Self-Routing Denial-of-Service Resistant Capabilities Using In-packet Bloom Filters
Published in | 2009 European Conference on Computer Network Defense pp. 46 - 51 |
---|---|
Main Authors | Rothenberg, Christian Esteve; Jokela, Petri; Nikander, Pekka; Sarela, Mikko; Ylitalo, Jukka |
Format | Conference Proceeding |
Language | English |
Published | IEEE 01.11.2009 |
Subjects | |
Abstract | In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e. define which path the packet should take, and as capabilities, i.e. effectively allowing the forwarding nodes along the path to enforce a security policy where only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e. link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional in-packet flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups, which have been traded-off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures. |
---|---|
Author | Nikander, Pekka Sarela, Mikko Jokela, Petri Rothenberg, Christian Esteve Ylitalo, Jukka |
Author_xml | – sequence: 1 givenname: Christian Esteve surname: Rothenberg fullname: Rothenberg, Christian Esteve email: chesteve@dca.fee.unicamp.br organization: Sch. of Electr. & Comput. Eng., Univ. of Campinas, Campinas, Brazil – sequence: 2 givenname: Petri surname: Jokela fullname: Jokela, Petri email: Petri.Jokela@ericsson.com organization: NomadicLab, Ericsson Res., Finland – sequence: 3 givenname: Pekka surname: Nikander fullname: Nikander, Pekka email: Pekka.Nikander@ericsson.com organization: NomadicLab, Ericsson Res., Finland – sequence: 4 givenname: Mikko surname: Sarela fullname: Sarela, Mikko email: Mikko.Sarela@ericsson.com organization: NomadicLab, Ericsson Res., Finland – sequence: 5 givenname: Jukka surname: Ylitalo fullname: Ylitalo, Jukka email: Jukka.Ylitalo@ericsson.com organization: NomadicLab, Ericsson Res., Finland |
ContentType | Conference Proceeding |
DBID | 6IE 6IL CBEJK RIE RIL |
DOI | 10.1109/EC2ND.2009.14 |
DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Xplore Digital Library IEEE Proceedings Order Plans (POP All) 1998-Present |
DatabaseTitleList | |
Database_xml | – sequence: 1 dbid: RIE name: IEEE Xplore Digital Library url: https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/ sourceTypes: Publisher |
DeliveryMethod | fulltext_linktorsrc |
EISBN | 9780769539836 0769539831 9781424460502 1424460506 |
EndPage | 51 |
ExternalDocumentID | 5494331 |
Genre | orig-research |
GroupedDBID | 6IE 6IF 6IG 6IK 6IL 6IM 6IN AAJGR AARBI ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK IERZE OCL RIE RIL RIO |
ID | FETCH-LOGICAL-i90t-f778fb56e11000ad3b597f0767595c86cbfebf7ef2aa6ee777280d911b6a39273 |
IEDL.DBID | RIE |
ISBN | 1424460492 9781424460496 |
IngestDate | Wed Jun 26 19:23:01 EDT 2024 |
IsPeerReviewed | false |
IsScholarly | false |
Language | English |
LinkModel | DirectLink |
MergedId | FETCHMERGED-LOGICAL-i90t-f778fb56e11000ad3b597f0767595c86cbfebf7ef2aa6ee777280d911b6a39273 |
PageCount | 6 |
ParticipantIDs | ieee_primary_5494331 |
PublicationCentury | 2000 |
PublicationDate | 2009-Nov. |
PublicationDateYYYYMMDD | 2009-11-01 |
PublicationDate_xml | – month: 11 year: 2009 text: 2009-Nov. |
PublicationDecade | 2000 |
PublicationTitle | 2009 European Conference on Computer Network Defense |
PublicationTitleAbbrev | EC2ND |
PublicationYear | 2009 |
Publisher | IEEE |
Publisher_xml | – name: IEEE |
SSID | ssj0000453518 ssib015831760 |
Score | 1.5853518 |
Snippet | In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The... |
SourceID | ieee |
SourceType | Publisher |
StartPage | 46 |
SubjectTerms | Bandwidth Bloom filters capabilities Computer architecture Computer crime Computer networks Cryptography Denial-of-Service Filters Information security Network topology publish subscribe Resistance Routing source routing |
Title | Self-Routing Denial-of-Service Resistant Capabilities Using In-packet Bloom Filters |
URI | https://ieeexplore.ieee.org/document/5494331 |
hasFullText | 1 |
inHoldings | 1 |
isFullTextHit | |
isPrint | |
linkProvider | IEEE |