Providing real-time communication services to multimedia applications and subscription-based Internet access often requires that sufficient network resources be reserved for real-time traffic. However, the reserved network resource is susceptible to resource theft and abuse. Without a resource access control mechanism that can efficiently differentiate legitimate real-time traffic from attacking packets, the traffic conditioning and policing enforced at Internet Service Provider (ISP) edge routers cannot protect the reserved network resource from embezzlement. Contrary to the usual expectation, traffic policing at edge routers aggravates their vulnerability to flooding attacks by blindly dropping packets. In this paper, we propose a fast and lightweight IP network-edge resource access control mechanism, called IP Easy-pass, to prevent unauthorized access to reserved network resources at edge devices. We attach a unique pass to each legitimate real-time packet so that an ISP edge router can validate the legitimacy of an incoming IP packet quickly and simply by checking its pass. We present the procedures for generating, embedding, and verifying an Easy-pass. We implement the IP Easy-pass mechanism in the Linux kernel and measure its overhead on our testbed. Finally, we demonstrate its effectiveness against packet forgery and resource embezzlement attempts by conducting a series of experiments.