Hierarchical Anti-Spoofing Alliance Construction Approach

CLC Number: TP393

Fund Project: National Natural Science Foundation of China (61601107, 61402094); the Natural Science Foundation of Hebei Province (F2015501122, F2015501105); the Doctoral Scientific Research Foundation of Liaoning Province (F201501143)

    Abstract:

    IP spoofing, one of the most threatening security flaws in the current Internet, causes a series of problems for network management and telecommunications billing. For this reason, researchers have proposed a defense mechanism based on mutual egress filtering, which uses the best current anti-spoofing practice, egress filtering, to clean anonymous packets efficiently while increasing the deployment incentive by constructing an anti-spoofing alliance. However, the existing work has the following disadvantages: the flat architecture leads to higher filter and communication overhead, and inefficient data processing and non-member identification lead to higher computation overhead and lower precision of filter optimization. Therefore, this study proposes a hierarchical anti-spoofing alliance construction approach based on mutual egress filtering. Extensive mathematical analysis and simulations are performed to evaluate the proposed approach. The results show that it significantly outperforms prior approaches in terms of filter overhead, communication overhead, computation overhead, and the precision of filter optimization.

Citation:

Lu N, Li F, Wang SG, Shi WB, Yang FC. Hierarchical anti-spoofing alliance construction approach. Ruan Jian Xue Bao/Journal of Software, 2019,30(9):2791-2814

History
  • Received: August 22, 2017
  • Revised: October 09, 2017
  • Online: May 02, 2018