IP Easy-pass: a light-weight network-edge resource access control

Authors:
Haining Wang;Abhijit Bose;Mohamed El-Gendy;Kang G. Shin
Affiliations:
Department of Computer Science, College of William and Mary, Williamsburg, VA;Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI;Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI;Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2005

Citing 21
Cited 2

A measurement-based admission control algorithm for integrated service packet networks

IEEE/ACM Transactions on Networking (TON)
Resource containers: a new facility for resource management in server systems

OSDI '99 Proceedings of the third symposium on Operating systems design and implementation
Defending against denial of service attacks in Scout

OSDI '99 Proceedings of the third symposium on Operating systems design and implementation
Endpoint admission control: architectural issues and performance

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Decoupling QoS control from core routers: a novel bandwidth broker architecture for scalable support of guaranteed services

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Hop integrity in computer networks

IEEE/ACM Transactions on Networking (TON)
Beyond folklore: observations on fragmented traffic

IEEE/ACM Transactions on Networking (TON)
MediaPlayer™ versus RealPlayer™: a comparison of network turbulence

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
A Study of the Relative Costs of Network Security Protocols

Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference
Voice over IPsec: Analysis and Solutions

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Pi: A Path Identification Mechanism to Defend against DDoS Attacks

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Efficient Authentication and Signing of Multicast Streams over Lossy Channels

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Hop-count filtering: an effective defense against spoofed DDoS traffic

Proceedings of the 10th ACM conference on Computer and communications security
Service overlay networks: SLAs, QoS, and bandwidth provisioning

IEEE/ACM Transactions on Networking (TON)
Defensive programming: using an annotation toolkit to build DoS-resistant software

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Statistical characterization for per-hop QoS

IWQoS'03 Proceedings of the 11th international conference on Quality of service
Distributed admission control

IEEE Journal on Selected Areas in Communications
Transport-aware IP routers: a built-in protection mechanism to counter DDoS attacks

IEEE Transactions on Parallel and Distributed Systems

Fine-grained capabilities for flooding DDoS defense using client reputations

Proceedings of the 2007 workshop on Large scale attack defense
The token based switch: per-packet access authorisation to optical shortcuts

NETWORKING'07 Proceedings of the 6th international IFIP-TC6 conference on Ad Hoc and sensor networks, wireless networks, next generation internet

Quantified Score

Hi-index	0.00

Visualization

Abstract

Providing real-time communication services to multimedia applications and subscription-based Internet access often requires that sufficient network resources be reserved for real-time traffic. However, the reserved network resource is susceptible to resource theft and abuse. Without a resource access control mechanism that can efficiently differentiate legitimate real-time traffic from attacking packets, the traffic conditioning and policing enforced at Internet Service Provider (ISP) edge routers cannot protect the reserved network resource from embezzlement. On the contrary to the usual expectation, the traffic policing at edge routers aggravates their vulnerability to flooding attacks by blindly dropping packets. In this paper, we propose a fast and lightweight IP network-edge resource access control mechanism, called IP Easy-pass, to prevent unauthorized access to reserved network resources at edge devices. We attach a unique pass to each legitimate real-time packet so that an ISP edge router can validate the legitimacy of the incoming IP packet very quickly and simply by checking its pass. We present the generation of Easy-pass, its embedding, and verification procedures. We implement the IP Easy-pass mechanism in the Linux kernel, and measure its overhead on our testbed. Finally, we demonstrate its effectiveness against packet forgery and resource embezzlement attempts by conducting a series of experiments.