Abstract
In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e. define which path the packet should take, and as capabilities, i.e. effectively allowing the forwarding nodes along the path to enforce a security policy where only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e. link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional inpacket flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups, which have been traded-off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures.
| Original language | English |
|---|---|
| Title of host publication | EC2ND 2009 - European Conference on Computer Network Defense |
| Publisher | IEEE |
| Pages | 46-51 |
| Number of pages | 6 |
| ISBN (Print) | 9780769539836 |
| DOIs | |
| Publication status | Published - 30 Jul 2010 |
| MoE publication type | A4 Conference publication |
| Event | European Conference on Computer Network Defense - Milano, Italy Duration: 9 Nov 2009 → 10 Nov 2009 |
Conference
| Conference | European Conference on Computer Network Defense |
|---|---|
| Abbreviated title | EC2ND |
| Country/Territory | Italy |
| City | Milano |
| Period | 09/11/2009 → 10/11/2009 |