Lightweight source authentication and path validation

Kim, Tiffany Hyun-Jin; Băsescu, Cristina; Jia, Limin; Lee, Soo Bum; Hu, Yih-Chun; Perrig, Adrian

doi:10.1145/2740070.2626323

Cited by 41 publications

(73 citation statements)

References 29 publications

(29 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although our work is not comparable with other software switching proposals for today's networks (e.g., IP or SDN) [16,18,19], our design and implementation can prove beneficial to proposals, such as IC-ING [20] and OPT [21], that leverage symmetric-key cryptography on the data plane.…”

Section: Related Workmentioning

confidence: 96%

See 1 more Smart Citation

Source-Based Path Selection

Lee

Pappas

Băsescu

et al. 2015

The 10th International Conference on Future Internet

Self Cite

View full text Add to dashboard Cite

In source-based path selection, the sender chooses the path to the destination from a set of available paths and embeds the forwarding information in the packets. Future Internet proposals have employed this scheme to realize the benefits of source routing without the inherent scalability problems of path computation at the source. Furthermore, to address the security concerns of packet-carried forwarding state, these proposals leverage cryptographic primitives (e.g., Message Authentication Codes) per packet in the data plane. However, the implications on the forwarding performance of these novel routing schemes have not been studied in detail.In this paper, we study the data plane of source-based path selection schemes. We take SCION-a future Internet proposal-as an example and sketch its data plane implementation. We implement a software switch that can forward up to 140 million minimum-sized packets per second (limited by the hardware I/O subsystem) and can achieve line-rate throughput of 120 Gbps.

show abstract

Section: Related Workmentioning

confidence: 96%

“…OPT [21] proposes light-weight protocols for source authentication and path validation. OPT also leverages symmetric-key cryptography at each router to generate a local secret key per packet and perform MAC computations.…”

Section: Related Workmentioning

confidence: 99%

Source-Based Path Selection

Lee

Pappas

Băsescu

et al. 2015

The 10th International Conference on Future Internet

Self Cite

View full text Add to dashboard Cite

show abstract

“…Umbrella maintains per-sender state in the congestion resolving layer, and consequently relies on the correctness of source addresses. Such correctness can be assured by the more complete adoption of Ingress Filtering [25], [26] or the source authentication schemes [27], [28]. On our way to achieve complete spoof elimination 1 , Umbrella requires victim's additional participation to minimize the chance of source spoofing.…”

Section: A Problem Spacementioning

confidence: 99%

Umbrella: Enabling ISPs to Offer Readily Deployable and Privacy-Preserving DDoS Prevention Services

Liu

Cao

Zhu

et al. 2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industrial interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure witness little real-world deployment. On the other hand, the operation model for existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy invasive for large organizations (e.g., government). In this paper, we present Umbrella, a new DDoS defense mechanism enabling Internet Service Providers (ISPs) to offer readily deployable and privacypreserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aiming to prevent sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed to receive their fair shares regardless of attackers' strategies; and finally the user-specific layer allows DDoS victims to enforce selfdesired traffic control policies that best satisfy their business requirements. Based on Linux implementation, we demonstrate that Umbrella is capable to deal with large scale attacks involving millions of attack flows, meanwhile imposing negligible packet processing overhead. Further, our physical testbed experiments and large scale simulations prove that Umbrella is effective to mitigate various DDoS attacks.

show abstract

“…According to Equation 19 and the fact that α 1.0 decreases fast as the n (k) decreases by the factor of m, P worst (m, n (k) , α) for n (k) < n γ does not affect the product much for the most of α values. Therefore, we can approximate P r worst (A α ) as follows: , when n < nγ (20) , where size of {k|n (k) ≥ n γ } is log m (n/n γ ) + 1, because n (k) = n (k−1) /m. According to Theorem 2, approximately P worst (m, n, α) ≥ 1−Q(K, n m ) where K = n m + 2 n m log n − α .…”

Section: C2 Proof Sketch For Rlfd Total Detection Probabilitymentioning

confidence: 99%

CLEF: Limiting the Damage Caused by Large Flows in the Internet Core

Hsiao

Asoni

et al. 2018

Cryptology and Network Security

Self Cite

View full text Add to dashboard Cite

2[0000−0002−5100−1519] , Hsu-Chun Hsiao 3[0000−0001−9592−6911] , Daniele E. Asoni 4[0000−0001−5699−9237] , Simon Scherrer 4[0000−0001−9557−1700] , Adrian Perrig 4[0000−0002−5280−5412] , and Yih-Chun Hu 1[0000−0002−7829−3929]Abstract. The detection of network flows that send excessive amounts of traffic is of increasing importance to enforce QoS and to counter DDoS attacks. Large-flow detection has been previously explored, but the proposed approaches can be used on high-capacity core routers only at the cost of significantly reduced accuracy, due to their otherwise too high memory and processing overhead. We propose CLEF, a new large-flow detection scheme with low memory requirements, which maintains high accuracy under the strict conditions of high-capacity core routers. We compare our scheme with previous proposals through extensive theoretical analysis, and with an evaluation based on worst-case-scenario attack traffic. We show that CLEF outperforms previously proposed systems in settings with limited memory.Keywords: Large-flow detection, damage metric, memory and computation efficiency 5 As in prior literature [15,42], the term large flow denotes a flow that sends more than its allocated bandwidth. arXiv:1807.05652v1 [cs.NI] 16 Jul 2018 (2) * c 168.6 63.75 31.92 26.56 21.96 10.68 7.59 * Time unit is second.

show abstract

Lightweight source authentication and path validation

Cited by 41 publications

References 29 publications

Source-Based Path Selection

Source-Based Path Selection

Umbrella: Enabling ISPs to Offer Readily Deployable and Privacy-Preserving DDoS Prevention Services

CLEF: Limiting the Damage Caused by Large Flows in the Internet Core

Contact Info

Product

Resources

About