Spread-Identity mechanisms for DOS resilience and Security.

Abstract

The explosive growth in wireless (and wired) networking technologies and services indicates that multiple means of network connectivity will become available in the near future. For example, stationary and mobile hosts currently support Internet access via wired LANs, wireless LANs/PANs (e.g., 802.11x, 802.15) or wide-area wireless cellular phone and data networks (like GSM). In essence, heterogeneous multi-homing is now a necessity for all hosts (mobile or non-mobile). In order to tap the full potential of such heterogeneous multi-homing, we introduce the novel “Spread Identity (SI)” communications paradigm. Therein, the concept of multi-homing is extended to allow each interface to simultaneously assume multiple addresses and to dynamically acquire and release them as needed, which is tantamount to “spreading identity” at the network (IP) level and has fundamental implications for security. In this paper we show how the Spread Identity mechanisms can effectively (1) mitigate DDoS attacks by rate-limiting the number of name-resolution responses; (2) quickly detect and neutralize resource-overload type DDoS attacks that cannot be prevented by rate-limiting; (3) enable surviving the remaining types of DDoS attacks by quenching the destination addresses they target (in essence, by changing the identity); and (4) prevent future attack flows by returning NULL addresses and redirecting the attackers against one another. We demonstrate that Spread Identity mechanisms can also be leveraged to bolster the security of single source-to-destination flows. SI mechanisms can attain the same level of security as that of a single link with Strong Security Infrastructure (SSI) at a lower cost (in terms of the infrastructure required and the encryption effort needed). The fundamental concept of Spreading Identity revealed herein is more general and potentially applicable to other scenarios beyond Internet/electronic communications.