WO2007035655A3 - Using overlay networks to counter denial-of-service attacks - Google Patents

Info

Publication number
WO2007035655A3
Authority
WO
WIPO (PCT)
Prior art keywords
methods
packet
service attacks
overlay networks
node
Prior art date
Application number
PCT/US2006/036327
Other languages
French (fr)
Other versions
WO2007035655A2 (en)
Inventor
Angelos Stavrou
Angelos D Keromytis
Original Assignee
Univ Columbia
Angelos Stavrou
Angelos D Keromytis
Priority date
Filing date
Publication date
Application filed by Univ Columbia, Angelos Stavrou, Angelos D Keromytis
Publication of WO2007035655A2
Publication of WO2007035655A3
Priority to US12/048,533 (US8631484B2)
Priority to US14/103,430 (US9344418B2)
Priority to US15/147,441 (US9992222B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
PCT/US2006/036327 2005-09-16 2006-09-18 Using overlay networks to counter denial-of-service attacks WO2007035655A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US12/048,533 US8631484B2 (en) 2005-09-16 2008-03-14 Systems and methods for inhibiting attacks with a network
US14/103,430 US9344418B2 (en) 2005-09-16 2013-12-11 Systems and methods for inhibiting attacks with a network
US15/147,441 US9992222B2 (en) 2005-09-16 2016-05-05 Systems and methods for inhibiting attacks with a network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US71771605P 2005-09-16 2005-09-16
US60/717,716 2005-09-16

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/048,533 Continuation US8631484B2 (en) 2005-09-16 2008-03-14 Systems and methods for inhibiting attacks with a network

Publications (2)

Publication Number Publication Date
WO2007035655A2 WO2007035655A2 (en) 2007-03-29
WO2007035655A3 WO2007035655A3 (en) 2007-11-01

Family

ID=37889428

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/036327 WO2007035655A2 (en) 2005-09-16 2006-09-18 Using overlay networks to counter denial-of-service attacks

Country Status (2)

Country Link
US (3) US8631484B2 (en)
WO (1) WO2007035655A2 (en)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7739724B2 (en) * 2005-06-30 2010-06-15 Intel Corporation Techniques for authenticated posture reporting and associated enforcement of network access
US8473732B2 (en) * 2008-03-17 2013-06-25 Broadcom Corporation Method and system for secure block acknowledgment (block ACK) with protected MAC sequence number
EP2279599B1 (en) * 2008-05-22 2015-10-14 Telefonaktiebolaget LM Ericsson (publ) Method and apparatus for controlling the routing of data packets
US8665874B2 (en) 2008-11-07 2014-03-04 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for forwarding data packets using aggregating router keys
US7974279B2 (en) * 2009-01-29 2011-07-05 Nokia Corporation Multipath data communication
TWI452488B (en) * 2009-05-18 2014-09-11 Pixart Imaging Inc Controlling method applied to a sensing system
US8458248B2 (en) 2010-09-24 2013-06-04 Research In Motion Limited System and method for enabling VPN tunnel status checking
US8499348B1 (en) * 2010-12-28 2013-07-30 Amazon Technologies, Inc. Detection of and responses to network attacks
CN103095452A (en) * 2011-11-01 2013-05-08 刘海云 Random encryption method needing to adopt exhaustion method for deciphering
US8631491B2 (en) * 2011-12-12 2014-01-14 Alcatel Lucent Replay attack protection with small state for use in secure group communication
US9026784B2 (en) * 2012-01-26 2015-05-05 Mcafee, Inc. System and method for innovative management of transport layer security session tickets in a network environment
WO2015094034A1 (en) * 2013-12-17 2015-06-25 Telefonaktiebolaget L M Ericsson (Publ) Secure triggering in a network
US20160173527A1 (en) * 2014-12-10 2016-06-16 NxLabs Limited Method and system for protecting against mobile distributed denial of service attacks
CN105187407B (en) * 2015-08-13 2018-12-07 浪潮(北京)电子信息产业有限公司 A kind of VPN connection method and system based on blacklist mechanism
JP6727292B2 (en) 2015-08-24 2020-07-22 華為技術有限公司Huawei Technologies Co.,Ltd. Security authentication methods, configuration methods, and related devices
CN108418776B (en) * 2017-02-09 2021-08-20 上海诺基亚贝尔股份有限公司 Method and apparatus for providing secure services
US20180234407A1 (en) * 2017-02-14 2018-08-16 Quanta Computer Inc. Method for securely exchanging link discovery information
BR112019022714A2 (en) * 2017-05-09 2020-05-19 Network Next Inc bidirectional packet exchange methods for nodal paths
EP3637815B1 (en) * 2017-07-21 2022-05-25 Huawei International Pte. Ltd. Data transmission method, and device and system related thereto
US10771482B1 (en) * 2017-11-14 2020-09-08 Ca, Inc. Systems and methods for detecting geolocation-aware malware
CN109379340A (en) * 2018-09-22 2019-02-22 魏巧萍 A kind of highly-safe data interaction system
CN110545541B (en) * 2019-09-20 2023-06-23 百度在线网络技术(北京)有限公司 Method, device, equipment, terminal and medium for defending attack behaviors

Family Cites Families (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5455865A (en) * 1989-05-09 1995-10-03 Digital Equipment Corporation Robust packet routing over a distributed network containing malicious failures
US5649099A (en) * 1993-06-04 1997-07-15 Xerox Corporation Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor comprising server security
JP3688830B2 (en) * 1995-11-30 2005-08-31 株式会社東芝 Packet transfer method and packet processing apparatus
US5842040A (en) 1996-06-18 1998-11-24 Storage Technology Corporation Policy caching method and apparatus for use in a communication device based on contents of one data unit in a subset of related data units
US5913921A (en) * 1996-07-12 1999-06-22 Glenayre Electronics, Inc. System for communicating information about nodes configuration by generating advertisements having era values for identifying time reference for which the configuration is operative
US6009173A (en) * 1997-01-31 1999-12-28 Motorola, Inc. Encryption and decryption method and apparatus
US6725376B1 (en) * 1997-11-13 2004-04-20 Ncr Corporation Method of using an electronic ticket and distributed server computer architecture for the same
US6330610B1 (en) 1997-12-04 2001-12-11 Eric E. Docter Multi-stage data filtering system employing multiple filtering criteria
US6111877A (en) * 1997-12-31 2000-08-29 Cisco Technology, Inc. Load sharing across flows
US6738814B1 (en) 1998-03-18 2004-05-18 Cisco Technology, Inc. Method for blocking denial of service and address spoofing attacks on a private network
US6725378B1 (en) 1998-04-15 2004-04-20 Purdue Research Foundation Network protection for denial of service attacks
US6452915B1 (en) 1998-07-10 2002-09-17 Malibu Networks, Inc. IP-flow classification in a wireless point to multi-point (PTMP) transmission system
US6502135B1 (en) * 1998-10-30 2002-12-31 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
US6425004B1 (en) * 1999-02-24 2002-07-23 Nortel Networks Limited Detecting and locating a misbehaving device in a network domain
US6888797B1 (en) * 1999-05-05 2005-05-03 Lucent Technologies Inc. Hashing-based network load balancing
US7010590B1 (en) * 1999-09-15 2006-03-07 Datawire Communications Networks, Inc. System and method for secure transactions over a network
JP4294821B2 (en) * 2000-01-26 2009-07-15 株式会社日立製作所 Network relay device
US7124440B2 (en) 2000-09-07 2006-10-17 Mazu Networks, Inc. Monitoring network traffic denial of service attacks
US6898187B2 (en) * 2000-11-30 2005-05-24 Sun Microsystems, Inc. Automatic selection of unique node identifiers in a distributed routing environment
US7280540B2 (en) * 2001-01-09 2007-10-09 Stonesoft Oy Processing of data packets within a network element cluster
US20020150253A1 (en) * 2001-04-12 2002-10-17 Brezak John E. Methods and arrangements for protecting information in forwarded authentication messages
US7068595B2 (en) * 2001-04-13 2006-06-27 Sun Microsystems, Inc. Method and apparatus for facilitating instant failover during packet routing
US7120792B1 (en) * 2001-07-26 2006-10-10 Packet Design, Inc. System and method for secure communication of routing messages
FI118170B (en) 2002-01-22 2007-07-31 Netseal Mobility Technologies A method and system for transmitting a message over a secure connection
US7661129B2 (en) * 2002-02-26 2010-02-09 Citrix Systems, Inc. Secure traversal of network components
US7305704B2 (en) * 2002-03-16 2007-12-04 Trustedflow Systems, Inc. Management of trusted flow system
US20030188193A1 (en) * 2002-03-28 2003-10-02 International Business Machines Corporation Single sign on for kerberos authentication
AU2003266320A1 (en) * 2002-09-16 2004-04-30 Telefonaktiebolaget Lm Ericsson (Publ) Secure access to a subscription module
US7630305B2 (en) 2003-07-29 2009-12-08 Orbital Data Corporation TCP selective acknowledgements for communicating delivered and missed data packets
JPWO2004073269A1 (en) * 2003-02-13 2006-06-01 富士通株式会社 Transmission system, distribution route control device, load information collection device, and distribution route control method
US7882251B2 (en) * 2003-08-13 2011-02-01 Microsoft Corporation Routing hints
US7526807B2 (en) 2003-11-26 2009-04-28 Alcatel-Lucent Usa Inc. Distributed architecture for statistical overload control against distributed denial of service attacks
US7500264B1 (en) * 2004-04-08 2009-03-03 Cisco Technology, Inc. Use of packet hashes to prevent TCP retransmit overwrite attacks
US7372856B2 (en) * 2004-05-27 2008-05-13 Avaya Technology Corp. Method for real-time transport protocol (RTP) packet authentication
US7933253B2 (en) * 2004-09-20 2011-04-26 Panasonic Corporation Return routability optimisation
US20060174110A1 (en) * 2005-01-31 2006-08-03 Microsoft Corporation Symmetric key optimizations
GB2423220B (en) * 2005-02-11 2009-10-07 Ericsson Telefon Ab L M Method and apparatus for ensuring privacy in communications between parties
US7424016B2 (en) * 2005-04-05 2008-09-09 Cisco Technology, Inc. Distributing a stream of packets across available output paths within a network
US8583929B2 (en) 2006-05-26 2013-11-12 Alcatel Lucent Encryption method for secure packet transmission

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
KEROMYTIS ET AL.: "SOS: An Architecture For Mitigating DDoS Attacks", IEEE JOURNAL OF SELECTED AREAS OF COMMUNICATIONS (JSAC), January 2004 (2004-01-01) *
KEROMYTIS ET AL.: "SOS: Secure Overlay Services", PROCEEDINGS OF ACM SIGCOMM'02, August 2002 (2002-08-01) *
YAAR ET AL.: "Pi: A Path Identification Mechanism to Defend against DDoS Attacks", IEEE SYMPOSIUM ON SECURITY AND PRIVACY, May 2003 (2003-05-01) *

Also Published As

Publication number Publication date
US9344418B2 (en) 2016-05-17
US9992222B2 (en) 2018-06-05
WO2007035655A2 (en) 2007-03-29
US20160248808A1 (en) 2016-08-25
US20160087951A9 (en) 2016-03-24
US20140101746A1 (en) 2014-04-10
US8631484B2 (en) 2014-01-14
US20090019537A1 (en) 2009-01-15

Similar Documents

Publication Publication Date Title
WO2007035655A3 (en) Using overlay networks to counter denial-of-service attacks
Papadimitratos et al. Secure link state routing for mobile ad hoc networks
WO2008016558A3 (en) Technique for multiple path forwarding of label-switched data traffic
WO2006017123A3 (en) Arrangement for preventing count-to-infinity in flooding distance vector routing protocols
DE602005014022D1 (en) METHODS, COMMUNICATION SYSTEMS AND MOBILE ROUTERS FOR ROUTING DATA PACKAGES FROM A PORTABLE NETWORK TO A HOME NETWORK OF THE MOBILE NETWORK
WO2006029131A3 (en) System and method for routing data between different types of nodes in a wireless network
WO2007033179A3 (en) Fault-tolerant communications in routed networks
WO2008005180A3 (en) Method and apparatus for routing data packets in a global ip network
WO2008063677A3 (en) Techniques for decreasing queries to discover routes in an igp
WO2007044038A3 (en) Lightweight packet-drop detection for ad hoc networks
Qin et al. STARS: A statistical traffic pattern discovery system for MANETs
MX2010001063A (en) Method and system of routing in a utility smart-grid network.
WO2009008934A3 (en) Routing packets on a network using directed graphs
MX2007001385A (en) Ad-hoc network and method employing globally optimized routes for packets.
WO2009078427A1 (en) Path control method and node
DE502007002506D1 (en) METHOD AND NETWORK NODES FOR ROUTING DATA PACKS IN COMMUNICATION NETWORKS
WO2009026019A3 (en) Fast computation of alternative packet routes
WO2006083412A3 (en) Mpls cookie label
WO2006028674A3 (en) A system and method for sharing an ip address
EP1843544A4 (en) A data transmission method and system of label switching network
WO2008102570A1 (en) System for effective position management signaling associated with mobile node moving in mobile network, router, mobile node, and mobile router
Raju et al. A simple and efficient mechanism to detect and avoid wormhole attacks in mobile ad hoc networks
WO2002005485A3 (en) Apparatus and method for efficient hashing in networks
CN102946606A (en) Method for detecting attack of wireless ad-hoc network
Deshmukh et al. Secure routing to avoid black hole affected routes in MANET

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06814877

Country of ref document: EP

Kind code of ref document: A2