FastPass: Providing First-Packet Delivery

This paper introduces FastPass, an architecture that thwarts flooding attacks by providing destinations with total control over their upstream network capacity. FastPass explores an extreme design point, providing complete resistance to directed flooding attacks. FastPass builds upon prior work on network capabilities and addresses the oft-noted problem that in such schemes, a sender must first get one packet through with no protection against DoS. FastPass provides cryptographic availability tokens to senders that routers verify before expiditing their delivery. We present two variants of the tokens. The first uses light-weight public key cryptography and is practical in high-speed routers with modest hardware additions. The second uses a symmetric hashchaining scheme and is easily implemented in software. In sharp contrast to prior systems, our evaluation shows that hosts using FastPass can quickly communicate regardless of the size of the attack directed against the nodes.