Self-Routing Denial-of-Service Resistant Capabilities Using In-packet Bloom Filters

Christian Esteve Rothenberg, P. Jokela, P. Nikander, M. Sarela, J. Ylitalo
Published in: 2009 European Conference on Computer Network Defense, 2009-11-09
DOI: 10.1109/EC2ND.2009.14 (https://doi.org/10.1109/EC2ND.2009.14)
Citations: 60

Abstract

In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e. define which path the packet should take, and as capabilities, i.e. effectively allowing the forwarding nodes along the path to enforce a security policy where only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e. link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional in-packet flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups, which have been traded off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures.
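
A minimal sketch of the mechanism the abstract describes, added here as an illustration and not taken from the paper: each forwarding node recomputes its link names from a time-based secret and the flow identifier, then tests them against the in-packet Bloom filter, so the filter works as an expirable, flow-bound capability without per-flow state. The HMAC-SHA-256 derivation, filter width, number of bit positions, epoch length, previous-epoch tolerance, and all names and sample values are assumptions.

```python
import hashlib
import hmac

M_BITS = 256      # in-packet filter width (assumed)
K_HASHES = 5      # bit positions set per link name (assumed)
EPOCH_SECS = 60   # lifetime of the time-based secret (assumed)

# Constructed sample values: per-node secrets and a flow identifier derived
# from invariant packet contents.
R1, R2 = b"r1-secret-constructed", b"r2-secret-constructed"
FLOW = hashlib.sha256(b"src=A dst=B invariant-contents").digest()[:8]


def link_mask(node_secret: bytes, link: str, flow_id: bytes, epoch: int) -> int:
    """Derive the Bloom mask of one link name for this flow and epoch."""
    epoch_key = hmac.new(node_secret, epoch.to_bytes(8, "big"),
                         hashlib.sha256).digest()
    mask = 0
    for i in range(K_HASHES):
        tag = hmac.new(epoch_key, bytes([i]) + link.encode() + b"\x00" + flow_id,
                       hashlib.sha256).digest()
        mask |= 1 << (int.from_bytes(tag[:4], "big") % M_BITS)
    return mask


def build_filter(path, flow_id: bytes, now: int) -> int:
    """Path setup: OR together the masks of every (node_secret, link) hop."""
    epoch = now // EPOCH_SECS
    bloom = 0
    for node_secret, link in path:
        bloom |= link_mask(node_secret, link, flow_id, epoch)
    return bloom


def forward(node_secret: bytes, links, bloom: int, flow_id: bytes, now: int):
    """Stateless forwarding decision made with no table lookup: recompute each
    candidate link name and test it against the in-packet filter. The previous
    epoch is also accepted to tolerate loosely synchronized clocks."""
    epoch = now // EPOCH_SECS
    out = []
    for link in links:
        for e in (epoch, max(epoch - 1, 0)):
            mask = link_mask(node_secret, link, flow_id, e)
            if (bloom & mask) == mask:
                out.append(link)
                break
    return out
```

A filter built for one flow matches only that flow's link names for the current and previous epoch; a different flow identifier or a later epoch yields different bit positions and the packet is not forwarded, apart from the Bloom filter's small false-positive probability.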