Hop-count filtering: an effective defense against spoofed DDoS traffic
2003
Cited by 187 (4 self)
IP spoofing has been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential to their own protection as well as to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he or she cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the Time-to-Live (TTL) value in the IP header. Using a mapping between IP addresses and their hop-counts to an Internet server, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique that is immediately deployable to weed out spoofed IP packets. Through analysis using network measurement data, we show that Hop-Count Filtering (HCF) can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its benefits using experimental measurements.
The impact of routing policy on internet paths
in Proc. 20th IEEE INFOCOM, 2001
Cited by 97 (5 self)
The impact of routing policy on Internet paths is poorly understood. In theory, policy can inflate shortest-router-hop paths. To our knowledge, the extent of this inflation has not been previously examined. Using a simplified model of routing policy in the Internet, we obtain approximate indications of the impact of policy routing on Internet paths. Our findings suggest that routing policy does impact the length of Internet paths significantly. For instance, in our model of routing policy, some 20% of Internet paths are inflated by more than five router-level hops. Keywords: Routing, Routing Policy, Policy Routing, Internet Paths
Efficient algorithms for large-scale topology discovery
in Proc. ACM SIGMETRICS, 2005
Cited by 88 (21 self)
There is a growing interest in discovery of internet topology at the interface level. A new generation of highly distributed measurement systems is currently being deployed. Unfortunately, the research community has not examined the problem of how to perform such measurements efficiently and in a network-friendly manner. In this paper we make two contributions toward that end. First, we show that standard topology discovery methods (e.g., skitter) are quite inefficient, repeatedly probing the same interfaces. This is a concern, because when scaled up, such methods will generate so much traffic that they will begin to resemble DDoS attacks. We measure two kinds of redundancy in probing (intra- and inter-monitor) and show that both kinds are important. We show that straightforward approaches to addressing these two kinds of redundancy must take opposite tacks, and are thus fundamentally in conflict. Our second contribution is to propose and evaluate Doubletree, an algorithm that reduces both types of redundancy simultaneously on routers and end systems. The key ideas are to exploit the treelike structure of routes to and from a single point in order to guide when to stop probing, and to probe each path by starting near its midpoint. Our results show that Doubletree can reduce both types of measurement load on the network dramatically, while permitting discovery of nearly the same set of nodes and links.
Home-Centric Visualization of Network Traffic for Security Administration
In VizSEC/DMSEC ’04: Proceedings of the 2004 ACM workshop on Visualization and
2004
Cited by 61 (4 self)
Today’s system administrators, burdened by rapidly increasing network activity, must quickly perceive the security state of their networks, but they often have only text-based tools to work with. These tools often provide no overview that would help users grasp the big picture. Our interviews with administrators have revealed that they need visualization tools. Thus we present VISUAL (Visual Information Security Utility for Administration Live), a network security visualization tool that allows users to perceive communications patterns between their home (or internal) networks and external hosts. VISUAL is part of our Network Eye security visualization architecture, also described in this paper. We have designed and tested a new computer security visualization that gives a quick overview of current and recent communication patterns in the monitored network to the users. Many tools can detect and show fan-out and fan-in, but VISUAL shows network events graphically, in context. Visualization helps users comprehend the intensity of network events more intuitively than text-based tools can. VISUAL provides insight for networks with up to 2,500 home hosts and 10,000 external hosts, shows the relative activity of hosts, displays them in a constant relative position, and reveals the ports and protocols used.
LGL: creating a map of protein function with an algorithm for visualizing very large biological networks
Journal of Molecular Biology, 2004
Cited by 54 (1 self)
Supplementary data associated with this article can be found at doi: 10.1016/j.jmb.2004.04.047
Topology Inference from BGP Routing Dynamics
in Internet Measurement Workshop, 2002
Cited by 50 (6 self)
Defense Against Spoofed IP Traffic Using Hop-Count Filtering
Cited by 49 (2 self)
IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and dilute localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF)—which builds an accurate IP-to-hop-count (IP2HC) mapping table—to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.
Internet Topology Discovery: a Survey
IN IEEE COMMUNICATIONS SURVEY AND TUTORIALS, 2007
Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats
Cited by 28 (11 self)
The Internet has become a wild place: malicious code is spread on personal computers across the world, deploying botnets ready to attack the network infrastructure. The vast number of security incidents and other anomalies overwhelms attempts at manual analysis, especially when monitoring service provider backbone links. We present an approach to interactive visualization with a case study indicating that interactive visualization can be applied to gain more insight into these large data sets. We superimpose a hierarchy on IP address space, and study the suitability of Treemap variants for each hierarchy level. Because viewing the whole IP hierarchy at once is not practical for most tasks, we evaluate layout stability when eliding large parts of the hierarchy, while maintaining the visibility and ordering of the data of interest. Index Terms: Information visualization, network security, network monitoring, treemap
Resolving Anonymous Routers in Internet Topology Measurement Studies
Cited by 28 (7 self)
Internet measurement studies utilize traceroute to collect path traces from the Internet. A router that does not respond to a traceroute query is referred to as an anonymous router and is represented by a ‘*’ in the traceroute output. Anonymous router resolution refers to the task of identifying the occurrences of ‘*’s that belong to the same router in the underlying network. This task is an important step in building traceroute-based topology maps and obtaining an optimum solution is shown to be NP-complete. In this paper, we use a novel technique from graph data mining field to build an efficient solution. The results of our experiments on both synthetic and genuine topologies show a significant improvement in accuracy and effectiveness over the existing approaches.