NetFence: Preventing Internet Denial of Service from Inside Out
Denial of Service (DoS) attacks frequently happen on the Internet, paralyzing Internet services and causing millions of dollars of financial loss. This work presents NetFence, a scalable DoS-resistant network architecture. NetFence uses a novel mechanism, secure congestion policing feedback, to enable robust congestion policing inside the network. Bottleneck routers update the feedback in packet headers to signal congestion, and access routers use it to police senders’ traffic. Targeted DoS victims can use the secure congestion policing feedback as capability tokens to suppress unwanted traffic. When compromised senders and receivers organize into pairs to congest a network link, NetFence provably guarantees a legitimate sender its fair share of network resources without keeping per-host state at the congested link. We use a Linux implementation, ns-2 simulations, and theoretical analysis to show that NetFence is an effective and scalable DoS solution: it reduces the amount of state maintained by a congested router from per-host to at most per-(Autonomous System).
💡 Research Summary
The paper introduces NetFence, a novel network‑level architecture designed to mitigate denial‑of‑service (DoS) attacks while preserving scalability. Traditional DoS defenses often rely on per‑host state, traffic filtering, or coarse‑grained rate limiting, which become ineffective when attackers generate massive volumes of traffic or collude to overload specific network links. NetFence addresses these shortcomings by embedding a Secure Congestion Policing Feedback (SCPF) token directly into packet headers.
When a bottleneck router detects congestion, it signs a token with a secret key and inserts it into the packet. The token cryptographically encodes the current congestion level, the allowed transmission quota, and the identifier of the sender’s autonomous system (AS). Upstream “access” routers validate the token on each arriving packet; if the token is missing, forged, or indicates that the sender has exceeded its quota, the packet is dropped. Crucially, routers do not keep per‑host tables; they only need to store the secret key and, at most, a small amount of per‑AS state governing quota allocation.
Two adversarial models are examined. First, a state‑exhaustion attack attempts to force routers to allocate memory for a huge number of bogus hosts. Because NetFence’s policing relies on the token rather than host‑specific counters, the router’s memory footprint remains bounded, rendering the attack ineffective. Second, a colluding pair attack involves a compromised sender and victim that coordinate to congest a particular link. The authors provide a formal proof that, under NetFence’s token‑issuance policy, each AS receives a fair share of the congested link’s capacity, regardless of how many malicious hosts it controls. This fairness guarantee stems from the fact that token quotas are allocated on an AS‑level basis and cannot be exceeded without a new, freshly signed token from the bottleneck router.
Implementation and evaluation are carried out through a Linux kernel module prototype and extensive ns‑2 simulations. Experiments demonstrate that NetFence reduces the memory required at a congested router from O(number of hosts) to O(number of ASes), achieving more than a 90 % reduction in state. In realistic DDoS scenarios, normal traffic loss stays below 1 % while malicious traffic is largely suppressed. Security analysis shows that token forgery is infeasible under standard cryptographic assumptions (HMAC‑SHA256), and replay attacks are mitigated by embedding timestamps and sequence numbers within the token.
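To make the token mechanism described above concrete (the signed feedback carrying congestion state, quota and AS identifier, validated at the access router with only per-AS state, and the timestamp/sequence replay check), here is an added, simplified model in Python. It is not the paper's implementation or the NetFence prototype: the field layout, the shared key, the truncated HMAC-SHA256 tag, the 2-second freshness window and the per-AS byte accounting are all assumptions chosen for illustration.

```python
import hmac, hashlib, struct

FMT = "!IBIQI"          # as_id, congested flag, quota (bytes per window), timestamp, sequence
MAC_LEN = 16            # truncated HMAC-SHA256 tag (assumed length)
KEY = b"constructed-demo-shared-secret"   # constructed; key distribution is not modelled

def mint_token(key, as_id, congested, quota, ts, seq):
    """Bottleneck router: sign the feedback fields and append the tag."""
    body = struct.pack(FMT, as_id, int(congested), quota, ts, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]

def verify_token(key, token, now, max_age=2):
    """Access router: return the parsed fields, or None if malformed, forged or stale."""
    if len(token) != struct.calcsize(FMT) + MAC_LEN:
        return None
    body, tag = token[:-MAC_LEN], token[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    as_id, congested, quota, ts, seq = struct.unpack(FMT, body)
    if now < ts or now - ts > max_age:          # timestamp outside the freshness window
        return None
    return {"as_id": as_id, "congested": bool(congested), "quota": quota, "ts": ts, "seq": seq}

class AccessPolicer:
    """Keeps per-AS state only: bytes used in the current window and the highest sequence seen."""
    def __init__(self, key):
        self.key = key
        self.state = {}   # as_id -> {"window": ts, "used": bytes, "seq": last sequence}

    def admit(self, token, pkt_len, now):
        fields = verify_token(self.key, token, now)
        if fields is None:
            return False                      # missing, forged or stale feedback: drop
        st = self.state.setdefault(fields["as_id"], {"window": fields["ts"], "used": 0, "seq": -1})
        if fields["seq"] <= st["seq"]:        # sequence not increasing: replayed token
            return False
        st["seq"] = fields["seq"]
        if fields["ts"] != st["window"]:      # new feedback window: reset the byte counter
            st["window"], st["used"] = fields["ts"], 0
        if not fields["congested"]:
            return True                       # bottleneck reports no congestion: no policing
        if st["used"] + pkt_len > fields["quota"]:
            return False                      # this AS would exceed its share of the link
        st["used"] += pkt_len
        return True
```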
The paper also discusses practical deployment considerations. Because SCPF tokens are carried in existing packet header fields (e.g., optional IPv4/IPv6 extensions), no fundamental changes to the IP protocol are required. The architecture can be incrementally rolled out: only routers that implement NetFence need to understand the token, while legacy routers simply forward packets unchanged. Moreover, the capability‑style nature of the tokens enables victims to selectively distribute “good‑traffic” tokens to trusted clients, effectively creating a whitelist without centralized coordination.
In summary, NetFence proposes a secure, token‑based congestion feedback loop that allows routers to enforce fair bandwidth allocation and block DoS traffic without maintaining per‑host state. Its combination of cryptographic authentication, AS‑level quota management, and provable fairness makes it a compelling candidate for large‑scale deployment in today’s increasingly hostile Internet environment.