Abstract
The inability to control inbound traffic is one of the essential security vulnerabilities of the present Internet. It is a consequence of the fundamental fact that the Internet was built as a highly distributed public network in which every node may freely send arbitrary traffic to any other node. This vulnerability can be exploited by a variety of DoS attacks (a volumetric DDoS attack being the most prominent example) or triggered by non-malicious phenomena such as flash crowds. This paper discusses state-of-the-art solutions that aim to mitigate these risks and presents a novel proposal, On-demand Source Authentication and Authorization (OSAA). OSAA does not target a particular threat but addresses the root cause of the vulnerability. The proposed architecture enables Internet end nodes to authenticate traffic sources and facilitates cost-effective filtering of unauthorized traffic. The solution is based on a capability-based security model and a public key infrastructure. Key characteristics of OSAA are the strong security of the services it provides and a viable business case with clear economic incentives for the parties bearing the workload.
Notes
- 1. A flow is defined by a pair of network addresses (source and destination).
Acknowledgments
The author would like to thank Professor Grzegorz Kolaczek for his insightful comments and technical assistance. Words of gratitude are owed also to Nokia Networks for financial support of the research.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Dabiński, B. (2020). OSAA: On-Demand Source Authentication and Authorization in the Internet. In: Borzemski, L., Świątek, J., Wilimowska, Z. (eds) Information Systems Architecture and Technology: Proceedings of 40th Anniversary International Conference on Information Systems Architecture and Technology – ISAT 2019. ISAT 2019. Advances in Intelligent Systems and Computing, vol 1050. Springer, Cham. https://doi.org/10.1007/978-3-030-30440-9_21
DOI: https://doi.org/10.1007/978-3-030-30440-9_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30439-3
Online ISBN: 978-3-030-30440-9
eBook Packages: Intelligent Technologies and Robotics (R0)