UC Santa Cruz UC Santa Cruz Previously Published Works

Transcription

1 UC Santa Cruz UC Santa Cruz Previously Publishe Works Title Towars Loop-Free Forwaring of Anonymous Internet Datagrams that Enforce Provenance Permalink Author Garcia-Luna-Aceves, J.J. Publication Date Peer reviewe escholarship.org Powere by the California Digital Library University of California

2 Towars Loop-Free Forwaring of Anonymous Internet Datagrams that Enforce Provenance J.J. Garcia-Luna-Aceves 1,2 1 Department of Computer Engineering, University of California, Santa Cruz, CA Palo Alto Research Center, Palo Alto, CA jj@soe.ucsc.eu Abstract The way in which aressing an forwaring are implemente in the Internet constitutes one of its biggest privacy an security challenges. The fact that source aresses in Internet atagrams cannot be truste makes the IP Internet inherently vulnerable to DoS an DDoS attacks. The Internet forwaring plane is open to attacks to the privacy of atagram sources, because source aresses in Internet atagrams have global scope. The fact an Internet atagrams are forware base solely on the estination aresses state in atagram heaers an the next hops store in the forwaring information bases (FIB) of relaying routers allows Internet atagrams to traverse loops, which wastes resources an leaves the Internet open to further attacks. We introuce PEAR (Provenance Enforcement through Aressing an Routing), a new approach for aressing an forwaring of Internet atagrams that enables anonymous forwaring of Internet atagrams, eliminates many of the existing DDoS attacks on the IP Internet, an prevents Internet atagrams from looping, even in the presence of routing-table loops. I. INTRODUCTION One of the biggest challenges facing the future of the Internet is that its vulnerabilities to DoS an DDoS attacks are inherent in the algorithms use in the Internet to: (a) assign aresses to hosts, routers, an evices; (b) inclue source aresses in Internet atagrams; (c) map aresses to routes; () bin names to locations in the Internet; an (e) forwar Internet atagrams. In theory, the goal of assigning Internet Protocol (IP) aresses to entities an incluing the source an estination IP aress in each atagram is to have system-frienly ientifiers that: state the origin an estination of Internet atagrams base on topological locations where content, services, or evices are mae available; an can be matche efficiently against store information by routers an en systems. However, an IP aress simply enotes the point of attachment of a host or router to a network with a given IP aress range, without any topological information other than the aggregation of IP aresses. Furthermore, IP aresses are assigne to entities inepenently of the establishment of routes to services, content, evices, groups, or any entity in general. As a result, routing protocols (e.g., OSPF, BGP) an irectory services (e.g., DNS) map names use to enote entities (e.g., omain names) to names that enote points of attachment to networks (IP aresses). In aition to this, the Internet surreners any control of the allocation of source IP aresses to Internet atagrams, because the origin of an Internet atagram specifies the source aress of the atagram inepenently of any forwaring mechanism an en noes are allowe to specify IP source aresses. Because of the algorithms use to assign IP aresses to entities an write source aresses into Internet atagrams, the source aress of an Internet atagram fails to convey its provenance correctly. The recipient of an Internet atagram is unable to authenticate the claime IP aress of the source of the atagram base solely on the basic operation of the forwaring plane of the IP Internet. The receivers of Internet atagrams are force to use aitional mechanisms an information to cope with the fact that a source aress nee not enote the vali provenance of an Internet atagram. Furthermore, these mechanisms are far more complex than the simple mechanism use by sources of Internet atagrams to state the origins of atagrams. In aition, IP aresses are globally unique an assigne on a long-term basis, which makes it easier for attackers to plan an mount attacks. This constitutes a major vulnerability to DDoS attacks in the current Internet architecture. In aition to the above, a router forwars an Internet atagram to its next hop base solely on the estination aress state in the atagram an the next hop liste in its forwaring information base (FIB). This is a problem in the presence of routing-table loops, because it is possible for Internet atagrams to traverse loops. The only approach use toay is to inclue a time-to-live (TTL) fiel in the atagram heaer that is ecremente at each hop of the path traverse by the atagram, an to rop an Internet atagram after the TTL value reaches zero. The contribution of this paper is to present a set of algorithms that we call PEAR (Provenance Enforcement through Aressing an Routing), an which prevent Internet atagrams from traversing forwaring loops, makes the ientity of the origin of an Internet atagram anonymous to the rest of the Internet, an enforces the provenance of an Internet atagram. Section II summarizes current efenses against DDoS flooing attacks. The main objective of this review of prior work is to point out that efening against large DDoS flooing attacks is virtually impossible without changing the basic algorithms use for the allocation of aresses to Internet atagrams, the mapping of aresses to routes an connections, an the protection of information carrie in Internet atagrams. Currently, attackers spen far less energy an time mounting

3 attacks than their targets spen efening against them. Section III introuces a simple approach to ensure that Internet atagrams never loop, even when routing tables contain long-term or short-term routing-table loops. The approach operates by having the FIB entry for an aress prefix state the next hop an the hop-count istance to the prefix, an by using the TTL file of a atagram to enforce an orering constraint ensuring that a router can forwar a atagram only to a next hop that is strictly closer to the intene estination. Section IV introuces a receiver-initiate aress allocation algorithm, a simple aress swapping function, an an oneman routing algorithm operating in the ata plane, which together ensure that the origins of Internet atagrams remain anonymous to any routers processing the atagram, an that anonymous sources of atagrams can receive traffic from public estinations over the reverse paths travele by their anonymous atagrams. II. CURRENT DEFENSES AGAINST DDOS ATTACKS The methos use to launch DDoS attacks toay consist of: (a) sening malforme packets to the victims to confuse protocols or applications; (b) isrupting the connectivity of legitimate users by exhausting banwith, router processing capacity, or network resources; an (c) isrupting services to legitimate users by exhausting the resources of servers (sockets, CPU, memory, or I/O banwith). We aress DDoS flooing attacks aime at isrupting the connectivity an services offere to legitimate users. Four types of efenses against these attacks have been propose to ate [3], [12], [26], [30], [37]: Attack prevention, which aims at stopping attacks before they reach their targets; attack etection, which attempts to ientify the existence of attacks when they occur; attack source ientification, which tries to locate the source of the attack inepenently of the information containe in packets use in the attack; an attack reaction, which aims at eliminating or minimizing the impact of attacks. The attack prevention approaches propose to ate focus on routers filtering IP atagrams with spoofe source IP aresses (e.g., [5], [13], [18], [22], [25], [28]), or routers aing provenance information to IP atagrams The limitations of existing packet-filtering approaches are that: (a) existing filters provie only coarse-graine escriptions of vali source IP aresses; (b) filters are vulnerable to asymmetric routing an the ynamics of routing protocols; (c) it can be ifficult to etermine which source IP aresses are vali because of the complexity of the network topology; an () the exiting approaches use to upate filters either incur substantial signaling overhea or are very slow to upate filters with new ata. Prior approaches base on aing provenance information require too much effort by the attacke network, because they involve the use an issemination of secret keys to mark IP atagrams, an some even require aitional heaers. Several efense approaches have focuse on etecting specific DoS an DDoS attacks (e.g., [2], [7], [16], [29], [39]) or anomaly etection (e.g., [10], [21], [40]). These approaches monitor the behavior of specific protocols or the network in an attempt to etect flow anomalies. The key limitation of efense approaches base on etection is that they must rely on a number of assumptions regaring the behavior of legitimate users, an attackers can aopt countermeasures to evae etection. Some DoS attacks can be etecte, given that only a few computer systems are attackers an compromise system must behave ifferently than benign users to exhaust the resources of their targets. However, the problem is far more ifficult for DDoS attacks, which involve many compromise hosts that can mimic legitimate users an nee not change the normal pattern of protocol traffic to be effective. Prior approaches for the ientification of attack sources have focuse on tracing the origins of attacks by explicit signaling or marking atagrams with the paths they traverse (e.g., [9], [31], [33], [34], [35], [41], [42]). Some path marking techniques have also been combine with filtering. The main limitations of these approaches inclue that: it may be ifficult to infer the attack paths in large DDoS attacks; some approaches can consume consierable storage, processing, an communication overhea; some path markings are not entirely unique; an tracebacks an markings become useful only after the attacks have consume network resources an have reache their targets. Similarly, prior approaches aime at filtering Internet atagrams with spoofe IP aresses are only partially effective, because they change router behavior to enact filtering without changing the way in which IP source aresses are assigne to Internet atagrams [5], [13], [18], [22], [25], [28], or the fact that atagram forwaring is inepenent of the istances to aress prefixes state in routing tables. Approaches that introuce aitional information to enote the provenance of a atagram are ifficult to implement an cannot be eploye at Internet scale, because they require public key infrastructure (PKI) support. For example, HIP [27] requires a PKI that is globally eploye to prevent attackers from simply minting unlimite numbers of host ientifiers use in HIP. AIP [4] on the other han assumes a flat aressing space that cannot be applie at Internet scale, is vulnerable to malicious hosts creating unlimite numbers of EIDs, an oes not offer an efficient way to recovering from compromise private keys corresponing to the AIP aresses of hosts or accountability omains. Similar limitations exist in approaches that a path information (e.g., [8], [23]). Attack-reaction approaches seek to minimize the amage cause by attacks by protecting bottleneck resources [24]. The mechanisms that have been propose inclue reucing the state neee to execute specific communication protocols (TCP in particular [6], [11], [32]); manage resources, shape traffic, an increase the capacity of servers [19], [36]; an secure the communication between confirme users an servers [20], [38]. Attempting to reuce connection state in TCP is a goo objective in all TCP implementation moifications; however, they have not caught on because of the inconsistencies they introuce in the establishment an termination of connections. Approaches that attempt to manage bottleneck resources are not effective, because such resources are share fairly by DDoS traffic, leaving limite resources for vali users. On the

4 other han, prior approaches that attempt to secure the communication between vali users an resources are overly complex, because they buil new mechanisms to enforce provenance an obfuscation on top of existing Internet methos for naming, aressing an routing. III. ELIMINATING FORWARDING LOOPS IN THE INTERNET The Internet atagram forwaring algorithm is base on FIB entries that simply state the next hops for IP aress prefixes. To forwar a atagram intene to estination aress, an IP router looks up its FIB to obtain the best match for among the entries liste in its FIB for known IP aress prefixes an ecrements the TTL of the atagram. Two approaches are currently use to cope with the occurrence of forwaring loops in Internet forwaring. In the forwaring plane, the time-to-live (TTL) fiel of an Internet atagram is use to iscar a atagram after it circulates a forwaring loop too many times. In the control plane, routing protocols (e.g., OSPF an EIGRP) are use to reuce or eliminate the existence of routing loops. However, even if a loop-free routing protocol is use in the control plane, a atagram may still circulate a forwaring loop while routing tables are inconsistent among routers. We propose using FIBs to ensure that forwaring ecisions in the ata plane are consistent with the routing information maintaine by the routing protocol operating in the control plane. The FIB entry store at router i for aress prefix states the minimum-hop istance H i to the prefix in aition to the next hop n to the prefix. We assume for convenience that a istance state in a FIB is a minimum-hop count to a estination. We enote by P k [s k,, T k, ID o ](p) an Internet atagram sent by router k with a heaer that contains a source aress of local scope (s k ), a estination aress of global scope (), a TTL value (T k ), an an origin ID (ID o ), plus payloa ata p. Router i uses the following rule to forwar such a atagram using its FIB within a network. TTL-base FIB Rule (TFR): Router i accepts to forwar P k [s k,, T k, ID o ](p) from router k towars the best-match prefix for if T k > H i. If router i accepts P k [s k,, T k, ID o ](p), it sets T i = H i an forwars atagram P i [s i,, T i, ID o ](p) to its next hop towars prefix. A router simply rops a atagram intene for a estination aress of global scope with a TTL value that oes not satisfy TFR. TFR consists of imposing an orering constraint on the traitional Internet atagram forwaring algorithm base on FIB entries, an making the TTL value of the atagram equal to the istance store in the FIB for the intene estination, rather than simply ecrementing its value. The following theorem proves that TFR eliminates IP forwaring loops. Theorem 1: No Interest can traverse a forwaring loop in an IP network in which TFR is use to forwar atagrams. Proof: Consier a network in which TFR is use an assume for the sake of contraiction that routers in a forwaring loop L of h hops {v 1, v 2,..., v h, v 1 } forwar a atagram for estination along L with no router in L etecting that the atagram has traverse loop L. Given that L exists by assumption, router v k L must forwar P v k [s v k,, T v k, ID o ](p) to router v k+1 L for 1 k h 1, an router v h L must forwar P v h [s v h,, T v h, ID o ](p) to router v 1 L. Accoring to TFR, if router v k (1 < k h) forwars P v k [s v k,, T v k, ID o ](p) to router v k+1 as a result of receiving P v k 1 [s v k 1,, T v k 1, ID o ](p) from router v k 1, then it must be true that T v k 1 > H v k, where is the aress prefix that is the best match for estination. Similarly, if router v 1 forwars P v1 [s v1,, T v1, ID o ](p) to router v 2 as a result of receiving P v h [s v h,, T v h, ID o ](p) from router v h, then it must be true that T v h > H v1. However, these results constitute a contraiction, because they imply that H v k > H v k for 1 k h. Therefore, the theorem is true. Theorem 1 is inepenent of whether the network is static or ynamic, or whether routers use single-path routing of multipath routing. The orering constraint of TFR is essentially the same loop-free conition first introuce in DUAL [14]. The ifference between the way in which the orering constraint is use in TFR an in DUAL is that TFR establishes istancebase orering in the ata plane to forwar atagrams base on existing FIB entries, while DUAL establishes istance-base orering in the control plane to buil FIB entries that are then use to etermine how to forwar atagrams. As state, TFR is only applicable within an autonomous system (AS) in which the same routing protocol is use to obtain minimum-hop istances to estinations. However, applying the approach use in TFR across autonomous systems is relatively straightforwar. A atagram nees to carry two hop counts, one that states the AS hop count to the estination AS, an another one stating the istance to the intene estination within the same AS or the gateway connecting to the next AS along the path to the estination AS. IV. ANONYMOUS DATAGRAM FORWARDING Since the introuction of atagram packet switching by Baran [1], the ientifiers use to enote the estinations an sources of atagrams have ha global scope. Toay, the FIBs maintaine by Internet routers list entries that state the next hop to each known IP aress range of global scope. However, five important observations can be mae to argue that atagram forwaring oes not have to be limite to Baran s original esign. First, the purpose of having aresses in atagram heaers is to enable hop-by-hop atagram forwaring base on fast lookups of estination-base routing tables, which oes not require aresses to have global, longterm meaning. Secon, assigning IP aresses to hosts on a long-term basis as if they were names is not necessary an enables attackers to take avantage of the quasi-static nature of such ientifiers. Thir, there is no technical reason for the origin of an IP atagram to be the entity that assigns the source IP aress of the atagram. Fourth, having the estination of an IP atagram ascertain the provenance of a atagram without any assistance from the routing infrastructure imposes

5 too much effort on the estination an is one after atagrams with spoofe aresses have waste network resources. Fifth, the packet-filtering schemes propose to ate to aress DDoS attacks o not take full avantage of the istance information maintaine in routing tables. Our approach consists of using IP aresses of local scope to enote anonymous sources of Internet atagrams, an introucing an on-eman routing algorithm to maintain routes to such aresses. Similar to the approach in [17], we avocate Internet atagram forwaring over symmetric paths in orer to support the forwaring of Internet atagrams using IP aresses with local scope. The rest of this section escribes the mechanisms for supporting anonymous atagram forwaring in the Internet using a simple example. A formal escription of the algorithms is omitte for brevity. A. Receiver-Initiate Source Aress Assignment Each router announces a continuous interval of IP aresses (local interval) that the router consiers vali local-scope aresses use to enote sources or estinations of Internet atagrams. Router i maintains a local-interval set table (LIST i ) that lists the local interval announce by each neighbor router k (LI i (k)) to router i, an the local interval announce by router i to its neighbors (LI i (i)). All local intervals are of equal length LI, an hence a local interval is uniquely efine by the IP aress at the start of the interval. The start of local interval LI i (k) is enote by LI i (k)[s]. Given this, router i can easily map an IP aress of local scope x LI i (i) to a corresponing IP aress of local scope y that is acceptable to neighbor k with the following bijection, where ɛ is a constant known only to router i: y ɛ + x LI i (i)[s] + LI i (k)[s] mo LI (1) B. Forwaring Information Store an Exchange PEAR is transparent to en hosts. Clients an servers simply use IP atagrams without moification. The aresses specifie in a atagram sent between a host an router may be of local or global scope. A host that originates atagrams must use an IP aress taken from the local-interval set use by the ajacent router. To forwar Internet atagrams from an anonymous atagram source to a estination with an IP aress that has global scope, PEAR uses three aresses to forwar a atagram. A source IP aress of local scope enotes the originating router of the atagram at each hop of the path towars the estination. An IP aress of global scope enotes the intene estination. In aition, an IP aress of local scope, which we call the origin ID, is use to enote the host that originate the atagram. The TTL file of a atagram is use to enforce TFR at each router to forwar a atagram towars the best prefix match for estination aress of global scope. A router that receives a atagram from a host sets the TTL fiel of the atagram to equal its hop-count istance to the estination. Because the source IP aress an the origin ID state in a atagram have local scope, routers along the path from an anonymous source to a estination with a global-scope aress must establish forwaring state pointing back towars the anonymous source in orer for atagrams from to the anonymous source to be forware. Aitional forwaring tables are neee to accomplish this. Each router maintains a Hop-Specific Routing Table (HRT) to keep track of the next hops towars estinations enote by aresses that have hop-specific scope. Router i maintains HRT i, which is inexe using hop-specific IP aresses taken from LI i (i). An entry in HRT i states a hop-specific IP aress (HIP) use to enote a estination (HIP (HRT i ) LI i (i)), a next hop to that estination, (n(hrt i ) N i ), an a hop-specific aress mapping use to hanle collisions of hop-specific IP aresses (map(hrt i ) LI i (i)). HRT i [HIP, n, map] enotes a given entry in HRT i. A HIP use as the source IP aress in a atagram forware by router i is enote by SHIP D (i). Similarly, DHIP D (i) an OHIP D (i) are use to enote the estination IP aress an the origin IP of a atagram forware by router i, respectively.the origin IDs are not store in HRT entries. Each router uses the same bijection of Eq. (1) to map the origin ID state in a atagram it receives to the origin ID of the atagram it forwars towars its estination. Each router also maintains a Destination Routing Table (DRT) to reuce the amount of forwaring state neee in relaying routers. Router i maintains DRT i, which inexe using origin IDs receive in atagrams an lists entries corresponing to sources of atagrams that have inicate a estination aress that is irectly attache to router i. An entry in DRT i states an origin ID ((O(DRT i )) an a hopspecific IP aress ((HIP (DRT i )), both of which are in the local interval efine for router i. Fig. 1. Datagram forwaring using IP aress swapping with PEAR C. Forwaring of Datagrams from Anonymous Sources Routers that forwar a atagram from an anonymous source to a estination aress of global scope use their FIBs to etermine the next hop an establish forwaring state in their HRTs as the atagram is forware to allow atagrams to flow back to anonymous sources.

6 Figure 1 shows an example of the forwaring state establishe at relay routers between an anonymous source an a well-known estination to enable atagrams to be sent back to IP aresses of local scope. The example in the figure shows a client h initiating communication with a server assigne an aress that has network-wie scope an is part of an aress prefix liste in the forwaring information bases (FIB) maintaine by routers. It is assume that the client has obtaine the IP aress of the intene estination using the DNS or other means. The IP aress assigne to host h is s p an has only local scope at router p, i.e., other routers o not associate s p with the same host h. In the example, host h must use IP aress s p as its source aress. Router p accepts atagrams from host h only if the IP source aress in those atagrams is s p. The TTL fiel is not shown in the figure, but TFR is assume to be applie by each relay router. Starting with the router that receives a atagram from an attache host (router p in the example), routers establish forwaring state using a source IP aresses of local scope, an origin ID that is also an IP aress of local scope, an the estination aress. In the figure, a atagram forware between two routers towars the estination with global-scope aress is enote by P [x, : s x ], where x is a source IP aress of local scope, is the global-scope aress, an s x is an origin ID. The source IP aress an origin ID of a atagram being forware by router r to router n along the path from host h to aress (P h ) are taken from the local interval assigne by n to r (LI r (n)) using the bijection state in Eq. (1). In the example of Figure 1, router i has an exiting entry HRT i [15, q, 15] when it receives atagram P [15, : s i ] from router p q. The estination IP aress in the atagram has global scope an hence is forware base on its FIB. However, the source IP aress in the atagram receive from p collies with entry HRT i [15, q, 15]. Accoringly, router i selects HIP = 40, which is not use in any existing HRT entry; creates entry HRT i [40, p, 15], sets SHIP D (i) = f i (n)[40] = 550 an OHIP D (i) = f i (n)[s i ] = s n ; an forwars atagram P [550, : s n ] to router n. When router y receives P [1005, : s y ] from router n, it etermines that the host with aress y is locally attache. Accoringly, it creates an entry in DRT i with the tuple (s y, 1005) an passes atagram D[s y, ] to the host with IP aress. D. Forwaring of Datagrams to Anonymous Sources Routers use their HRTs to forwar atagrams to estinations enote with hop-specific aresses. Given that TFR is use when the entries in HRTs are establishe, the paths implie by HRT entries are loop-free. In Figure 1, when router i receives atagram P [, 550 : s i ] from router n, the fact that the estination aress in the atagram is in its local interval LI i (i) instructs router i to use HRT i for forwaring rather than its F IB i. To o so, router i computes the inverse function f 1 i (n)[550] = 40. Using HIP = 40 as the key in HRT i, router i obtains the next hop p an sets DHIP D (i) = 15. Router i also computes f 1 i (n)[s n ] = s i, sets OHIP D (i) = s i, an forwars forwars P [, 15 : s i ] to router p. In turn, router p uses f 1 i (p) to obtain the values of the estination aress an origin ID for the atagram it shoul forwar. However, given that p = f 1 i (p)[15] L p (p), router p obtains the local host that shoul receive the atagram. It computes f 1 i (p)[s i ] = s an forwars D[, s] to the host with IP aress s. E. Enforcing Anonymity an Provenance of Datagrams It is easy to show that PEAR enforces anonymity of atagrams, in the sense that no intruer can etermine the origin of a atagram simply by monitoring traffic over a link an reaing the heaers of atagrams. The reason an Internet atagram ivulges the ientity of its source is that source aresses have global scope an hence any relay router or intruer receiving the atagram can etermine its origin. Reucing the scope of a source aress to the specific hop where the atagram is being forware still allows intruers an relay routers to infer the ientity of the source in small networks. However, forcing each relay to use an aress from an aress space provie by the next hop eliminates the ability of an intruer or the receiving router to infer the true ientity of the atagram origin. This is the case even in small networks larger than two routers, unless the topology of the network is such that any traffic sent from a given router must be originate by the router (e.g., a leaf router). Even tough PEAR uses IP aresses of hop-specific scope to provie anonymity, routers can enforce correct provenance of atagrams by eliminating the ability of hosts or routers to inject arbitrary source IP aresses in atagrams being forware among truste routers implementing PEAR. An ingress router accepts a atagram from an attache host only if it has a source aress eeme vali for that host. Furthermore, the source IP aress an origin ID it uses in the atagram it forwars to the next hop must both be in the aress space provie by the next-hop router, an the same is true at every hop along the path to the estination. Therefore, it follows that any malicious host or team of routers attempting to inject atagrams with spoofe IP source aresses can be ientifie by the first truste router that oes not receive atagrams with correct source aresses. Furthermore, malicious atagrams using vali source aresses can be trace back to the first untruste router injecting the traffic, given the inuctive nature of the receiver-initiate source aress assignment an the simple bijection use at each hop to swap IP aresses to an from anonymous estinations. V. CONCLUSIONS AND FUTURE WORK We introuce the first approach for Internet atagram forwaring that eliminates forwaring loops even if routing tables contain routing-table loops. Base on the ability to eliminate forwaring loops, we also presente an approach that enables the origins of Internet atagrams to remain anonymous while enforcing the correct provenance of atagrams. As such, the propose forwaring scheme can be applie to eliminate

7 many of the existing DDoS attacks on the IP Internet, which are enable by the inability of Internet atagrams to enforce correct provenance. Aitional work is neee to formally escribe the specific DDoS countermeasures enable by PEAR. Equally important, TFR can be applie to inter-omain routing by utilizing two hop counts, one that takes effect across autonomous systems an another one that is use within an autonomous system. However, such cluster-base version of TFR has not been proven to be correct as is the case of TFR [15], [14] an this is an obvious next step. Lastly, even though we have avocate symmetric paths as aitional protection against DDoS attacks [17], the Internet has many asymmetric paths, an the propose scheme must be extrapolate to the case in which atagrams from s to follow a ifferent path than atagrams from to s. VI. ACKNOWLEDGMENTS This work was supporte in part by the Jack Baskin Chair of Computer Engineering at the University of California at Santa Cruz. REFERENCES [1] P. Baran, On Distribute Communications: I. Introuction fo Distribute Communication Networks, Memoranum RM-3420-PR, The RAND Corporation, Aug [2] S. Abelsaye et al., An Efficient Filter for Denial-of-Service Banwith Attacks, Proc. IEEE Globecom 03, [3] M. Abliz, Internet Denial of Service Attacks an Defense Mechanisms, Report No. TR , Univ. of Pittsburg, [4] D. Anersen, Accountable Internet Protocol (AIP), Proc. ACM SIG- COMM 08, [5] F. Baker, Requirements for IP Version 4 Routers, RFC 1812, [6] D.J. Bernstein, SYN Cookies, [7] R.B. Blazek et al., A Novel Approach to Detection of Denial-of- Service Attacks via Aaptive Sequential an Batch-Sequential Change- Point Detection Methos, Proc. IEEE Systems, Man, an Cybernetics Information Assurance Workshop 01, [8] A. Bremler-Barr an H. Levy, Spoofing Prevention Metho, Proc. IEEE INFOCOM 05, March [9] H. Burch an B. Cheswitck, Tracing Anonymous Packets to Their Approximate Source, Proc. 14th Systems Amin. Conference, [10] D.E. Denning, An Intrusion Detection Moel, IEEE Trans. Softw. Eng., [11] W. Ey, TCP SYN Flooing Attacks an Common Mitigations, RFC 4987, [12] T. Ehrenkranz an J. Li, On The state of IP Spoofing Defense, ACM Trans. Internet Technology, Vol. 9, No. 2, [13] P. Ferguson an D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Aress Aress Spoofing, RFC 2827, [14] J.J. Garcia-Luna-Aceves, A Unifie Approach to Loop-Free Routing Using Distance Vectors or Link States, Proc. ACM SIGCOMM 89, Aug [15] J.J. Garcia-Luna-Aceves, A Fault-Tolerant Forwaring Strategy for Interest-base Information Centric Networks, Proc. IFIP Networking 15, May [16] T.M. Gil an M. Poletto, MULTOPS: A Data-Structure for Banwith Attack Detection, Proc. USENIX Security Symposium 01, [17] M. Hanley an A. Greenhalgh, Steps Towars a DoS-Resistant Internet Architecture, Proc. ACM SIGCOMM 04 Workshops, Aug [18] C. Jin et al., Hop-Count Filtering: An Effective Defense against Spoofe DDoS Attacks, Proc. 10th ACM Conf. on Computer an Communications Security, [19] F. Kargl et al., Protecting Web Servers from Distribute Denial of Service Attacks, Proc. 10th Int l Worl Wie Web Conference, [20] A. Keromytis et al., SOS: Secure Overlay Services, Proc. ACM SIGCOMM 02, [21] R.R. Kompella et al., On Scalable Attack Detection in The Network, Proc. ACM IMC 04, [22] J. Li et al., SAVE: Source Aress Valiity Enforcement Protocol, Proc. IEEE INFOCOM 02, [23] X. Liu et al., Passport: Secure an Aoptable Source Authentication, Proc. USENIX 08, [24] J.K. Millen, A Resource Allocation Moel for Denial of Service, Proc. IEEE Symposium on Security an privacy, [25] J. Mirkovic et al., Attacking DDoS at The Source, Proc. IEEE ICNP 02, [26] J. Mirkovic an P. Reiher, A Taxonomy of DDoD Attack an DDOs Defense Mechanisms, ACM SIGCOMM CCR, Vol. 34, No.2, April [27] R. Moskowitz et al., Host Ientity Protocol, RFC 5201, April [28] K. Park an H. Lee, On The Effectiveness of Router-Base Packet Filtering for Distribute DoS Attack Prevention in Power-Law Internets, Prof. ACM SIGCOMM 01, [29] T. Peng et al., Proactively Detecting Distribute Denial of Service Attacks Using Source IP Aress Monitoring, Proc. IFIP Networkig 04, [30] T. Peng et al., Survey of Network-base Defense Mechanisms Countering The DoS an DDoS Problems, ACM Computing Surveys, Vol. 39, No. 1, April [31] S. Savage et al., Practical Network Support for IP Traceback, Proc. ACM SIGCOMM 00, [32] C.L. Schuba et al., Analysis of A Denial of Service Attack on TCP, Proc. IEEE Symposium on Security an Privacy 97, [33] A. Snoeren et al., Hash-base IP Traceback, Proc. ACM SIGCOMM 01, [34] D.X. Song an A. Perrig, Avance an Authenticate Marking Schemes for IP Traceback, Proc. IEEE INFOCOM 01, [35] R. Stone, Centertrack: An IP Overlay Network for Tracking DoS Floos, Proc. 9th USENIX Security Symposium, [36] O. Spatscheck an L. Petersen, efening against Denial of Service Attacks in Scout, Proc. 3th Symposium on Operating Systems Design an Implementation, [37] S. Taghavi et al., A Survey of Defense Mechanisms Against Distribute Denial of Service (DDoS) Flooing Attacks, IEEE Comm. Surveys an Tutorials, Vol. 15, No. 3, 2013 [38] U. Tupakula an V. Varaharajan, A Practial Metho To Counteract Denial of Service Attacks, Proc. ACSC 03, [39] H. Wang et al., Detecting SYN Flooing Attacks, Proc. IEEE INFO- COM 02, [40] P.D. Williams et al., CDIS: Towars a Computer Immune System fore Detecting Network Intrusions, Proc. Int l Symp. on Recent Avances on Intrusion Detection, [41] A. Yaar et al., Pi: A Path Ientification Mechanism to Defen Against DDoS Attack, Proc. IEEE Symposium on Security an Privacy, [42] A. Yaar et al., StackPi: New Packet Marking an Filtering Mechanisms for DDoS an IP Spoofing Defense, IEEE JSAC, 2006.