• Title/Summary/Keyword: Packet Filtering

An Efficient Central Queue Management Algorithm for High-speed Parallel Packet Filtering (고속 병렬 패킷 여과를 위한 효율적인 단일버퍼 관리 방안)

  • 임강빈;박준구;최경희;정기현
    • Journal of the Institute of Electronics Engineers of Korea TC / v.41 no.7 / pp.63-73 / 2004
  • This paper proposes an efficient centralized single-buffer management algorithm to arbitrate access contention among processors on a multi-processor system for high-speed packet filtering, and proves that the algorithm provides reasonable performance by implementing it and applying it to a real multi-processor system. The multi-processor system for parallel packet filtering is modeled on a network processor, distributing the packet filtering rules across the processors to speed up the filtering. In this paper we varied the number of processors and the processing time of the filtering rules and measured the packet transfer rates to investigate the performance of the proposed algorithm.

An Improvement of Packet Filtering Functions for Tunneling Based IPv4/IPv6 Transition Mechanisms (터널링 기반 IPv4/IPv6 전이 기법을 위한 패킷 필터링 기능 개선)

  • Lee, Wan-Jik;Heo, Seok-Yeol;Lee, Won-Yeoul;Shin, Bum-Joo
    • Journal of the Korea Institute of Information Security & Cryptology / v.17 no.6 / pp.77-87 / 2007
  • It will take quite a long time to replace the currently used IPv4 protocol completely with IPv6, so both IPv4 and IPv6 will be used together on the Internet during that period. For the two protocols to coexist, the IETF standardized various IPv4/IPv6 transition mechanisms. However, new security problems with IPsec adaptation and IPv6 packet filtering can be raised by the tunneling mechanisms mainly used in transition mechanisms. To resolve these problems, we suggest two improved schemes for packet filtering functions, consisting of an inner header filtering scheme and a dedicated filtering scheme for IPv4/IPv6 transition mechanisms. We also implemented our proposed schemes based on the Linux Netfilter framework, tested their filtering functions, and evaluated the experimental performance of our implementation on an IPv4/IPv6 transition testbed. These evaluation tests indicated that our improved packet filtering functions can solve the packet filtering problems of IPv4/IPv6 transition mechanisms without severely affecting system performance.

Design and Implementation of Packet Filtering Mechanism for Secure Teredo Service (안전한 Teredo 서비스를 위한 패킷 필터링 메커니즘 설계 및 구현)

  • Heo, Seok-Yeol;Shin, Bum-Joo;Han, Ki-Jun;Lee, Wan-Jik
    • Journal of Korea Society of Industrial Information Systems / v.12 no.3 / pp.47-59 / 2007
  • IPv4 NAT, which is often used in households or in SOHO environments, is one of the factors delaying IPv6 adoption. Because IPv4 NAT does not operate properly with IPv6-in-IPv4 tunneling transition mechanisms such as ISATAP or 6to4, Microsoft proposed Teredo to resolve this issue. However, a tunneling transition mechanism like Teredo has a security problem: tunneled packets have two IP headers, and general firewall systems apply their filtering rules only to the outer header, not the inner header, when these packets pass through the firewall. Furthermore, attacks using unregistered servers and relays can take place in Teredo. To resolve these problems, we propose a new packet filtering mechanism exclusively for Teredo. The proposed packet filtering mechanism was designed and implemented using Linux Netfilter and ip6tables. Through functional and experimental performance tests, this packet filtering system was found to operate properly and to solve the Teredo packet filtering problems without serious performance degradation.
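
The two abstracts above (the transition-mechanism filtering paper and the Teredo paper) describe the same gap: a firewall that matches only the outer IPv4 header lets the encapsulated IPv6 header through unchecked. The following is an added example, not code from either paper, showing inner-header filtering in Python for 6in4 (IP protocol 41) and Teredo (IPv6 inside UDP port 3544, with the optional authentication and origin-indication headers skipped). The deny-listed prefix 2001:db8:ffff::/48, the outer-header policy, and the sample packets are constructed for the demonstration; checksums are left zero and not validated.

```python
import ipaddress
import struct

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41       # IPv6-in-IPv4 (6to4, ISATAP, configured tunnels)
TEREDO_PORT = 3544          # Teredo server/relay UDP port (RFC 4380)

# Constructed policy: inner-header deny-list for a hypothetical protected prefix.
INNER_DENY_DST = [ipaddress.IPv6Network("2001:db8:ffff::/48")]


def parse_ipv4(pkt):
    """Return (protocol, src, dst, header length) of an IPv4 packet; checksum not verified."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), ihl


def parse_ipv6(pkt):
    """Return (next header, src, dst) of an IPv6 fixed header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return pkt[6], ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])


def strip_teredo_headers(udp_payload):
    """Skip the optional Teredo authentication (0x0001) and origin indication (0x0000)
    headers that precede the encapsulated IPv6 packet (RFC 4380, section 5.1)."""
    p = udp_payload
    if p[:2] == b"\x00\x01":
        id_len, au_len = p[2], p[3]
        p = p[4 + id_len + au_len + 8 + 1:]     # identifier, auth value, nonce, confirmation
    if p[:2] == b"\x00\x00":
        p = p[8:]                                # indicator, obfuscated port, obfuscated IPv4
    return p


def extract_inner(pkt):
    """Return (encapsulation name, inner IPv6 bytes), or (None, None) for untunneled traffic."""
    proto, _, _, ihl = parse_ipv4(pkt)
    payload = pkt[ihl:]
    if proto == PROTO_IPV6_ENCAP:
        return "6in4", payload
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", payload[:6])
        if TEREDO_PORT in (sport, dport):
            inner = strip_teredo_headers(payload[8:ulen])
            if len(inner) >= 40 and inner[0] >> 4 == 6:
                return "teredo", inner
    return None, None


def verdict(pkt, inspect_inner=True):
    """Outer-header policy (what a conventional firewall sees), then the inner-header check."""
    proto, _, _, ihl = parse_ipv4(pkt)
    if proto in (PROTO_TCP, PROTO_IPV6_ENCAP):
        outer_ok = True                          # constructed policy: tunnels and TCP pass
    elif proto == PROTO_UDP and len(pkt) >= ihl + 4:
        outer_ok = TEREDO_PORT in struct.unpack("!HH", pkt[ihl:ihl + 4])
    else:
        outer_ok = False
    if not outer_ok:
        return "DROP", "outer policy"
    if not inspect_inner:
        return "ACCEPT", "outer policy"
    encap, inner = extract_inner(pkt)
    if encap is None:
        return "ACCEPT", "not tunneled"
    _, _, inner_dst = parse_ipv6(inner)
    for net in INNER_DENY_DST:
        if inner_dst in net:
            return "DROP", f"{encap}: inner dst {inner_dst} in {net}"
    return "ACCEPT", f"{encap}: inner header permitted"


# Constructed sample packets (header and UDP checksums left zero; not validated above).
def _ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _ipv6(nh, src, dst, payload):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), nh, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


INNER = _ipv6(PROTO_TCP, "2001:db8:1::10", "2001:db8:ffff::25", b"\x00" * 20)
PKT_6IN4 = _ipv4(PROTO_IPV6_ENCAP, "198.51.100.7", "192.0.2.1", INNER)
# Origin indication: port and IPv4 address are stored XORed with all-ones (RFC 4380).
ORIGIN = b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF) + bytes(
    b ^ 0xFF for b in ipaddress.IPv4Address("198.51.100.7").packed)
PKT_TEREDO = _ipv4(PROTO_UDP, "198.51.100.7", "192.0.2.1", _udp(40000, TEREDO_PORT, ORIGIN + INNER))
PKT_PLAIN = _ipv4(PROTO_TCP, "198.51.100.7", "192.0.2.1", b"\x00" * 20)

if __name__ == "__main__":
    for name, p in (("6in4", PKT_6IN4), ("teredo", PKT_TEREDO), ("plain", PKT_PLAIN)):
        print(name, "outer-only:", verdict(p, inspect_inner=False), "inner-aware:", verdict(p))
```

Run stand-alone, it prints the outer-only and inner-aware verdicts for each packet: both tunneled packets pass the outer-only policy and are dropped only once the inner destination is checked. A production filter would additionally validate the origin indication against the outer source and flag protocol-41 or UDP/3544 traffic from outer peers that are not the configured server or relay, which is the unregistered server and relay problem the Teredo abstract raises.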

Implementation of Firewall System Using Packet Filtering Method in the Linux OS (Linux 운영체제에서 Packet Filtering 방식을 이용한 방화벽 시스템의 구현)

  • 한상현;안동언;정성종
    • Proceedings of the IEEK Conference / 2003.11b / pp.77-80 / 2003
  • With the high demand for information over the Internet, computer and network facilities are rapidly being provided to schools. This situation brings about many problems; for example, the theft of information through false identification (hacking) is the greatest concern. This paper argues that an efficient way of protecting computer use is to use an open-source operating system, namely Linux. Furthermore, it shows that a system organized with iptables (the packet filtering service offered by the Linux system) functions well as a security system.

A Lightweight Packet Filter for Embedded System (임베디드 시스템을 위한 경량의 패킷필터)

  • Lee, Byong-Kwon;Jeon, Joong-Nam
    • The KIPS Transactions:PartC / v.13C no.7 s.110 / pp.813-820 / 2006
  • The advance of computer and communication technologies enables embedded systems to be equipped with network communication interfaces. Their appearance on the network leads to security issues for embedded systems. An easy way to overcome the security problem is to adopt the packet filter implemented in general computer systems. However, general packet filters designed for host computers are not suitable for embedded systems because of their complexity. In this paper, we propose a lightweight packet filter for embedded systems. The lightweight packet filter is implemented in the kernel code, and we have installed a Web GUI interface so that users can easily set the filtering policies remotely. The experimental results show that the proposed packet filter decreases the packet delivery time compared to the packet filter designed for host computers and is comparable to a system without a packet filter.

Threshold-based Filtering Buffer Management Scheme in a Shared Buffer Packet Switch

  • Yang, Jui-Pin;Liang, Ming-Cheng;Chu, Yuan-Sun
    • Journal of Communications and Networks / v.5 no.1 / pp.82-89 / 2003
  • In this paper, an efficient threshold-based filtering (TF) buffer management scheme is proposed. TF is capable of minimizing the overall loss performance and improving the fairness of buffer usage in a shared buffer packet switch. TF consists of two mechanisms. One mechanism classifies the output ports as active or inactive by comparing their queue lengths with a dedicated buffer allocation factor. The other mechanism filters the arriving packets of inactive output ports when the total queue length exceeds a threshold value. A theoretical queuing model of TF is formulated and solved for the overall packet loss probability. Computer simulations are used to compare the overall loss performance of TF, dynamic threshold (DT), static threshold (ST) and pushout (PO). We find that the TF scheme is more robust against dynamic traffic variations than DT and ST. Also, although the overall loss performance of TF and PO is close, the implementation of TF is much simpler than that of PO.

DDoS Prevention System Using Double Firewall and Multi-Filtering Method (이중 방화벽과 다중 필터링을 이용한 DDoS 차단 시스템)

  • Cho, jiHo;Shin, Jiyong;Lee, Geuk
    • Convergence Security Journal / v.14 no.2 / pp.65-72 / 2014
  • This paper proposes a multi-filtering method on a double firewall to prevent DDoS attacks. In the first firewall, the R-PA filtering algorithm and a rigid hop counter filtering method are applied by analyzing packet paths. In the second firewall, packets are examined to distinguish abnormal from normal packets. A security policy system monitors each user session, and if the traffic exceeds the threshold value, the system blocks that session for an assigned time.
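
The abstract names a hop-count check in the first firewall and a per-session threshold with timed blocking in the second, but does not define R-PA, so that part is not reproduced. The following is an added example, not the paper's code, of the two mechanisms it does describe, implemented as the general hop-count filtering technique (infer the hop count from the observed TTL and the nearest common initial TTL, compare it against a per-source table learned from proven-live traffic) followed by a sliding-window session limiter that blocks an offending source for a fixed time. Addresses, TTLs, thresholds and timings are constructed.

```python
from collections import defaultdict, deque

# Initial TTL values used by common operating systems; the hop count is inferred as the
# smallest plausible initial TTL minus the TTL observed at the filter.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"invalid TTL {ttl}")


class HopCountFilter:
    """Per-source hop-count table; a packet whose inferred hop count disagrees with the
    learned value is treated as carrying a spoofed source address."""

    def __init__(self, tolerance=0):
        self.table = {}
        self.tolerance = tolerance

    def learn(self, src, ttl):
        # Assumption: only called for sources proven live, e.g. after a completed TCP handshake.
        self.table[src] = infer_hop_count(ttl)

    def is_spoofed(self, src, ttl):
        expected = self.table.get(src)
        if expected is None:
            return False  # unknown source: the hop-count check cannot decide, fall through
        return abs(infer_hop_count(ttl) - expected) > self.tolerance


class SessionLimiter:
    """Blocks a source for block_for seconds once it sends more than max_pkts packets
    within a sliding window of window seconds."""

    def __init__(self, max_pkts, window, block_for):
        self.max_pkts, self.window, self.block_for = max_pkts, window, block_for
        self.history = defaultdict(deque)
        self.blocked_until = {}

    def allow(self, src, now):
        if self.blocked_until.get(src, float("-inf")) > now:
            return False
        q = self.history[src]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.max_pkts:
            self.blocked_until[src] = now + self.block_for
            q.clear()
            return False
        return True


def filter_packets(packets, hcf, limiter):
    """packets: iterable of (time, src, ttl). Returns (time, src, verdict, reason) tuples."""
    out = []
    for t, src, ttl in packets:
        if hcf.is_spoofed(src, ttl):
            out.append((t, src, "DROP", "hop-count mismatch"))
        elif not limiter.allow(src, t):
            out.append((t, src, "DROP", "session over threshold"))
        else:
            out.append((t, src, "ACCEPT", ""))
    return out


# Constructed traffic: one legitimate packet, one spoofed packet reusing its address with a
# TTL that implies a different path length, a 12-packet burst from a second host, then one
# packet from that host after its block has expired.
SAMPLE_PACKETS = (
    [(0.00, "203.0.113.5", 54), (0.10, "203.0.113.5", 120)]
    + [(1.0 + 0.01 * i, "198.51.100.9", 60) for i in range(12)]
    + [(7.00, "198.51.100.9", 60)]
)


def demo():
    hcf = HopCountFilter()
    hcf.learn("203.0.113.5", 54)                 # 64 - 54 = 10 hops
    limiter = SessionLimiter(max_pkts=10, window=1.0, block_for=5.0)
    return filter_packets(SAMPLE_PACKETS, hcf, limiter)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Hop-count filtering assumes the attacker does not know the true hop count between the spoofed address and the filter: a spoofed packet whose TTL happens to imply the right value (TTL 118 instead of 120 in the sample) would pass, which is why the abstract combines it with further filtering and a session threshold rather than relying on it alone.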

CRG Algorithm and nTCAM for the Efficient Packet Filtering System (효율적인 패킷 필터링 시스템을 위한 CRG 알고리즘과 nTCAM)

  • Kim Yong-Kwon;Lee Soon-Seok;Kim Young-Sun;Ki Jang-Geun
    • The Journal of Korean Institute of Communications and Information Sciences / v.31 no.8B / pp.745-756 / 2006
  • The general packet filtering system using TCAM has some limitations, such as filtering range and negation rules, so this paper proposes more efficient searching schemes than the existing methods. For range rules, the CRG (Converting Range rules using Gray code) algorithm, which takes advantage of Gray code and TCAM characteristics to save a number of TCAM entries, is proposed; for negation rules, an nTCAM (TCAM with negation) architecture is proposed, implemented using an FPGA design tool, and verified through waveform simulation. According to the simulation with the SNORT rules, the CRG algorithm and nTCAM save about 93% of TCAM entries for IPv4 and 98% for IPv6 compared with the existing method.

Development of Test Tool for Testing Packet Filtering Functions (패킷 필터링 기능 테스트를 위한 테스트 도구 개발)

  • Kim, Hyeon-Soo;Park, Young-Dae;Kuk, Seung-Hak
    • Journal of KIISE:Computing Practices and Letters / v.13 no.2 / pp.86-99 / 2007
  • Packet filtering filters out potentially malicious network packets. In order to test a packet filtering function, we should verify whether the security policies are performed correctly as intended. However, there are few existing tools to test the function, and they need user participation when generating test cases or deciding test results. Many security administrators are burdened by having to test new security policies systematically when they establish new policies or modify existing ones. To mitigate these burdens we suggest a new test method with minimal user participation. Our tool automates the generation of the test cases and of the test oracles. By using the automatically generated test oracles, test results can be decided without user intervention. Our method realizes automatic testing in three phases: test preparation, test execution, and test evaluation. As a result, it can raise confidence in the test activities. This paper describes the design and implementation of our test method and tool.

Coordination of Anti-Spoofing Mechanisms in Partial Deployments

  • An, Hyok;Lee, Heejo;Perrig, Adrian
    • Journal of Communications and Networks / v.18 no.6 / pp.948-961 / 2016
  • Internet protocol (IP) spoofing is a serious problem on the Internet. It is an attractive technique for adversaries who wish to amplify their network attacks and retain anonymity. Many approaches have been proposed to prevent IP spoofing attacks; however, they do not address a significant deployment issue, i.e., filtering inefficiency caused by a lack of deployment incentives for adopters. To defeat attacks effectively, one mechanism must be widely deployed on the network; however, the majority of the anti-spoofing mechanisms are unsuitable to solve the deployment issue by themselves. Each mechanism can work separately; however, their defensive power is considerably weak when insufficiently deployed. If we coordinate partially deployed mechanisms such that they work together, they demonstrate considerably superior performance by creating a synergy effect that overcomes their limited deployment. Therefore, we propose a universal anti-spoofing (UAS) mechanism that incorporates existing mechanisms to thwart IP spoofing attacks. In the proposed mechanism, intermediate routers utilize any existing anti-spoofing mechanism that can ascertain whether a packet is spoofed and record this decision in the packet header. The edge routers of a victim network can estimate the forgery of a packet based on this information sent by the upstream routers. The results of experiments conducted with real Internet topologies indicate that UAS reduces false alarms by up to 84.5% compared to the case where each mechanism operates individually.