LIPS: Lightweight Internet Permit System for Stopping Unwanted Packets


As cyber security becomes increasingly important on today's Internet, many security approaches have been proposed, e.g., IPsec, SSL, and VPNs. However, developing a flexible and scalable security framework that secures Internet resources without jeopardizing the openness of the Internet remains a challenging issue.


In this project, we propose a Lightweight Internet Permit System (LIPS) that provides a lightweight, scalable packet authentication mechanism to support traffic-origin accountability and defeat most common spoofing and associated attacks. LIPS is a simple extension of IP, in which each packet carries an access permit issued by its destination host or gateway, and the destination verifies the access permit to determine if a packet is accepted or dropped.
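To make the permit exchange described above concrete, the following toy Python model is an added example for this page, not the project's code or its Linux 2.4 prototype. It assumes a permit is a truncated HMAC over (source address, destination address, expiry), which lets the destination verify permits statelessly; the real LIPS permit format, key handling and request protocol are not specified on this page. All addresses, timestamps and payloads are constructed for the demonstration.

```python
"""Toy permit-based packet filter in the spirit of LIPS (added example, not the project's code).

Assumption: permit = HMAC-SHA256(key, src || dst || expiry)[:8] || expiry(4 bytes).
Binding the tag to the source address is what makes a permit useless to a spoofer,
and keying it to the destination lets the destination verify without per-source state.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TAG_LEN = 8      # bytes of HMAC kept in the permit (assumption)
EXPIRY_LEN = 4   # 32-bit big-endian expiry timestamp (assumption)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""
    permit: Optional[bytes] = None   # None on ordinary (non-LIPS) packets


def _addr(ip: str) -> bytes:
    return ipaddress.ip_address(ip).packed


class PermitGateway:
    """Destination-side gateway: issues permits on request and filters arriving packets."""

    def __init__(self, key: Optional[bytes] = None, lifetime: int = 300):
        self.key = key or secrets.token_bytes(32)
        self.lifetime = lifetime
        self.dropped: Dict[str, int] = {}   # drop reason -> count; what is left for an IDS to look at

    def _tag(self, src: str, dst: str, expiry: int) -> bytes:
        msg = _addr(src) + _addr(dst) + struct.pack("!I", expiry)
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def issue_permit(self, src: str, dst: str, now: int) -> bytes:
        """Answer a permit request from src for dst; the requester thereby identifies itself."""
        expiry = now + self.lifetime
        return self._tag(src, dst, expiry) + struct.pack("!I", expiry)

    def check(self, pkt: Packet, now: int) -> Tuple[bool, str]:
        """Return (accepted, reason). Verification needs only the key, no per-source state."""
        if pkt.permit is None or len(pkt.permit) != TAG_LEN + EXPIRY_LEN:
            return self._drop("no-permit")
        tag, (expiry,) = pkt.permit[:TAG_LEN], struct.unpack("!I", pkt.permit[TAG_LEN:])
        if now > expiry:
            return self._drop("expired")
        # Recompute the tag for the claimed source: a permit issued to one host
        # fails here when replayed from another (spoofed) source address.
        if not hmac.compare_digest(tag, self._tag(pkt.src, pkt.dst, expiry)):
            return self._drop("bad-tag")
        return True, "ok"

    def _drop(self, reason: str) -> Tuple[bool, str]:
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return False, reason


def demo() -> Dict[str, str]:
    """Run the exchange with constructed addresses and return the verdict for each packet."""
    gw = PermitGateway(lifetime=300)
    now = 1_700_000_000                      # constructed timestamp
    client, server, attacker = "10.0.0.5", "192.0.2.10", "10.0.0.6"

    permit = gw.issue_permit(client, server, now)   # permit request/reply step
    results = {}
    results["legit"] = gw.check(Packet(client, server, b"GET /", permit), now)[1]
    results["spoofed"] = gw.check(Packet(attacker, server, b"GET /", permit), now)[1]
    results["replayed"] = gw.check(Packet(client, server, b"GET /", permit), now + 301)[1]
    results["scan"] = gw.check(Packet(attacker, server, b"SYN"), now)[1]   # probe without permit
    forged = bytes(TAG_LEN) + permit[TAG_LEN:]                                # guessed tag
    results["forged"] = gw.check(Packet(attacker, server, b"x", forged), now)[1]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The drop counters show the filtering effect the page claims for IDSs: unpermitted probes, spoofed and forged packets never reach the application, so only traffic from hosts that first requested a permit, and thereby identified themselves, remains to be inspected.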


Besides being lightweight and scalable, LIPS has several salient advantages. First, its traffic-origin accountability enables destination domains and hosts to stop most unwanted traffic easily. This gives ISPs a strong incentive to deploy LIPS, since it greatly improves their ability to identify troublesome traffic and respond to it actively. Furthermore, LIPS facilitates and simplifies the detection of unauthorized intrusions and attacks by forcing malicious hosts to first request access permits, and thereby identify themselves to their intended targets, before they can launch an attack.

Therefore, we can easily build active defense schemes that automatically identify and fix zombies, and prevent random scanning/probing and reflection attacks in LIPS domains. In addition, LIPS greatly simplifies the task of IDSs by filtering out most unwanted packets and allowing IDSs to focus on serious threats. Lastly, it is incrementally deployable since it is a domain-to-domain approach that does not require changes in backbone networks and only requires minor software patches on common platforms.  


We have designed and implemented a LIPS prototype on the Linux 2.4 kernel. We also use analysis, simulations, and experiments to show how LIPS can effectively prevent protected critical servers and links from being flooded by unwanted packets, with negligible overhead.


People


Yingfei Dong, Mark Lee, University of Hawaii

Zhi-Li Zhang, Changho Choi, University of Minnesota


Publication


“Stopping Unwanted Packets using Lightweight Permits”, the full report, prepared for journal submission.


“LIPS: Lightweight Internet Permit System for Stopping Unwanted Packets”, in Proc. of IFIP Networking 2005, Waterloo, Canada, May, 2005.

(A short version.)