Technical Report

Abstract or Description

Distributed Denial-of-Service (DDoS) attacks typically originate from exploited endhosts controlled by a remote attacker. Current network-based DDoS defenses can only filter out malicious traffic based on the traffic’s inherent properties; they cannot filter based on properties of the endhost that generated the traffic. We observe that the identity of the code that has generated a packet offers powerful predicates for filtering, and we develop a secure, general architecture, Assayer, for in-network filtering based on endhost properties. Our proposed Assayer architecture leverages hardware-based attestation mechanisms to enable legitimate endhosts to embed secure proofs of code identity in packets. Receivers can specify traffic policies, which are enforced by on-path prioritizers. We design Assayer to achieve scalability, efficiency, and incremental deployability. We implement and evaluate a basic Assayer prototype and find that the perceived application overhead, felt only during periods of significant network congestion, is less than 12%. Our simulations indicate that our architecture, even when deployed only at the victim’s ISP, provides excellent protection against a botnet of 100,000 attacking hosts.