As the Internet plays a significant role in all facets of our lives, network security has become an important problem. Security and performance have long been thought to be orthogonal, or perhaps even opposing, goals. In this talk, I will discuss two areas where feedback from network performance can bring improved availability, one of the classical security properties.
First, I will describe MiddlePolice, an approach that mitigates volumetric DDoS attacks, which overwhelm the bandwidth of a destination and are amongst the most common DDoS attacks today. Most previous work either scrubs DDoS traffic inside the cloud using a one-size-fits-all scrubbing algorithm, or uses network capabilities that restrict source sending rates to levels the receiver consents to, but which require the network itself to enforce these capabilities. MiddlePolice seeks the best of both worlds: the deployability of DDoS-protection-as-a-service solutions and the destination-based control of network capability systems. I will present results showing that, by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies while requiring no deployment from unrelated parties.
Second, I will describe Secure MAC, a Medium Access Control protocol that is resilient to adversarial attacks. A Medium Access Control protocol is designed to help wireless transmitters avoid simultaneous transmission, increasing the system capacity by improving the signal-to-noise ratio. Previous MAC work considered a model in which all stations are selfish; the Nash equilibrium there is that all stations transmit simultaneously. We consider a different model, in which most nodes are legitimate and protocol-compliant, while the remaining nodes are malicious and aim to minimize the capacity of the legitimate nodes. Despite this, we develop a MAC that converges to the best-possible performance under these circumstances; that is, we eventually relegate the malicious insider adversaries to outsider attackers that have no knowledge of the MAC layer in use.