Nowadays,Source Address Validation(SAV)is increasingly important for defending Distributed Denial of Service(DDoS)attacks and other malicious activities.Existing ingress/edge filtering-based solutions,such as SAVI,fil...Nowadays,Source Address Validation(SAV)is increasingly important for defending Distributed Denial of Service(DDoS)attacks and other malicious activities.Existing ingress/edge filtering-based solutions,such as SAVI,filter spoofed source addresses using Access Control Lists(ACL)or unicast Reverse Path Forwarding(uRPF),but they only provide coarse-grained filtering.Source Address Validation in intra-domain and inter-domain NETworks(SAVNET)has recently attracted much attention in both industry and the Internet Engineering Task Force(IETF),deploying SAV inside Internet Service Provider(ISP)networks and generating SAV tables by binding source address prefixes with incoming interfaces.However,SAVNET requires upgrading almost all routers across networks,which is impractical—especially in inter-domain scenarios.Moreover,due to policy routing and load balancing,determining the exact incoming interface for each source prefix is challenging.In this paper,we propose SAVNFV,a Network Functions Virtualization(NFV)based platform that provides SAV capabilities by building a“clean”virtual overlay network.SAVNFV randomly generates paths for each flow through a centralized controller,making the SAV table easy to obtain.The paths are periodically refreshed,and packets are transmitted through multiple routes,making it nearly impossible for attackers to identify the correct incoming interface.We formulate the multi-path transmission as an optimization problem and prove it to be NP-Complete,then design approximation algorithms with theoretical guarantees.Comprehensive simulations show that SAVNFV blocks 94.6%more malicious traffic than traditional solutions while maintaining acceptable path stretch.We also implement the system using open-source routing software and build a real-world experimental platform to further validate our design.展开更多
The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Bas...The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Based on the drastically increased IPv6 address space,a"source address validation architecture"(SAVA)is proposed in this paper,which can guarantee that every packet received and forwarded holds an authenticated source IP address.The design goals of the architecture are lightweight,loose coupling,"multi-fence support"and incremental deployment.This paper discusses the design and implementation for the architecture,including inter-AS,intra-AS and local subnet.The performance and scalability of SAVA are described.This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project.We believe that the SAVA will help the transition to a new,more secure and dependable Internet.展开更多
IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (S...IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (iETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing, in this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.展开更多
基金supported by the National Key Research and Development Program of China(No.2022YFB3102302)the National Natural Science Foundation of China(Nos.U23B2026 and 62372305)+2 种基金the Guangdong Key Field Research and Development Program(No.2024A0101010001)the Shenzhen Science and Technology Program(Nos.KJZD20230923114809020 and 20220811110737003)the Research Team Cultivation Program of Shenzhen University(No.20230NT015).
文摘Nowadays,Source Address Validation(SAV)is increasingly important for defending Distributed Denial of Service(DDoS)attacks and other malicious activities.Existing ingress/edge filtering-based solutions,such as SAVI,filter spoofed source addresses using Access Control Lists(ACL)or unicast Reverse Path Forwarding(uRPF),but they only provide coarse-grained filtering.Source Address Validation in intra-domain and inter-domain NETworks(SAVNET)has recently attracted much attention in both industry and the Internet Engineering Task Force(IETF),deploying SAV inside Internet Service Provider(ISP)networks and generating SAV tables by binding source address prefixes with incoming interfaces.However,SAVNET requires upgrading almost all routers across networks,which is impractical—especially in inter-domain scenarios.Moreover,due to policy routing and load balancing,determining the exact incoming interface for each source prefix is challenging.In this paper,we propose SAVNFV,a Network Functions Virtualization(NFV)based platform that provides SAV capabilities by building a“clean”virtual overlay network.SAVNFV randomly generates paths for each flow through a centralized controller,making the SAV table easy to obtain.The paths are periodically refreshed,and packets are transmitted through multiple routes,making it nearly impossible for attackers to identify the correct incoming interface.We formulate the multi-path transmission as an optimization problem and prove it to be NP-Complete,then design approximation algorithms with theoretical guarantees.Comprehensive simulations show that SAVNFV blocks 94.6%more malicious traffic than traditional solutions while maintaining acceptable path stretch.We also implement the system using open-source routing software and build a real-world experimental platform to further validate our design.
基金the National Natural Science Foundation of China(Grant No.90704001)the National Basic Research Program of China(973 Program)(Grant No.2003CB314800)
文摘The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Based on the drastically increased IPv6 address space,a"source address validation architecture"(SAVA)is proposed in this paper,which can guarantee that every packet received and forwarded holds an authenticated source IP address.The design goals of the architecture are lightweight,loose coupling,"multi-fence support"and incremental deployment.This paper discusses the design and implementation for the architecture,including inter-AS,intra-AS and local subnet.The performance and scalability of SAVA are described.This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project.We believe that the SAVA will help the transition to a new,more secure and dependable Internet.
基金supported by the National Natural Science Foundation of China Nos.61772307 and 61402257the National Key Basic Research and Development(973) Program of China Nos.2009CB320500 and 2009CB320501Tsinghua University Self-determined Project under grant No.2014z21051
文摘IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (iETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing, in this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.
