Abstract
Several projects have proposed using active or programmable networks to implement attack detection systems that detect distributed denial-of-service attacks or worm propagation. To distinguish legitimate traffic from attack traffic, the packets passing through a node have to be inspected deeply, which is resource consuming. Such inspection can be realized either with additional, expensive special-purpose hardware or in software, but because of resource limitations, inspecting every passing packet in software is not feasible at high packet rates. We therefore propose adding packet selection mechanisms to the NodeOS reference architecture for programmable networks. A packet selector reduces the rate of packets that are handed to inspection. In this paper we describe various packet selectors and evaluate their suitability for an attack detection system. The results obtained with our implementation show significant advantages of packet sampling methods over packet filtering.
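The following Python script is an added illustration of what a packet selector in front of an inspection engine does; it is not code from the paper or from the NodeOS/AMnet implementation the paper describes, and it does not reproduce the paper's measurements. Because the abstract does not name the selectors that were evaluated, the four selectors here are assumptions, chosen as the standard kinds a practitioner would compare: count-based systematic sampling, uniform probabilistic sampling, hash-based sampling over a flow key, and a property filter on protocol and destination port. The packet stream is constructed inline (legitimate TCP traffic from many sources plus a UDP/53 flood toward one victim) and every function, field and address in it is illustrative.

```python
import hashlib
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal header view: the fields a selector would look at (assumed layout)."""
    src: str
    dst: str
    proto: str
    dport: int
    size: int


def systematic_count_selector(packets: Iterable[Packet], n: int, k: int) -> List[Packet]:
    """Count-based systematic sampling: pass the first n packets of every k.
    Deterministic and cheap (one counter), but periodic traffic that happens
    to align with k is over- or under-represented in the sample."""
    return [p for i, p in enumerate(packets) if i % k < n]


def probabilistic_selector(packets: Iterable[Packet], p: float, seed: int = 0) -> List[Packet]:
    """Uniform probabilistic sampling: each packet is passed independently
    with probability p, so no packet pattern can systematically evade it.
    The seed only makes this demonstration reproducible."""
    rng = random.Random(seed)
    return [pkt for pkt in packets if rng.random() < p]


def hash_selector(packets: Iterable[Packet], fraction: float) -> List[Packet]:
    """Hash-based sampling: pass a packet when a hash of its flow key falls
    below fraction * 2^32. The decision depends only on header content, so
    every node applying the same function samples the same packets."""
    threshold = int(fraction * (1 << 32))
    out = []
    for pkt in packets:
        key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.dport}".encode()
        h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        if h < threshold:
            out.append(pkt)
    return out


def property_filter(packets: Iterable[Packet], proto: Optional[str] = None,
                    dport: Optional[int] = None) -> List[Packet]:
    """Filtering: pass only packets matching fixed header properties.
    Needs the attack signature up front and discards everything else."""
    return [p for p in packets
            if (proto is None or p.proto == proto)
            and (dport is None or p.dport == dport)]


def make_stream(n_legit: int = 900, n_attack: int = 100, seed: int = 1) -> List[Packet]:
    """Constructed sample stream: legitimate TCP traffic from many sources plus
    a UDP/53 flood toward the same victim (addresses from documentation ranges)."""
    rng = random.Random(seed)
    pkts = [Packet(src=f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
                   dst="192.0.2.10", proto="TCP",
                   dport=rng.choice([80, 443, 22, 25]),
                   size=rng.randrange(60, 1500)) for _ in range(n_legit)]
    pkts += [Packet(src=f"203.0.113.{rng.randrange(1, 255)}",
                    dst="192.0.2.10", proto="UDP", dport=53, size=64)
             for _ in range(n_attack)]
    rng.shuffle(pkts)
    return pkts


def is_attack(p: Packet) -> bool:
    """Ground truth for the constructed stream: the flood is all UDP/53."""
    return p.proto == "UDP" and p.dport == 53


def inspection_rate(selected: List[Packet], total: int) -> float:
    """Fraction of the stream the inspector actually has to look at."""
    return len(selected) / total


def attack_share(selected: List[Packet]) -> float:
    """Share of attack packets among the packets handed to inspection."""
    return sum(map(is_attack, selected)) / len(selected) if selected else 0.0


if __name__ == "__main__":
    stream = make_stream()
    true_share = attack_share(stream)
    for name, sel in [("systematic 1/10", systematic_count_selector(stream, 1, 10)),
                      ("probabilistic 0.1", probabilistic_selector(stream, 0.1)),
                      ("hash 0.1", hash_selector(stream, 0.1)),
                      ("filter UDP/53", property_filter(stream, proto="UDP", dport=53))]:
        print(f"{name:18s} inspected {inspection_rate(sel, len(stream)):.2f} "
              f"attack share {attack_share(sel):.2f} (true {true_share:.2f})")
```

Running the script shows the trade-off the abstract refers to: the three sampling selectors cut the inspected rate to roughly a tenth while keeping the attack share in the sample close to its share in the full stream, so the inspector still sees an unbiased picture of unknown traffic; the filter also reduces the rate, but only because it already encodes the attack signature, and it hides any attack that does not match it.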
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Schöller, M., Gamer, T., Bless, R., Zitterbart, M. (2009). An Extension to Packet Filtering of Programmable Networks. In: Hutchison, D., Denazis, S., Lefevre, L., Minden, G.J. (eds) Active and Programmable Networks. IWAN 2005. Lecture Notes in Computer Science, vol 4388. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00972-3_10
DOI: https://doi.org/10.1007/978-3-642-00972-3_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00971-6
Online ISBN: 978-3-642-00972-3
eBook Packages: Computer Science (R0)