This paper generalizes the firewall concept of filtering/authorizing
traffic to a host/organization. SOS is an overlay network that pushes the
firewall boundary "deep into the network." This can be used prevent DoS
attacks by filtering them out at more capable routers, i.e., since the
firewall boundary is closer to the core of the network, routers can easily
handle DoS proportions of traffic. The SOS overlay has a set of SOAP's, or
access points that receive packets from authorized senders. Packets are
routed to beacons, which are then forwarded to "secret servlets" and then
finally to the end host.

The main contributions of this paper are:
Overview of an overlay architecture to prevent certain kinds of DoS
attacks.
Detailed analysis on how various parameters would affect the performance
and security
Shows how current "off the shelf" protocols can be used to implement such
a system.

Some of the issues raised:
It seems interesting that the paper is so high level, and only mentions
actual security technologies in passing. The scenarios that were analyzed
seem far too unrealistic with respect to no. of nodes. Tens or a few
hundred nodes would have been more realistic to study. Also, there were
concerns about the scalability of the system. Especially since there will
be state explosion at the SOS routers if it is shared by multiple servers.
This is akin to the shared multicast tree problem.

SR 0, WR 3, WA 2, SA 2