooding attacks by providing destinations with fine- grained control over their upstream network capacity. Prior attempts to achieve network flood resilience have required destinations to successfully receive an initial unprotected packet (capability-based designs) or have relied upon global cooperation (filtering-based designs). FastPass requires nei- ther. Instead, it allows destinations to distribute crypto- graphic availability tokens to potential senders that instruct routers to prioritize a limited rate of traffic from the sender in the case of network congestion. In contrast to prior ar- chitectures, we show that availability tokens provide two highly desirable DoS resilience properties: (1) hosts capa- ble of identifying legitimate users can quickly communicate regardless of the size of the attack directed against them; and (2) hosts unable to differentiate between legitimate and malicious senders can strictly limit the ability of attackers to overwhelm incoming network capacity. bad users could require senders to commit something of value (e.g., a deposit or proof of work) before they could send traffic at even a low rate. Compared to the Internet's original sender-driven design, this "default off" approach to network forwarding priority places the destination in a significantly more powerful position to defend itself against network flooding attacks, while maintaining the traditional open architecture when no congestion exists. FastPass provides hosts with an efficient and simple mechanism to leverage arbitrary destination-specific poli- cies to prioritize and rate-limit incoming network traffic at routers in the case that links become congested. Each Inter- net destination, a public web-site, corporate VPN server, or a real-time device, can utilize its particular domain knowl- edge about incoming clients to vet incoming traffic while keeping the actual network infrastructure generic to the type of admission control performed. Furthermore, we provide these properties without introducing additional trust or co- operation requirements beyond what is assumed in today's Internet. At a high level, FastPass enabled destinations distribute small (80 bytes) availability tokens to clients who are in- vited to open a connection to the server. Tokens are efficient cryptographic signatures created with the destination's pri- vate key. The corresponding public key is distributed with the destination's routing advertisements so that it reaches all Internet routers to be used for token verification. Tokens can be provided to the clients in advance or via an out-of-band channel. Potential token distribution mechanisms include: • A user obtains a token from a large, distributed token provider, similar to today's content delivery networks. While the service being protected may be difficult to split or copy, token granting can easily be replicated and distributed for DDoS resilience. • After a customer makes a purchase, an e-commerce site supplies the client host with a supply of tokens guaranteeing future access to the site at a limited rate. • An online brokerage customer obtains a cryptographic authentication dongle from the company in order to securely access her account. The user's computer se- curely obtains a token from this dongle.