• Journal of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

J4 ›› 2012, Vol. 34 ›› Issue (11): 14-20.

• Papers •

A Lightweight MultiLevel Capabilities Mechanism for Next Generation Internet

ZHANG Honghao,WANG Jinsong,LIU Tao   

  1. (School of Computer and Communication Engineering,
    Tianjin University of Technology, Tianjin 300384, China)
  • Received: 2011-10-13 Revised: 2011-12-28 Online: 2012-11-25 Published: 2012-11-25

Abstract:

An antiDoS (Denial of Service) mechanism called LMCM (Lightweight Multilevel Capabilities Mechanism) for next generation Internet is proposed. The LMCM distinguishes the malicious users and the benign users through their behaviors and adopts lightweight validation mechanism to avoid heavyweight operations in the core network. It improves data transfer efficiency but not lowers the overall security, meeting different security requirements. In order to defend DoC (DenialofCapability) attacks caused by the capabilities and guarantee fairly sharing the network resources, the LMCM adopts a hierarchical queue management mechanism. Furthermore, the LMCM improves the flow control mechanism to defend other complicated attack which cannot be defended in TVA(Traffic Validation Architecture) and makes up for the shortcomings and inadequacies of the TVA. In order to get convincing comparative results, we choose some representative topologies in the dataset of the CAIDA (Cooperative Association for Internet Data) as our experiment topologies. Simulation results in dissimilar scenarios indicate that the LMCM is conducive to improving the data transfer efficiency and enhancing the scalability of defense system compared with the TVA.

Key words: next generation Internet; network security; distributed denial of service; traffic validation architecture