David G. Andersen
4th Usenix Symposium on Internet Technologies and Systems, Seattle, WA, March 2003
Mayday is an architecture that combines
overlay networks with lightweight packet filtering
to defend against denial of service attacks.
The overlay nodes perform client authentication and
protocol verification, and then relay the requests
to a protected server. The server is protected from
outside attack by simple packet filtering rules
that can be efficiently deployed even in backbone
routers.
Mayday generalizes earlier work on Secure Overlay Services.
Mayday improves upon this prior work by
separating the overlay routing and the filtering,
and providing a more powerful set of choices
for each.
Through this generalization,
Mayday supports several different schemes that provide different
balances of security and performance,
and supports mechanisms that achieve
better security or better performance than earlier systems.
To evaluate both Mayday and
previous work, we also present several practical attacks,
two of them novel, that are effective against filtering-based systems.
Bibtex Entry:
@inproceedings{andersen2003mayday,
  author = "David G. Andersen",
  title = "{Mayday: Distributed Filtering for Internet Services}",
  booktitle = {4th Usenix Symposium on Internet Technologies and Systems},
  year = {2003},
  month = {March},
  address = {Seattle, WA}
}