Open Access

RISP: An RPKI-Based Inter-AS Source Protection Mechanism

Yihao Jia, Ying Liu, Gang Ren, Lin He
Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China.

Abstract

IP source address spoofing is one of the most common ingredients of anonymous attacks, above all Distributed Denial-of-Service (DDoS) attacks. Although Source Address Validation (SAV) at the access-network level has been standardized by the Internet Engineering Task Force (IETF), SAV at the inter-Autonomous System (AS) level remains an open problem. To prevent route hijacking, the IETF is building the Resource Public Key Infrastructure (RPKI) as a unified trust anchor for securing interdomain routing. In this study, we use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. Building on the trust basis the RPKI provides, RISP offers ASes more credible, source-oriented protection for the IP addresses they own while remaining independent of the RPKI. In experiments on real Internet topology, RISP not only provides better deployment incentives but also improves efficacy and saves bandwidth at a modest resource cost.
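The abstract's premise is that the RPKI already gives every AS a signed, globally checkable binding between an address prefix and the AS authorized to originate it (a Route Origin Authorization, RFC 6482), and that this binding can serve source-address validation as well as route validation. The following is an added illustration of that premise, not RISP itself (the page does not describe RISP's packet-level design) and not code from the authors: it loads ROA-style (prefix, maxLength, origin AS) triples, reproduces the RFC 6811 route-origin validation states, and then reuses the same bindings to classify the source address of a packet arriving from a neighbouring AS. The ROA set, the packets, and the `NEIGHBOUR_ORIGINS` table (which ASNs each ingress neighbour may legitimately source traffic for) are constructed sample data and assumptions of this example.

```python
"""Added example: RPKI ROA bindings as a trust basis for an inter-AS source check.
Not the paper's RISP mechanism. All ROAs, packets and neighbour tables are
constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: IPNetwork   # authorized prefix
    max_length: int     # longest prefix length the origin may announce (RFC 6482 maxLength)
    origin_as: int      # AS number authorized to originate the prefix


def load_roas(entries):
    """Build ROA objects from (prefix, maxLength, originAS) triples, as a validated
    RPKI cache would export them. Rejects a maxLength outside [prefixlen, 32/128]."""
    roas = []
    for prefix, max_len, asn in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"maxLength {max_len} out of range for {prefix}")
        roas.append(ROA(net, max_len, asn))
    return roas


VALID, INVALID, NOT_FOUND = "valid", "invalid", "not_found"


def rov_state(roas, route_prefix, origin_as):
    """RFC 6811 route-origin validation of a BGP route (prefix, origin AS).
    A ROA *covers* the route if the route prefix lies inside the ROA prefix;
    it *matches* if in addition the origin AS agrees and the route is no longer
    than maxLength. Covered but unmatched is INVALID; uncovered is NOT_FOUND."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return NOT_FOUND
    if any(r.origin_as == origin_as and route.prefixlen <= r.max_length
           for r in covering):
        return VALID
    return INVALID


def source_state(roas, src_ip, allowed_origins):
    """Apply the same bindings to a packet's source address: VALID if a ROA binds
    a prefix containing src_ip to an AS in allowed_origins, INVALID if ROAs cover
    src_ip but none names an allowed AS, NOT_FOUND if no ROA covers src_ip."""
    addr = ipaddress.ip_address(src_ip)
    covering = [r for r in roas
                if r.prefix.version == addr.version and addr in r.prefix]
    if not covering:
        return NOT_FOUND
    if any(r.origin_as in allowed_origins for r in covering):
        return VALID
    return INVALID


def filter_packet(roas, src_ip, ingress_as, neighbour_origins, drop_not_found=False):
    """Border-router decision for a packet with source src_ip received from
    neighbour ingress_as. neighbour_origins maps a neighbour ASN to the ASNs
    whose registered space it may source (assumption: itself plus its customers).
    NOT_FOUND space is accepted by default so that unregistered prefixes are not
    cut off during partial RPKI deployment; an unknown neighbour gets no rights."""
    allowed = neighbour_origins.get(ingress_as, frozenset())
    state = source_state(roas, src_ip, allowed)
    if state == INVALID or (state == NOT_FOUND and drop_not_found):
        return "drop", state
    return "accept", state


# Constructed sample ROA set (documentation prefixes, private ASNs).
SAMPLE_ROAS = load_roas([
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
])

# Constructed assumption: AS64501 may also source for its customer AS64502.
NEIGHBOUR_ORIGINS = {
    64500: frozenset({64500}),
    64501: frozenset({64501, 64502}),
}

if __name__ == "__main__":
    for src, neigh in [("192.0.2.10", 64500), ("192.0.2.10", 64501), ("10.1.2.3", 64501)]:
        print(src, "from AS", neigh, "->", filter_packet(SAMPLE_ROAS, src, neigh, NEIGHBOUR_ORIGINS))
```

The second sample packet is the spoofing case the abstract is about: AS64501 hands over a packet sourced from AS64500's registered prefix, so the ROA lookup marks it INVALID and it is dropped, without any per-packet cryptography. The NOT_FOUND branch is the practitioner's caveat: until ROA coverage is near-complete, dropping uncovered space would cause collateral damage, so that policy is an explicit switch rather than a default.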

Tsinghua Science and Technology
Pages 1-12
Cite this article:
Jia Y, Liu Y, Ren G, et al. RISP: An RPKI-Based Inter-AS Source Protection Mechanism. Tsinghua Science and Technology, 2018, 23(1): 1-12. https://doi.org/10.26599/TST.2018.9010025
Received: 16 July 2017
Accepted: 17 September 2017
Published: 15 February 2018
© The authors 2018