One of key security issues on the current Internet is unwanted traffic, the forerunner of unauthorized accesses, scans, and attacks. It is vitally important but extremely challenging to fight such unwanted traffic. We need a series of defensive mechanisms to identify unwanted packets, filter them out, and further defeat their associated attacks. In this paper, we propose a lightweight, scalable packet authentication mechanism, named Lightweight Internet Permit System (LIPS), as a first line of defense to effectively filter out the most common forms of unwanted traffic, spoofed and unsolicited packets, such that in-depth security schemes can take care of the remaining issues more efficiently. LIPS is a simple extension of IP, in which each packet carries an access permit issued by its destination host or gateway, and the destination verifies the access permit to determine to accept or drop the packet. LIPS provides preliminary traffic-origin accountability that supports two salient features to confine unwanted traffic: (1) filter out the most common forms of unwanted packets and defeat associated attacks; (2) help us identify compromised hosts/domains such that we are able to build active defense schemes to deal with various attacks through real-time inter-domain collaboration. In this paper, we first present the design and prototype implementation of LIPS on Linux 2.4 kernel, and then use analysis, simulations, and experiments to demonstrate the efficacy of LIPS in protecting critical resources with light overheads.
Bibliographical noteFunding Information:
This work was supported in part by the National Science Foundation under the grants ANI-0073819, ITR-0085824, CNS 0435444, and CAREER Award NCR-9734428. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of NSF.
Copyright 2008 Elsevier B.V., All rights reserved.
- IP spoofing
- Network security
- Packet authentication
- Unwanted traffic