Shu Yang,Mingwei Xu,Dan Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2012.6289219

2012-01-01

Abstract:Source address filtering is used as an important mechanism to prevent malicious traffic. Currently, most networks store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Although software can accommodate large number of filters, it needs multiple accesses to memory on the border router, which bears much more additional burden than other routers.In this paper, we propose a software-based mechanism for source address filtering. In our mechanism, we only need to check a few bits in source addresses on each router, rather than checking all bits on the ingress router. Through cooperation among routers, our mechanism ensures that malicious traffic will be filtered in the network.We formulate this problem as finding a cooperative scheme such that the loads on all routers are optimally balanced. We show that the problem can be optimally solved by dynamic programming. We evaluate our algorithms using comprehensive simulations with BRITE generated topologies and real world topologies. We conduct a case study on China Education and Research Network 2 (CERNET2) configurations, a large IPv6 network. Compared to checking 128-bit IP addresses on ingress routers, our algorithm checks at most 40 bits on each router.

CHEN Hong-tao,CHEN De-ren,GU Xue-fei

2005-01-01

Abstract:Content filtering is an indispensable important part in the network security field.It analyses the information transported in application layer content protocol and controls the forwarding of the information based on the filtering rules.Network Processor is a new generation programmable processor of high speed for carrying out data processing and transmitting.With its obvious advantages in network data processing,the network processor becomes the essential component in high-speed network equipment which supports network functions,such as operation management、security and network monitoring,etc.Based on the advantage of network processor,this paper presented an implementation of an Intel IXP2400 network processor-based content filtering system.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Shu Yang,Mingwei Xu,Dan Wang,Jianping Wu

DOI: https://doi.org/10.1145/2079327.2079328

2011-01-01

Abstract:To prevent network infrastructure from malicious traffic, such as DDoS attack and scanning, source filtering is widely used in the network. There are different ways to store the filters, e.g., a blacklist of source addresses. Among them, TCAM-based is used as the de facto, because of its wire speed performance. Unfortunately, TCAM is a scarce resource because it's limited by small capacity, high power consumption and high cost. To save storage space, some TCAM-based solutions even block part of the legitimate traffic for better aggregation. Another choice is software based solutions, which have larger storage space compared to hardware based solutions. However, they require multiple accesses for a single lookup, which causes latency.

Boyang Zhou,Chunming Wu,Shuangxi Chen,Zhen Li,Hong Fan

DOI: https://doi.org/10.1109/iucc-cit-dsci-smartcns57392.2022.00030

2022-01-01

Abstract:The distributed network control in software-defined networking is greatly challenged by the design demands of evolving a running distributed control plane (DCP), and by the complexity of handling the control state dynamics. In this paper, we propose RIFFLE to address the problem using a distributed network operating system approach. RIFFLE enables the evolvability of control states of DCP deployed on a global scale. RIFFLE handles spatial and temporal dynamics that occur when updating and migrating the distributed control states, which overcomes the critical barrier to the evolvability. It fills the gap by enabling temporal reconfigurability in DCP. Moreover, RIFFLE reduces the complexities of building and maintaining network control services in DCP by enabling componentization and abstracting the underlying network dynamics. We evaluated the prototype RIFFLE through experiments running in PlanetLab. The results show that the prototype scales well for 135 nodes. We also validate that RIFFLE ensures the continuity and low content request delay for the supported the information-centric network supported during cache update periods owing to the enabled evolvability.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icccn.2013.6614204

2013-01-01

Abstract:While making the Internet totally trustworthy is intractable, making as trustworthy as possible is a crucial problem. Within this landscape, authentication of the IP source address remains one important topic in need of further study. However, most source address validation methods are difficult to implement in practice because of deployment difficulties. This research designs an efficient inter-domain distributed source address validation solution (CatchIt). By employing a novel routing choice notification scheme, CatchIt makes the deployed ASes intelligent by allowing them cooperate to acquire the valid incoming path information of packets. With such knowledge, the deployed ASes can accurately authenticate the source address without the need for any modifications to the de facto routing protocol and packet structure. Moreover, CatchIt helps the deployed ASes proactively and quickly filter spoofed packets before they imperil the network. CatchIt also avoids any false positive, even under partial deployment. Our evaluation also shows that CatchIt is effective and accurate when catching spoofed packets while incurring a low overhead; CatchIt maintains an early deploy and rapidly benefit incremental deployment incentive mechanism.

Tingting Yang,Hailong Feng,Chengming Yang,Zhonghua Sun,Ruilong Deng

DOI: https://doi.org/10.1155/2016/3906549

IF: 1.938

2016-01-01

International Journal of Distributed Sensor Networks

Abstract:An innovative paradigm named Cooperative Cognitive Maritime Cyber Physical Systems (CCMCPSs) is developed to achieve high-speed and low-cost communication services. The analysis of the available white space at sea, as well as the framework, is presented. Specifically, a bilevel game with two stages of PUs-to-SUs (primary users to secondary users) and SUs-to-SUs is proposed, to address the resource allocation issue of Decode-and-Forward (DF) relay mode with maximal-ratio combining (MRC) receiving mode in destination. Stackelberg game with priority is employed between PU and SUs, while a symmetrical system model is considered among SUs-to-SUs. The game theoretic procedure that converges to Nash equilibrium based on the utility and payoff function is illustrated. Simulation results demonstrate that our proposed strategy could effectively increase the throughput as well as the payoffs of the system.

Jun Li,Devkishen Sisodia,Yebo Feng,Lumin Shi,Mingwei Zhang,Christopher Early,Peter Reiher

DOI: https://doi.org/10.1109/CNS59707.2023.10288699

2023-05-23

Abstract:Despite the proliferation of traffic filtering capabilities throughout the Internet, attackers continue to launch distributed denial-of-service (DDoS) attacks to successfully overwhelm the victims with DDoS traffic. In this paper, we introduce a distributed filtering system that leverages nodes distributed along the paths of DDoS traffic to filter the DDoS traffic. In particular, we focus on adaptive distributed filtering, a new direction in filtering DDoS traffic. In our design, a subscriber to the distributed filtering service can act on behalf of a DDoS victim and generate filtering rules that not only adapt to the most suitable and effective filtering granularity (e.g., IP source address and a port number vs. an individual IP address vs. IP prefixes at different lengths), but also adapt to the preferences of the subscriber (e.g., maximum coverage of DDoS traffic vs. minimum collateral damage from dropping legitimate traffic vs. minimum number of rules). We design an efficient algorithm that can generate rules adaptive toward filtering granularities and objectives, which can further help determine where to deploy generated rules for the best efficacy. We evaluated our system through both large-scale simulations based on real-world DDoS attack traces and pilot studies. Our evaluations confirm that our algorithm can generate rules that adapt to every distinct filtering objective and achieve optimal results. We studied the success rate and distribution of rule deployment under different Internet-scale rule deployment profiles, and found a small number of autonomous systems can contribute disproportionately to the defense. Our pilot studies also show our adaptive distributed filtering system can effectively defend against real-world DDoS attack traces in real time.

Networking and Internet Architecture,Cryptography and Security

Duan Haixin,Wu Jianping,Li Xing

2001-01-01

Abstract:Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O (N) of traditional sequential algorithm to O (1), which therefore increases largely the throughput of firewalls.

Zhang Peng,Chen Xiangning,Ge Yun,Jin Lin

DOI: https://doi.org/10.1049/cje.2016.06.004

IF: 1.019

2016-01-01

Chinese Journal of Electronics

Abstract:After studying the routing and forwarding process of network stream and the implementation of SDN, we propose a retractable management model for flow table. A structure with parallel tables and synthesis processing is proposed according to the feature of SDN and traditional network. The parallel tables share the same storage resources. Thanks to the separation of data plane and control plane, control plane owns more computing resources than traditional device. It evaluates the role of nodes and the action of network flows, makes adjustment according to the historical and current information and streamlines flow tables by consolidating and simplifying old flow entries. Through simulation, it is proved that the realized method can defend offensive traffic while ensuring the safety of accessing and forwarding, especially existing blocking attack.

Yujiao Hu,Qingmin Jia,Meng Shen,Renchao Xie,Tao Huang,F.Richard Yu

2024-02-04

Abstract:The emergence of intelligent applications and recent advances in the fields of computing and networks are driving the development of computing and networks convergence (CNC) system. However, existing researches failed to achieve comprehensive scheduling optimization of computing and network resources. This shortfall results in some requirements of computing requests unable to be guaranteed in an end-to-end service pattern, negatively impacting the development of CNC systems. In this article, we propose a distributed cooperative routing framework for the CNC system to ensure the deadline requirements and minimize the computation cost of requests. The framework includes trading plane, management plane, control plane and forwarding plane. The cross-plane cooperative end-to-end routing schemes consider both computation efficiency of heterogeneous servers and the network congestion degrees while making routing plan, thereby determining where to execute requests and corresponding routing paths. Simulations results substantiates the performance of our routing schemes in scheduling computing requests in the CNC system.

Networking and Internet Architecture,Artificial Intelligence

Han Bao,Xiaoping Zhang,Gaoyuan Wang,Mengyu Zhang,Yisong Wang,Youjian Zhao

DOI: https://doi.org/10.1109/icc45041.2023.10278691

2023-01-01

Abstract:Wireless networks are vulnerable to many attacks due to its dynamic environments. Unrestricted forwarding of packets from untrusted sources in wireless networks has caused many serious security threats and a great waste of network resources. This paper presents RepuFilter, a probabilistic packet filtering scheme based on trust evaluation, which enables a shared data plane to provide security services for wireless networks. RepuFilter proposes a dynamic trust evaluation model based on the transitivity of trust evaluation between network users, and applies the model to packet filtering. In the framework of RepuFilter, forwarders verify packets with a certain probability, and discard packets from untrusted sources, to prevent the packets from being spread, and reduce inspection expenses as much as possible. We implement RepuFilter and evaluate its performance based on Network Simulator Version 3 (NS3). Simulation results prove that RepuFilter can resist the spread of untrusted packets more effectively than the classic and latest trust models and RepuFilter can meet current network performance requirements,

Xin Liu,Xiaowei Yang,Yong Xia

DOI: https://doi.org/10.48550/arXiv.1009.0033

2010-08-31

Networking and Internet Architecture

Abstract:Denial of Service (DoS) attacks frequently happen on the Internet, paralyzing Internet services and causing millions of dollars of financial loss. This work presents NetFence, a scalable DoS-resistant network architecture. NetFence uses a novel mechanism, secure congestion policing feedback, to enable robust congestion policing inside the network. Bottleneck routers update the feedback in packet headers to signal congestion, and access routers use it to police senders' traffic. Targeted DoS victims can use the secure congestion policing feedback as capability tokens to suppress unwanted traffic. When compromised senders and receivers organize into pairs to congest a network link, NetFence provably guarantees a legitimate sender its fair share of network resources without keeping per-host state at the congested link. We use a Linux implementation, ns-2 simulations, and theoretical analysis to show that NetFence is an effective and scalable DoS solution: it reduces the amount of state maintained by a congested router from per-host to at most per-(Autonomous System).

Jiamin Cao,Ying Liu,Yu Zhou,Lin He,Chen Sun,Yangyang Wang,Mingwei Xu

DOI: https://doi.org/10.1109/tpds.2021.3136575

IF: 5.3

2022-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:As one of the most critical cloud services, Bare-metal Servers introduce stringent performance requirements on data center networks (DCN). Stateful packet filter is an integral DCN component of ensuring connection security for bare-metal servers. However, the off-the-shelf hardware-based and software-based stateful packet filters either are prohibitively costly for cloud DCNs or introduce significant performance bottlenecks. In this paper, we present CoFilter, which employs cheap programmable switches to accelerate the stateful packet filter for bare-metal servers. CoFilter consists of two key designs. First, to support complex stateful packet filtering logic in programmability-limited switching ASICs, CoFilter partitions the stateful packet filtering logic between programmable ASICs and switch CPU. Most packets are directly processed in switching ASICs to achieve high performance, while only a small number of packets go to switch CPU for connection tracking. Second, to track massive connections with constrained hardware memory, CoFilter employs hash to compress connection states and provides an efficient settlement for hash collisions. We build a prototype of CoFilter and evaluate it on the Tofino switch under various data center traffic traces with real-world flow distribution. The evaluation shows that CoFilter largely outperforms NetFilter, i.e., forwarding packets at line rate (13x throughput of NetFilter), keeping packet delay at 1us, and freeing a significant quantity of CPU cores. Furthermore, CoFilter presents great scalability and accommodates over ten million connections with only 16MB SRAM.

Guang Yao,Jun Bi,Tao Feng,Peiyao Xiao,Duanqi Zhou

DOI: https://doi.org/10.1109/ICCCN.2014.6911784

2014-01-01

Abstract:IP spoofing is a well-known security threat on the Internet. Though there have been a number of spoofing prevention mechanisms, due the diversity of networks and management objectives, the operators may prefer a framework which enables easy installation and modification of the IP spoofing prevention solution, rather than a single mechanism. In this article, a lightweight and efficient framework for route-based IP spoofing filtering, named SEFA, is proposed. Through providing a collective view of the network and decoupling the filtering rule generation from network devices, SEFA enables easily installation of spoofing filtering application. SEFA mainly resolves the challenge that how to build network abstraction without taking full controllability. SEFA has been implemented based on slightly modifying commercial routers and an open source controller. Based on experiments, SEFA is found to be able to reduce the overhead and the latency of filtering rule generation and installation, while keeping off the complexity and latency of generating forwarding rules by the controller.

Xin Wang,Min Lin,Zheng Huang,Xiangyang Xue

DOI: https://doi.org/10.1109/hspr.2008.4734420

2008-01-01

Abstract:Although coding over P2P is effective in some ways, coding at routers can bring us more significant benefits. Unfortunately, routers in todaypsilas network are mostly not capable of network coding. We propose a novel scheme to equip routers with coding functionalities. To do this, we design a routing protocol based on network coding and regulate the coding functionalities at routers. Simulation results show that for content distributions in single-source and multiple-sink networks, our scheme exhibits better performance in terms of download time and balanced load.

Jun-Yi Li,Zidong Wang,Renquan Lu,Yong Xu

DOI: https://doi.org/10.1109/tac.2022.3159486

IF: 6.549

2022-01-01

IEEE Transactions on Automatic Control

Abstract:This article is concerned with the distributed filtering issue for linear discrete-time systems under bounded noises and constrained bit rate over wireless sensor networks. The communication between different sensor nodes is implemented via a wireless digital communication network with limited bandwidth. A bit rate constraint, which is subject to the so-called bandwidth allocation strategy, is placed to quantify the effect of the network bandwidth on the distributed filtering performance. An improved codingdecoding procedure is proposed to enable each node to decode messages from its neighbor nodes. Based on this procedure, a decoded-innovation-based distributed filtering scheme is put forward and a sufficient condition is established to ensure that the filtering error dynamics is ultimately bounded. Subsequently, a relationship between the bit rate and certain specific filtering performance is discovered. The desired parameters of the distributed filter are determined via solving two optimization problems whose objectives are actually the filtering performance indices including the smallest ultimate bound and the fastest decay rate. Furthermore, the codesign issue of the bit rate allocation protocol and the filter gain is converted into the mixed integer nonlinear programming problem, which is solved by means of the particle swarm optimization algorithm and the linear matrix inequality technique. Finally, numerical simulations on three scenarios are provided to verify the validity of the proposed distributed filtering approach.

automation & control systems,engineering, electrical & electronic

HX Duan,JP Wu,X Li

DOI: https://doi.org/10.1109/icon.2000.875800

2001-01-01

Journal of Software

Abstract:This paper focus on the issues of management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of a large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under an environment with policy requirements described in this paper the new algorithm reduces the time complexity of lookup from O(N) of the traditional sequential algorithm to O(1), which therefore increases largely the throughput of firewalls.

Mingwei Xu,Shu Yang,Dan Wang,Fuliang Li,Jianping Wu

DOI: https://doi.org/10.1016/j.comcom.2013.09.013

IF: 5.047

2014-01-01

Computer Communications

Abstract:Source address filtering is very important for protecting networks from malicious traffic. Most networks use hardware-based solutions such as TCAM-based filtering, however, they suffer from limited capacity, high power consumption and high monetary cost. Although software, such as SRAM, is larger, cheaper and consumes less power, the software-based solutions need multiple accesses in memory, which as a result bear much more additional lookup burden.