Title/Summary/Keyword: stateful protocol

A Connection Management Protocol for Stateful Inspection Firewalls in Multi-Homed Networks

  • Kim, Jin-Ho;Lee, Hee-Jo;Bahk, Sae-Woong
    • Journal of Communications and Networks / v.10 no.4 / pp.455-464 / 2008
  • To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems have come to outnumber single-homed networks. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls at their borders. The majority of today's firewalls use stateful inspection, which exploits connection state for fine-grained control. However, stateful inspection has a topological restriction: the outgoing and incoming traffic of a connection must pass through a single firewall for the desired packet filtering operation to be executed. Multi-homed networking environments suffer from this restriction, and BGP policies provide only coarse control over communication paths. Because of these features and the characteristics of datagram routing, there is a real possibility of asymmetric routing. This mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon as a state-sharing problem among multiple firewalls under asymmetric routing. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon arrival of a SYN packet, and 2) state sharing triggered by the arrival of a SYN/ACK packet in the absence of any trace of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed in high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results from a prototype implementation.
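
The two-phase mechanism in the abstract above, as an added illustration that is not the paper's code: the exit firewall rewrites the client's initial sequence number into a cookie that carries its own firewall id, and a sibling firewall that receives the SYN/ACK without a matching entry recovers the id from the acknowledgement number and pulls the state from the owner. The cookie layout (8-bit firewall id followed by a 24-bit truncated HMAC over the 4-tuple), the shared `CLUSTER_SECRET`, and the in-process dictionary standing in for the state-sharing messages are assumptions of this example, not details from the paper.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed shared secret; assumption: distributed out-of-band to every border firewall.
CLUSTER_SECRET = b"constructed-cluster-secret"
FW_ID_BITS = 8                              # assumption: top 8 bits of the 32-bit cookie hold the firewall id
MAC_MASK = (1 << (32 - FW_ID_BITS)) - 1     # remaining 24 bits hold a truncated MAC


def _mac(src, sport, dst, dport):
    """Truncated HMAC over the 4-tuple, so a forged SYN/ACK cannot name an arbitrary firewall."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    digest = hmac.new(CLUSTER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(fw_id, src, sport, dst, dport):
    """32-bit value written into the outbound SYN's sequence field: fw_id || MAC(4-tuple)."""
    if not 0 <= fw_id < (1 << FW_ID_BITS):
        raise ValueError("firewall id does not fit the cookie")
    return (fw_id << (32 - FW_ID_BITS)) | _mac(src, sport, dst, dport)


def cookie_owner(cookie, src, sport, dst, dport):
    """Firewall id encoded in a cookie, or None when the MAC does not verify for this 4-tuple."""
    if (cookie & MAC_MASK) != _mac(src, sport, dst, dport):
        return None
    return cookie >> (32 - FW_ID_BITS)


@dataclass
class Firewall:
    fw_id: int
    cluster: dict                          # fw_id -> Firewall; stands in for the state-sharing channel
    table: dict = field(default_factory=dict)
    shares: int = 0                        # how many times this firewall had to fetch state from a sibling

    def outbound_syn(self, src, sport, dst, dport, client_isn):
        """Exit firewall: record the connection and return the cookie that replaces the client's ISN."""
        cookie = make_cookie(self.fw_id, src, sport, dst, dport)
        self.table[(src, sport, dst, dport)] = {
            "state": "SYN_SENT", "client_isn": client_isn, "cookie": cookie}
        return cookie

    def inbound_synack(self, src, sport, dst, dport, ack):
        """Entry firewall: (src, sport) is the internal client; ack is the SYN/ACK's acknowledgement number."""
        key = (src, sport, dst, dport)
        if key not in self.table:
            owner = cookie_owner((ack - 1) & 0xFFFFFFFF, src, sport, dst, dport)
            if owner is None or owner == self.fw_id or owner not in self.cluster:
                return "DROP"              # no local state and no valid trail: unsolicited SYN/ACK
            shared = self.cluster[owner].table.get(key)
            if shared is None:
                return "DROP"              # the named firewall never saw this SYN either
            self.table[key] = dict(shared)  # phase 2: state sharing triggered by the SYN/ACK
            self.shares += 1
        self.table[key]["state"] = "SYN_RECEIVED"
        return "ACCEPT"


def build_cluster():
    """Two border firewalls (ids 1 and 2) that know about each other."""
    cluster = {}
    for fw_id in (1, 2):
        cluster[fw_id] = Firewall(fw_id, cluster)
    return cluster
```

Because the firewall rewrote the client's sequence number, a real implementation must also translate sequence and acknowledgement numbers for the rest of the connection (the `client_isn` kept in the shared entry is what makes that possible); the example stops at the handshake.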

Stateful Virtual Proxy Server for Attack Detection based on SIP Protocol State Monitoring Mechanism (SIP 프로토콜 상태정보 기반 공격 탐지 기능을 제공하는 가상 프록시 서버 설계 및 구현)

  • Lee, Hyung-Woo
    • Journal of Internet Computing and Services / v.9 no.6 / pp.37-48 / 2008
  • VoIP service is the transmission of voice data using the SIP protocol over an IP-based network. The SIP protocol has many advantages, such as providing IP-based voice communication and multimedia service at low communication cost, and so it has spread very quickly. However, the SIP protocol exposes new forms of vulnerability to malicious attacks such as message flooding attacks and protocol parsing attacks, and it also inherits the threats of many existing vulnerabilities of IP-based protocols. In this paper, we propose a new Virtual Proxy Server system placed in front of the existing Proxy Server for anomaly detection of SIP attacks and stateful management of SIP sessions with enhanced security. Based on the stateful virtual proxy server, our solution shows promising SIP Message Flooding attack verification and detection performance with minimal added latency on SIP packet transmission.

IPv6 Stateful Autoconfiguration Using DHCPv6 Server of ISP In UMTS/GPRS (UMTS/GPRS에서 ISP의 DHCPv6 서버를 이용한 IPv6 stateful autoconfiguration)

  • 김성진;김화성;민상원;임선화;오돈성;김영진
    • Proceedings of the Korean Information Science Society Conference / 2001.10c / pp.205-207 / 2001
  • In UMTS/GPRS, the third-generation mobile network, providing IP-based services requires that the mobile terminal be assigned an IP address through which its data packets are transmitted. However, the explosive growth of Internet subscribers under IPv4 is expected to exhaust the IP address space, so applying IPv6 (Internet Protocol version 6), which dramatically enlarges the address space, to UMTS/GPRS is necessary. This paper describes the stateless autoconfiguration procedure in UMTS/GPRS networks and proposes a stateful autoconfiguration method in which the mobile terminal interworks with a DHCPv6 server to obtain its IP address.

A Detect and Defense Mechanism of Stateful DRDoS Attacks (상태기반 DRDoS 공격에 대한 탐지 및 방어기법)

  • Kim, Minjun;Seo, Kyungryong
    • Journal of the Institute of Electronics and Information Engineers / v.51 no.5 / pp.127-134 / 2014
  • In DRDoS (Distributed Reflective Denial of Service) attacks, the victim is bombarded by packets from legitimate reflectors, unlike DDoS (Distributed Denial of Service) attacks carried out through zombies; this is more dangerous than a DDoS attack because it is in stronger disguise. Therefore, packet filtering methods on routers are useless. Moreover, the multi-homing feature of SCTP (Stream Control Transmission Protocol), an improved transmission protocol, makes detecting attacks more difficult and allows the effect of the attack to be maximized. In this paper we propose a DRDoS detection mechanism that pays attention to the characteristics of stateful protocols. The proposed scheme is backed by a stateful firewall, detects DRDoS attacks through a rules table, and performs a defensive treatment against the DRDoS attack. The rules table has a simple structure and can easily be adapted for any kind of stateful protocol that DRDoS attacks can use. The experimental results confirm that our proposed scheme detects DRDoS attacks using SCTP, a next-generation transmission protocol not known by the victim, and reduces the attacking packets rapidly.
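
The rules-table idea above, worked out as an added example (not the paper's implementation): for each stateful protocol the table names the message that opens a handshake and the message a reflector sends back, and a stateful filter at the victim's border passes a reply only if an inside host actually sent the matching request. The table contents (SCTP INIT/INIT-ACK, TCP SYN/SYN-ACK), the packet representation and the trace below are all constructed for this example.

```python
from collections import Counter, namedtuple

# One packet as observed at the border; direction is relative to the protected network.
Packet = namedtuple("Packet", "proto direction src dst kind")

# Rules table (constructed): per stateful protocol, the handshake opener and the
# reply a reflector would send to a spoofed victim address.
RULES = {
    "sctp": {"request": "INIT", "response": "INIT-ACK"},
    "tcp":  {"request": "SYN",  "response": "SYN-ACK"},
}


class DrdosFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.pending = set()             # (proto, internal host, external host) handshakes we opened
        self.dropped = Counter()         # reflector address -> packets dropped

    def process(self, pkt):
        rule = self.rules.get(pkt.proto)
        if rule is None:
            return "PASS"                # not a protocol in the table; out of scope for this filter
        if pkt.direction == "out" and pkt.kind == rule["request"]:
            self.pending.add((pkt.proto, pkt.src, pkt.dst))
            return "PASS"
        if pkt.direction == "in" and pkt.kind == rule["response"]:
            key = (pkt.proto, pkt.dst, pkt.src)
            if key in self.pending:
                self.pending.discard(key)
                return "PASS"            # reply to a handshake an inside host really started
            self.dropped[pkt.src] += 1   # reply to a request we never sent: reflected traffic
            return "DROP"
        return "PASS"


def run(trace):
    """Apply the filter to a packet list; returns (verdicts, filter) for inspection."""
    f = DrdosFilter()
    return [f.process(p) for p in trace], f


# Constructed trace: one genuine SCTP association setup, then INIT-ACKs from
# reflectors that received INITs carrying our host's spoofed source address.
SAMPLE_TRACE = [
    Packet("sctp", "out", "10.0.0.5", "198.51.100.7", "INIT"),
    Packet("sctp", "in",  "198.51.100.7", "10.0.0.5", "INIT-ACK"),
    Packet("sctp", "in",  "192.0.2.1", "10.0.0.5", "INIT-ACK"),
    Packet("sctp", "in",  "192.0.2.2", "10.0.0.5", "INIT-ACK"),
    Packet("sctp", "in",  "192.0.2.1", "10.0.0.5", "INIT-ACK"),
    Packet("tcp",  "in",  "192.0.2.3", "10.0.0.5", "SYN-ACK"),
    Packet("udp",  "in",  "192.0.2.4", "10.0.0.5", "DNS-RESPONSE"),
]
```

The reflectors are legitimate servers, so a source-address blocklist would be useless, as the abstract notes; the decision key is instead whether a matching request left the network. A production filter would keep the pending entry until the association completes or times out rather than clearing it on the first reply, so that a retransmitted INIT-ACK from the real peer is not dropped.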

Stateful SIP Protocol with Enhanced Security for Proactive Response on SIP Attack (SIP 공격 대응을 위한 보안성이 강화된 Stateful SIP 프로토콜)

  • Yun, Ha-Na;Lee, Hyung-Woo
    • The Journal of the Korea Contents Association / v.10 no.1 / pp.46-58 / 2010
  • The number of users of VoIP services based on the SIP protocol is increasing rapidly because of low communication cost and convenience. But an attacker can easily modify the packet contents of the SIP protocol, as the SIP header is transmitted over UDP in text form. The reason is that the SIP protocol does not provide an authentication function on the transmission session. Therefore, the existing SIP protocol is very weak against SIP Packet Flooding attacks and the like. In order to solve these kinds of SIP vulnerabilities, we used SIP status codes in a monitoring module for detecting SIP Flooding attacks, and additionally proposed an advanced protocol in which the authentication and security functions for SIP packets are strengthened. We managed SIP sessions spontaneously in order to strengthen security with a SIP authentication function and to solve the vulnerability of the SIP protocol. The proposed mechanism can securely send SIP packets and solve the security vulnerability with minimal transmission traffic. Service delay in SIP proxy servers will also be minimized, solving the overload problem on the SIP proxy server.

Minimizing Security Hole and Improving Performance in Stateful Inspection for TCP Connections (TCP연결의 스테이트풀 인스펙션에 있어서의 보안 약점 최소화 및 성능 향상 방법)

  • Kim, Hyo-Gon;Kang, In-Hye
    • Journal of KIISE:Information Networking / v.32 no.4 / pp.443-451 / 2005
  • Stateful inspection devices must maintain flow information. These devices create flow information also for network attack packets, which can fatally inflate dynamic memory allocation on stateful inspection devices under network attacks. The memory inflation leads to memory overflow and subsequent performance degradation. In this paper, we present a guideline for setting the flow entry timeout of a stateful inspection device so as to remove harmful embryonic entries created by network attacks. Considering that the Transmission Control Protocol (TCP) is utilized by most of these attacks as well as by legitimate traffic, we propose a parsimonious memory management guideline based on the design of TCP and the analysis of real-life Internet traces. In particular, we demonstrate that for all practical purposes one should not reserve memory for an embryonic TCP connection with more than (R+T) seconds of inactivity, where R = 0, 3, 9 and $1 \le T \le 2$ depending on the load level.
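
The (R+T) guideline above applied to a flow table, as an added example rather than the paper's code: embryonic entries (SYN seen, handshake not completed) are reaped after R+T seconds of inactivity while established entries keep a long idle timeout, so a SYN flood cannot hold memory for longer than a legitimate client's SYN retransmission would. The mapping of R = 9, 3, 0 to load levels named low, medium and high, the choice T = 2, the 3600 s established timeout and the simulated flood are assumptions of this example.

```python
from dataclasses import dataclass

# R from the guideline: how long to keep waiting for a legitimate client's SYN
# retransmission before reclaiming the entry. Assumption: named load levels map
# to the three values given in the abstract, with higher load waiting less.
R_BY_LOAD = {"low": 9, "medium": 3, "high": 0}
T_SECONDS = 2                        # T in [1, 2]; the conservative upper end is used here


def embryonic_timeout(load):
    """Seconds of inactivity after which an embryonic (half-open) entry is reclaimed."""
    return R_BY_LOAD[load] + T_SECONDS


@dataclass
class Flow:
    state: str              # "EMBRYONIC": SYN seen, handshake incomplete; or "ESTABLISHED"
    last_seen: float        # timestamp of the last packet that touched the entry


class FlowTable:
    ESTABLISHED_TIMEOUT = 3600.0     # assumption: typical idle timeout for completed connections

    def __init__(self, load):
        self.load = load
        self.flows = {}

    def syn(self, key, now):
        """New or retransmitted SYN: create or refresh an embryonic entry."""
        self.flows[key] = Flow("EMBRYONIC", now)

    def established(self, key, now):
        """Handshake completed (third ACK seen): promote the entry."""
        flow = self.flows.get(key)
        if flow is not None:
            flow.state = "ESTABLISHED"
            flow.last_seen = now

    def reap(self, now):
        """Evict entries idle longer than their state's timeout; return how many were evicted."""
        limit = embryonic_timeout(self.load)
        expired = [
            key for key, f in self.flows.items()
            if now - f.last_seen > (limit if f.state == "EMBRYONIC" else self.ESTABLISHED_TIMEOUT)
        ]
        for key in expired:
            del self.flows[key]
        return len(expired)

    def __len__(self):
        return len(self.flows)


def simulate(load, flood_size=500):
    """Constructed scenario: a SYN flood of spoofed sources at t=0 plus one legitimate
    client whose handshake completes at t=0.3. Returns table sizes after reaping at
    t=2.2 and again at t=11.5."""
    table = FlowTable(load)
    for i in range(flood_size):
        table.syn(("spoofed", i, "10.0.0.9", 80), 0.0)
    legit = ("198.51.100.20", 51000, "10.0.0.9", 80)
    table.syn(legit, 0.1)
    table.established(legit, 0.3)
    table.reap(2.2)
    after_2s = len(table)
    table.reap(11.5)
    after_11s = len(table)
    return after_2s, after_11s
```

Under high load (R = 0) the flood entries are gone after about two seconds, while under low load the device tolerates them for up to 11 s so that a legitimate client whose first SYN was lost can still complete after its retransmissions; in both cases the established connection survives.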

Stateful Virtual Proxy for SIP Message Flooding Attack Detection

  • Yun, Ha-Na;Hong, Sung-Chan;Lee, Hyung-Woo
    • KSII Transactions on Internet and Information Systems (TIIS) / v.3 no.3 / pp.251-265 / 2009
  • VoIP service is the transmission of voice data using the SIP protocol on an IP-based network. The SIP protocol has many advantages, such as providing IP-based voice communication and multimedia service at low communication cost, so it has spread quickly. However, the SIP protocol exposes new forms of vulnerability to malicious attacks, such as message flooding attacks. It also inherits the threats of many existing vulnerabilities of IP-based protocols. In this paper, we propose a new virtual proxy that cooperates with the existing Proxy Server to provide state monitoring and detect SIP message flooding attacks with IP/MAC authentication. Based on the proposed virtual proxy, the proposed system enhances SIP attack detection performance with minimal latency in SIP packet transmission.
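
The three SIP entries above (the two virtual proxy papers and the status-code-based monitor) all rest on tracking SIP transaction state in front of the proxy. As an added example that is none of those papers' code, the monitor below parses SIP start lines and headers, opens a transaction per Call-ID on INVITE, closes it on any final status code (2xx to 6xx) for that INVITE, and flags a source that keeps more incomplete INVITE transactions open than a threshold allows. The threshold, the message builders and the sample addresses are constructed for this example; the parser covers only the text syntax needed here.

```python
from collections import defaultdict


def parse_sip(raw):
    """Minimal parser for a SIP message's start line and headers (RFC 3261 text syntax)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        _, code, reason = start.split(" ", 2)
        return {"type": "response", "status": int(code), "reason": reason, "headers": headers}
    method, uri, _version = start.split(" ", 2)
    return {"type": "request", "method": method, "uri": uri, "headers": headers}


class InviteStateMonitor:
    """Tracks open INVITE transactions per Call-ID and flags sources that hold too many."""

    def __init__(self, max_open_per_source=3):
        self.max_open = max_open_per_source       # assumption: policy threshold
        self.open = {}                            # call-id -> address that sent the INVITE
        self.open_per_src = defaultdict(int)
        self.alerts = []                          # (source, call-id) pairs that crossed the threshold

    def observe(self, src, raw):
        msg = parse_sip(raw)
        hdr = msg["headers"]
        call_id = hdr.get("call-id")
        cseq = hdr.get("cseq", "")
        cseq_method = cseq.split()[-1].upper() if cseq else ""
        if msg["type"] == "request" and msg["method"] == "INVITE":
            if call_id not in self.open:          # a retransmitted INVITE does not count twice
                self.open[call_id] = src
                self.open_per_src[src] += 1
                if self.open_per_src[src] > self.max_open:
                    self.alerts.append((src, call_id))
                    return "FLOOD"
            return "OK"
        if msg["type"] == "response" and cseq_method == "INVITE" and msg["status"] >= 200:
            # any final status code (2xx-6xx) closes the INVITE transaction
            opener = self.open.pop(call_id, None)
            if opener is not None:
                self.open_per_src[opener] -= 1
            return "OK"
        return "OK"      # provisional 1xx, ACK, BYE etc. do not change the open count


def invite(call_id, user, host):
    """Constructed sample INVITE request."""
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK-{call_id}\r\n"
            f"From: <sip:{user}@{host}>;tag=1\r\n"
            "To: <sip:bob@example.net>\r\n"
            f"Call-ID: {call_id}\r\n"
            "CSeq: 1 INVITE\r\n\r\n")


def final_response(call_id, status, reason):
    """Constructed sample final response to an INVITE."""
    return (f"SIP/2.0 {status} {reason}\r\n"
            f"Call-ID: {call_id}\r\n"
            "CSeq: 1 INVITE\r\n\r\n")
```

A flooder typically never completes its transactions, so its count of open INVITEs only grows, while a legitimate caller's transactions are closed by the callee's final responses; keying on Call-ID rather than raw packet rate is what keeps retransmissions of a genuine INVITE from looking like an attack.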

Resilient Reduced-State Resource Reservation

  • Csaszar Andras;Takacs Attila;Szabo Robert;Henk Tamas
    • Journal of Communications and Networks / v.7 no.4 / pp.509-524 / 2005
  • Due to the strict requirements of emerging applications, per-flow admission control is gaining increasing importance. One way to implement per-flow admission control is using an on-path resource reservation protocol, where the admission decision is made hop-by-hop after a new flow request arrives at the network boundary. The Next Steps in Signaling (NSIS) working group of the Internet Engineering Task Force (IETF) is standardising such an on-path signaling protocol. One of the reservation methods considered by NSIS is reduced-state mode, which, suiting the differentiated services (DiffServ) concept, only allows per-class states in the interior nodes of a domain. Although there are clear benefits of not dealing with per-flow states in interior nodes, like scalability and low complexity, without per-flow states the handling of re-routed flows, e.g., after a failure, is a demanding and highly non-trivial task. To be applied in carrier-grade networks, the protocol needs to be resilient in this situation. In this article, we explain the consequences of a route failover for resource reservation protocols: severe congestion and incorrect admission decisions due to outdated reservation states. We set requirements that handling solutions need to fulfill, and we propose extensions to reduced-state protocols accordingly. We show with a set of simulated scenarios that with the given solutions reduced-state protocols can handle re-routed flows practically as fast and robustly as stateful protocols.

State of the art of IETF Path Computation Element Standards (IETF PCE WG 표준 기반 통합 전달망 경로 제어 기술동향)

  • Cho, E.Y.;Kwon, T.H.;Jeong, T.S.
    • Electronics and Telecommunications Trends / v.31 no.5 / pp.99-109 / 2016
  • The IETF Path Computation Element (PCE) working group standardizes around an engine that computes forwarding paths for data transmission. It defines the path computation function, architecture and protocols that allocate optimal resources based on network state, topology, resource availability and policy. Starting from control-plane-protocol-based transport in MPLS/GMPLS networks, the work has evolved through application to optical and circuit-switched networks and service standards backed by real deployments, and its use in data center networks, SDN and IoT is now being actively discussed. This article surveys the status of the related standards, including the active stateful PCE, whose main purpose was to distribute the path computation function and which is now being extended to general transport network management, the Traffic Engineering Database (TED), the Label Switched Path DB (LSP-DB) and the PCE Protocol (PCEP), and introduces the future evolution of integrated transport network control and management.