Self-Routing Denial-of-Service Resistant Capabilities Using In-packet Bloom Filters

In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e., they define which path the packet should take, and as capabilities, i.e., they effectively allow the forwarding nodes along the path to enforce a security policy where only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e., link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional in-packet flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups, which have been traded off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures.
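As an added illustration (not code from the paper), the following Python model shows the mechanism the abstract describes: the path computer ORs per-hop link identifiers into one small Bloom filter, and each forwarding node recomputes its own links' identifiers per packet from a time epoch, the shared secret and the flow invariants, so a filter from an old epoch or a different flow no longer matches. The filter width, hash count, secret, flow bytes and link names are constructed values, and HMAC-SHA256 stands in for whatever keyed hash the paper uses.

```python
import hmac
import hashlib

M_BITS = 256  # Bloom filter width in bits (constructed value; the paper only says "small")
K_HASH = 5    # bit positions per link identifier (constructed value)

# Constructed sample values, not taken from the paper.
SECRET = b"constructed-shared-secret"   # time-based secret shared by path computer and routers
FLOW = b"10.0.0.1->10.0.0.2/udp/5000"   # invariant packet contents the capability is bound to
PATH = [b"A->B", b"B->C", b"C->D"]       # link names along the authorized path

def link_id(secret: bytes, epoch: int, flow: bytes, link_name: bytes) -> int:
    """Dynamic link identifier: K_HASH bits of an M_BITS-wide filter, chosen by a
    keyed hash over the time epoch, the flow invariants and the static link name.
    A forwarding node recomputes it per packet, so no per-flow state is needed."""
    digest = hmac.new(secret, epoch.to_bytes(8, "big") + flow + link_name,
                      hashlib.sha256).digest()
    mask = 0
    for i in range(K_HASH):
        mask |= 1 << (digest[i] % M_BITS)
    return mask

def build_capability(secret: bytes, epoch: int, flow: bytes, path: list) -> int:
    """Path-computation side: OR the dynamic link ids of every hop into one filter.
    The result is both the source route and the capability carried in the packet."""
    cap = 0
    for link_name in path:
        cap |= link_id(secret, epoch, flow, link_name)
    return cap

def forward(cap: int, secret: bytes, epochs, flow: bytes, local_links: list) -> list:
    """Forwarding-node side: return the outgoing links whose dynamic id is contained
    in the in-packet filter. `epochs` lists the time epochs the node accepts; a node
    that also accepts the previous epoch models the loose clock synchronization."""
    matched = []
    for link_name in local_links:
        for epoch in epochs:
            lid = link_id(secret, epoch, flow, link_name)
            if cap & lid == lid:
                matched.append(link_name)
                break
    return matched

if __name__ == "__main__":
    cap = build_capability(SECRET, 42, FLOW, PATH)
    print(f"capability: {cap:0{M_BITS // 4}x}")
    print("node A, correct epoch/flow:", forward(cap, SECRET, (42,), FLOW, [b"A->B", b"A->X"]))
    print("node A, expired epoch     :", forward(cap, SECRET, (44,), FLOW, [b"A->B"]))
    print("node A, different flow    :", forward(cap, SECRET, (42,), b"other", [b"A->B"]))
```

With only a few hops, at most K_HASH bits per hop are set in a 256-bit filter, so the false-positive rate for an unauthorized link is negligible here; a real deployment would size the filter against the longest path it must carry.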
