IP Easy-pass: a light-weight network-edge resource access control
Source: IEEE/ACM Transactions on Networking (TON)
Volume 13, Issue 6 (December 2005)
Pages: 1247-1260
Year of Publication: 2005
ISSN: 1063-6692
Authors
Haining Wang  Department of Computer Science, College of William and Mary, Williamsburg, VA
Abhijit Bose  Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
Mohamed El-Gendy  Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
Kang G. Shin  Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
Publisher
IEEE Press  Piscataway, NJ, USA
Bibliometrics
Downloads (6 Weeks): 6,   Downloads (12 Months): 60,   Citation Count: 1
DOI: 10.1109/TNET.2005.860113

ABSTRACT

Providing real-time communication services to multimedia applications and subscription-based Internet access often requires that sufficient network resources be reserved for real-time traffic. However, the reserved network resource is susceptible to theft and abuse. Without a resource access control mechanism that can efficiently differentiate legitimate real-time traffic from attack packets, the traffic conditioning and policing enforced at Internet Service Provider (ISP) edge routers cannot protect the reserved network resource from embezzlement. Contrary to the usual expectation, traffic policing at edge routers aggravates their vulnerability to flooding attacks, because it blindly drops packets. In this paper, we propose a fast and lightweight IP network-edge resource access control mechanism, called IP Easy-pass, to prevent unauthorized access to reserved network resources at edge devices. We attach a unique pass to each legitimate real-time packet so that an ISP edge router can validate the legitimacy of an incoming IP packet quickly and simply by checking its pass. We present the generation of the Easy-pass and its embedding and verification procedures. We implement the IP Easy-pass mechanism in the Linux kernel and measure its overhead on our testbed. Finally, we demonstrate its effectiveness against packet forgery and resource embezzlement attempts through a series of experiments.


