One of the key security issues on the current Internet is unwanted traffic, the forerunner of unauthorized accesses, scans, and attacks. It is vitally important but extremely challenging to fight such unwanted traffic. We need a series of defensive mechanisms to identify unwanted packets, filter them out, and further defeat their associated attacks. In this paper, we propose a lightweight, scalable packet authentication mechanism, named Lightweight Internet Permit System (LIPS), as a first line of defense that effectively filters out the most common forms of unwanted traffic, namely spoofed and unsolicited packets, so that in-depth security schemes can handle the remaining issues more efficiently. LIPS is a simple extension of IP in which each packet carries an access permit issued by its destination host or gateway, and the destination verifies the access permit to decide whether to accept or drop the packet. LIPS provides preliminary traffic-origin accountability that supports two salient features to confine unwanted traffic: (1) it filters out the most common forms of unwanted packets and defeats the associated attacks; (2) it helps us identify compromised hosts/domains, so that we can build active defense schemes to deal with various attacks through real-time inter-domain collaboration. In this paper, we first present the design and prototype implementation of LIPS on the Linux 2.4 kernel, and then use analysis, simulations, and experiments to demonstrate the efficacy of LIPS in protecting critical resources with light overhead.