Source address filtering for large scale networks

Source address filtering is very important for protecting networks from malicious traffic. Most networks use hardware-based solutions such as TCAM-based filtering; however, these suffer from limited capacity, high power consumption and high monetary cost. Software-based solutions built on SRAM offer larger capacity, lower cost and lower power consumption, but they need multiple memory accesses per lookup and therefore carry a much heavier lookup burden. In this paper, we propose a new software-based mechanism in which routers cooperate with each other and each router checks only a few bits of the source address rather than all of them. Our mechanism guarantees correctness, i.e., all malicious traffic is filtered. We formulate the bit assignment as an optimization problem in which the lookup load is balanced optimally across the network, and we solve it by dynamic programming. As the number of filters grows, storage can also become a bottleneck for source address filtering; our mechanism relieves this by distributing the filters among different routers. We re-formulate the problem with an additional storage constraint, prove that the resulting problem is NP-complete, and propose a heuristic algorithm to solve it. Finally, through comprehensive simulations on various topologies, we show that the mechanism greatly reduces both lookup burden and storage space. We conduct a case study on China Education and Research Network 2 (CERNET2), the largest pure-IPv6 network in the world. Using CERNET2 configurations, we show that our algorithm checks fewer than 40 bits on each router, compared with the 128 bits of a full IPv6 address.
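To make the load-balancing formulation concrete, the following is an added toy model written for this page, not the authors' implementation: a single path of routers, each checking a contiguous block of source-address bits so that the blocks together cover all 128 bits, and a dynamic program choosing the block sizes to minimize the maximum per-router lookup load. The `traffic x bits` cost model, the path-only topology and the sample traffic figures are simplifying assumptions.

```python
"""Toy model of cooperative source address filtering on one router path.

Assumptions (not taken from the paper): router i forwards loads[i] packets
per unit time and checks bits[i] consecutive bits of the source address,
so its lookup cost is loads[i] * bits[i]. The blocks must sum to `width`
(128 for IPv6) so that the path as a whole checks every address bit.
"""
from functools import lru_cache
from typing import List, Tuple


def balance_bits(loads: List[int], width: int = 128) -> Tuple[int, List[int]]:
    """Return (minimal maximum load, bits checked by each router).

    f(i, w) is the best achievable maximum load when routers i..k-1 still
    have to cover w address bits between them.
    """
    k = len(loads)

    @lru_cache(maxsize=None)
    def f(i: int, w: int) -> int:
        if i == k - 1:                       # last router takes the remainder
            return loads[i] * w
        return min(max(loads[i] * b, f(i + 1, w - b)) for b in range(w + 1))

    # Replay the optimal choices to recover the per-router bit assignment.
    bits, w = [], width
    for i in range(k - 1):
        target = f(i, w)
        for b in range(w + 1):
            if max(loads[i] * b, f(i + 1, w - b)) == target:
                bits.append(b)
                w -= b
                break
    bits.append(w)
    return f(0, width), bits


def max_load(loads: List[int], bits: List[int]) -> int:
    """Maximum per-router lookup load for a given bit assignment."""
    return max(t * b for t, b in zip(loads, bits))


def naive_max_load(loads: List[int], width: int = 128) -> int:
    """Baseline where every router checks all `width` bits on its own."""
    return max_load(loads, [width] * len(loads))


# Constructed example: four routers on a path with relative traffic 3:1:2:2.
SAMPLE_LOADS = [3, 1, 2, 2]
BEST, ASSIGNMENT = balance_bits(SAMPLE_LOADS)       # → (56, [16, 56, 28, 28])
assert sum(ASSIGNMENT) == 128                         # every address bit is covered
```

The busiest router ends up checking 16 bits instead of 128, and the path's maximum load drops from 384 to 56 units while the four blocks still cover the full address.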
