ASTVA: DDoS-Limiting Architecture for Next Generation Internet



Security is an important consideration in the next generation Internet, where Distributed Denial of Service (DDoS) attacks remain a serious threat, especially once the Internet of Things is taken into account. Among DDoS defenses, the capability-based Traffic Validation Architecture (TVA) is an excellent candidate. However, it has shortcomings that limit its practicality: its capabilities impose a large overhead, and some DoS attacks can evade it. To overcome these problems, we propose an autonomic-system-based architecture, ASTVA, which creates and verifies capabilities using the autonomic system as the basic defense unit. In ASTVA, two kinds of sub-capabilities are provided, and several system security levels are defined by mixing the two kinds of sub-capabilities; several key parameters are adjusted dynamically to enhance system flexibility; and an anti-shrew function is added to TVA to make it more robust against low-rate DoS attacks. Finally, we present several simulation tests whose results show that ASTVA is more robust and flexible than TVA and is more practical for real-world security.



Advanced Materials Research (Volumes 542-543)

Edited by: Runhua Tan, Jibing Sun and Qingsuo Liu




W. Wei et al., "ASTVA: DDoS-Limiting Architecture for Next Generation Internet", Advanced Materials Research, Vols. 542-543, pp. 1275-1281, 2012

Online since: June 2012



