Xiaohua Tian,Wei Liu,Yu Cheng

2015-01-01

Abstract: Bloom filter (BF) based forwarding is an effective approach to implement scalable multicasting in distributed systems. The forwarding BF carried by each packet can encode either multicast tree or destination IP addresses, which are termed as tree oriented approach (TOA) and destination oriented approach (DOA), respectively. Recent studies have indicated that TOA based protocols have serious vulnerabilities under some distributed denial-of-service (DDoS) attacks, and raised doubt about deployability of BF based multicasting. However, security analysis for DOA based protocols is still unavailable. In this paper, we present a systematic analysis of security performance of BF based multicasting. Important DDoS attacks and the corresponding defending mechanisms are studied in the context of DOA. We have positive findings that DOA, with convenient enhancement, has a robust performance in resisting a variety of DDoS attacks that can deny service of TOA based protocols. Moreover, we reveal that TOA based protocols are prone to flow duplication attack when applied in the data center network (DCN). We propose a dynamic-sized BF mechanism to defend against flow duplication attack for TOA based protocols in the DCN. Simulation results are presented to validate our theoretical analysis.

Xiaohua Tian,Wei Liu,Yu Cheng

2015-01-01

Abstract:This paper analyze security issues of Bloom filter based multicast forwarding mechanisms. Tree oriented approaches and destination oriented approaches are studied. We analyze the possible distributed denail of service (DDoS) against the Bloom filter based multicast with the destination oriented approach, which has never been analyzed before. We reveal some attack patterns that have not been studied in the literature. We also analyze the possible DDoS attacks against Bloom filter based multicast in the DCN context.

Xiaohua Tian,Yu Cheng

DOI: https://doi.org/10.1109/INFCOM.2012.6195596

2012-01-01

Abstract:Recently, several Bloom filter based multicast schemes have been proposed, in which multicast routing information is carried with an in-packet Bloom filter. Since routers have no need to maintain forwarding states on a per-group basis, the Bloom filter based multicast protocols have desirable scalability. However, a critical issue is that these schemes may incur forwarding loops due to the false positive inherent in the Bloom filter. Existing solutions can only conditionally mitigate the probability of the forwarding loop, instead of fully preventing such events which (once occurred) will cause severe damage to the network. In this paper, we resolve this issue in the context of a destination-oriented multicast (DOM) scheme, a Bloom filter based multicast protocol carrying destinations IP addresses with the in-packet Bloom filter. With a theoretical analysis of the loop issue in DOM context developed, we reveal that the DOM design natively supports automatical elimination of permanent forwarding loops in all cases except a subtle one termed as conservation of bits. Based on the conclusion, we derive a probability upper bound on the loop occurrence in DOM. Furthermore, we propose an accurate tree branch pruning scheme, which equips the DOM the capability to completely and efficiently remove the false-positive forwarding loop. We present simulation results over a practical topology to demonstrate the performance of the loop mitigating DOM, with comparison to a representative Bloom filter based multicast scheme FRM and traditional IP multicast.

Dan Li,Henggang Cui,Yan Hu,Yong Xia,Xin Wang

DOI: https://doi.org/10.1109/icnp.2011.6089061

2011-01-01

Abstract:Multicast benefits data center group communications in saving network bandwidth and increasing application throughput. However, it is challenging to scale Multicast to support tens of thousands of concurrent group communications due to limited forwarding table memory space in the switches, particularly the low-end ones commonly used in modern data centers. Bloom Filter is an efficient tool to compress the Multicast forwarding table, but significant traffic leakage may occur when group membership testing is false positive. To reduce the Multicast traffic leakage, in this paper we bring forward a novel multi-class Bloom Filter (MBF), which extends the standard Bloom Filter by embracing element uncertainty. Specifically, MBF sets the number of hash functions in a per-element level, based on the probability for each Multicast group to be inserted into the Bloom Filter. We design a simple yet effective algorithm to calculate the number of hash functions for each Multicast group. We have prototyped a software based MBF forwarding engine on the Linux platform. Simulation and prototype evaluation results demonstrate that MBF can significantly reduce Multicast traffic leakage compared to the standard Bloom Filter, while causing little system overhead.

Xiaohua Tian,Yu Cheng

DOI: https://doi.org/10.1109/mnet.2013.6678932

IF: 10.294

2013-01-01

IEEE Network

Abstract:Bloom filter based multicast has recently been proposed as a promising methodology for scalable multicasting. The basic idea underpinning this family of multicast mechanisms is to encode the multicast routing information into a Bloom filter carried in the packet. Thus, the routers are relieved from maintaining per-group forwarding states and able to support multicasting with improved scalability, compared to traditional IP multicast. In this article, we first review the evolution path of multicast protocols to shed light on the impetus that had driven the multicasting technology forward. We then discuss several representative Bloom filter based multicast protocols, with revealing their core design issues. While multicast is normally considered the most efficient way for delivering multimedia services, how to fully leverage the advantages of Bloom filter based multicast protocols to facilitate multimedia delivery is still an open issue. In this regard, we present a design that exploits a Bloom-filter based multicast protocol to accelerate the channel zapping in an IPTV system. Moreover, we point out the open research issues hoping to promote new development in the field.

Jun Yu,Ling Chen,Gen-Cai Chen

DOI: https://doi.org/10.1109/DS-RT.2006.29

2006-01-01

Abstract:The "priority-based directed minimum? spanning tree" (PST) is designed for Distributed Interactive Applications (DIAs) in which the data are delivered to the receiver node according to their priority; however PST can not balance the bandwidth usage among the nodes and the system will be unstable when its scale, increases. This paper proposes a novel overlay multicast protocol named Priority Based Overlay Multicast (POM), which uses the priority, delay and available bandwidth to construct the multicast tree, besides a filtering mechanism is proposed to rebuild the tree when the available bandwidth shortage appears. The effectiveness of our protocol is demonstrated in the simulation results, showing that POM uses the available bandwidth efficiently, besides it keeps the system stable when its scale increases.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Deke Guo,Yuan He,Panlong Yang

DOI: https://doi.org/10.1016/j.comnet.2009.10.002

IF: 5.493

2010-01-01

Computer Networks

Abstract:Bloom filter (BF) is a space-efficient data structure that represents a large set of items and supports efficient membership queries. It has been widely proposed to employ Bloom filters in the routing entries so as to facilitate data-centric routing in network applications. The existing designs of Bloom filters, however, cannot effectively support in-network queries. Given a query for a data item at a node in the network, the noise in unrelated routing entries very likely equals to the useful information of the item in the right routing entries. Consequently, the majority of queries are routed towards many wrong nodes besides those destinations, wasting large quantities of network traffic. To address this issue, we classified the existing designs as CUBF (Cumulative Bloom filters) and ABF (Aggregated Bloom filters), and then evaluate their performance in routing queries under the noisy environments. Based on the evaluation results, we propose a receiver-oriented design of Bloom filters to sufficiently restrict the probability of a wrong routing decision. Moreover, we significantly decrease the delay of a routing decision in the case of CUBF by using the bit slice approach, and reduce the transmission size of each BF in the case of ABF by using the compression approach. Both the theoretical analysis and experimental results demonstrate that our receiver-oriented design of Bloom filters apparently outperforms the existing approaches in terms of the success probability of routing and network traffic cost.

Xiaohua Tian,Yu Cheng,Bin Liu

DOI: https://doi.org/10.1109/TMM.2009.2026104

IF: 7.3

2009-01-01

IEEE Transactions on Multimedia

Abstract:This paper develops an efficient and scalable multicast scheme for high-quality multimedia distribution. The traditional IP multicast, a pure network-layer solution, is bandwidth efficient in data delivery but not scalable in managing the multicast tree. The more recent overlay multicast establishes the data-dissemination structure at the application layer; however, it induces redundant traffic at the network layer. We propose an application-oriented multicast (AOM) protocol, which exploits the application-network cross-layer design. With AOM, each packet carries explicit destinations information, instead of an implicit group address, to facilitate the multicast data delivery; each router leverages the unicast IP routing table to determine necessary multicast copies and next-hop interfaces. In our design, all the multicast membership and addressing information traversing the network is encoded with bloom filters for low storage and bandwidth overhead. We theoretically prove that the AOM service model is loop-free and incurs no redundant traffic. The false positive performance of the bloom filter implementation is also analyzed. Moreover, we show that the AOM protocol is a generic design, applicable for both intra-domain and inter-domain scenarios with either symmetric or asymmetric routing.

Xiaohua Tian,Yu Cheng

DOI: https://doi.org/10.1109/iccchina.2012.6356983

2012-01-01

Abstract:Scalable multicast protocol design based on the Bloom filter has received much attention from the research community recently. With the Bloom filter-based design, routing information is carried by the multicast data packet in the format of a Bloom filter. As the network node has no need maintaining a forwarding state for each group it is supporting, the Bloom filter-based multicast protocols are more scalable compared with the traditional IP multicast. However, as these protocols require networking nodes involved to perform special Bloom filter-based processing and the legacy routers can not be all upgraded over night, the incremental deployment solution for the Bloom filter-based multicast protocols is still an open technical issue. This paper presents such a solution for the Bloom filter-based multicast protocol that the new protocol is able to work with even only a small fraction of upgraded routers in the network, where the correctness will not be affected but some efficiency may be influenced. The basic idea of the solution is to consider the unicast path connecting two upgraded routers as a logical interface, and the corresponding packet processing and forwarding state maintenance are based on the logical interface. The topology information of the upgraded routers are not required, since the multicast joining messages will automatically set up the multicasting tree connecting upgraded routers. We show that the incremental solution will not affect favored scalability property of the Bloom filter-based multicast protocol, and can work with the fast joining scheme. Simulation results are given to evaluate the influence of the incremental deployment solution on the scalability, bandwidth efficiency and joining delay.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Xiaohua Tian,Yu Cheng

DOI: https://doi.org/10.1109/tc.2013.42

2014-01-01

Abstract:In this paper, we develop a scalable destination-oriented multicast (DOM) protocol for computer networks where the routers have enhanced intelligence to process packets. The basic idea of DOM is that each multicast data packet carries explicit destinations information, instead of an implicit group address, to facilitate the data delivery. Based on such destinations information, each router can compute necessary multicast copies and next-hop interfaces. A fundamental issue in DOM is to constrain the bandwidth overhead due to explicit addressing, which is tackled with a Bloom-filter based design. Our design incorporates the reverse path forwarding (RPF) concept and the BGP routing information, so that DOM can work efficiently in practical networking scenarios especially with asymmetric inter-domain routing. A critical issue in Bloom-filter based design is the issue of forwarding loop due to false positives. We propose an accurate tree branch pruning scheme, which equips the DOM the capability to completely and efficiently remove the false-positive forwarding loop. Furthermore, we study how the DOM can be deployed in an incremental manner over a network, in which only a small fraction of the routers have DOM-aware intelligence while others are legacy routers. We present extensive simulation results over a practical topology to demonstrate the performance of DOM, with comparison to the traditional IP multicast and the free riding multicast (FRM) protocols.

Tong Zhao,Zhongyi Liu,Wei Yan,Xiaoming Li

DOI: https://doi.org/10.1109/CCNC.2011.5766516

2011-01-01

Abstract:Data dissemination is an important technology for most VANET applications. Due to the physical factors like traffic lights, the density of vehicles is usually uneven. Areas near intersections often have a high node density while areas near the center of streets can have a very low node density. The uneven distribution of nodes and the movement pattern of vehicles cause intermittent connections and redundant transmissions, which we call MIRT (Mobility Induced Redundant Transmission). Existing data dissemination algorithms did not pay enough attention to MIRT and the intermittent connections of the network, which makes them unsuitable for realistic VANET scenarios. In this paper, we propose the Bloom Filter based Buffering Data Dissemination (BFBD) algorithm. BFBD copes with MIRT by using decayed bloom filter as the structure to record the data dissemination history and handles the intermittent connectivity by a carefully designed buffering mechanism. Extensive simulations show the performance of BFBD is superior over contrastive algorithms in terms of reliability, dissemination efficiency and delay.

Emmanuel A. Massawe,Suguo Du,Haojin Zhu

DOI: https://doi.org/10.1109/icdcsw.2013.32

2013-01-01

Abstract:Currently, there are numbers of different architectural proposals for future internet that focus on content-centric networking as the alternative of the existing location-based networking. These architectures give more emphasis on the security part of their paradigms and pay little attention or ignore on issues of privacy in their architectural designs. In this paper we propose the Scalable and Privacy Preserving Routing Protocol in Named Data Networking (SP-NDN) by utilizing the multiple Bloom filters in order to ameliorate user's interest packet flow privacy and security during the transit. In contrast to existing schemes, we present a content-dependent key tree based on multicast key management protocol to integrate Bloom filter and multicast encryption that mitigates the leakage of the original user's keywords and precluding unauthorized users (eavesdroppers) from guessing the key words. Our schemes guarantee the high security and privacy of user's interest packet during the transmission and at the same time trying to minimize the possible increase number of false positives likely to happen when a content is queried.

Yushintia Pramitarini,Ridho Hendra Yoga Perdana,Kyusung Shim,Beongku An

DOI: https://doi.org/10.3390/s23187960

2023-09-18

Abstract:The network area is extended from ground to air. In order to efficiently manage various kinds of nodes, new network paradigms are needed such as cell-free massive multiple-input multiple-output (CF-mMIMO). Additionally, security is also considered as one of the important quality-of-services (QoS) parameters in future networks. Thus, in this paper, we propose a novel deep learning-based secure multicast routing protocol (DLSMR) in flying ad hoc networks (FANETs) with cell-free massive MIMO (CF-mMIMO). We consider the problem of wormhole attacks in the multicast routing process. To tackle this problem, we propose the DLSMR protocol, which utilizes a deep learning (DL) approach to predict the secure and unsecured route based on node ID, distance, destination sequence, hop count, and energy to avoid wormhole attacks. This work also addresses key concerns in FANETs such as security, scalability, and stability. The main contributions of this paper are as follows: (1) We propose a deep learning-based secure multicast routing protocol (DLSMR) to establish a high-stability multicast tree and improve security performance against wormhole attacks. In more detail, the DLSMR protocol predicts whether the route is secure based on network information such as node ID, distance, destination sequence, hop count, and remaining energy or not. (2) To improve the node connectivity and manage multicast members, we propose a top-down particle swarm optimization-based clustering (TD-PSO) protocol to maximize the cost function considering node degree, cosine similarity, cosine distance, and cluster head energy to guarantee convergence to the global optima. Thus, the TD-PSO protocol provides more strong connectivity. (3) Performance evaluations verify the proposed routing protocol establishes a secure route by avoiding wormhole attacks as well as by providing strong connectivity. The TD-PSO clustering supports connectivity to enhance network performance. In addition, we exploit the impact of the mobility model on the network metrics such as packet delivery ratio, routing delay, control overhead, packet loss ratio, and number of packet losses.

Huafeng Bian,Xiaobo Ma,Pengyu Pan

DOI: https://doi.org/10.1109/dsa52907.2021.00043

2021-01-01

Abstract:DoS attacks are currently one of the main security issues threatening the Internet. The harm caused by DDoS attacks and effective countermeasures have been research hot topics in the field of network security. However, how DDoS attacks affect different congest control mechanisms has not been investigated. In this paper, through theoretical analysis of congestion control algorithms in the TCP/IP protocol, we analyze the performance and fairness of multiple congestion control algorithms in the DDoS environment. Experiments show that the Cubic algorithm can make full use of network bandwidth and has good fairness under DDoS attacks. This finding is of great significance for further understanding of DDoS attacks and effective countermeasures.

XIAO Jun,YUN Xiao-Chun,ZHANG Yong-Zheng

DOI: https://doi.org/10.3724/sp.j.1001.2011.03882

2011-01-01

Journal of Software

Abstract:Distributed Denial-of-Service(DDoS) attack,using random spoofed source addresses,is popular because it can protect the attacker's anonymity. It is very difficult to defent against this attack because it is very hard to differentiate bad traffic from the normal. In this paper,based on the source addresses distribution statistical feature,an effective defense scheme,which can differentiate vicious traffic from normal traffic,is presented. Based on a novel Extended Counting Bloom Filter(ECBF) data structure,this paper proposes an algorithm to identify normal addresses accurately. Once a normal address is sought out,packets from it will be forwarded with high priority,thus,normal traffic is protected. The simulation results show that this scheme can identify legitimate addresses accurately,protect legitimate traffic effectively,and give better protection to valuable long flows. Because the time complexity of the method is O(1) ,and it needs several MB memory space,it can be implemented in edge routers or network secure devices like firewalls to defend against random spoofed source address DDoS attacks.

Qinghe Du,Wanyu Li,Houbing Song

DOI: https://doi.org/10.1007/978-3-319-60033-8_44

2017-01-01

Abstract:Harnessing the broadcast nature of wireless channels towards efficient multicast faces very challenging security issues, because reliability assurance for each multicast receiver often result vast frequent retransmissions, thus increasing the chance for eavesdropping. This paper proposes a dynamic fountain code design for security enhancement in wireless multicast against passive eavesdropping. The main features of the proposed scheme include two folds: (i) adaptive encoding structure based on legitimate receivers' feedback, which aims at degrading the signal quality at the eavesdropper; (ii) benefit the legitimate receivers' reception as maximally as possible, thus increasing the transmission efficiency compared with the conventional non-adaptive designs. Simulation results are presented to demonstrate that the proposed scheme can effectively decreasing intercepting probability while achieving the higher transmission efficiency, thus facilitating wireless connections in support of multicast services.

Yunhao Liu,Xiaomei Liu,Chen Wang,Li Xiao

DOI: https://doi.org/10.1109/icpp.2007.31

2007-01-01

Abstract:A flooding-based search mechanism is often used in unstructured P2P systems. Although a flooding-based search mechanism is simple and easy to implement, it is vulnerable to overlay distributed denial-of-service (DDoS) attacks. Most previous security techniques protect networks from network-layer DDoS attacks, but cannot be applied to overlay DDoS attacks. Overlay flooding-based DDoS attacks can be more damaging in that a small number of messages are inherently propagated to consume a large amount of bandwidth and computation resources. We propose a distributed and scalable method, DD-POLICE, to detect malicious nodes in order to defend P2P systems from overlay flooding-based DDoS attacks. We show the effectiveness of DD-POLICE by comprehensive simulation studies. We believe that deploying DD-POLICE will make P2P systems more scalable and robust.

岳宁,蒋兴浩

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.05.035

2008-01-01

Abstract:Compared with the fixed cable networks,wireless ad hoc networks have characteristics of dynamic topology,weak wireless channel and nodes serving as both hosts and routers.Thus the networks are particularly vulnerable to Denial of Service(DoS) attacks.Two flooding attack models,including exterior and interior attacks,are described to address the problem of defending DoS attack on multicast in wireless ad hoc networks.Finally,two defense policies and detailed steps are proposed toward the flooding attacks within the multicast groups in ad hoc networks.