{"title":"DoCile: Taming Denial-of-Capability Attacks in Inter-Domain Communications","authors":"Marc Wyss, Giacomo Giuliari, M. Legner, A. Perrig","doi":"10.1109/IWQoS54832.2022.9812889","DOIUrl":null,"url":null,"abstract":"In recent years, much progress has been made in the field of Internet bandwidth reservation systems. While early designs were neither secure nor scalable, newer proposals promise attack resilience and Internet-wide scalability by using cryptographic access tokens (capabilities) that represent permissions to send at a guaranteed rate. Once a capability-based bandwidth reservation is established, the corresponding traffic is protected from both naturally occurring congestion and distributed denial-of-service attacks, with positive consequences on the end-to-end quality of service (QoS) of the communication. However, high network utilization—possibly caused by adversaries—can still preclude the initial unprotected establishment of capabilities. To prevent such denial-of-capability (DoC) attacks, we present DoCile, a framework for the protection of capability establishment on Internet paths, irrespective of network utilization. We believe that DoCile, deployed alongside a capability-based bandwidth reservation system, can be the foundation of the next generation of secure and scalable QoS protocols.","PeriodicalId":353365,"journal":{"name":"2022 IEEE/ACM 30th International Symposium on Quality of Service (IWQoS)","volume":"45 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE/ACM 30th International Symposium on Quality of Service (IWQoS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IWQoS54832.2022.9812889","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1