A router-based technique to mitigate reduction of quality (RoQ) attacks

We propose a router-based technique to mitigate the stealthy reduction of quality (RoQ) attacks at the routers in the Internet. The RoQ attacks have been shown to impair the QoS sensitive VoIP and the TCP traffic in the Internet. It is difficult to detect these attacks because of their low average rates. We also show that our generalized approach can detect these attacks even if they employ the source IP address spoofing, the destination IP address spoofing, and undefined periodicity to evade several router-based detection systems. The detection system operates in two phases: in phase 1, the presence of the RoQ attack is detected from the readily available per flow information at the routers, and in phase 2, the attack filtering algorithm drops the RoQ attack packets. Assuming that the attacker uses the source IP address and the destination IP address spoofing, we propose to detect the sudden increase in the traffic load of all the expired flows within a short period. In a network without RoQ attacks, we show that the traffic load of all the expired flows is less than certain thresholds, which are derived from real Internet traffic analysis. We further propose a simple filtering solution to drop the attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit. Our results show that we can successfully detect and mitigate RoQ attacks even with the source and destination IP addresses spoofed. The detection system is implemented in the ns2 simulator. In the simulations, we use the flowid field available in ns2 to implement per-flow logic, which is a combination of the source IP address, the destination IP address, the source port, and the destination port. We also discuss the real implementation of the proposed detection system.     

MASK: An efficient mechanism to extend inter-domain IP spoofing preventions

IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem, we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes, and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes, MASK can not only enlarge the domain of the spoofing prevention service, but also filter spoofing packets in advance. Through analysis and simulations, we demonstrate MASK＇s accuracy and effectiveness.     

Controlling IP Spoofing through Interdomain Packet Filters

The distributed denial-of-service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in border gateway protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.     

An incrementally deployable path address scheme

The research community has proposed numerous network security solutions, each dealing with a specific problem such as address spoofing, denial-of-service attacks, denial-of-quality attacks, reflection attacks, viruses, or worms. However, due to the lack of fundamental support from the Internet, individual solutions often share little common ground in their design, which causes a practical problem: deploying all these vastly different solutions will add exceedingly high complexity to the Internet routers. In this paper, we propose a simple generic extension to the Internet, providing a new type of information, called path addresses, that simplify the design of security systems for packet filtering, fair resource allocation, packet classification, IP traceback, filter push-back, etc. IP addresses are owned by end hosts; path addresses are owned by the network core, which is beyond the reach of the hosts. We describe how to enhance the Internet protocols for path addresses that meet the uniqueness requirement, completeness requirement, safety requirement, and incrementally deployable requirement. We evaluate the performance of our scheme both analytically and by simulations, which show that, at small overhead, the false positive ratio and the false negative ratio can both be made negligibly small.     

域间IP欺骗防御服务增强机制

IP地址真实性验证成为构建可信网络的基础,基于源-目的标识(密钥)的自治域级IP欺骗过滤和基于源标识(公钥)的端系统级IP认证均采用了端-端方式试图解决IP欺骗.端-端认证方式实现简单,但却忽略了IP欺骗报文对中间网络的泛洪攻击,防御效果差.提出面向IP欺骗防御联盟成员的域间IP欺骗防御服务增强机制——ESP(enhanced spoofing prevention).ESP引入开放的路由器协同机制,提供了源-目的路径中ESP节点信息通告和协同标记的框架.基于源标识IP欺骗防御,ESP融入了路径标识,不仅减小了源标识冲突概率,而且混合型标识支持了ESP节点根据报文标识提前过滤IP欺骗报文.基于BGP(border gateway protocol),提出前缀p-安全节点的概念和检测理论,有效控制了源标识传播范围,减小了ESP节点的标记和过滤开销.ESP继承了基于标识的防御机制的可部分部署性,能够很好地支持动态路由和非对称路由.应用Routeview提供的RIB(routing information base)进行评估,ESP增强了IP欺骗防御服务的能力,而且能够提前过滤IP欺骗报文.     

域间IP欺骗防御服务增强机制

IP地址真实性验证成为构建可信网络的基础,基于源-目的标识(密钥)的自治域级IP欺骗过滤和基于源标识(公钥)的端系统级IP认证均采用了端-端方式试图解决IP欺骗.端-端认证方式实现简单,但却忽略了IP欺骗报文对中间网络的泛洪攻击,防御效果差.提出面向IP欺骗防御联盟成员的域间IP欺骗防御服务增强机制——ESP(enhanced spoofing prevention).ESP引入开放的路由器协同机制,提供了源-目的路径中ESP节点信息通告和协同标记的框架.基于源标识IP欺骗防御,ESP融入了路径标识,不仅减小了源标识冲突概率,而且混合型标识支持了ESP节点根据报文标识提前过滤IP欺骗报文.基于BGP(border gateway protocol),提出前缀p-安全节点的概念和检测理论,有效控制了源标识传播范围,减小了ESP节点的标记和过滤开销.ESP继承了基于标识的防御机制的可部分部署性,能够很好地支持动态路由和非对称路由.应用Routeview提供的RIB(routing information base)进行评估,ESP增强了IP欺骗防御服务的能力,而且能够提前过滤IP欺骗报文.     

Packet forwarding with source verification

Routers in the Internet do not perform any verification of the source IP address contained in the packets, leading to the possibility of IP spoofing. The lack of such verification opens the door for a variety of vulnerabilities, including denial-of-service (DoS) and man-in-the-middle attacks. Currently proposed spoofing prevention approaches either focus on protecting only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring situations like path asymmetry. With incremental deployability in mind, this paper presents two complementary hop-wise packet tagging approaches that equip the routers to drop spoofed packets close to their point of origin. Our simulations show that these approaches dramatically reduce the amount of spoofing possible even under partial deployment.     

IP欺骗技术和防范方法

IP欺骗是一种复合型网络攻击技术,研究IP欺骗原理与技术有利于有效防范黑客攻击,保护资源.IP欺骗的主要技术包括IP地址伪造技术、TCP SYN 洪流攻击技术与TCP序列号猜测等技术.通过列举典型实例,分析一个完整的攻击过程,总结IP欺骗的具体预防技术,为防止IP欺骗提供一种有效的方法.     

DOS攻击的逆向路径追踪算法研究

在当前 IP源地址可欺骗的情况下 ,准确、快速追踪攻击源是防范网络攻击尤其是 DOS攻击的关键 .本文给出了逆向路径追踪 DOS攻击的模型和评价指标 ,分析了已有算法的性能 .在此基础上 ,提出一种新的基于消息鉴别码的随机数据包标记算法 MPPM.在该算法中路由器随机标记转发的数据包 ,标记信息包括路由器自身及其下游路由器组成的边标记的分片以及 MAC值 ,DOS攻击的受害者利用 MAC把不同攻击数据包中的边标记分片重组以得到边标记及攻击路径 ,并可鉴别标记的真伪 .分析和模拟结果表明 ,该算法具有线性的计算复杂度 ,追踪速度快 ,误差较小 ,高效可行     

IPSec和IP Filter在路由器中部署策略的研究

IPSec和IP Filter是IPv6路由器中的重要安全部件．IPSec的安全关联查找引擎具有类似于IP Filter的功能，也需要对IP包进行过滤和匹配，路由器中流动的IP包可能需要经过这两个部件的重复过滤，因此，这两个部件之间的部署策略将会直接影响到IP包的处理效率．从路由器整体安全的角度分析了两个安全部件之间的相互关系，提出了一个新的部署策略．与国际上著名的开放源码IPv6协议栈KAME相比较，该部署策略可以提高IPSec的处理效率，减轻IP Filter对IPSec的负面影响，同时，也减少了IP包在路由器中的重复过滤，提高了IP包的处理效率．     

Building an Identity Management Infrastructure for Today…and Tomorrow

ABSTRACT

The basis of denial of service (DoS)/distributed DoS (DDoS) attacks lies in overwhelming a victim's computer resources by flooding them with enormous traffic. This is done by compromising multiple systems that send a high volume of traffic. The traffic is often formulated in such a way that it consumes finite resources at abnormal rates either at victim or network level. In addition, spoofing of source addresses makes it difficult to combat such attacks. This paper adopts a twofold collaborative mechanism, wherein the intermediate routers are engaged in markings and the victim uses these markings for detecting and filtering the flooding attacks. The markings are used to distinguish the legitimate network traffic from the attack so as to enable the routers near the victim to filter the attack packets. The marked packets are also helpful to backtrack the true origin of the spoofed traffic, thus dropping them at the source rather than allowing them to traverse the network. To further aid in the detection of spoofed traffic, Time to Live (TTL) in the IP header is used. The mappings between the IP addresses and the markings along with the TTLs are used to find the spurious traffic. We provide numerical and simulated experimental results to show the effectiveness of the proposed system in distinguishing the legitimate traffic from the spoofed. We also give a statistical report showing the performance of our system.     

低价位GTS显卡谁最值得购买——四款低价位GeForce2 GTS对比测试

IP欺骗是常用的一种攻击手段。在存在信任关系的网络中,IP欺骗能够伪装成为合法用户,取得一般用户甚至超级用户的权限,危害甚大。本文分析了这种攻击的实现原理,并提出了针对这种攻击的检测方法和防御技术,另外对IP欺骗和IP却持进行了比较。     

网络通信中TCP/IP协议安全隐患研究

TCP/IP协议本身存在许多安全缺陷,使网络通信受到IP地址欺骗、ARP欺骗、ICMP攻击、TCP SYN Flood、DNS攻击等。本文深入研究了TCP/IP协议中存在的安全隐患,并针对这些漏洞给出了相应的防范和改进措施。     

Short-circuiting the congestion signaling path for AQM algorithms using reverse flow matching

Recently, we introduced a new congestion signaling method called ACK spoofing, which offers significant benefits over existing methods, such as packet dropping and Explicit Congestion Notification (ECN). Since ACK spoofing requires the router to create a ‘short circuit’ signaling path, by matching marked data packets in a congested buffer with ACK packets belonging to the same flow that are traveling in the opposite direction, the focus of this paper is evaluating the feasibility of reverse flow matching. First, we study the behavior of individual flows from real bi-directional Internet traces to show that ACK spoofing has the potential to significantly reduce the signaling latency for Internet core routers. We then show that reverse flow matching can be implemented at reasonable cost, using essentially the same hardware as the packet filtering logic commonly employed in Layer 2 transparent bridges. Finally, we show that this architecture can be scaled to accommodate worst-case traffic patterns on multi-gigabit links that would render ordinary route caching algorithms completely ineffective.     

A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks

Attack mitigation schemes actively throttle attack traffic generated in distributed denial-of-service (DDoS) attacks. This paper presents attack diagnosis (AD), a novel attack mitigation scheme that adopts a divide-and-conquer strategy. AD combines the concepts of pushback and packet marking, and its architecture is in line with the ideal DDoS attack countermeasure paradigm - attack detection is performed near the victim host and packet filtering is executed close to the attack sources. AD is a reactive defense mechanism that is activated by a victim host after an attack is detected. By instructing its upstream routers to mark packets deterministically, the victim can trace back one attack source and command an AD-enabled router close to the source to filter the attack packets. This process isolates one attacker and throttles it, which is repeated until the attack is mitigated. We also propose an extension to AD called parallel attack diagnosis (PAD) that is capable of throttling traffic coming from a large number of attackers simultaneously. AD and PAD are analyzed and evaluated using the Skitter Internet map, Lumeta's Internet map, and the 6-degree complete tree topology model. Both schemes are shown to be robust against IP spoofing and to incur low false positive ratios     

基于Hash_tree的多维IP包分类算法

随着各种网络应用的发展,路由器必须能够快速完成对IP数据包的分类,以支持如防火墙、QoS等服务。文章分析了多维IP包分类中Hash算法的应用,在此基础上提出了一种基于Hash_tree的多维IP包分类算法。该算法充分发挥了Hash函数查找快速的特点,对IP数据包的分类能够以T位的线速进行处理,同时算法还具有支持较大的匹配规则集、支持增量更新等特点。     

支持ForCEs的IP路由器技术研究与实现

支持ForCEs的IP路由器通过使CE和FE的分离,从而实现网络功能的快速配置和重 组。提出了一种在Linux下FEModule的实现机制,在此基础上构造出一个支持ForCEs的IP路由器 进行测试。结果表明,通过这种机制实现的ForCEs路由器能很好地满足ForCEs的需求。     

An IP Traceback Protocol using a Compressed Hash Table,a Sinkhole Router and Data Mining based on Network Forensics against Network Attacks

The Source Path Isolation Engine (SPIE) is based on a bloom filter. The SPIE is designed to improve the memory efficiency by storing in a bloom filter the information on packets that are passing through routers, but the bloom filter must be initialized periodically because of its limited memory. Thus, there is a problem that the SPIE cannot trace back the attack packets that passed through the routers earlier. To address this problem, this paper proposes an IP Traceback Protocol (ITP) that uses a Compressed Hash Table, a Sinkhole Router and Data Mining based on network forensics against network attacks. The ITP embeds in routers the Compressed Hash Table Module (CHTM), which compresses the contents of a Hash Table and also stores the result in a database. This protocol can trace an attack back not only in real time using a hash table but also periodically using a Compressed Hash Table (CHT). Moreover, the ITP detects a replay attack by attaching time-stamps to the messages and verifies its integrity by hashing it. This protocol also strengthens the attack packet filtering function of routers for the System Manager to update the attack list in the routers periodically and improves the Attack Detection Rate using the association rule among the attack packets with an Apriori algorithm.     

Transport-aware IP routers: a built-in protection mechanism to counter DDoS attacks

The lack-of service differentiation and resource isolation by current IP routers exposes their vulnerability to Distributed Denial of Service (DDoS) attacks (Garber, 2000), causing a serious threat to the availability of Internet services. Based on the concept of layer-4 service differentiation and resource isolation, where the transport-layer information is inferred from the IP headers and used for packet classification and resource management, we present a transport-aware IP (tIP) router architecture that provides fine-grained service differentiation and resource isolation among different classes of traffic aggregates. The tIP router architecture consists of a fine-grained Quality-of-Service (QoS) classifier and an adaptive weight-based resource manager. A two-stage packet-classification mechanism is devised to decouple the fine-grained QoS lookup from the usual routing lookup at core routers. The fine-grained service differentiation and resource isolation provided inside the tIP router is a powerful built-in protection mechanism to counter DDoS attacks, reducing the vulnerability of Internet to DDoS attacks. Moreover, the tIP architecture is stateless and compatible with the Differentiated Service (DiffServ) infrastructure. Thanks to its scalable QoS support for TCP control segments, the tIP router supports bidirectional differentiated services for TCP sessions.     

基于SNMP的ARP攻击检测系统设计与实现

随着校园网的发展,校园网用户大大增加,同时局域网ARP欺骗攻击极大影响着校园网用户的上网质量。通过SNMP读取路由器、交换机的ARP表,对ARP欺骗攻击进行检测,结合DCBI网络管理系统,迅速定位到ARP欺骗攻击源,取得了良好的效果。