Mingwei Xu,Shu Yang,Dan Wang,Fuliang Li,Jianping Wu

DOI: https://doi.org/10.1016/j.comcom.2013.09.013

IF: 5.047

2014-01-01

Computer Communications

Abstract:Source address filtering is very important for protecting networks from malicious traffic. Most networks use hardware-based solutions such as TCAM-based filtering, however, they suffer from limited capacity, high power consumption and high monetary cost. Although software, such as SRAM, is larger, cheaper and consumes less power, the software-based solutions need multiple accesses in memory, which as a result bear much more additional lookup burden.

Shu Yang,Mingwei Xu,Dan Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2012.6289219

2012-01-01

Abstract:Source address filtering is used as an important mechanism to prevent malicious traffic. Currently, most networks store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Although software can accommodate large number of filters, it needs multiple accesses to memory on the border router, which bears much more additional burden than other routers.In this paper, we propose a software-based mechanism for source address filtering. In our mechanism, we only need to check a few bits in source addresses on each router, rather than checking all bits on the ingress router. Through cooperation among routers, our mechanism ensures that malicious traffic will be filtered in the network.We formulate this problem as finding a cooperative scheme such that the loads on all routers are optimally balanced. We show that the problem can be optimally solved by dynamic programming. We evaluate our algorithms using comprehensive simulations with BRITE generated topologies and real world topologies. We conduct a case study on China Education and Research Network 2 (CERNET2) configurations, a large IPv6 network. Compared to checking 128-bit IP addresses on ingress routers, our algorithm checks at most 40 bits on each router.

Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Fabio Soldo,Athina Markopoulou,Katerina Argyraki

DOI: https://doi.org/10.48550/arXiv.0811.3828

2008-11-24

Abstract:How can we protect the network infrastructure from malicious traffic, such as scanning, malicious code propagation, and distributed denial-of-service (DDoS) attacks? One mechanism for blocking malicious traffic is filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. Filters (ACLs) are already available in the routers today but are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). In this paper, we develop, for the first time, a framework for studying filter selection as a resource allocation problem. Within this framework, we study five practical cases of source address/prefix filtering, which correspond to different attack scenarios and operator's policies. We show that filter selection optimization leads to novel variations of the multidimensional knapsack problem and we design optimal, yet computationally efficient, algorithms to solve them. We also evaluate our approach using data from <a class="link-external link-http" href="http://Dshield.org" rel="external noopener nofollow">this http URL</a> and demonstrate that it brings significant benefits in practice. Our set of algorithms is a building block that can be immediately used by operators and manufacturers to block malicious traffic in a cost-efficient way.

Networking and Internet Architecture

Qin Xin,Jianping Wu,Ke Xu,Shu Yang,Jisheng Pei

2015-01-01

Abstract:Routers must perform packet filtering at high speeds to implement critical functions in todays networked computing systems, i.e., firewalls. With serious security situations, and more and more kinds of validation and filter-ing rules emerging, the routers and firewalls now undertake more burden than ever. In routers for large networks, the filtering table, e.g., access control list, gets larger and larger, which easily exceed the limited capacity and brings high power consumption and financial cost. Therefore we are motivated to seek a kind of effective mechanism to solve these problems, which needs to be very easy for deployment, and has strong and proven ability for security filtering. We propose a distributed and cooperative mechanism of software filtering based on finite state machine in which the filtering tasks are split and shared by all the routers rather than relying only on the ingress routers for computation.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icccn.2013.6614204

2013-01-01

Abstract:While making the Internet totally trustworthy is intractable, making as trustworthy as possible is a crucial problem. Within this landscape, authentication of the IP source address remains one important topic in need of further study. However, most source address validation methods are difficult to implement in practice because of deployment difficulties. This research designs an efficient inter-domain distributed source address validation solution (CatchIt). By employing a novel routing choice notification scheme, CatchIt makes the deployed ASes intelligent by allowing them cooperate to acquire the valid incoming path information of packets. With such knowledge, the deployed ASes can accurately authenticate the source address without the need for any modifications to the de facto routing protocol and packet structure. Moreover, CatchIt helps the deployed ASes proactively and quickly filter spoofed packets before they imperil the network. CatchIt also avoids any false positive, even under partial deployment. Our evaluation also shows that CatchIt is effective and accurate when catching spoofed packets while incurring a low overhead; CatchIt maintains an early deploy and rapidly benefit incremental deployment incentive mechanism.

Derek Pao,Peng Zhou,Bin Liu,Xin Zhang

2007-01-01

Abstract:Filter encoding can effectively enhance the efficiency of TCAM-based packet classification. However, additional complexity will be incurred in the filter table update operations. It has been shown that the average update cost of the prefix inclusion coding (PIC) scheme is very low but the worst case update cost can be significantly higher. In this paper we shall present a domain segmentation approach to enhance the performance of PIC. By dividing the field value domain into multiple segments, the mapping of field values to code points can be more structural and help to avoid massive code-point relocation in the event of new insertions. Moreover, the codeword lookup for the address fields can be largely simplified and can be implemented in SRAM rather than using TCAM. The lookup rate of the search engine can be improved to handle 40Gbps OC-768 line rate.

Guohong Zhao,Shuhui Chen,Baokang Zhao,Ilsun You,Jinshu Su,Wanrong Yu

DOI: https://doi.org/10.1007/978-3-319-10975-6_20

2014-01-01

Abstract:Current software based Content Filtering Systems are too computing intensive in large scale packets payload detection and cannot meet the performance requirements of modern networks. Thus, hardware architectures are desired to speed up the detection process. In this paper, hardware based Conjoint Network Content Filtering System (CNCFS) is proposed to solve the problem. In CNCFS, a TCAM based algorithm named Linking Shared Multi-Match (LSMM) is implemented, which can speed up large scale Multi-Pattern Multi-Matching greatly. Also, this system can also be used in high speed mobile networks which need to deal with the security of fast handover of mobile users. The results of performance evaluation show that our solution can provide 5 Gbps wire speed processing capability.

XIAO Jun,YUN Xiao-Chun,ZHANG Yong-Zheng

DOI: https://doi.org/10.3724/sp.j.1001.2011.03882

2011-01-01

Journal of Software

Abstract:Distributed Denial-of-Service(DDoS) attack,using random spoofed source addresses,is popular because it can protect the attacker's anonymity. It is very difficult to defent against this attack because it is very hard to differentiate bad traffic from the normal. In this paper,based on the source addresses distribution statistical feature,an effective defense scheme,which can differentiate vicious traffic from normal traffic,is presented. Based on a novel Extended Counting Bloom Filter(ECBF) data structure,this paper proposes an algorithm to identify normal addresses accurately. Once a normal address is sought out,packets from it will be forwarded with high priority,thus,normal traffic is protected. The simulation results show that this scheme can identify legitimate addresses accurately,protect legitimate traffic effectively,and give better protection to valuable long flows. Because the time complexity of the method is O(1) ,and it needs several MB memory space,it can be implemented in edge routers or network secure devices like firewalls to defend against random spoofed source address DDoS attacks.

Shijin Kong,Tao He,Xiaoxin Shao,Changqing An,Xing Li

DOI: https://doi.org/10.1109/icc.2006.255093

2006-01-01

Abstract:Port scan detection is very important to predict network intrusions and prevent viruses from spreading. Many networks deploy Network Intrusion Detection Systems (NIDS) to detect port scans in real-time. However, most NIDS are perflow based. They are not scalable on high speed links since it is infeasible to maintain the states of numerous flows. In this paper, we propose a scalable scheme for real-time port scan detection without keeping any per-flow state. We use a doublefilter structure to find out pairs which connect to more than N pairs in T time. The experimental results on real network traces show that our scheme can find out those over-threshold pairs with high accuracy. It is easy to scale our scheme to high speed environments due to its little memory consumption and fast processing pipeline.

Xiaofan Chen,Shunzheng Yu

2016-01-01

Abstract:SDN is now suffer from not only the attacks in legacy network, e.g. DDoS and IP scan, but also the SDN-specific attack, e.g. data-to-control plan saturation attack. It is imperative to develop effective SDN-supported approaches for intrusion containment. We propose CAM, i.e. a counting bloom filter based attack mitigation system for SDN, to protect SDN from such attacks. CAM used counting bloom filter to block suspicious source and destination IP pairs at low cost. It can mitigate more than one attack types at the source side, including the legacy attacks and SDN-specific attacks. It is robust for its distributed architecture. The simulation validates its effectiveness.

Ying Wan,Haoyu Song,Yang Xu,Yilun Wang,Tian Pan,Chuwen Zhang,Yi Wang,Bin Liu

DOI: https://doi.org/10.1109/tnet.2021.3098320

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Ternary Content Addressable Memory (TCAM) is widely used by modern routers and switches to support policy-based forwarding due to its incomparable lookup speed and flexible matching patterns. However, the limited TCAM capacity does not scale with the ever-increasing rule table size due to the high hardware cost and high power consumption. At present, using TCAM just as a rule cache is an appealing solution, but one must resolve several tricky issues including the rule dependency and the associated TCAM updates. In this paper, we propose a new approach which can generate dependency-free rules to cache. By removing the rule dependency, the complex TCAM update problem also disappears. We provide the complete T-cache system design including slow path processing and cache replacement, and implement a T-cache prototype on Barefoot Tofino switches. We conduct comprehensive software simulations and hardware experiments based on real-world and synthesized rule tables and packet traces to show that T-cache is efficient and robust for network traffic in various scenarios.

D Pao,YK Li,P Zhou

DOI: https://doi.org/10.1109/icact.2006.206010

2006-01-01

Abstract:Multi-field packet classification is necessary to support advanced Internet functions, such as network security, quality of service provisioning, traffic policing, virtual private networking, etc. Ternary content addressable memory (TCAM) is currently the dominant solution method used by the industry because of its speed and the simplicity of filter table management. High cost and high power consumption are the two major drawbacks of TCAM-based lookup engines. Adoption of IPv6 with increased address length will further exacerbate the challenges. In this paper, we present a filter encoding method, called prefix inclusion coding (PIC) to improve the efficiency of TCAM-based lookup engines. Filters are stored in an encoded format to reduce storage requirement. Codeword assignment in PIC preserves the inclusion relationship among prefixes/ranges. By doing so, a prefix will be represented by a single codeword, and unnecessary filter replication can be avoided. Codeword lookup is equivalent to finding the longest matching prefix in the codeword table. Hence, a pure-TCAM lookup engine can be built without the needs of other semi-custom ASICs in the system. Our method can reduce the TCAM storage requirement by 70% to over 90%. The reduction in TCAM storage requirement also helps to alleviate the high power dissipation problem. The proposed method can be applied to both IPv4 and IPv6

Menghao Zhang,Guanyu Li,Xiao Kong,Chang Liu,Mingwei Xu,Guofei Gu,Jianping Wu

DOI: https://doi.org/10.1109/tdsc.2022.3161015

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In this paper, we identify the opportunity of using programmable switches to improve the state of the art in spoofed IP traffic filtering, and propose NetHCF , a line-rate in-network system to filter spoofed traffic. One key challenge in the design of NetHCF is to handle the restrictions stemmed from the limited computational model and memory resources of programmable switches. We address this by decomposing the HCF scheme into two complementary parts, by aggregating the IP-to-Hop-Count (IP2HC) mapping table for efficient memory usage, and by designing adaptive mechanisms to handle routing changes, IP popularity changes, and network activity dynamics. We implement an open-source prototype of NetHCF , and conduct extensive evaluations. The evaluation results demonstrate that NetHCF is able to process most legitimate traffic in 1 $\mu$ s, filter spoofed IP traffic effectively under network dynamics, with less than 30% of switch resource occupation.

Zeyu Luan,Qing Li,Yi Wang,Yong Jiang

DOI: https://doi.org/10.1109/ipdps54959.2023.00017

2023-01-01

Abstract:Ternary Content Addressable Memory (TCAM) is an essential hardware component in SDN-enabled switches, which supports fast lookup speed and flexible matching patterns. However, TCAM's limited storage capacity has long been a scalability challenge to enforce fine-grained forwarding policies in SDN. Based on the observation of traffic locality, the rule-caching mechanism employs a combination of TCAM and Random Access Memory (RAM) to maintain the forwarding rules of large and small flows, respectively. However, previous works cannot identify large flows timely and accurately, and suffer from high computational complexity when addressing rule dependencies in TCAM. Worse still, TCAM only caches the forwarding rules of large flows but ignores the latency requirements of small flows. Small flows encounter cache-miss in TCAM and then will be diverted to RAM, where they have to experience slow lookup processes. To jointly optimize the performance of both high-throughput large flows and latency-sensitive small flows, we propose a hybrid rule-caching framework, H-Cache, to scale traffic-aware forwarding policies in SDN. H-Cache identifies large flows through a collaboration of learning-based and threshold-based methods to achieve early detection and high accuracy, and proposes a time-efficient greedy heuristic to address rule dependencies. For small flows, H-Cache establishes default paths in TCAM to speed up their lookup processes, and also reduces their TCAM occupancy through label switching and region partitioning. Experiments with both real-world and synthetic datasets demonstrate that H-Cache increases TCAM utilization by an average of 11% and reduces the average completion time of small flows by almost 70%.

LI Dan,QIN Lancheng,WU Jianping,SU Yingying,XU Mingwei,SHI Xingang,GU Yunan,LIN Tao

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020289

2020-01-01

Abstract:At the beginning of the design of the Internet architecture,it assumed that all network members were trusted,and did not fully consider the security threat brought by the untrusted network members.For a long time,routers only forward packets based on the destination IP address of the packet,and do not carry out any verification on the source IP address of the packet.The lack of packet level authenticity on the Internet results in the header being maliciously altered.A real source address verification mechanism with routing synchronization and dynamic filtering were proposed.This mechanism constructs the filter table based on the prefix-topology mapping synchronization,the problem of inconsistent state between the filter table and the route caused by routing asymmetry were solved,false positives and false negatives was avoided,and a low-overhead and low-latency source address verification of the IP address prefix level granularity in the address domain were realized.

Guang Jin,Jian-gang Yang,Wei Wei,Ya-bo Dong

DOI: https://doi.org/10.3724/sp.j.1146.2007.00460

2008-01-01

Abstract:Major defensive mechanisms against DoS attacks in the Internet are reviewed. Especially the most recent capabilities techniques, such as basic concepts, stateless flow filtering and the Traffic Validation Architecture (TVA), are analyzed deeply. The related discussions about the shortcomings of current capabilities techniques, such as potential Denial-of-Capability (DoC) attacks, decrement of transmission efficiency, are given in detail. Some improvement methods are provided. They include protecting capabilities requests with notifications, bi-level capabilities, flexible and dynamical capabilities assignment, etc. These methods enhance the robustness and efficiency of capabilities. Theoretical evaluations and simulations show that the improvements outperform original schemes and are more practical in the Internet.

Changlin Jiang,Dan Li,Mingwei Xu,Kai Zheng

DOI: https://doi.org/10.1109/ICDCSW.2012.70

2012-01-01

Abstract:As the key infrastructure of cloud computing, data center network provides routing and transport services for cloud applications. To ensure reliable data delivery, TCP has been used in data centers as the de facto transport layer protocol. However, recently researchers found that when a client has a barrier-synchronized requirement and requests data from many servers, the good put may experience collapse. This phenomenon is well-known as TCP In cast. The main cause of TCP In cast is the scare buffer size in low end switches as well as the mismatch between RTO and RTT in data centers. So existing solutions focus on either minimizing the effect of TCP's RTO, or preventing flows from aggressively utilizing the switch buffer. Different from the previous approaches, in this paper we employ coding-based UDP to replace TCP as the transport protocol for the many-to one applications. Specifically, we use LT Codes to ensure reliable data delivery, and adopt TCP Friendly Rate Control (TFRC) to achieve congestion control. The NS based simulation shows that our approach can significantly enhance the application good put in a typical TCP In cast scenario.