Cookies along trust-boundaries (CAT): accurate and deployable flood protection

Packet floods targeting a victim’s incoming bandwidth are notoriously difficult to defend against. While a number of solutions have been proposed, such as network capabilities, thirdparty traffic scrubbing, and overlay-based protection, most suffer from drawbacks that limit their applicability in practice. We propose CAT, a new network-based flood protection scheme. In CAT, all flows must perform a three-way handshake with an in-network element to obtain permission to send data. The three-way handshake dissuades source spoofing and establishes a unique handle for the flow, which can then be used for revocation by the receiver. CAT offers the protection qualities of network capabilities, and yet does not require major architectural changes. 1