Source address filtering is very important for protecting networks from malicious traffic. Most networks use hardware-based solutions such as TCAM-based filtering; however, these suffer from limited capacity, high power consumption and high monetary cost. Although software-based solutions that keep filters in SRAM offer larger capacity at lower cost and lower power consumption, they need multiple memory accesses per lookup and therefore carry a much higher lookup burden. In this paper, we propose a new software-based mechanism in which routers cooperate with each other, and each router checks only a few bits of the source address rather than all of them. Our mechanism guarantees correctness, i.e., it filters all malicious traffic. We formulate the assignment of bits to routers as an optimization problem in which the lookup load can be optimally balanced across the network, and we solve it by dynamic programming. As the number of filters grows, storage can also become a bottleneck for source address filtering; our mechanism alleviates this by distributing the filters among different routers. We re-formulate the problem with an additional storage constraint, prove that the resulting problem is NP-Complete, and propose a heuristic algorithm to solve it. Finally, using comprehensive simulations over various topologies, we show that the mechanism greatly reduces both the lookup burden and the storage space. We also conduct a case study on China Education and Research Network 2 (CERNET2), the largest pure-IPv6 network in the world. Using CERNET2 configurations, we show that our algorithm checks fewer than 40 bits on each router, compared with the 128 bits of an IPv6 address.
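The following is an added toy model of the cooperative idea described in the abstract; it is not the paper's code and does not reproduce its dynamic program (the page does not give that formulation). It assumes one legitimate source prefix per ingress link, splits that prefix's bits across the routers on the path with a simple greedy balancer, and treats a packet as valid only if every router's bit slice matches. The router names, prefixes, paths and rates are constructed for the demonstration. The audit flips each prefix bit in turn to construct spoofed sample addresses and confirms that the per-router partial checks together give the same verdict as checking the full prefix, while no single router inspects all of the prefix bits.

```python
"""
Toy model of cooperative source address validation: each router on a path
checks only a subset of the bits of the allowed source prefix.

Added illustration, not the paper's algorithm. Assumptions:
  * one legitimate source prefix per ingress link (a "flow");
  * the prefix bits are split across the routers on the flow's path, and a
    packet is valid iff every router's slice matches;
  * slices are assigned by a greedy load balancer, standing in for the
    paper's dynamic program, whose formulation is not given on this page.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

ADDR_BITS = 128


def bit(value: int, i: int) -> int:
    """Bit i of a 128-bit address, counting from the most significant bit."""
    return (value >> (ADDR_BITS - 1 - i)) & 1


@dataclass
class Flow:
    name: str
    allowed: IPv6Network   # the only legitimate source prefix on this ingress link
    path: list             # router names, ingress router first
    rate: float            # packets per second; weights the load balancing


@dataclass
class Router:
    name: str
    # flow name -> {bit position: expected bit value}: what this router verifies
    checks: dict = field(default_factory=dict)
    load: float = 0.0      # sum over flows of rate * bits checked


def assign_bits(flows, routers):
    """Greedy split: hand each prefix bit to the least-loaded router on the path."""
    for f in flows:
        prefix = int(f.allowed.network_address)
        for i in range(f.allowed.prefixlen):
            r = min((routers[n] for n in f.path), key=lambda x: x.load)
            r.checks.setdefault(f.name, {})[i] = bit(prefix, i)
            r.load += f.rate


def router_accepts(router, flow, addr) -> bool:
    """A router passes the packet if its assigned bits equal the prefix bits."""
    a = int(addr)
    return all(bit(a, i) == v for i, v in router.checks.get(flow.name, {}).items())


def path_accepts(flow, routers, addr) -> bool:
    """Cooperative verdict: every router on the path must pass the packet."""
    return all(router_accepts(routers[n], flow, addr) for n in flow.path)


def bits_checked(router, flow) -> int:
    return len(router.checks.get(flow.name, {}))


def audit_flow(flow, routers) -> dict:
    """Compare the cooperative scheme with a full prefix check on samples.

    Spoofed samples (constructed): flip one prefix bit at a time, so each lands
    outside the allowed prefix. Legitimate samples keep the prefix and vary the
    host bits.
    """
    prefix = int(flow.allowed.network_address)
    host_mask = (1 << (ADDR_BITS - flow.allowed.prefixlen)) - 1
    spoofed = [IPv6Address(prefix ^ (1 << (ADDR_BITS - 1 - i)))
               for i in range(flow.allowed.prefixlen)]
    legit = [IPv6Address(prefix | h) for h in (0, 1, 0xDEADBEEF, host_mask)]
    per_router = [bits_checked(routers[n], flow) for n in flow.path]
    return {
        "bits_partitioned": sum(per_router) == flow.allowed.prefixlen,
        "max_bits_per_router": max(per_router),
        "all_spoofed_dropped": not any(path_accepts(flow, routers, a) for a in spoofed),
        "all_legit_accepted": all(path_accepts(flow, routers, a) for a in legit),
        "agrees_with_full_check": all(
            path_accepts(flow, routers, a) == (a in flow.allowed)
            for a in spoofed + legit),
    }


def build_demo():
    """Constructed topology: two ingress links whose paths share routers B and D."""
    routers = {n: Router(n) for n in "ABCD"}
    flows = [
        Flow("edge1", IPv6Network("2001:db8:1::/48"), ["A", "B", "D"], rate=10.0),
        Flow("edge2", IPv6Network("2001:db8:2:4000::/50"), ["C", "B", "D"], rate=5.0),
    ]
    assign_bits(flows, routers)
    return flows, routers


if __name__ == "__main__":
    flows, routers = build_demo()
    for f in flows:
        print(f.name, audit_flow(f, routers))
    for r in routers.values():
        print(r.name, {fn: len(b) for fn, b in r.checks.items()}, "load", r.load)
```

With the constructed topology, the 48-bit prefix of the first link is spread evenly as 16 bits per router, and the 50-bit prefix of the second link goes mostly to the otherwise idle router C, so the two shared routers B and D inspect only a handful of extra bits each. Note that the completeness guarantee here rests on the assumption of a single allowed prefix per link; with several allowed prefixes per link, independent per-router slice checks would no longer be equivalent to the full check, which is part of why the paper's optimization formulation matters.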