Similar Literature
20 similar documents found
1.
Our work targets a network architecture and accompanying algorithms for countering distributed denial-of-service (DDoS) attacks directed at an Internet server. The basic mechanism is for a server under stress to install a router throttle at selected upstream routers. The throttle can be the leaky-bucket rate at which a router can forward packets destined for the server. Hence, before aggressive packets can converge to overwhelm the server, participating routers proactively regulate the contributing packet rates to more moderate levels, thus forestalling an impending attack. In allocating the server capacity among the routers, we propose a notion of level-k max-min fairness. We first present a control-theoretic model to evaluate algorithm convergence under a variety of system parameters. In addition, we present packet network simulation results using a realistic global network topology, and various models of good user and attacker distributions and behavior. Using a generator model of web requests parameterized by empirical data, we also evaluate the impact of throttling in protecting user access to a web server. First, for aggressive attackers, the throttle mechanism is highly effective in preferentially dropping attacker traffic over good user traffic. In particular, level-k max-min fairness gives better good-user protection than recursive pushback of max-min fair rate limits proposed in the literature. Second, throttling can regulate the experienced server load to below its design limit - in the presence of user dynamics - so that the server can remain operational during a DDoS attack. Lastly, we present implementation results of our prototype on a Pentium III/866 MHz machine. The results show that router throttling has low deployment overhead in time and memory.

2.
High availability and reliability have been considered promising requirements for the support of seamless network services such as real-time video streaming, gaming, and virtual and augmented reality. Increased availability can be achieved within a local area network with the use of the virtual router redundancy protocol, which utilizes backup routers to provide a backup path in the case of a master router failure. However, the network may still lose a large number of packets during a failover owing to late failure detection and lazy responses. To achieve an efficient failover, we propose the implementation of fast detection with virtual router redundancy protocol (FDVRRP), in which the backup router quickly detects a link failure and immediately serves as the master router. We implemented the FDVRRP using open neutralized network operating system (OpenN2OS), which is an open-source-based network operating system. Based on the failover performance test of OpenN2OS, we verified that the FDVRRP exhibits very fast failure detection and a failover with low-overhead packets.

3.
We consider the realization of traffic-oblivious routing in IP-over-optical networks where routers are interconnected over a switched optical backbone. The traffic-oblivious routing we consider is a scheme where incoming traffic is first distributed in a preset manner to a set of intermediate nodes. The traffic is then routed from the intermediate nodes to the final destination. This splitting of the routing into two phases simplifies network configuration significantly. In implementing this scheme, the first and second phase paths are realized at the optical layer with router packet grooming at a single intermediate node only. Given this unreliability of routers, we consider how two-phase routing in IP-over-optical networks can be made resilient against router node failures. We propose two different schemes for provisioning the optical layer to handle router node failures: one that is failure node independent and static, and the other that is failure node dependent and dynamic. We develop linear programming formulations for both schemes and a fast combinatorial algorithm for the second scheme so as to maximize network throughput. In each case, we determine (i) the optimal distribution of traffic to various intermediate routers for both normal (no-failure) and failure conditions, and (ii) provisioning of optical layer circuits to provide the needed inter-router links. We evaluate the performance of the two router failure protection schemes and compare it with that of unprotected routing.

4.
5.
Many recent router architectures decouple the routing engine from the forwarding engine, allowing packet forwarding to continue even when the routing process is not active. This opens up the possibility of using the forwarding capability of a router even when its routing process is brought down for software upgrade or maintenance, thus avoiding the route flaps that normally occur when the routing process goes down. Unfortunately, current routing protocols, such as BGP, OSPF and IS-IS, do not support such operation. In an earlier paper, we described an enhancement to OSPF, called the IBB (I'll Be Back) capability, that enables a router to continue forwarding packets while its routing process is inactive. When the OSPF process in an IBB-capable router is inactive, it cannot adapt its forwarding table to reflect changes in network topology. This can lead to routing loops and/or black holes. In this paper, we focus on the loop problem and provide a detailed analysis of how and when loops are formed and propose solutions to prevent them. We develop two necessary conditions for the formation of routing loops in the general case when multiple routers are inactive. These conditions can easily be checked by the neighbors of the inactive routers. Simulations on several network topologies showed that checking the two conditions together signaled a loop in most cases only when a loop actually existed.

6.
Multi-Protocol Label Switching (MPLS) network architecture does not protect the confidentiality of data transmitted. This paper proposes a mechanism to enhance the security in MPLS networks by using multi-path routing combined with a modified (k, n) threshold secret sharing scheme. An Internet Protocol (IP) packet entering an MPLS ingress router can be partitioned into n shadow (share) packets, which are then assigned to maximally node-disjoint paths across the MPLS network. The egress router at the end will be able to reconstruct the original IP packet if it receives any k share packets. The attacker must therefore tap at least k paths to be able to reconstruct the original IP packet that is being transmitted, while receiving k − 1 or fewer share packets makes it hard or even impossible to reconstruct the original IP packet. In this paper, we consider the multicast case in addition to the unicast. To our best knowledge, no work has been published for MPLS multicast security. We have implemented our model and measured its time complexity on variable packet sizes.

7.
Wireless network-on-chip (WiNoC) is a new paradigm to mitigate the long-distance transmission latency of conventional wired network-on-chip. The wireless routers in WiNoC have to handle a large number of packets, which could cause data congestion, thus reducing the network performance. In this paper, we propose a novel wireless routing algorithm, called CPCA, which exploits the cross path congestion information as hints to route the packets. Under CPCA, the whole network is partitioned into sub-networks. In each subnet, the congestion information of the wireless router is propagated along the cross path. As a result, the routers in the same dimension can get the congestion degree of the wireless router within the subnet. Based on the congestion information, CPCA can compute the suitable path for packet routing, which can prominently avoid the congestion aggravation in the wireless router. Experimental results show that our proposed method can effectively improve performance in terms of packet transmission latency and network throughput.

8.
We introduce an all-optical WDM packet communication network that performs wavelength bypassing at the routers. Packets that arrive at a wavelength (optical cross-connect) router at designated wavelengths are switched by the router without having their headers examined. Thus, the processing element of the router is bypassed by such packets. For packet traffic that uses wavelengths that do not bypass a switch, the headers of such packets are examined to determine if this switch is the destination for the flow. If the latter is the case, the packet is removed. Otherwise, the packet is switched to a pre-determined output without incurring (network internal) queueing delays. We study a ring network with routers that employ such a WDM bypassing scheme. We present methods to construct wavelength graphs that define the bypassing pattern employed by the routers to guide the traffic flows distributed at each given wavelength. Performance is measured in terms of the network throughput and the average processing path length (i.e., the average number of switches not being bypassed). For a fixed total processing capacity, we show that a WDM bypassing ring network provides a higher throughput level than that exhibited by a non-bypassing ring network, using the same value of total link capacity. By using WDM bypassing, the average processing path length (and thus the packet latency) is reduced. We study a multitude of network loading configurations, corresponding to distinct traffic matrices and client-server scenarios. Higher throughput levels are obtained for network configurations driven by non-uniform traffic matrices. The demonstrated advantages of WDM bypassing methods shown here for WDM ring networks are also applicable to more general network topological layouts.

9.
Sun Bin, Mao Yuankui. China Communications, 2011, 8(5): 63-69
This paper presents a scheme to perform QoS management and assure network security by using the trusted-router based on the Trust Management System. In this trusted-router, every IP packet is forwarded and queued by its trust value, which is the quantification of the network's expectation for this packet's and its owner's behavior in the network. We outline the algorithms to calculate the trust value of the trusted-router and the IP packet. We also introduce the trust-based QoS management algorithm and the deplo...

10.
Optical networks have been extensively investigated in recent years to provide high capacity for Internet traffic. Among them, the optical packet-switching network deploying buffering, wavelength conversion and multipath routing could be the most suitable one. It can not only provide high-capacity transport for Internet traffic but also achieve high utilization of the network resources. However, due to the packet-oriented routing and switching, such a network can result in a large number of packets arriving out of order, lost, and/or with various delays at end systems, causing the TCP flows that comprise those packets to be corrupted. A large number of corrupted flows can increase the burstiness of the Internet traffic and cause higher-layer protocols to malfunction. This paper presents a novel routing and switching method for optical IP networks: flow routing. Without using a complicated control mechanism, flow routing deals with packet flows to reduce the number of corrupted flows. The performance of the wavelength-converted optical flow router is investigated, based on a novel analytical model. A performance metric, good-throughput, is used, measuring the ratio of the number of packets comprised in the non-corrupted flows to the total number of packets. Compared with optical packet-switching routers, a remarkable improvement of good-throughput can be obtained by using optical flow routers. More importantly, using wavelength conversion can greatly improve the good-throughput of optical flow routers.

11.
We describe an architecture for an optical local area network (LAN) or metropolitan area network (MAN) access. The architecture allows for bandwidth sharing within a wavelength and is robust to both link and node failures. The architecture can be utilized with an arbitrary, link-redundant mesh network (node redundancy is necessary only to handle all node failures), and assumes neither the use of a star topology nor the ability to embed such a topology within the physical mesh. Reservation of bandwidth is performed in a centralized fashion at a (replicated) head end node, simplifying the implementation of complex sharing policies relative to implementation on a distributed set of routers. Unlike a router, however, the head end does not take any action on individual packets and, in particular, does not buffer packets. The architecture thus avoids the difficulties of processing packets in the optical domain while allowing for packetized shared access of wavelengths. We describe the route construction scheme and prove its ability to recover from single link and single node failures, outline a flexible medium access protocol and discuss the implications for implementing specific policies, and propose a simple implementation of the recovery protocol in terms of state machines for per-link devices.

12.
Increased performance, fairness, and security remain important goals for service providers. In this work, we design an integrated distributed monitoring, traffic conditioning, and flow control system for higher performance and security of network domains. Edge routers monitor (using tomography techniques) a network domain to detect quality of service (QoS) violations—possibly caused by underprovisioning—as well as bandwidth theft attacks. To bound the monitoring overhead, a router only verifies service level agreement (SLA) parameters such as delay, loss, and throughput when anomalies are detected. The marking component of the edge router uses TCP flow characteristics to protect 'fragile' flows. Edge routers may also regulate unresponsive flows, and may propagate congestion information to upstream domains. Simulation results indicate that this design increases application-level throughput of data applications such as large FTP transfers; achieves low packet delays and response times for Telnet and WWW traffic; and detects bandwidth theft attacks and service violations. Copyright © 2004 John Wiley & Sons, Ltd.

13.
A detailed analytical traffic model for all-optical wavelength division multiplexing (WDM) photonic packet-switched networks is presented and the requirements for buffer size and link dimensions are analyzed. This paper shows that due to the topology, packets may generate traffic bottlenecks produced by a tendency of the routing scheme to send packets with different destinations through preferred paths. This effect increases the traffic load and, hence, the probability of blocking at the output links of specific routers in the network and, therefore, a large buffer depth or an increment in the number of fibers per link is required. Three router architectures are analyzed and it is shown that WDM all-optical router architectures with shared contention resolution resources are the best candidates to reduce hardware volume and cost of all-optical networks. It is shown that routers with a bank of completely shared wavelength converters (WCs) require a fraction of WCs compared to router architectures that use a WC per wavelength. This fraction depends on the location of the router, the network topology, and the traffic load in the network. However, in general terms, about 50% to 90% of WCs can be saved by architectures with shared wavelength-conversion resources. Also, it is shown that limited wavelength conversion degrees d=8 and d=10 in packet-switching routers with 16 and 32 wavelengths give the same probability of packet loss performance as full wavelength conversion.

14.
Future routers will not only forward data packets but also provide value-added services, such as security, accounting, caching, and resource management. These services can be implemented as general programs, to be invoked by traversing packets embedding router program calls. Software-programmable routers pose new challenges in the design of router operating systems (OS). First, router programs will require access to diverse system resources. The resource demands of a large community of heterogeneous resource consumers must either be coordinated to enable cooperation or arbitrated to resolve competition. Second, it is beneficial to concurrently support multiple virtual machines, each with a guaranteed share of physical resources. This allows services to be customized and to seamlessly evolve. We present the design and implementation of a next generation router OS that can meet the above challenges. We define an orthogonal kernel abstraction of resource allocation, which can schedule various time-shared and space-shared resources with quality of service (QoS) differentiation and guarantees. A scalable and flexible packet classifier enables dynamic resource binding and per-flow processing of received packets. We have prototyped our system on a network of UltraSPARC and Pentium II computers. Currently, QoS-aware schedulers for CPU time, forwarding bandwidth, memory-store capacity, and capacity for secondary data stores have been integrated. We present experimental results on various aspects of resource management in our system.

15.
In a mobile network that is multihomed by multiple mobile routers, a mobile router that loses link connectivity can be replaced by the other mobile routers. We propose a transparent failover mechanism (TFM) to provide seamless Internet services to nodes in the mobile network, which is validated by implementing a real test-bed. Compared to the network mobility basic support protocol, TFM does not require the nodes attached to the failed mobile router to change their addresses, and hence has two advantages: (a) IP connectivity is maintained transparently, and (b) failover is quickly accomplished by avoiding the address re-configuration process in each node.

16.
Sharon, O. IEEE Network, 2001, 15(1): 56-65
OSPF and IS-IS are two main standard link state routing protocols designed to operate in various complex network topologies. One aspect that both protocols handle is the reliable dissemination of routing information over broadcast networks such as Ethernet and FDDI. Both protocols suggest different schemes for this purpose and in this article we compare the two. The performance criteria being checked are: the longest arrival time of a routing update packet at all the routers; the average arrival time of routing update packets at all the routers; the total required bandwidth; and the number of memory accesses a router performs, which is evidence of the amount of internal work it performs. We find that in our model of broadcast networks the scheme suggested in IS-IS is more efficient than that of OSPF in terms of the arrival times of routing update packets. In particular, the average arrival time of routing update packets in OSPF is 2-10 times longer than in IS-IS. In terms of the bandwidth each scheme consumes, there are scenarios where OSPF outperforms IS-IS and vice versa. In terms of the number of memory accesses routers perform in each scheme, IS-IS outperforms OSPF.

17.
18.
Quality of Service of a Differentiated Services Based Edge Router
Internet real-time multimedia communication brings a further challenge to Quality of Service (QoS). A higher QoS in communication is increasingly required. As a new framework for providing QoS services, Differentiated Services (DiffServ) is undergoing a speedy standardization process at the IETF. DiffServ not only can offer classified levels of service, but also can provide guaranteed QoS to a certain extent. In order to provide QoS, DiffServ must be properly configured. The traditional DiffServ mechanism provides a classifier for the edge router to mark the different traffic streams, and then the core router uses different packet drop mechanisms to drop or transmit data packets according to these classification markers. When multiple edge routers or other core routers transmit data packets at high speed to a single core router, the core router becomes a bandwidth bottleneck. The most valid solution to this problem is for the edge router to adopt a packet drop mechanism. This paper proposes a Modified Edge Router Mechanism that lets the edge router achieve marking, dropping and transmitting packets of hybrid traffic streams based on DiffServ in a given bandwidth, so that the core router only transmits packets and does not drop them. By simulation in ns2, the modified mechanism ensures the QoS of high-priority traffic and simplifies the core router; it is a valid method to solve the congestion of the core router.

19.
Configuring a network is a tedious and error-prone task. In particular, configuring routing policies for a network is complex as it involves subtle dependencies in multiple routers across the network. Misconfigurations are common and certain misconfigurations can bring the Internet down. In 2005, a misconfigured router in AS 9121 blackholed traffic for tens of thousands of networks in the Internet. This paper describes NetPiler, a system that detects router misconfigurations. NetPiler consists of a routing policy configuration model and a misconfiguration detection algorithm. The model is applicable to routing policies configured on a single router as well as to network-wide configuration. Using the model, NetPiler detects configuration commands that do not influence the behavior of the network - we call these configurations ineffective commands. Although the ineffective commands could be benign, sometimes when the commands are mistakenly configured to be ineffective, they cause the network to misbehave, deviating from the intended behavior. We have implemented NetPiler in approximately 128,000 lines of C++ code, and evaluated it on the configurations of four production networks. NetPiler discovers nearly a hundred ineffective commands. Some of these misconfigurations can result in loss of connectivity, access to protected networks, and financial implications by providing free transit services. We believe NetPiler can help networks to significantly reduce misconfigurations.

20.
Gibbens, R.; Key, P. IEEE Network, 2001, 15(3): 54-59
We present a method for creating differential QoS where control is in the hands of the end system or user, and the network distributes congestion feedback information to users via packet marking at resources. Current proposals for creating differential QoS in the Internet often rely on classifying packets into a number of classes with routers treating different classes appropriately. The router plays a critical role in guaranteeing performance. In contrast, there is a growing body of work that seeks to place more of the control in the hands of the end system or user, with simple functionality in the router. This is the approach outlined in this tutorial article: using insights from economics and control theory, we show how cooperation between end systems and the network can be encouraged using a simple packet marking scheme. The network distributes congestion feedback information to users via packet marking at resources, and users react accordingly to obtain differential QoS.
