
Secure Overlay Network Design

  • Conference paper
Algorithmic Aspects in Information and Management (AAIM 2006)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 4041)


Abstract

Due to the increasing security threats in the Internet, new overlay network architectures have been proposed to secure privileged services. In these architectures, the application servers are protected by a defense perimeter that only traffic from entities called servelets is allowed to pass. End users must be authorized and can only communicate with entities called access points (APs). APs relay authorized users' requests to servelets, which in turn pass them to the servers. The identities of the APs are publicly known, while the servelets are typically secret. All communication is done through the public Internet, so all the entities involved form an overlay network. The main component of this distributed system consists of n APs and m servelets. A design for a network is a bipartite graph with the APs on one side and the servelets on the other. If an AP is compromised by an attacker, all the servelets connected to it are subject to attack. An AP is blocked if all servelets connected to it are subject to attack. We consider two models for the failures. In the average-case model, we assume that each AP i fails with a given probability p_i. In the worst-case model, we assume that there is an adversary who, knowing the topology of the network, chooses at most k APs to compromise. In both models, our objective is to design the connections between APs and servelets so as to minimize the (expected/worst-case) number of blocked APs. In this paper, we give a polynomial-time algorithm for this problem in the average-case model when the number of servelets is a constant. We also show that if the probability of failure of each AP is at least 1/2, then in the optimal design each AP is connected to only one servelet (we call such designs star-shaped), and give a polynomial-time algorithm to find the best star-shaped design. We observe that this statement is not true if the failure probabilities are small.
In the worst-case model, we show that the problem is related to a problem in combinatorial set theory, and use this connection to give bounds on the maximum number of APs that a perfectly failure-resistant design with a given number of servelets can support. Our results provide the first rigorous theoretical foundation for practical secure overlay network design.
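The two failure models above can be evaluated directly on a small design. The following is an added illustration, not the paper's algorithm or code: it represents a design as a map from each AP to the set of servelets it connects to, computes the expected number of blocked APs under independent AP failures by enumerating every failure pattern, computes the worst-case number of blocked APs over every choice of k compromised APs, and checks the "perfectly failure-resistant" property (compromising any k APs blocks only those k). The sample designs (6 APs, 4 servelets, names `a`..`f` and `s1`..`s4`) and the failure probabilities 0.1 and 0.6 are constructed for this example. With p = 0.6 the best star-shaped design beats a design that gives each AP a distinct pair of servelets, while with p = 0.1 the pair design wins, matching the abstract's remark that the star result does not hold for small failure probabilities.

```python
"""Average-case and worst-case evaluation of an AP/servelet design.

Assumptions of this illustration (not from the paper):
  * a design maps each AP to a non-empty frozenset of servelet names;
  * APs fail independently in the average-case model;
  * the worst-case adversary compromises exactly k APs; since compromising
    more APs can only enlarge the blocked set, "at most k" has the same maximum.
"""
from itertools import combinations, product
from typing import Dict, FrozenSet, Iterable, Set

Design = Dict[str, FrozenSet[str]]


def check_design(design: Design) -> None:
    """An AP with no servelet would be vacuously blocked; reject such designs."""
    for ap, servs in design.items():
        if not servs:
            raise ValueError(f"AP {ap!r} is connected to no servelet")


def blocked_aps(design: Design, compromised: Iterable[str]) -> Set[str]:
    """APs all of whose servelets are reachable from some compromised AP."""
    attacked: Set[str] = set()
    for ap in compromised:
        attacked |= design[ap]
    return {ap for ap, servs in design.items() if servs <= attacked}


def expected_blocked(design: Design, p: Dict[str, float]) -> float:
    """Average-case objective: E[#blocked APs] under independent failures.

    Enumerates all 2^n failure patterns, which is fine for the small n here.
    """
    check_design(design)
    aps = list(design)
    total = 0.0
    for pattern in product((False, True), repeat=len(aps)):
        prob = 1.0
        compromised = []
        for ap, failed in zip(aps, pattern):
            prob *= p[ap] if failed else 1.0 - p[ap]
            if failed:
                compromised.append(ap)
        total += prob * len(blocked_aps(design, compromised))
    return total


def worst_case_blocked(design: Design, k: int) -> int:
    """Worst-case objective: max #blocked over every set of k compromised APs."""
    check_design(design)
    aps = list(design)
    k = min(k, len(aps))
    return max(len(blocked_aps(design, c)) for c in combinations(aps, k))


def is_perfectly_resistant(design: Design, k: int) -> bool:
    """True iff compromising any k APs blocks exactly those k APs.

    Equivalently, no AP's servelet set lies inside the union of k other APs'
    servelet sets: the k-cover-free condition on the family of neighbourhoods.
    """
    check_design(design)
    aps = list(design)
    k = min(k, len(aps))
    return all(blocked_aps(design, c) == set(c) for c in combinations(aps, k))


# Constructed sample designs: 6 APs (a..f), 4 servelets (s1..s4).
# Best star-shaped design for these parameters: groups of sizes 2, 2, 1, 1.
STAR: Design = {
    "a": frozenset({"s1"}), "b": frozenset({"s1"}),
    "c": frozenset({"s2"}), "d": frozenset({"s2"}),
    "e": frozenset({"s3"}), "f": frozenset({"s4"}),
}
# Non-star design: every AP gets a distinct pair of servelets.
PAIRS: Design = {
    "a": frozenset({"s1", "s2"}), "b": frozenset({"s1", "s3"}),
    "c": frozenset({"s1", "s4"}), "d": frozenset({"s2", "s3"}),
    "e": frozenset({"s2", "s4"}), "f": frozenset({"s3", "s4"}),
}


def uniform(design: Design, prob: float) -> Dict[str, float]:
    """Same failure probability for every AP (constructed for the example)."""
    return {ap: prob for ap in design}


if __name__ == "__main__":
    for prob in (0.1, 0.6):
        star = expected_blocked(STAR, uniform(STAR, prob))
        pairs = expected_blocked(PAIRS, uniform(PAIRS, prob))
        print(f"p={prob}: star E[blocked]={star:.5f}, pairs E[blocked]={pairs:.5f}")
    print("pairs design, k=1: worst-case blocked =", worst_case_blocked(PAIRS, 1),
          "perfectly resistant =", is_perfectly_resistant(PAIRS, 1))
    print("star design,  k=1: worst-case blocked =", worst_case_blocked(STAR, 1))
```

Under the worst-case model the pair design is perfectly resistant for k = 1 (any single compromise blocks only that AP) but not for k = 2, where compromising two APs with disjoint pairs exposes all four servelets and blocks every AP; the star design is not perfectly resistant even for k = 1, because APs that share a servelet fall together.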




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Li, L.E., Mahdian, M., Mirrokni, V.S. (2006). Secure Overlay Network Design. In: Cheng, SW., Poon, C.K. (eds) Algorithmic Aspects in Information and Management. AAIM 2006. Lecture Notes in Computer Science, vol 4041. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11775096_33


  • DOI: https://doi.org/10.1007/11775096_33

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-35157-3

  • Online ISBN: 978-3-540-35158-0
