EC: an edge-based architecture against DDoS attacks and malware spread

R. Karrer
Published in: 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06)
Publication date: 2006-04-18
DOI: 10.1109/AINA.2006.159 (https://doi.org/10.1109/AINA.2006.159)
Citations: 10

Abstract

The ability to limit unsolicited traffic in the Internet is important to defy DDoS attacks and to contain the spread of worms and viruses. The concept of capabilities, which requires that sources must acquire tokens prior to sending data, has been successfully applied on an end-to-end basis to protect end systems. In this paper, we propose edge-based capabilities (EC), an architecture that prevents DDoS attacks and malware spread at the edge. EC introduces a novel network element termed a gate. The gate controls IP packets that have previously been authenticated by an end-to-end mechanism. Authenticated traffic carries a session-specific tag in the IP header. Packets with valid tags are forwarded by the gate, whereas traffic without tags or with wrong tags is treated with low priority or even dropped. EC achieves efficiency and scalability by defining a single lock against which tags are compared, removing the need to store per-flow information in the gate. Compared to related proposals, EC is easy to deploy, as the gate can be added incrementally and EC requires only a single network element to be added at the edge.