LIPS: a lightweight permit system for packet source origin accountability

Authors:
Yingfei Dong;Changho Choi;Zhi-Li Zhang
Affiliations:
Department of Electrical and Computer Engineering, University of Hawaii, Honolulu, HI;Department of Computer Science, University of Minnesota, Minneapolis, MN;Department of Computer Science, University of Minnesota, Minneapolis, MN
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2006

Citing 9
Cited 0

The design philosophy of the DARPA internet protocols

SIGCOMM '88 Symposium proceedings on Communications architectures and protocols
Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Handbook of Applied Cryptography

Handbook of Applied Cryptography
Hop integrity in computer networks

IEEE/ACM Transactions on Networking (TON)
SOS: secure overlay services

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
A Study of the Relative Costs of Network Security Protocols

Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference
Active internet traffic filtering: real-time response to denial-of-service attacks

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Mayday: distributed filtering for internet services

USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Kerberos: an authentication service for computer networks

IEEE Communications Magazine

Quantified Score

Hi-index	0.00

Visualization

Abstract

One of key security issues on the current Internet is unwanted traffic, the forerunner of unauthorized accesses, scans, and attacks. It is vitally important but extremely challenging to fight such unwanted traffic. We need a series of defensive mechanisms to identify unwanted packets, filter them out, and further defeat their associated attacks. In this paper, we propose a lightweight, scalable packet authentication mechanism, named Lightweight Internet Permit System (LIPS), as a first line of defense to effectively filter out the most common forms of unwanted traffic, spoofed and unsolicited packets, such that in-depth security schemes can take care of the remaining issues more efficiently. LIPS is a simple extension of IP, in which each packet carries an access permit issued by its destination host or gateway, and the destination verifies the access permit to determine to accept or drop the packet. LIPS provides preliminary traffic-origin accountability that supports two salient features to confine unwanted traffic: (1) filter out the most common forms of unwanted packets and defeat associated attacks; (2) help us identify compromised hosts/domains such that we are able to build active defense schemes to deal with various attacks through real-time inter-domain collaboration. In this paper, we first present the design and prototype implementation of LIPS on Linux 2.4 kernel, and then use analysis, simulations, and experiments to demonstrate the efficacy of LIPS in protecting critical resources with light overheads.