2006 Fiscal Year Final Research Report Summary
A Study on a High-Performance Router Architecture with a Distributed and Cooperative Defense Mechanism against Network Attacks
Project/Area Number | 16300017 |
Research Category | Grant-in-Aid for Scientific Research (B) |
Allocation Type | Single-year Grants |
Section | General |
Research Field | Computer system/Network |
Research Institution | Kyoto Institute of Technology |
Principal Investigator | SHIBAYAMA Kiyoshi, Kyoto Institute of Technology, Graduate School of Science and Technology, Professor (70127091) |
Co-Investigator(Kenkyū-buntansha) | HIRATA Hiroaki, Kyoto Institute of Technology, Graduate School of Science and Technology, Associate Professor (90273549) |
| NUMOME Atsushi, Kyoto Institute of Technology, Graduate School of Science and Technology, Research Associate (60335320) |
Project Period (FY) | 2004 – 2006 |
Keywords | Router / Packet Filtering / DoS Attack / Firewall / Distributed Processing |
Research Abstract | We proposed a distributed defense scheme against DDoS (Distributed Denial of Service) attacks and an architecture for the network routers that are the main elements of the scheme. When a node in the network detects DoS attack packets (typically the attacked computer or a firewall), it initiates a defense action: it requests its neighbor routers to cut off the attack packets, and the neighbor routers begin to block the attack by packet filtering. In most commercial routers, even high-end ones, activating packet filtering can seriously degrade overall packet-processing performance. So, when one of our routers anticipates that enabling packet filtering would noticeably degrade its overall performance, it sends copies of the request to the next routers upstream that pass the attack packets. We developed a load-balancing mechanism among routers, which enables the attack to be blocked efficiently. We also improved the performance of packet filtering by dynamically optimizing the order of the filtering rules, and designed a hardware mechanism to support this. We verified the effectiveness and efficiency of our scheme by simulation. The results show that our scheme can nullify the effect of DDoS attacks without obstructing any other network communications. |
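The two mechanisms the abstract describes, pushing a block request upstream when a router cannot afford another filtering rule, and reordering deny rules by how often they match, can be illustrated with a small simulation. The following code is an added example written for this summary; it is not the project's software or its hardware design. The topology (one edge router behind one core router), the per-router rule "capacity", the reorder interval, the prefixes and the traffic mix are all constructed assumptions.

```python
import ipaddress


class Rule:
    """A deny rule on a source prefix; 'hits' drives the dynamic reordering."""

    def __init__(self, prefix):
        self.net = ipaddress.ip_network(prefix)
        self.hits = 0

    def matches(self, src):
        return ipaddress.ip_address(src) in self.net


class Router:
    def __init__(self, name, capacity, reorder_every=50):
        self.name = name
        self.capacity = capacity            # assumed: rules it can scan per packet without losing line rate
        self.reorder_every = reorder_every  # 0 disables dynamic reordering (static rule order)
        self.rules = []
        self.ingress = {}                   # source prefix -> upstream Router delivering that traffic
        self.forwarded = []                 # (prefix, upstream name) for requests pushed upstream
        self.seen = 0
        self.comparisons = 0                # total rule checks: the filtering cost we want to minimise

    def block_request(self, prefix):
        """Handle a 'cut off this source prefix' request from a downstream node."""
        net = ipaddress.ip_network(prefix)
        if any(r.net == net for r in self.rules):
            return                          # already filtering this prefix
        if len(self.rules) < self.capacity:
            self.rules.append(Rule(prefix))
            return
        # Enabling another rule here would degrade forwarding, so copy the
        # request to the upstream routers that actually pass this attack traffic.
        for ingress_prefix, upstream in self.ingress.items():
            if net.overlaps(ipaddress.ip_network(ingress_prefix)):
                self.forwarded.append((prefix, upstream.name))
                upstream.block_request(prefix)

    def filter(self, src):
        """Linear scan of the rule list; returns True if the packet is dropped."""
        self.seen += 1
        dropped = False
        for rule in self.rules:
            self.comparisons += 1
            if rule.matches(src):
                rule.hits += 1
                dropped = True
                break
        if self.reorder_every and self.seen % self.reorder_every == 0:
            # Every rule here is a deny rule, so reordering cannot change any
            # decision; putting the hottest rule first just shortens the scan.
            self.rules.sort(key=lambda r: r.hits, reverse=True)
        return dropped


def send(path, src):
    """Carry one packet along routers listed upstream-first; return who dropped it, or None."""
    for router in path:
        if router.filter(src):
            return router.name
    return None


def simulate(reorder_every=50):
    core = Router("core", capacity=8, reorder_every=reorder_every)
    edge = Router("edge", capacity=2, reorder_every=reorder_every)
    edge.ingress = {"0.0.0.0/0": core}      # constructed topology: everything reaches edge via core
    # Constructed pre-existing rules: edge is already at capacity, core holds two of its own.
    for p in ("192.0.2.0/24", "198.51.100.0/24"):
        edge.block_request(p)
        core.block_request(p)
    # The attacked host detects a flood from 203.0.113.0/24 and asks its neighbour, edge, to block it.
    edge.block_request("203.0.113.0/24")
    # Constructed traffic: 200 attack packets followed by 20 legitimate packets.
    packets = [f"203.0.113.{i % 250 + 1}" for i in range(200)] + ["10.1.1.5"] * 20
    outcome = {}
    for src in packets:
        who = send([core, edge], src)
        outcome[who] = outcome.get(who, 0) + 1
    return {"core": core, "edge": edge, "outcome": outcome}


if __name__ == "__main__":
    dyn, static = simulate(), simulate(reorder_every=0)
    print("request pushed upstream:", dyn["edge"].forwarded)
    print("dropped at:", dyn["outcome"])
    print("core rule checks, dynamic order:", dyn["core"].comparisons,
          "static order:", static["core"].comparisons)
```

Running it shows the edge router, already at its rule capacity, relaying the request to the core router, which then drops all 200 attack packets while the 20 legitimate packets pass both routers untouched. Comparing `simulate()` with `simulate(reorder_every=0)` shows the effect of dynamic rule ordering: once the attack rule has been promoted to the front, each attack packet costs one rule check instead of three, which is the saving the report's hardware support is meant to realise at line rate.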