Self-routing denial-of-service resistant capabilities using in-packet bloom filters

Christian Esteve Rothenberg, Petri Jokela, Pekka Nikander, Mikko Sarela, Jukka Ylitalo

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution, Scientific, peer-review)


In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e. they define which path the packet should take, and as capabilities, i.e. they effectively allow the forwarding nodes along the path to enforce a security policy under which only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e. link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional in-packet flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups; these have been traded off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures.
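The following is an added toy model of the mechanism the abstract describes; it is not code from the paper or its authors. Link names are derived per epoch from a shared secret and the flow identifier with HMAC-SHA256, OR-ed into a small in-packet Bloom filter, and each forwarding node checks its own outgoing link against the filter with one epoch of slack for loose clock synchronization. The filter width (256 bits), hash count (5), epoch length and the HMAC construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

M_BITS = 256         # assumed width of the in-packet Bloom filter
K_HASHES = 5         # assumed number of bit positions per link element
EPOCH_SECONDS = 60   # assumed rotation period of the time-based key


def current_epoch(now=None):
    """Epoch counter shared (loosely synchronized) by source and forwarders."""
    return int((time.time() if now is None else now) // EPOCH_SECONDS)


def link_element(secret, link_id, flow_id, epoch):
    """Bit mask naming one link for one epoch and one flow.

    The name is recomputed on the fly from the shared secret, so a
    forwarder keeps no per-flow state; it only needs the secret and a clock.
    """
    msg = f"{epoch}|{link_id}|{flow_id}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    mask = 0
    for i in range(K_HASHES):
        pos = int.from_bytes(digest[2 * i:2 * i + 2], "big") % M_BITS
        mask |= 1 << pos
    return mask


def build_capability(secret, path, flow_id, epoch):
    """Source side: OR all link names of the path into one filter."""
    ibf = 0
    for link_id in path:
        ibf |= link_element(secret, link_id, flow_id, epoch)
    return ibf


def forward_permitted(secret, ibf, link_id, flow_id, now_epoch, slack=1):
    """Forwarder side: permit only if the link's current (or recent) name
    is fully contained in the packet's filter; older epochs have expired."""
    for epoch in range(now_epoch, now_epoch - slack - 1, -1):
        elem = link_element(secret, link_id, flow_id, epoch)
        if ibf & elem == elem:
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    path = ["A->B", "B->C", "C->D"]            # constructed sample path
    cap = build_capability(secret, path, "flow-1", current_epoch())
    print(f"filter bits set: {bin(cap).count('1')} / {M_BITS}")
    for link in path + ["X->Y"]:
        print(link, forward_permitted(secret, cap, link, "flow-1", current_epoch()))
```

A link not on the path, a different flow, or a stale epoch fails the containment check, up to the Bloom filter's small false-positive rate, which grows with the number of links encoded.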

Original language: English
Title of host publication: EC2ND 2009 - European Conference on Computer Network Defense
Number of pages: 6
ISBN (Print): 9780769539836
Publication status: Published - 30 Jul 2010
MoE publication type: A4 Article in a conference publication
Event: European Conference on Computer Network Defense - Milano, Italy
Duration: 9 Nov 2009 to 10 Nov 2009


Conference: European Conference on Computer Network Defense
Abbreviated title: EC2ND

