Similar literature
20 similar documents found
1.
A novel deterministic packet marking (DPM) for IP traceback against denial of service (DoS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a hash of its IP address and splits the hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marking router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too many packets are required to recover a router and a high false positive rate occurs in the case of large-scale DDoS attacks. Theoretical analysis, the pseudo code and experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.

2.
An attractive target for a computer system attacker is the router. An attacker in control of a router can disrupt communication by dropping or misrouting packets passing through the router. We present a protocol called WATCHERS which detects and reacts to routers that drop or misroute packets. WATCHERS is based on the principle of conservation of flow in a network: all data bytes sent into a node, and not destined for that node, are expected to exit the node. WATCHERS tracks this flow, and detects routers that violate the conservation principle. We show that WATCHERS has several advantages over existing network monitoring techniques. We discuss WATCHERS' response to several different types of bad router behavior. We demonstrate that in ideal conditions WATCHERS makes no false positive diagnoses, and we describe how WATCHERS can be tuned to perform nearly as well in realistic conditions. Also, we argue that WATCHERS' impact on router performance and WATCHERS' memory requirements are reasonable for many environments.

3.
Defense Against Spoofed IP Traffic Using Hop-Count Filtering
IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and to preventing them from becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF), which builds an accurate IP-to-hop-count (IP2HC) mapping table to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.

4.
Misbehaving, non-congestion-reactive traffic is on the rise in the Internet. One way to control misbehaving traffic is to enforce local fairness among flows. Locally fair policies, such as fair-queueing and other fair AQM schemes, are inadequate to simultaneously control misbehaving traffic and provide high network utilization. We thus need to enforce globally fair bandwidth allocations. However, such schemes have typically been stateful and complex to implement and deploy. In this letter, we present a low-state, lightweight scheme based on stateless fair packet marking at network edges followed by RIO queueing at core nodes, to control misbehaving flows with more efficient utilization of network bandwidth. Additionally, with low-state feedback from bottleneck routers, we show that, in practice, we can approximate global max-min fairness within an island of routers. We show, using simulations, that we can indeed control misbehaving flows and provide more globally fair bandwidth allocation.

5.
We introduce an all-optical WDM packet communication network that performs wavelength bypassing at the routers. Packets that arrive at a wavelength (optical cross-connect) router at designated wavelengths are switched by the router without having their headers examined. Thus, the processing element of the router is bypassed by such packets. For packet traffic that uses wavelengths that do not bypass a switch, the headers of such packets are examined to determine if this switch is the destination for the flow. If the latter is the case, the packet is removed. Otherwise, the packet is switched to a pre-determined output without incurring (network internal) queueing delays. We study a ring network with routers that employ such a WDM bypassing scheme. We present methods to construct wavelength graphs that define the bypassing pattern employed by the routers to guide the traffic flows distributed at each given wavelength. Performance is measured in terms of the network throughput and the average processing path length (i.e., the average number of switches not being bypassed). For a fixed total processing capacity, we show that a WDM bypassing ring network provides a higher throughput level than that exhibited by a non-bypassing ring network, using the same value of total link capacity. By using WDM bypassing, the average processing path length (and thus the packet latency) is reduced. We study a multitude of network loading configurations, corresponding to distinct traffic matrices and client-server scenarios. Higher throughput levels are obtained for network configurations driven by non-uniform traffic matrices. The demonstrated advantages of WDM bypassing methods shown here for WDM ring networks are also applicable to more general network topological layouts.

7.
Today's Internet hosts are threatened by large-scale distributed denial-of-service (DDoS) attacks. The path identification (Pi) DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per packet basis with high accuracy after only a few attack packets are received (Yaar, 2003). In this paper, we propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: Stack-based marking and write-ahead marking. Our scheme almost completely eliminates the effect of a few legacy routers on a path, and performs 2–4 times better than the original Pi scheme in a sparse deployment of Pi-enabled routers. For the filtering mechanism, we derive an optimal threshold strategy for filtering with the Pi marking. We also develop a new filter, the PiIP filter, which can be used to detect Internet protocol (IP) spoofing attacks with just a single attack packet. Finally, we discuss in detail StackPi's compatibility with IP fragmentation, applicability in an IPv6 environment, and several other important issues relating to potential deployment of StackPi.

8.
Gibbens R., Key P. IEEE Network, 2001, 15(3): 54-59
We present a method for creating differential QoS where control is in the hands of the end system or user, and the network distributes congestion feedback information to users via packet marking at resources. Current proposals for creating differential QoS in the Internet often rely on classifying packets into a number of classes with routers treating different classes appropriately. The router plays a critical role in guaranteeing performance. In contrast, there is a growing body of work that seeks to place more of the control in the hands of the end system or user, with simple functionality in the router. This is the approach outlined in this tutorial article: using insights from economics and control theory we show how cooperation between end systems and the network can be encouraged using a simple packet marking scheme. The network distributes congestion feedback information to users via packet marking at resources, and users react accordingly to obtain differential QoS.

9.
This paper presents theoretical design, network simulation, implementation, and experimental studies of optical packet routing systems supporting variable-length packets. The optical packet switching network exploits unified contention resolution in core routers in three optical domains (wavelength, time, and space) and in edge routers by traffic shaping. The optical router controller and lookup table, implemented in a field-programmable gate array (FPGA), effectively incorporates the contention resolution scheme with pipelined arbitration of asynchronously arriving variable-length packets. In addition, real-time performance monitoring based on the strong correlation between the bit-error rates of the optical label and those of the data payload indicates its application in optical time-to-live detection for loop mitigations. Successful systems integration resulted in experimental demonstration of the all-optical packet switching system with contention resolution for variable-size packets.

10.
A detailed analytical traffic model for all-optical wavelength division multiplexing (WDM) photonic packet-switched networks is presented and the requirements for buffer size and link dimensions are analyzed. This paper shows that due to the topology, packets may generate traffic bottlenecks produced by a tendency of the routing scheme to send packets with different destinations through preferred paths. This effect increases the traffic load and, hence, the probability of blocking at the output links of specific routers in the network and, therefore, a large buffer depth or an increment in the number of fibers per link is required. Three router architectures are analyzed and it is shown that WDM all-optical router architectures with shared contention resolution resources are the best candidates to reduce hardware volume and cost of all-optical networks. It is shown that routers with a bank of completely shared wavelength converters (WCs) require a fraction of WCs compared to router architectures that use a WC per wavelength. This fraction depends on the location of the router, the network topology, and the traffic load in the network. However, in general terms, about 50% to 90% of WCs can be saved by architectures with shared wavelength-conversion resources. Also, it is shown that limited wavelength conversion degrees d=8 and d=10 in packet-switching routers with 16 and 32 wavelengths give the same probability of packet loss performance as full wavelength conversion.

11.
DDoS attacks, characterized by their great destructive power, ease of execution, and difficulty of detection and tracing, have become one of the hardest problems to handle among network attacks. Attack-source traceback technology is a necessary means of cutting off the attack source, pursuing responsibility, and providing legal evidence. Based on network topology theory, the traffic characteristics of routers, and the architecture of programmable routers, a distributed fast algorithm for tracing DDoS attack sources is proposed. The algorithm can accurately, cooperatively, and efficiently determine the traffic volume at each router; the victim can infer the origin of malicious attack flows from the traffic intensity, and thus rapidly trace back and locate the source of the DDoS attack.

12.
Optical networks have been extensively investigated in recent years to provide high capacity for the Internet traffic. Among them the optical packet-switching network deploying buffering, wavelength conversion and multipath routing could be the most suitable one. It can not only provide high capacity transport for Internet traffic but also achieve high utilization of the network resources. However, due to the packet-oriented routing and switching, such a network can result in a large number of packets arriving at end systems out of order, lost, and/or with various delays, corrupting the TCP flows to which those packets belong. A large number of corrupted flows can increase the burstiness of the Internet traffic and cause higher-layer protocols to malfunction. This paper presents a novel routing and switching method for optical IP networks: flow routing. Without using a complicated control mechanism, flow routing deals with packet flows to reduce the number of corrupted flows. The performance of the wavelength-converted optical flow router is investigated, based on a novel analytical model. A performance metric, good-throughput, is used, measuring the ratio of the number of packets comprised in the non-corrupted flows to the total number of packets. Compared with optical packet-switching routers, a remarkable improvement of good-throughput can be obtained by using optical flow routers. More importantly, using wavelength conversion can greatly improve the good-throughput of optical flow routers.

13.
Distributed denial-of-service (DDoS) attacks pose a significant threat to the Internet. Most solutions proposed to date face scalability problems as the size and speed of the network increase, with no widespread DDoS solution deployed in the industry. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attack packets from legitimate ones with the use of packet scoring (where the score of a packet is calculated based on attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold. In this paper, we propose ALPi, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance. More specifically, a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values, and increases the accuracy of detecting and differentiating attacks. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks such as those with ever-changing signatures and intensities. When combined together, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracies in attack detection and packet differentiation. This makes ALPi an attractive DDoS defense system amenable for high-speed hardware implementation.

14.
Quality of Service of Edge Routers Based on Differentiated Services
Internet real-time multimedia communication brings a further challenge to Quality of Service (QoS). A higher QoS in communication is increasingly required. As a new framework for providing QoS services, Differentiated Services (DiffServ) is undergoing a rapid standardization process at the IETF. DiffServ not only can offer classified levels of service, but also can provide guaranteed QoS to a certain extent. In order to provide QoS, DiffServ must be properly configured. The traditional DiffServ mechanism provides a classifier for the edge router to mark the different traffic streams, and then the core router uses different packet dropping mechanisms to drop or transmit data packets according to these classification markers. When multiple edge routers or other core routers transmit data packets at high speed to a single core router, the core router becomes a bandwidth bottleneck. The most effective solution to this problem is for the edge router to adopt a packet dropping mechanism. This paper proposes a Modified Edge Router Mechanism that lets the edge router perform marking, dropping and transmitting of packets of hybrid traffic streams based on DiffServ within a given bandwidth, so that the core router only transmits packets and does not drop them. Simulation in ns2 shows that the modified mechanism ensures the QoS of high-priority traffic and simplifies the core router; it is an effective method for resolving congestion at the core router.

15.
SOS: an architecture for mitigating DDoS attacks
We propose an architecture called secure overlay services (SOS) that proactively prevents denial of service (DoS) attacks, including distributed (DDoS) attacks; it is geared toward supporting emergency services, or similar types of communication. The architecture uses a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by: 1) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic and 2) introducing randomness and anonymity into the forwarding architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels. Our performance measurements using a prototype implementation indicate an increase in end-to-end latency by a factor of two for the general case, and an average heal time of less than 10 s.

16.
Network security is a major challenge for big and small companies. The Internet topology is vulnerable to Distributed Denial of Service (DDoS) attacks as it provides an opportunity for an attacker to send a large volume of traffic to a victim, which can limit its Internet availability. The main problem in the prevention of the DDoS attack, also known as the flooding attack, is how to find the source of the traffic flooding. This is because a spoofed source Internet Protocol (IP) address in a packet does not affect its routing. As a result, IP traceback techniques are proposed to find the source of an attack and, in general, to find the source of any packet. In doing so, IP traceback techniques can help us to prevent Denial of Service (DoS) and DDoS attacks. In this paper, we propose an efficient Single Flow IP Traceback (SFT) technique at the Autonomous System (AS) level. Furthermore, a path signature generation algorithm is presented for detecting and filtering the spoofed traffic. Our solution assumes a secure Border Gateway Protocol (BGP) routing infrastructure for exchanging authenticated messages in order to learn the path signatures, and it uses a marking algorithm at the flow level for transmission of the traceback messages. Because our technique requires fewer bits to mark the IP packet header, the storage space required for any unique path to the victim is significantly decreased. Compared with the other existing techniques, the obtained results demonstrate that our technique has the lowest marking rate, processing overhead on the middle nodes, and destination computational cost while offering the highest accuracy in tracing back attacks.

17.
An attacker can compromise a number of VMs in the cloud to form his own network and launch a powerful distributed denial of service (DDoS) attack. DDoS attacks are a serious threat to multi-tenant clouds. It is difficult to detect which VMs in the cloud are compromised and what the attack target is, especially when the victim is itself a VM in the cloud. A DDoS detection method suitable for the multi-tenant cloud environment is presented, which identifies the malicious VM attack sources first and then the victims. A distributed detection framework is proposed. A distributed agent detects the suspicious VMs that generate potential DDoS attack traffic flows on the source side, and a central server confirms the real attack flows. The feasibility and effectiveness of the proposed detection method are verified by experiments in a multi-tenant cloud environment.

18.
In this paper, we present the design, the implementation details, and the evaluation results of an intrusion detection and defense system for distributed denial-of-service (DDoS) attacks. The evaluation is conducted using an experimental testbed. The system, known as intrusion detection router (IDR), is deployed on network routers to perform online detection of any DDoS attack event, and then react with defense mechanisms to mitigate the attack. The testbed is built from a sufficiently large cluster of Linux machines to mimic a portion of the Internet. Using the testbed, we conduct real experiments to evaluate the IDR system and demonstrate that IDR is effective in protecting the network from various DDoS attacks.

19.
A random early demotion and promotion marker for assured services
The differentiated services (DiffServ) model, proposed to evolve the current best-effort Internet to a quality-of-service-aware Internet, provides packet level service differentiation on a per-hop basis. The end-to-end service differentiation may be provided by extending the per-hop behavior over multiple network domains through service level agreements between domains. The edge routers of each of the domains monitor the aggregate flow of the incoming packets and demote packets when the aggregate incoming traffic exceeds the negotiated interdomain service agreement. A demoted packet may encounter other edge routers on its path that have sufficient resources to route the packet with its original marking. In this paper, we propose a random early demotion and promotion (REDP) technique that works at the aggregate traffic level and allows (1) fair demotion of packets belonging to different flows, and (2) easy and fair detection and promotion of the demoted packets. Using early and random decisions on packets, REDP ensures fairness in promotion and demotion. It uses a three-color marking mechanism, reserving one color for differentiating between a demoted packet and a packet with the original out-of-profile marking. We experiment with the proposed REDP scheme using the ns2 simulator for both TCP and UDP streams. The results demonstrate the fairness of the REDP scheme in demoting and promoting packets. Furthermore, we show a variety of results that demonstrate that REDP provides better assured services compared to the previously proposed RIO scheme with or without the provision of promotion.

20.
Qijun, Peng, Chao-Hsien. Ad Hoc Networks, 2007, 5(5): 613-625
Increased instances of distributed denial of service (DDoS) attacks on the Internet have raised questions on whether and how ad hoc networks are vulnerable to such attacks. This paper studies the special properties of such attacks in ad hoc networks. We examine two types of area-congestion-based DDoS attacks, remote and local attacks, and present in-depth analysis on various factors and attack constraints that an attacker may use and face. We find that (1) there are two types of congestion, self congestion and cross congestion, that need to be carefully monitored; (2) the normal traffic itself causes significant packet loss in addition to the attack impacts in both remote and local attacks; (3) the number of flooding nodes has major impacts on remote attacks, while the load of normal traffic and the position of flooding nodes are critical to local attacks; and (4) given the same number of flooding nodes and attack loads, a remote DDoS attack can cause more damage to the network than a local DDoS attack.
