Source Address Filtering for Large Scale Network: A Cooperative Software Mechanism Design

Source address filtering is an important mechanism for blocking malicious traffic. Most networks currently store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Software can hold a large number of filters, but each lookup needs multiple memory accesses, and when all filtering is done on the border router that router carries far more additional load than the others. In this paper we propose a software-based mechanism for source address filtering in which each router checks only a few bits of the source address, instead of the ingress router checking all of them. Through cooperation among routers, the mechanism ensures that malicious traffic is still filtered inside the network. We formulate the problem as finding a cooperative scheme that optimally balances the load across all routers, and show that it can be solved optimally by dynamic programming. We evaluate the algorithms in comprehensive simulations on BRITE-generated and real-world topologies, and conduct a case study on the configuration of the China Education and Research Network 2 (CERNET2), a large IPv6 network. Compared with checking full 128-bit addresses on ingress routers, our algorithm checks at most 40 bits on any single router.
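As an added illustration (this is not code from the paper, and it does not reproduce the paper's dynamic programme or its router signalling), the Python model below shows the property a practitioner would want to verify before deploying such a scheme: when the 128-bit check is split into contiguous bit slices along a path and each router walks only its own slice, the path drops exactly the packets a full check at the ingress router would drop, and no router examines more bits than its slice. The even split in `balanced_slices`, the in-band "match state" carried by the packet (a trie node id), the blacklist prefixes and the sample addresses are all assumptions of this example.

```python
"""Cooperative source-address filtering along one path (illustrative model)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ADDR_BITS = 128
DROP, FORWARD = "drop", "forward"


def addr_bits(addr: str) -> str:
    """IPv6 address as a 128-character bit string, most significant bit first."""
    return format(int(ipaddress.IPv6Address(addr)), f"0{ADDR_BITS}b")


class FilterTrie:
    """Binary trie over blacklisted prefixes; every router holds the same copy."""

    def __init__(self, prefixes: List[str]) -> None:
        self.children: Dict[Tuple[int, str], int] = {}  # (node, bit) -> child node
        self.depth: Dict[int, int] = {0: 0}             # node -> depth; 0 is the root
        self.terminal: Set[int] = set()                 # nodes where a prefix ends
        for p in prefixes:
            self.add(p)

    def add(self, prefix: str) -> None:
        net = ipaddress.IPv6Network(prefix, strict=False)
        node = 0
        for bit in addr_bits(str(net.network_address))[: net.prefixlen]:
            if (node, bit) not in self.children:
                nid = len(self.depth)
                self.children[(node, bit)] = nid
                self.depth[nid] = self.depth[node] + 1
            node = self.children[(node, bit)]
        self.terminal.add(node)

    def child(self, node: int, bit: str) -> Optional[int]:
        return self.children.get((node, bit))


@dataclass
class Packet:
    src: str
    state: int = 0                    # trie node reached so far; assumed to travel in-band
    verdict: Optional[str] = None
    decided_at: Optional[int] = None  # index of the router that reached the verdict


class Router:
    """Checks only the address bits in [lo, hi) and hands the match state onward."""

    def __init__(self, index: int, trie: FilterTrie, lo: int, hi: int) -> None:
        self.index, self.trie, self.lo, self.hi = index, trie, lo, hi
        self.max_bits_checked = 0     # load metric: bits examined for any one packet

    def process(self, pkt: Packet) -> Packet:
        if pkt.verdict is not None:   # an earlier hop already decided
            return pkt
        assert self.trie.depth[pkt.state] == self.lo, "state does not belong to this slice"
        bits, node, checked = addr_bits(pkt.src), pkt.state, 0
        for d in range(self.lo, self.hi):
            if node in self.trie.terminal:        # a filter prefix matched completely
                return self._decide(pkt, DROP, checked)
            node = self.trie.child(node, bits[d])
            checked += 1
            if node is None:                      # no filter covers this address: clean
                return self._decide(pkt, FORWARD, checked)
        if self.hi == ADDR_BITS:                  # last slice: nothing left to defer
            return self._decide(pkt, DROP if node in self.trie.terminal else FORWARD, checked)
        pkt.state = node                          # defer the rest of the match to the next hop
        self.max_bits_checked = max(self.max_bits_checked, checked)
        return pkt

    def _decide(self, pkt: Packet, verdict: str, checked: int) -> Packet:
        pkt.verdict, pkt.decided_at = verdict, self.index
        self.max_bits_checked = max(self.max_bits_checked, checked)
        return pkt


def balanced_slices(total_bits: int, hops: int) -> List[Tuple[int, int]]:
    """Contiguous bit ranges whose sizes differ by at most one (an assumed even split,
    standing in for the paper's network-wide dynamic programme)."""
    base, extra = divmod(total_bits, hops)
    slices, lo = [], 0
    for i in range(hops):
        hi = lo + base + (1 if i < extra else 0)
        slices.append((lo, hi))
        lo = hi
    return slices


def run_path(routers: List[Router], src: str) -> Packet:
    pkt = Packet(src)
    for r in routers:
        pkt = r.process(pkt)
        if pkt.verdict is not None:
            break
    return pkt


def ingress_verdict(trie: FilterTrie, src: str) -> str:
    """Reference behaviour: one router checks all 128 bits."""
    return run_path([Router(0, trie, 0, ADDR_BITS)], src).verdict


# Constructed sample data for this example, not taken from the paper.
FILTERS = ["2001:db8:bad::/48", "fe80::/10", "2001:db8::dead:beef/128"]
SAMPLES = ["2001:db8:bad:1::5", "2001:db8:1::5", "fe80::1",
           "2001:db8::dead:beef", "2001:db8::dead:beee"]


def demo(hops: int = 4):
    """Returns {src: (verdict, deciding router)} and the largest per-router load."""
    trie = FilterTrie(FILTERS)
    routers = [Router(i, trie, lo, hi)
               for i, (lo, hi) in enumerate(balanced_slices(ADDR_BITS, hops))]
    results = {src: (p.verdict, p.decided_at)
               for src in SAMPLES for p in [run_path(routers, src)]}
    return results, max(r.max_bits_checked for r in routers)


if __name__ == "__main__":
    results, load = demo()
    for src, (verdict, at) in results.items():
        print(f"{src:24} {verdict:8} decided at router {at}")
    print("max bits checked on any router:", load)
```

Two points the model makes visible: a router can only drop once a whole prefix has matched, so a partial match must be carried to the next hop rather than acted on (acting on it would drop legitimate traffic that merely shares a prefix), and most packets are resolved early, since the first mismatching bit ends the check for the rest of the path.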

Shu Yang, et al. Source Address Filtering for Large Scale Network: A Cooperative Software Mechanism Design. ICCCN, 2012.