Research article. DOI: 10.1145/1378191.1378214

GONE: an infrastructure overlay for resilient, DoS-limiting networking

Published: 26 May 2006 Publication History

Abstract

With the growth in volume and variety of information flowing across the Internet, data and services are experiencing various problems with the TCP/IP infrastructure, most notably in availability, reliability and mobility. A more resilient infrastructure is therefore highly desirable, in particular for multimedia streaming applications. So far, the proposed approaches have focused either on application-layer routing and path monitoring for reliability, or on stateful packet filters in hosts or in the network to protect against Denial of Service (DoS) attacks. Each of them solves one aspect of the problem and trades scalability for availability and reliability among a relatively small set of nodes; no single overall solution addresses these issues at large scale.
We propose an alternative overlay network architecture that introduces a set of generic functions in network edges and end hosts. We conjecture that the network edge is a major source of the DoS, resilience and mobility problems of the network, and propose a solution at that point, namely the General Internet Signaling Transport (GIST) Overlay Networking Extension, or GONE. The basic idea of GONE is to create a semi-permanent overlay mesh of GONE-enabled edge routers, which employs capability-based DoS prevention and forwards end-to-end user traffic over GIST messaging associations. Running GIST on top of SCTP gives GONE multi-homing, multi-streaming and partial reliability, while introducing only limited overhead for maintaining the messaging associations. In addition, on top of the services provided by GONE overlays, hosts are identified by unique host identities independent of their topological location, and need only (de-)multiplexing instead of the traditional connection management and other complex functionality of the transport layer. As a result, this approach offers a number of advantages to upper-layer end-to-end applications, including intrinsic provisioning of resilience and DoS prevention in a dynamic and nomadic environment.
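The capability-based DoS prevention and identity-based forwarding the abstract sketches, as an added example that is not part of the paper or of the GONE implementation: a single hypothetical edge node issues HMAC-bound capabilities (sender identity, receiver identity, expiry, byte budget), checks every forwarded packet against them, and resolves the receiver's current locator from its host identity, so that a move changes the locator but not the capability. The token format, the truncated-SHA-256 host identity tag, the HMAC key held by one edge node, and the scenario data are all assumptions; the real design spreads this across a mesh of edge routers speaking GIST over SCTP, which the example does not model.

```python
import hashlib
import hmac
import struct

HIT_LEN = 16            # host identity tag: truncated hash of the host's public key (assumption)
TAG_LEN = 16            # truncated HMAC-SHA256 over the capability fields (assumption)
CAP_FMT = "!16s16sQQ"   # src HIT | dst HIT | expiry (unix seconds) | byte budget
CAP_LEN = struct.calcsize(CAP_FMT) + TAG_LEN   # 48 bytes of fields + 16-byte tag


def host_identity(public_key: bytes) -> bytes:
    """HIP-style host identity tag: hash of the host's public key, truncated (assumption)."""
    return hashlib.sha256(public_key).digest()[:HIT_LEN]


class EdgeNode:
    """Hypothetical GONE-style edge router: issues capabilities, enforces them on every
    packet, and forwards by host identity rather than by topological address."""

    def __init__(self, secret: bytes, clock):
        self.secret = secret
        self.clock = clock        # injectable clock so the scenario is deterministic
        self.locators = {}        # host identity -> current locator (address)
        self.remaining = {}       # capability tag -> unused byte budget

    def register(self, hit: bytes, locator: str) -> None:
        """Bind (or rebind, after a move) a host identity to its current locator."""
        self.locators[hit] = locator

    def _tag(self, fields: bytes) -> bytes:
        return hmac.new(self.secret, fields, hashlib.sha256).digest()[:TAG_LEN]

    def issue(self, src: bytes, dst: bytes, lifetime: int, budget: int) -> bytes:
        """Capability letting src send up to `budget` bytes to dst for `lifetime` seconds.
        A real deployment would issue it only after dst agreed to receive from src."""
        fields = struct.pack(CAP_FMT, src, dst, int(self.clock()) + lifetime, budget)
        tag = self._tag(fields)
        self.remaining[tag] = budget
        return fields + tag

    def forward(self, src_hit: bytes, cap: bytes, payload: bytes):
        """Decide one packet: returns (accepted, reason, next-hop locator)."""
        if len(cap) != CAP_LEN:
            return False, "malformed", None          # no usable capability: drop at the edge
        fields, tag = cap[:-TAG_LEN], cap[-TAG_LEN:]
        if not hmac.compare_digest(self._tag(fields), tag):
            return False, "bad-tag", None            # forged or tampered capability
        src, dst, expiry, _budget = struct.unpack(CAP_FMT, fields)
        if src != src_hit:
            return False, "wrong-sender", None       # capability stolen/replayed by another host
        if self.clock() >= expiry:
            self.remaining.pop(tag, None)
            return False, "expired", None
        locator = self.locators.get(dst)
        if locator is None:
            return False, "unknown-host", None
        left = self.remaining.get(tag, 0)
        if left < len(payload):
            return False, "budget", None             # sender exhausted what the receiver granted
        self.remaining[tag] = left - len(payload)
        return True, "ok", locator


def demo():
    """Constructed scenario (all identities, addresses and keys are made up)."""
    now = [1_700_000_000]
    edge = EdgeNode(b"edge-node-secret (constructed)", clock=lambda: now[0])
    alice = host_identity(b"alice public key (constructed)")
    bob = host_identity(b"bob public key (constructed)")
    mallory = host_identity(b"mallory public key (constructed)")
    edge.register(alice, "198.51.100.10")
    edge.register(bob, "203.0.113.20")

    cap = edge.issue(alice, bob, lifetime=60, budget=1000)
    out = {}
    out["stream"] = [edge.forward(alice, cap, b"x" * 400)[1] for _ in range(3)]
    forged = cap[:-1] + bytes([cap[-1] ^ 0x01])          # flip one bit of the tag
    out["forged"] = edge.forward(alice, forged, b"x")[1]
    out["replayed_by_other"] = edge.forward(mallory, cap, b"x")[1]
    out["no_cap"] = edge.forward(mallory, b"", b"x")[1]
    edge.register(bob, "192.0.2.7")                      # Bob moves; his identity is unchanged
    out["after_move"] = edge.forward(alice, cap, b"x" * 100)
    now[0] += 61                                         # clock passes the capability's expiry
    out["expired"] = edge.forward(alice, cap, b"x")[1]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The point of the scenario is the order of checks: anything without a valid tag is dropped before any per-flow state is touched, so an attacker who never obtained a capability cannot exhaust the edge node's tables, and a capability leaked to a third party is useless because it is bound to the sender's identity. Budget accounting is kept at the issuing edge only, so in a mesh the node that admits the traffic must be the one that issued (or can verify) the token.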


Cited By

  • (2018) On the resistance of overlay networks against bandwidth exhaustion attacks. Telecommunications Systems 60(4), 539-552. doi:10.1007/s11235-015-9992-x
  • (2013) Notice of Violation of IEEE Publication Principles: Mitigating distributed denial of service attacks in multiparty applications in the presence of clock drifts. 2013 Fourth International Conference on Computing, Communications and Networking Technologies (ICCCNT), 1-6. doi:10.1109/ICCCNT.2013.6726518
  • (2012) Mitigating Distributed Denial of Service Attacks in Multiparty Applications in the Presence of Clock Drifts. IEEE Transactions on Dependable and Secure Computing 9(3), 401-413. doi:10.1109/TDSC.2012.18
  • (2012) Analyzing and improving the resistance of overlays against bandwidth exhaustion attacks. 2012 IV International Congress on Ultra Modern Telecommunications and Control Systems (ICUMT), 779-785. doi:10.1109/ICUMT.2012.6459768
  • (2008) Probe-Aided MulTCP. ACM SIGCOMM Computer Communication Review 38(1), 17-28. doi:10.1145/1341431.1341434
  • (2008) Mitigating Distributed Denial of Service Attacks in Multiparty Applications in the Presence of Clock Drifts. Proceedings of the 2008 Symposium on Reliable Distributed Systems (SRDS), 63-72. doi:10.1109/SRDS.2008.30
  • (2007) Securing peer-to-peer media streaming systems from selfish and malicious behavior. Proceedings of the 4th Middleware Doctoral Symposium, 1-6. doi:10.1145/1377934.1377937

Published In

NOSSDAV '06: Proceedings of the 2006 international workshop on Network and operating systems support for digital audio and video
May 2006
168 pages
ISBN:1595932852
DOI:10.1145/1378191
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. denial-of-service
  2. general internet signaling transport
  3. host identity protocol
  4. overlay networking
  5. resilience

Acceptance Rates

Overall Acceptance Rate 118 of 363 submissions, 33%
