Please use this identifier to cite or link to this item: https://scholarbank.nus.edu.sg/handle/10635/153736
Title: PRACTICAL VERIFIABLE IN-NETWORK FILTERING FOR DDOS DEFENSE
Authors: GONG DELI
Keywords: DDoS Defense, Trusted Hardware, Network Function Virtualization, Verifiability
Issue Date: 22-Dec-2018
Citation: GONG DELI (2018-12-22). PRACTICAL VERIFIABLE IN-NETWORK FILTERING FOR DDOS DEFENSE. ScholarBank@NUS Repository.
Abstract: In light of the ever-increasing scale and sophistication of modern DDoS attacks, it is time to revisit in-network filtering or the idea of empowering DDoS victims to install in-network traffic filters in the upstream transit networks. Recent proposals show that filtering DDoS traffic at a handful of large transit networks can handle volumetric DDoS attacks effectively. However, the in-network filtering primitive can also be misused. Transit networks can use the in-network filtering service as an excuse for any arbitrary packet drops made for their own benefit. We argue that it is due to the lack of verifiable filtering. To make in-network filtering a more robust defense primitive, in this paper, we propose a verifiable in-network filtering, called VIF, that exploits emerging hardware-based trusted execution environments (TEEs) and offers filtering verifiability to DDoS victims and neighbor ASes. Our proof of concept demonstrates that a VIF filter implementation on commodity servers with TEE support can handle traffic at line rate and execute up to 3,000 filter rules. We show that VIF can easily scale to handle larger traffic volume and more complex filtering operations by parallelizing the TEE-based filters.
URI: https://scholarbank.nus.edu.sg/handle/10635/153736
Appears in Collections:Master's Theses (Open)

Show full item record
Files in This Item:
File Description SizeFormatAccess SettingsVersion 
GongDL.pdf1.2 MBAdobe PDF

OPEN

NoneView/Download

Page view(s)

44
checked on Jul 10, 2020

Download(s)

6
checked on Jul 10, 2020

Google ScholarTM

Check


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.