FastPass: An Internet Architecture Resilient to Network DDoS

Dan Wendlandt, Dave G. Andersen, Adrian Perrig

Overview of Fastpass

FastPass is a next-generation network architecture that thwarts bandwidth flooding attacks by providing destinations with fine-grained control over their upstream network capacity. Prior attempts to achieve network flood resilience have required destinations to successfully receive an initial unprotected packet (capability-based designs) or have relied upon global cooperation (filtering-based designs). FastPass requires neither. Instead, it allows destinations to distribute cryptographic availability tokens to potential senders that instruct routers to prioritize a limited rate of traffic from the sender in the case of network congestion. In contrast to prior architectures, we show that availability tokens provide two highly desirable DoS resilience properties: (1) hosts capable of identifying legitimate users can quickly communicate regardless of the size of the attack directed against them; and (2) hosts unable to differentiate between legitimate and malicious senders can strictly limit the ability of attackers to overwhelm incoming network capacity.

In Fall 2006, Masters students George Nychis, Priya Sankaralingam, and Gaurang Sardesai have begun implementing a significant part of Fastpass router functionality in hardware on the Intel IXP Network Processor . See the documents below.

Documents & Slides

Hardware Implementation Presentation (11/2006)

Hardware Implementation Design (9/2006)

Updated and Short Version (5/2006)

Full CyLab Tech Report (3/2006)

Early & Outadated FastPass presentation (1/2006)

Source Code

Our latest source release is available below. It includes Click elements (and scripts to generate configs using them) for both the router and endhost functionality related to FastPass. Additionally, there are utilities for generating keys, making tokens, and validating tokens without Click, and simple TCP and UDP servers to provide connecting clients with tokens.

Currently, the user-level implementation is complete. Each directory has an associated README, but an overall document describing the code, the build process, and how to run experiments is in the works.

All code is open-source under the GPL License


This page was last updated 11/14/2006