Security analysis of Bloom filter based multicast forwarding
Authors: 
Xiaohua Tian, Jiaqi Liu, Wei Liu, Yu Cheng, Lijun Ou, Zilong ZhaoAuthors Info & Claims
Article No.: 38, Pages 1 - 10
Abstract
Bloom filter (BF) based forwarding is an effective approach to implement scalable multicasting. The forwarding BF carried by each packet can encode either multicast tree or destination IP addresses, which are termed as tree oriented approach (TOA) and destination oriented approach (DOA), respectively. Studies have indicated that TOA based protocols have serious vulnerabilities under some distributed denial-of-service (DDoS) attacks, and raised doubt about deployability of BF based multicasting. However, security analysis for DOA based protocols is still unavailable, and the fundamental effect of in-packet routing information on security performance of BF based multicast protocols is yet to be revealed. In this paper, we present a systematic analysis of security performance of BF based multicasting. Important DDoS attacks and the corresponding defending mechanisms are studied in the context of DOA. We have positive findings that DOA, with convenient enhancement, has a robust performance in resisting a variety of DDoS attacks that can deny service of TOA based protocols. Moreover, we reveal that TOA based protocols are prone to flow duplication attack when applied in the data center network (DCN). We propose a dynamic-sized BF mechanism to defend against flow duplication attack for TOA based protocols in the DCN. Simulation results are presented to validate our theoretical analysis.
References
[1]
D. Guo, J. Xie, X. Zhou, X. Zhu, W. Wei and X. Luo, "Exploiting efficient and scalable shuffle transfers in future data center networks," IEEE Trans. Parallel Distrib. Syst., vol. 26, no. 4, pp. 997--1009, Apr. 2015.
[2]
S.Deering and D.Cheriton, "The PIM architecture for wide area multicasting," ACM Trans. Comput. Syst., vol. 8, no. 2, pp. 85--110, May. 1990.
[3]
K.C. Almeroth, "The evolution of multicast: from the MBone to interdomain multicast to Internet2 deployment," IEEE Netw., vol. 14, no. 1, pp. 10--20, Jan.-Feb. 2000.
[4]
L. Costa, S. Fdida and O. Duarte, "Incremental service deployment using the hop-by-hop multicast routing protocol," IEEE/ACM Trans. Netw., vol. 14, no. 3, pp.543--556, Jun. 2007.
[5]
T. W. Cho, M. Rabinovich, K.K. Ramakrishnan, D. Srivastava, Y. Zhang, "Enabling content dissemination using efficient and scalable multicast," in Proc. IEEE INFOCOM, 2009, pp.1980--1988.
[6]
S. Ratnasamy, A. Ermolinskiy and S. Shenker " Revisiting IP multicast, " in Proc. ACM SIGCOMM, 2006, pp. 15--26.
[7]
P. Jokela, A. Zahemszky, C. E. Rothenberg, S. Arianfar, and P. Nikander, "LIPSIN: Line speed publish/subscribe internetworking," in Proc. ACM SIGCOMM, 2009, pp. 195--205.
[8]
L. Nikolaevskiy, A. Lukyanenko, T. Polishchuk, V. Polishchuk and A. Gurtov, "isBF: Scalable in-packet bloom filter based multicast," Computer Communications, vol. 70, no. 1, pp. 79--85, Oct. 2015.
[9]
J. Tapolcai, J. Bíró, P. Babarczi, A. Gulyás, Z. Heszberger and D. Trossen, "Optimal False-Positive-Free Bloom Filter Design for Scalable Multicast Forwarding," IEEE/ACM Trans. Netw., vol. 23, no. 6, pp. 1832--1845, Dec. 2015.
[10]
M. Särelä, C. E. Rothenberg, T. Aura, A. Zahemszky, P. Nikander and J. Ott, "Forwarding anomalies in Bloom filter-based multicast," in Proc. IEEE INFOCOM, 2011, pp. 2399--2407.
[11]
D. Guo, J. Wu, H. Chen, Y. Yuan and X. Luo, "The dynamic Bloom filters," IEEE Trans. Knowl. and Data Eng., vol. 20, no. 1, pp. 120--133, Jun. 2012.
[12]
A. Broder and M. Mitzenmacher, "Network applications of Bloom filters: A survey," Internet Mathematics, vol. 1, no. 4, pp.485--509, May. 2004.
[13]
B. Xiao and Y. Hua, "Using Parallel Bloom Filters for Multiattribute Representation on Network Services," IEEE Trans. Parallel and Distrib. Syst., vol. 21, no. 1, pp.20--32, Jan. 2010.
[14]
S. Rizvi, "Performance analysis of Bloom filter-based multicast,?M.S. thesis, Computer Science and Engineering Dept., Aalto Univ., Espoo, Finland, 2011.
[15]
S. Rizvi, A. Zahemszky and T. Aura, "Scaling Bloom filter based multicast with hierarchical tree splitting," in Proc. IEEE ICC, 2012, pp. 2790--2795.
[16]
D. Li, Y. Li, J. Wu, S. Su and J. Yu, "ESM: Efficient and scalable data center multicast routing," IEEE/ACM Trans. Netw., vol. 20, no. 3, pp.944--955, Jun. 2012.
[17]
D. Li, H. Cui, Y. Hu, Y. Xia and X. Wang, "Scalable data center multicast using multi-class Bloom filter," in Proc. IEEE ICNP, Oct. 2008, pp.266--275.
[18]
C. E. Rothenberg, C. A. B. Macapuna, F. L. Verdi, M. F. Magalhães, and A. Zahemszky, "Data center networking with in-packet Bloom filters," in Proc. Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, 2010, pp.553--566.
[19]
K. Chen, C. Hu, X. Zhang, K. Zheng, Y. Chen and A. V. Vasilakos, "Survey on routing in data centers: Insights and future directions," IEEE Netw., vol. 25, no. 4, pp.6--10, Aug. 2004.
[20]
C. Rothenberg, P. Jokela, P. Nikander, M. Särelä and J. Ylitalo, "Self-routing denial-of-service resistant capabilities using inpacket Bloom filters," in Proc. IEEE European Conference on Computer Network Defense, 2009, pp.46--51.
[21]
M. Särelä, C. E. Rothenberg, A. Zahemszky, P. Nikander and J. Ott, "Bloomcasting: Security in bloom filter based multicast," in Information Security Technology for Applications Lecture Notes in Computer Science, vol. 7127, pp. 1--16, 2012.
[22]
S. Fahmy and M. Kwon, "Denial-of-service attacks in Bloom-filter-based forwarding," IEEE/ACM Trans. Netw., vol. 22, no. 5, pp. 1463--1476, Oct. 2014.
[23]
M. Antikainen, "On the security of in-packet Bloom-filter forwarding," M.S. thesis, Computer Science and Engineering Dept., Aalto Univ., Espoo, Finland, 2011.
[24]
X. Tian, Y. Cheng and B. Liu, "Design of a Scalable Multicast Scheme with an Application-Network Cross-Layer Approach," IEEE Trans. Multimedia, vol. 11, no. 6, pp.1160--1169, Oct. 2009.
[25]
X. Tian and Y. Cheng, "A scalable destination-oriented multicast protocol with incremental deployability," IEEE Trans. Comput., vol. 63, no.4, pp.793--806, Apr. 2014.
[26]
Y. Rekhter et. al., "A border gateway protocol 4 (BGP-4)," IETF RFC 1771, Mar. 1995.
[27]
General Purpose Hash Function Algorithms, http://www.partow.net/programming/hashfunctions/index.html
[28]
BGP Analysis Reports, Jan. 2017. http://bgp.potaroo.net/as6447/
Recommendations
Denial-of-service attacks in bloom-filter-based forwarding
Bloom-filter-based forwarding has been suggested to solve several fundamental problems in the current Internet, such as routing-table growth, multicast scalability issues, and denial-of-service (DoS) attacks by botnets. The proposed protocols are source-...
A whitelist-based countermeasure scheme using a Bloom filter against SIP flooding attacks
Since SIP uses a text-based message format and is open to the public Internet, it is exposed to a number of potential threats of denial of service (DoS) by flooding attacks. Although several approaches have been proposed to detect and counteract SIP ...
Bloom-filter based IP-CHOCK detection scheme for denial of service attacks in VANET
Vehicular ad hoc networks VANETs have drawn increasing attention in recent years due to their wide range of applications. At the present time, vehicle communication is exposed to many security threats, such as denial of service DoS attacks. In these ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
May 2017
371 pages
ISBN:9781450348737
DOI:10.1145/3063955
- Conference Chairs:
- John Lui,
- Xinbing Wang,
- General Chairs:
- Alexander Wolf,
- Yunhao Liu,
- Chuanping Hu
Copyright © 2017 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 12 May 2017
Check for updates
Qualifiers
- Research-article
Funding Sources
Conference
ACM TUR-C '17
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 73Total Downloads
- Downloads (Last 12 months)2
- Downloads (Last 6 weeks)0
Reflects downloads up to 31 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in