LOT: A Defense Against IP Spoofing and Flooding Attacks
ACM Transactions on Information and System Security (TISSEC)
We present LOT, a lightweight 'plug and play' tunneling protocol installed (only) at edge gateways. Two communicating gateways A and B running LOT would automatically and securely establish an efficient tunnel, encapsulating packets sent between them. This allows B to discard packets which use A's network addresses but were not sent via A (i.e. are spoofed) and vice versa. LOT is practical: it is easy to manage ('plug and play', no coordination between gateways), deployed incrementally and only at edge gateways (no change to core routers or hosts), and has negligible overhead in terms of bandwidth and processing, as we validate by experiments on a prototype implementation. LOT storage requirements are also modest. LOT can be used alone, providing protection against blind (spoofing) attackers, or to opportunistically set up IPsec tunnels, providing protection against Man In The Middle (MITM) attackers.