Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Jie Li,Jun Bi,Jianping Wu,Wei Zhang

DOI: https://doi.org/10.1109/nca.2012.20

2012-01-01

Abstract:The functional deficiency of the Internet architecture enables attackers the ability to easily to spoof IP source address. The traditional signature-and-verification based anti-spoofing methods are often limited by essential process based on an explicit analysis and process of the IP header and does not adapt to incremental deployment. This paper designs a multi-fence countermeasure based inter-domain source address validation method named VIP. By employing intelligent originating information label and extended MPLS based cloud and network, VIP enables lightweight-label-based packet forwarding and validation. And VIP offers gains in efficiency by reducing the load on both forwarding tables and validation processing without negative influences and complex operations on de facto networks. In addition to enhanced scalability, VIP may facilitate incremental deployment in the long run.

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Yan Shen,Jun Bi,Jianping Wu,Qiang Liu

DOI: https://doi.org/10.1109/iscc.2008.4625684

2008-01-01

Abstract:IP source address spoofing is used by DDoS and DrDoS attacks in the Internet. This paper presents a signature-and-verification based IP spoofing prevention method, automatic peer-to-peer based anti-spoofing method (APPA). APPA has two levels: intra-AS (autonomous system) level and inter-AS level. In the intra-AS level, the end host tags a one-time key into each outgoing packet and the gateway at the AS border verifies the key. In inter-AS level, the gateway at the AS border tags a periodically changed key into the leaving packet and the gateway at border of the destination AS verifies and removes the key. The most prominent characteristic of APPA is the automatically synchronizing state-machine, which is used to update keys automatically and effectively. The benefits of APPA are: (1) preventing IP address spoofing strictly, end systems canpsilat even spoof addresses in the same AS or subnet, (2) providing very low running and management costs, (3) supporting anti-replay attacks and incremental deployment.

Jun Bi,Jianping Wu,Miao Zhang

DOI: https://doi.org/10.1007/11807964_69

2006-01-01

Abstract:The lack of verifying source address in Internet makes it easy for attackers to spoof the source IP address. One of challenges of Internet has been recognized is building mechanisms in routers to verify the source address. This paper discusses Source Address Spoofing Prevention (SASP) mechanisms, presents a formal description on SASP network and SASP router, proposes a hierarchical SASP architecture, and presents some design principles of SASP mechanisms.

Xiaoliang Wang,Ke Xu,Yangfei Guo,Haiyang Wang,Songtao Fu,Qi Li,Bin Wu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2024.3377116

2024-01-01

Abstract:The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Guang Yao,Jun Bi

DOI: https://doi.org/10.1109/lcn.2008.4664225

2008-01-01

Abstract:In this paper, we present a novel source address spoofing prevention method for IPv6 access network called CGA based source address authentication (CSAA). It makes use of CGA (cryptographically generated address) to generate an unspoofable identifier of host without PKI, and bind it to the authorized address of the host. Then all the packets sent out by the host can be validated in the first-hop router by a light-weight method.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.1109/pccc.2017.8280451

2017-01-01

Abstract:IP spoofing, which is prevalently used for anonymity and reflection attacks, has shown increasing destructive power in recent years. Although certain source address validation solutions have been standardized by the Internet Engineering Task Force, few networks are willing to adopt them in view of the deficiency of deployment benefits. Actually, all the source address validation solutions face the problem of a lack of deployability. In this paper, we summarize the key points describing deployability and propose a new security service-inter-autonomous-system (AS) Source Address Protection (iSAP). Technically, by increasing the possibility of keeping the source address belonging to one AS from being the victim of reflection flooding, iSAP improves the deployers ability to prevent IP spoofing and increases incremental deployability. In reality, such a service can also be regarded as a new profit opportunity for ASes and it could progress gradually once it is well commercialized. Based on simulations with real Internet topology data, the results illustrate that iSAP can protect ASes from being reflected with only a few deployers, exhibiting a high potential to mitigate reflection flooding with modest resource consumption.

Baobao Zhang,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2014.6911764

2014-01-01

Abstract:In today's Internet, users can send packets with forged source IP addresses, called IP Spoofing, which causes many severe problems to the Internet, especially the security problem. Extensive methods have been proposed to prevent IP spoofing. One category of anti-spoofing methods is extra-information-based. The other category of anti-spoofing methods is existing-information-based. The existing-information-based anti-spoofing methods are much easier to deploy than the extra-information-based ones. Thus, we focus on the existing-information-based anti-spoofing methods in this paper. However, the existing existing-information-based anti-spoofing methods perform poorly on preventing IP spoofing. Therefore, in this paper we propose a new existing-information-based anti-spoofing method, named Link-state-based Anti-Spoofing (LAS), which works in a link-state-protocol-based network. LAS provides good effectiveness on preventing IP spoofing as our simulation results show that even if LAS is only deployed on 10% of routers in a link-state-protocol-based network, 80%~99% of spoofing cases in the network can be prevented in general.

Lizhong Xie,Jun Bi,Jianpin Wu

DOI: https://doi.org/10.1007/978-3-540-72590-9_121

2007-01-01

Abstract:In today's Internet routing architecture, the router doesn't validate the correctness of the source address carried in the packet, nor keep the state information when forwarding the packet. Thus the DDoS attacks with spoofed IP source address can cause security problems. In this paper, we aim to prevent the attackers from attacking somewhere outside the IPv6 edge network with forged source address in the fine granularity. The proposed methods include source address authentication by using session key and hash digest algorithm, and replay attack prevention by combining the sequence number method and the timestamp method. This paper presents the algorithm design and evaluates its feasibility and correctness by simulation experiments.

Xinyu Yang,Jiahao Cao,Mingwei Xu

DOI: https://doi.org/10.1109/ipccc50635.2020.9391554

2020-01-01

Abstract:Spoofed traffic has been a great threat to the Internet. Tag-based inter-AS source address validation solutions show great effectiveness and high deployment incentives on filtering spoofed traffic. However, they fail to consider secure key negotiation for tags, efficient tag generation for network devices, and compatible tag placement for network functionalities. In this paper, we present SEC, a secure, efficient, and compatible source address validation scheme based on packet tags. We provide a secure key negotiation method and a lightweight tag generation algorithm for SEC considering hardware limitations of network devices. They can be easily implemented in network devices to filter spoofed packets while forwarding packets at approximately line rate. We also carefully place all tags into appropriate option fields in packet headers to guarantee the compatibility of network functionalities. We implement SEC in real programmable switches. Both theoretical analysis and experimental results show SEC can verify source addresses of packets in a secure, efficient, and compatible way.

Ming Li,Yong Cui,Matti Siekkinen,Antti Yla-Jaaski

DOI: https://doi.org/10.1109/glocomw.2010.5700338

2010-01-01

Abstract:We present the design and evaluation of NPLA (Network Prefix Level Authentication), a system allowing source addresses to be validated within the network to the granularity of network prefix. Prefix routers use public key cryptography to insert NPLA headers in outgoing packets. En route entities holding the corresponding public key verify the source of a packet. NPLA provides deployment incentives because each upgraded prefix can prevent its address space from being maliciously used by other networks and its traffic is forwarded with high priority. In order to increase the scalability, NPLA does not employ PKI but leverages BGP to distribute public keys. Based on the relative damage reduction analysis, we conclude that NPLA provides more relative benefit than other approaches when they are all partially deployed. In order to decrease the overhead induced by public key cryptography, NPLA uses FPGA based hardware cryptography accelerator which has been proven to achieve several Gbps throughput on average.

YiHao Jia,Ying Liu,Gang Ren

DOI: https://doi.org/10.1109/GLOBECOM38437.2019.9013151

2019-01-01

Abstract:IP spoofing, which is generally used for anonymity and amplification, constantly leads to pervasive distributed denial-of-service (DDoS) attacks. To mitigate IP spoofing, source address validation is divided into access network, intra-autonomous system (AS), and inter-AS levels. However, because of ambiguous incentives, heterogeneous demands, and fragile trust, techniques for the inter-AS level fail in practice, and thus, IP spoofing is still considered as an almost open vulnerability of the entire Internet. In this study, we aim to transform the inter-AS source address validation into an "address protection" service, and we mitigate IP spoofing through an economicsdriven framework - apf ('a'ddress 'p'rotection 'f'ramework). In such a protection, the addresses belonging to one AS can be prevented from being spoofed by others. Behind the framework, such a service will be consolidated by a unified trust anchor with a uniform interface, and deployer ASes will be free to select their preferred techniques and invoke the service when needed. Based on the empirical data and theoretical analysis, we prove that the service is acceptable for triggering economics-driven implementation under the guidance of the apf framework.

Jie Li,Jianping Wu,Ke Xu

DOI: https://doi.org/10.1109/glocom.2011.6133740

2012-01-01

Chinese Journal of Computers

Abstract:Next generation Internet is highly concerned with the issue of trustworthy. An important foundation of trustworthy is authentication of the source IP address. With existing signature-and-verification based defense mechanisms, there is a lack of hierarchical architecture, which makes the structure of the trust alliance excessively flat and single. Moreover, with the increasing scale of trust alliances, costs of validation grow so quickly that they do not adapt to incremental deployment. Via comparison with traditional solutions, this article proposes a hierarchical, inter-domain authenticated source address validation solution named SafeZone. SafeZone employs two intelligent designs: lightweight tag replacement and a hierarchical partitioning scheme, each of which helps to ensure that SafeZone can construct trustworthy and hierarchical trust alliances without the negative influences and complex operations on de facto networks. Extensive experiments also indicate that SafeZone can effectively obtain the design goals of a hierarchical architecture, along with lightweight, loose coupling and "multi-fence support" as well as supporting incremental deployment.

Guang Yao,Jun Bi,Tao Feng,Peiyao Xiao,Duanqi Zhou

DOI: https://doi.org/10.1109/ICCCN.2014.6911784

2014-01-01

Abstract:IP spoofing is a well-known security threat on the Internet. Though there have been a number of spoofing prevention mechanisms, due the diversity of networks and management objectives, the operators may prefer a framework which enables easy installation and modification of the IP spoofing prevention solution, rather than a single mechanism. In this article, a lightweight and efficient framework for route-based IP spoofing filtering, named SEFA, is proposed. Through providing a collective view of the network and decoupling the filtering rule generation from network devices, SEFA enables easily installation of spoofing filtering application. SEFA mainly resolves the challenge that how to build network abstraction without taking full controllability. SEFA has been implemented based on slightly modifying commercial routers and an open source controller. Based on experiments, SEFA is found to be able to reduce the overhead and the latency of filtering rule generation and installation, while keeping off the complexity and latency of generating forwarding rules by the controller.

Jiamin Cao,Ying Liu,Mingxing Liu,Lin He,Yihao Jia,Fei Yang

DOI: https://doi.org/10.1109/IWQOS52092.2021.9521336

2021-01-01

Abstract:Source IP address spoofing has been a major vulnerability of the Internet for many years. Although much work has been done to study the problem extensively, spoofing continues to occur frequently and has led to many serious network attacks. Inter-AS source address validation (SAV) is considered an important defense method for AS to filter spoofed packets. However, existing work has been unable to drive inter-AS SAV deployment into practice due to the lack of deployment incentives and trust foundation. In this paper, we propose a practical and decentralized inter-AS SAV service framework, pSAV, to promote inter-AS SAV deployment. pSAV increases deployment incentives by treating SAV as a payable service and dividing the participant ASes into service subscribers, providers, and auditors. On the control plane, pSAV leverages blockchain as a trust foundation to provide service subscriptions and audits with automatic incentive allocation. On the data plane, pSAV leverages P4-programmable switches to provide flexible and high-performance SAV services. We prototype the pSAV control plane based on Hyperledger Fabric and implement various SAV techniques on Barefoot Tofino switches. The evaluation results show that (1) on the control plane, pSAV blockchain can provide high-performance service transactions (hundreds of transactions per second with second latency), and (2) on the data plane, pSAV can provide various high-throughput (hundreds of Gbps) SAV services using only one programmable switch.

Bi Jun,Liu Bingyang,Wu Jianping,Shen Yan

DOI: https://doi.org/10.1016/s1007-0214(09)70097-5

2009-01-01

Tsinghua Science & Technology

Abstract:A signature-and-verification-based method, automatic peer-to-peer anti-spoofing （APPA）, is proposed to prevent IP source address spoofing. In this method, signatures are tagged into the packets at the source peer, and verified and removed at the verification peer where packets with incorrect signatures are filtered. A unique state machine, which is used to generate signatures, is associated with each ordered pair of APPA peers. As the state machine automatically transits, the signature changes accordingly. KISS random number generator is used as the signature generating algorithm, which makes the state machine very small and fast and requires very low management costs. APPA has an intra-AS （autonomous system） level and an inter-AS level. In the intra-AS level, signatures are tagged into each departing packet at the host and verified at the gateway to achieve finer-grained anti-spoofing than ingress filtering. In the inter-AS level, signatures are tagged at the source AS border router and verified at the destination AS border router to achieve prefix-level anti-spoofing, and the automatic state machine enables the peers to change signatures without negotiation which makes APPA attack-resilient compared with the spoofing prevention method. The results show that the two levels are both incentive for deployment, and they make APPA an integrated anti-spoofing solution.

Lu Xi

2008-01-01

Abstract:IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem,we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes,and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes,MASK can not only enlarge the domain of the spoofing prevention service,but also filter spoofing packets in advance. Through analysis and simulations,we demonstrate MASK's accuracy and effectiveness.

Guang Yao,Jun Bi,Peiyao Xiao

DOI: https://doi.org/10.1016/j.comnet.2012.08.018

IF: 5.493

2013-01-01

Computer Networks

Abstract:Filtering out traffic with forged source address on routers can significantly improve the security of Internet. However, despite intermittent IP spoofing attacks, existing filtering mechanisms inspect each packet all the time, consuming considerable resource on routers even there is no spoofing at all. This article considers the requirement for a solution performing IP spoofing filtering with agility, which consumes resource in proportional to the size of attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The evaluation based on simulation shows VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits.

Guolong Chen,Guangwu Hu,Yong Jiang,Chaoqin Zhang

DOI: https://doi.org/10.1109/iscc.2016.7543774

2016-01-01

Abstract:Current Internet packet forwarding only relies on destination IP address and thus neglects the validation of packet's IP source address for Internet accountability, which incurs many cyber-security threats. State-of-the-art solutions either have issues in spoofing packet filtering accuracy, e.g., false positive and false negative, or encounter scalability and deployment problems, i.e., end-host TCP/IP stack or router modification. In this article, we propose SAVSH, a practical IP source address validation scheme for Software Defined Networking (SDN) hybrid networks. SAVSH takes advantage of the SDN architecture which possesses global topological view and central control pattern, so that it can locate nodes for the SDN switch replacement and deploy filtering rules onto them with desirable IP prefix-level filtering accuracy. In the meantime, SAVSH also takes network dynamics (e.g., topology changes) into account. Finally, the established prototype experiment and typical topology simulations demonstrate SAVSH not only possesses desirable performance, but also owns the capability that trades the maximal validation effect with the minimal SDN switch deployment cost, which is up to more than 90% prefix coverage benefit to 15% deployment cost on average.