Using overlays to improve network security

As we increase our dependency upon networked communication, the incentive to compromise and degrade network performance increases for those who wish to disrupt the flow of information. Attacks that lead to such compromise and degradation can come in a variety of forms, including distributed denial of service (DDoS) attacks, cutting wires, jamming transmissions, and monitoring/eavesdropping. Users can protect themselves from monitoring by applying cryptographic techniques, and the recent work has explored developing networks that react to DDoS attacks by locating the source(s) of the attack. However, there has been little work that addresses preventing the other kinds of attacks as opposed to reacting to them. Here, we discuss how network overlays can be used to complicate the job of an attacker that wishes to prevent communication. To amplify our point, we focus briefly on a study of preventing DDoS attacks by using overlays.

[1]  Jerry R. Hobbs,et al.  An algebraic approach to IP traceback , 2002, TSEC.

[2]  Christophe Diot,et al.  Deployment issues for the IP multicast service and architecture , 2000, IEEE Netw..

[3]  Steven M. Bellovin,et al.  Implementing Pushback: Router-Based Defense Against DDoS Attacks , 2002, NDSS.

[4]  Kirk L. Johnson,et al.  Overcast: reliable multicasting with on overlay network , 2000, OSDI.

[5]  Steven McCanne,et al.  RMX: reliable multicast for heterogeneous networks , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[6]  Angelos D. Keromytis,et al.  SOS: secure overlay services , 2002, SIGCOMM '02.

[7]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[8]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[9]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[10]  Michael K. Reiter,et al.  Crowds: anonymity for Web transactions , 1998, TSEC.

[11]  Markus G. Kuhn,et al.  Analysis of a denial of service attack on TCP , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[12]  Stephen E. Deering,et al.  Multicast routing in datagram internetworks and extended LANs , 1990, TOCS.

[13]  David R. Karger,et al.  Wide-area cooperative storage with CFS , 2001, SOSP.

[14]  Antony I. T. Rowstron,et al.  Storage management and caching in PAST, a large-scale, persistent peer-to-peer storage utility , 2001, SOSP.

[15]  Matt Bishop,et al.  Attack class: address spoofing , 1997 .

[16]  David R. Karger,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM '01.

[17]  David R. Cheriton,et al.  IP multicast channels: EXPRESS support for large-scale single-source applications , 1999, SIGCOMM '99.

[18]  Paul F. Syverson,et al.  Anonymous connections and onion routing , 1998, IEEE J. Sel. Areas Commun..

[19]  Anna R. Karlin,et al.  Network support for IP traceback , 2001, TNET.

[20]  David D. Clark,et al.  The design philosophy of the DARPA internet protocols , 1988, SIGCOMM '88.

[21]  Srinivasan Seshan,et al.  Enabling conferencing applications on the internet using an overlay muilticast architecture , 2001, SIGCOMM '01.

[22]  Jerome H. Saltzer,et al.  End-to-end arguments in system design , 1984, TOCS.

[23]  Stefan Savage,et al.  The end-to-end effects of Internet path selection , 1999, SIGCOMM '99.

[24]  Mark Handley,et al.  A scalable content-addressable network , 2001, SIGCOMM '01.

[25]  Paul Francis,et al.  Core based trees (CBT) , 1993, SIGCOMM '93.

[26]  Hari Balakrishnan,et al.  Resilient overlay networks , 2001, SOSP.

[27]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[28]  Srinivasan Seshan,et al.  A case for end system multicast , 2002, IEEE J. Sel. Areas Commun..