1,040 research outputs found
Towards Loop-Free Forwarding of Anonymous Internet Datagrams that Enforce Provenance
The way in which addressing and forwarding are implemented in the Internet
constitutes one of its biggest privacy and security challenges. The fact that
source addresses in Internet datagrams cannot be trusted makes the IP Internet
inherently vulnerable to DoS and DDoS attacks. The Internet forwarding plane is
open to attacks to the privacy of datagram sources, because source addresses in
Internet datagrams have global scope. The fact an Internet datagrams are
forwarded based solely on the destination addresses stated in datagram headers
and the next hops stored in the forwarding information bases (FIB) of relaying
routers allows Internet datagrams to traverse loops, which wastes resources and
leaves the Internet open to further attacks. We introduce PEAR (Provenance
Enforcement through Addressing and Routing), a new approach for addressing and
forwarding of Internet datagrams that enables anonymous forwarding of Internet
datagrams, eliminates many of the existing DDoS attacks on the IP Internet, and
prevents Internet datagrams from looping, even in the presence of routing-table
loops.Comment: Proceedings of IEEE Globecom 2016, 4-8 December 2016, Washington,
D.C., US
A survey of defense mechanisms against distributed denial of service (DDOS) flooding attacks
Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack. © 1998-2012 IEEE
FAIR: Forwarding Accountability for Internet Reputability
This paper presents FAIR, a forwarding accountability mechanism that
incentivizes ISPs to apply stricter security policies to their customers. The
Autonomous System (AS) of the receiver specifies a traffic profile that the
sender AS must adhere to. Transit ASes on the path mark packets. In case of
traffic profile violations, the marked packets are used as a proof of
misbehavior.
FAIR introduces low bandwidth overhead and requires no per-packet and no
per-flow state for forwarding. We describe integration with IP and demonstrate
a software switch running on commodity hardware that can switch packets at a
line rate of 120 Gbps, and can forward 140M minimum-sized packets per second,
limited by the hardware I/O subsystem.
Moreover, this paper proposes a "suspicious bit" for packet headers - an
application that builds on top of FAIR's proofs of misbehavior and flags
packets to warn other entities in the network.Comment: 16 pages, 12 figure
- …