We present and experimentally evaluate Spread Identity (SI), a new dynamic network address remapping mechanism that provides anonymity and DDoS defense capabilities for Internet communications. For each session between a source and a destination host, the trusted source gateway dynamically and randomly assigns an IP address to the source host from the pool of all routable IP addresses allocated to the source organization. Similarly, in response to a name resolution query from the source gateway, the trusted authoritative DNS server for the destination organization dynamically assigns an IP address to the destination host from the pool of all routable IP addresses allocated to the destination organization. These assignments depend upon the state of the server, including load, residual capacity, time of day and policy. Different hosts can share the same IP address when communicating with distinct peers. Each gateway creates a NAT entry, valid for the communication session, based on the dynamic assignment made by its organization. An eavesdropper listening to packets flowing through the Internet between the source and destination gateways learns only the source and destination domains; the eavesdropper cannot see the actual complete IP addresses of the source and destination hosts. In addition, SI enhances DDoS defense capabilities by enabling packet filtering based on destination addresses. With multiple IP addresses for the same destination, filtering based on destination addresses can block attackers without necessarily blocking legitimate users. Deploying SI requires changes to organizational gateways and, possibly, to the edge routers that interface with organizational gateways; network mechanisms farther upstream, including the core routers in the Internet, remain unchanged. Likewise, the installed base of operating systems running individual hosts in the internal network, together with the end-user application suites they support, remains untouched.
SI mechanisms are backward compatible, incrementally deployable, and robustly scalable. A naïve implementation of SI can increase DNS traffic; however, when SI is implemented at both the source and the destination ends, it is possible for SI to reduce DNS traffic. Ns-2 simulations and experiments on the DeterLab test bed corroborate the main hypotheses and demonstrate the advantages of the SI paradigm. Ns-2 simulations demonstrate that file transfer success rates for our SI DDoS protection mechanism are similar to those of filter- and capability-based approaches, with lower file transfer times than for filter-based approaches. DeterLab trials demonstrate that SI consumes resources (connection establishment time, network address translation table size, packet forwarding rate and memory) similar to those of a typical single NAT system, though with higher name resolution times.
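The per-session address assignment, the session-scoped NAT entries and the destination-address filtering described in the abstract, as an added illustrative model that is not the paper's own implementation: the address pools, host names, seeded random choice and the `SIDomain` class are assumptions made here, and the model ignores the load and policy inputs the real assignment consults.

```python
import ipaddress
import random
from collections import namedtuple

Session = namedtuple("Session", "src_addr dst_addr")  # addresses visible on the wire

class SIDomain:
    """One organization: its pool of routable addresses, its SI gateway and,
    in the destination role, the authoritative DNS that hands out addresses."""

    def __init__(self, pool_cidr, rng):
        self.pool = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        self.rng = rng
        self.nat = {}         # (own external addr, peer external addr) -> internal host
        self.blocked = set()  # destination addresses filtered at the gateway ingress

    def resolve(self, host, querier_addr):
        """Authoritative DNS: pick an address for `host` valid for this session
        only, and install the matching NAT entry at the destination gateway."""
        ext = self.rng.choice(self.pool)
        self.nat[(ext, querier_addr)] = host
        return ext

    def open_session(self, host, peer, peer_host):
        """Source gateway: pick a source address for this session, then ask the
        destination's DNS for a destination address bound to that source."""
        src_ext = self.rng.choice(self.pool)
        dst_ext = peer.resolve(peer_host, src_ext)
        self.nat[(src_ext, dst_ext)] = host  # reply packets map back to `host`
        return Session(src_ext, dst_ext)

    def inbound(self, dst_addr, src_addr):
        """Gateway ingress: destination-address filter first, then the NAT lookup.
        Two hosts may share `dst_addr` as long as their peers differ."""
        if dst_addr in self.blocked:
            return None
        return self.nat.get((dst_addr, src_addr))

def demo(seed=0):
    """Constructed scenario: a legitimate user and an attack source both reach
    the same server 'www'; the server's organization then blocks only the
    destination address that was handed to the attack session."""
    rng = random.Random(seed)
    users = SIDomain("198.51.100.0/28", rng)   # legitimate user's organization
    bots = SIDomain("203.0.113.0/28", rng)     # organization sourcing attack traffic
    server = SIDomain("192.0.2.0/26", rng)     # target server's organization
    legit = users.open_session("alice-pc", server, "www")
    attack = bots.open_session("bot-7", server, "www")
    before = server.inbound(legit.dst_addr, legit.src_addr)
    server.blocked.add(attack.dst_addr)
    return {"distinct": legit.dst_addr != attack.dst_addr,
            "legit_before": before,
            "legit_after": server.inbound(legit.dst_addr, legit.src_addr),
            "attack_after": server.inbound(attack.dst_addr, attack.src_addr)}
```

When the two sessions were handed different destination addresses (the common case with a 62-address pool), the legitimate session survives the block; when the random assignment happened to collide, the filter takes both down, which is exactly the "not necessarily blocking legitimate users" caveat in the abstract.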