Lightweight Internet Bandwidth Allocation and Isolation with Fractional Fair Shares
Marc Wyss
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Network Security
Today's internet has no mechanism to enforce fair bandwidth allocation -- aggressive congestion control algorithms dominate quieter ones, and volumetric DDoS attackers disregard all congestion signals entirely. While enforcing fairness directly in network routers has been a long-standing vision, existing systems either provide modest security with easy deployment or strong security with complex deployment. This talk presents **Fractional Fair Shares (FFS)**, a cryptography-free algorithm that enforces fair bandwidth allocations directly in the network, providing communication guarantees even under **volumetric DDoS attacks** and **address spoofing attacks**.
AI review
A clean network architecture contribution that enforces fair bandwidth allocation without cryptography. The probabilistic forwarding approach is elegant, the formal security proofs are rigorous, and the 160 Gbps DPDK implementation proves practicality. However, this is network engineering rather than security research -- no new attack techniques, no vulnerabilities discovered, and the real-world deployment challenges (ISP adoption incentives, fairness matrix configuration) are handwaved.