SAFE:a Scalable Filter-Based Packet Filtering Scheme

作     者：LU Ning HU Wenhao 

作者机构：College of Information Science and EngineeringNortheastern University.ShenyangLiaoning110819 China State Key Laboratory of Networking and Switching TechnologyBeijing University of Posts and TelecommunicationsBeijing100000China Nanjing University of Information Science and Technology NanjingJiangsu210044 China 

出 版 物：《China Communications》 (中国通信（英文版）)

年 卷 期：2016年第13卷第2期

页      面：163-177页

核心收录：

学科分类：080706[工学-化工过程机械] 0839[工学-网络空间安全] 08[工学] 0807[工学-动力工程及工程热物理] 

基　　金：supported by the Doctoral Fund of Northeastern University of Qinhuangdao(No.XNB201410) the Fundamental Research Funds for the Central Universities(No.N130323005) the Natural Science Foundation of Hebei Province of China(No.F2015501122) the Doctoral Scientific Research Foundation of Liaoning Province(No.201501143) 

主　　题：internet security DoS attacks filtering scheme 

摘      要：Recently, attacks have become Denial-of-Service （DOS） the mainstream threat to the internet service availability. The filter-based packet filtering is a key technology to defend against such attacks. Relying on the filtering location, the proposed schemes can be grouped into Victim-end Filtering and Source-end Filtering. The first scheme uses a single filtering router to block the attack flows near the victim, but does not take the factor that the filters are scarce resource into account, which causes the huge loss of legitimate flows; considering each router could contribute a few filters, the other extreme scheme pushes the filtering location back into each attack source so as to obtain ample filters, but this may incur the severe network transmission delay due to the abused filtering routers. Therefore, in this paper, we propose a scalable filter-based packet filtering scheme to balance the number of filtering routers and the available filters. Through emulating DoS scenarios based on the synthetic and real-world Intemet topologies and further implementing the various filter-based packet filtering schemes on them, the results show that our scheme just uses fewer filtering routers to cut off all attack flows while minimizing the loss of legitimate flows.