Stopping Unwanted Traffic using Lightweight Permits ⋆

One of key security issues on the current Internet is unwanted traffic, the forerunner of unauthorized accesses, intrusions, Denial of Service (DoS) attacks, port scanning, and other attacks. Since stopping unwanted traffic is vitally important but extremely challenging, we need a series of defensive schemes to identify unwanted packets, filter them out, and further defeat their associated attacks. In this paper, we propose a lightweight, scalable packet authentication mechanism, named Lightweight Internet Permit System (LIPS), as a first line of defense to stop unwanted traffic. LIPS is a simple extension of IP, in which each packet carries an access permit issued by its destination host or gateway, and the destination verifies the access permit to determine to accept or drop the packet. LIPS provides preliminary trafficorigin accountability that supports two salient features to stop unwanted traffic. First, it helps us stop common unwanted traffic such as IP-spoofed packets and associated attacks. Second, it helps us identify compromised hosts/domains such that we can build automatic defense schemes to deal with various attacks through real-time inter-domain collaboration. In addition, as a domain-to-domain approach, LIPS is incrementally deployable since it does not require changes in backbone networks as many other approaches; it gives ISPs strong deployment incentives since it can greatly improve their ability to identify unwanted traffic and take proactive responses; it also largely reduces the load of Intrusion Detection Systems (IDSs) by filtering out most unwanted packets such that IDSs can focus on serious threats. In this paper, we first present the design and prototype implementation of LIPS on Linux 2.4 kernel, and then use analysis, simulations, and experiments to demonstrate the efficacy of LIPS in protecting critical resources with negligible overheads.