Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Lizhong Xie,Jun Bi,Jianpin Wu

DOI: https://doi.org/10.1007/978-3-540-72590-9_121

2007-01-01

Abstract:In today's Internet routing architecture, the router doesn't validate the correctness of the source address carried in the packet, nor keep the state information when forwarding the packet. Thus the DDoS attacks with spoofed IP source address can cause security problems. In this paper, we aim to prevent the attackers from attacking somewhere outside the IPv6 edge network with forged source address in the fine granularity. The proposed methods include source address authentication by using session key and hash digest algorithm, and replay attack prevention by combining the sequence number method and the timestamp method. This paper presents the algorithm design and evaluates its feasibility and correctness by simulation experiments.

Will Major,William J Buchanan,Jawad Ahmad

DOI: https://doi.org/10.48550/arXiv.2001.07897

2020-01-22

Cryptography and Security

Abstract:Port Knocking is a method for authenticating clients through a closed stance firewall, and authorising their requested actions, enabling severs to offer services to authenticated clients, without opening ports on the firewall. Advances in port knocking have resulted in an increase in complexity in design, preventing port knocking solutions from realising their potential. This paper proposes a novel port knocking solution, named Crucible, which is a secure method of authentication, with high usability and features of stealth, allowing servers and services to remain hidden and protected. Crucible is a stateless solution, only requiring the client memorise a command, the server's IP and a chosen password. The solution is forwarded as a method for protecting servers against attacks ranging from port scans, to zero-day exploitation. To act as a random oracle for both client and server, cryptographic hashes were generated through chaotic systems.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Zhu Min,Xu Ke,Li Qi

DOI: https://doi.org/10.1007/978-3-642-24403-2_26

2011-01-01

Abstract:Mobile IPv6 runs high risk of being attacked by IP spoofing due to the introduction of mobility and route optimization. In this paper, an authentic IP address validation scheme is proposed to protect mobile nodes in Mobile IPv6 against IP spoofing attack. The mobile nodes' historical traffic information is leveraged to validate the authenticity of its claimed home address in the scheme. Compared with other authentication schemes, this scheme is much simpler to implement and easier to deploy based on the usage of real data, and does not require additional computational overhead. It also solves the address ownership problem and the unauthenticated binding update issue in Mobile IPv6. Real traces are used to demonstrate the applicability of the scheme in this paper. The experimental results show that only three consecutive historical packet records are required to construct a unique authentication key, which can identify forged home address efficiently.

Jian-fan WEI,Zhong CHEN,Yun-suo DUAN,Li-fu WANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2005.02.023

2005-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Denial of service has become a major security threat in open communications networks. Authentication and key establishment protocols usually are vulnerable to network DoS attacks. This paper presents a new countermeasure to make authentication protocols without trusted third party resistant against DoS attack. By using this method, the strength of resistance can be adjusted dynamically and most parallel session attacks can be prevented.

Shanshan Hao,Renjie Liu,Zhe Weng,Deliang Chang,Congxiao Bao,Xing Li

DOI: https://doi.org/10.1371/journal.pone.0246293

IF: 3.7

2021-01-01

PLoS ONE

Abstract:Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible, however, with recent advances of IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model named addressless server, which separates the server into an entrance module and a main service module, and assigns an IPv6 prefix instead of an IPv6 address to the main service module. The entrance module generates a legitimate IPv6 address under this prefix by encrypting the client address, so that the client can access the main server on a destination address that is different in each connection. In this way, the model provides isolation to the main server, prevents network scanning, and minimizes exposure. Moreover it provides a novel framework that supports flexible load balancing, high-availability, and other desirable features. The model is simple and does not require any modification to the client or the network. We implement a prototype and experiments show that our model can prevent the main server from being scanned at a slight performance cost.

YiHao Jia,Ying Liu,Gang Ren

DOI: https://doi.org/10.1109/GLOBECOM38437.2019.9013151

2019-01-01

Abstract:IP spoofing, which is generally used for anonymity and amplification, constantly leads to pervasive distributed denial-of-service (DDoS) attacks. To mitigate IP spoofing, source address validation is divided into access network, intra-autonomous system (AS), and inter-AS levels. However, because of ambiguous incentives, heterogeneous demands, and fragile trust, techniques for the inter-AS level fail in practice, and thus, IP spoofing is still considered as an almost open vulnerability of the entire Internet. In this study, we aim to transform the inter-AS source address validation into an "address protection" service, and we mitigate IP spoofing through an economicsdriven framework - apf ('a'ddress 'p'rotection 'f'ramework). In such a protection, the addresses belonging to one AS can be prevented from being spoofed by others. Behind the framework, such a service will be consolidated by a unified trust anchor with a uniform interface, and deployer ASes will be free to select their preferred techniques and invoke the service when needed. Based on the empirical data and theoretical analysis, we prove that the service is acceptable for triggering economics-driven implementation under the guidance of the apf framework.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11758549_26

2006-01-01

Abstract:Many network attacks forge the source address in their IP packets to block traceback. This situation does not change much in IPv6 network since IPSEC is not enabled generally and most IP address spoof attacks have taken effect before packets reached destination. Although ingress filtering can be used to validate source addresses, it could only ensure that the network portion of an address is not spoofed. Since subnets are much larger in IPv6, even with RFC 2827-like filtering an adversary can spoof an enormous range of addresses. In this paper, we propose an IPv6 address assignment scheme to generate verifiable IPv6 addresses in one network. With this scheme, router could validate the IPv6 addresses quickly, thus allow all outgoing packets with improper source addresses and all incoming packets with improper destination addresses to be immediately identified. Apart from the obvious merit to counter denial of service attacks, this scheme also make network audit and pricing easier.

ZHOU Duan-qi,BI Jun,YAO Guang

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.z1.005

2014-01-01

Abstract:In the Internet, there are no mechanisms to verify the identity of a message sender, resulting in a large number of forged identity attacks, such as phishing websites. By mapping the user identity into the rightmost 64 bit of the IPv6 address, this paper tries to make every message embedded with an identity, which lay a credible foundation for commu-nications on the Internet. We design and realize a true identity communication system based on source address validation improvement, which can protect the privacy of the users, and ensure the verifiability and authenticity of the user identi-ties.

Haijiang Xie,Jizhong Zhao

DOI: https://doi.org/10.1007/s12083-014-0287-x

IF: 3.488

2014-01-01

Peer-to-Peer Networking and Applications

Abstract:The state of art authentication schemes are tightly linked with encryption or crypto systems, which provides concrete foundations to move towards the concept of access control by confirming the user identity. However the openness of the computer network makes the identity credentials vulnerable even transmitted as cipher text especially in lots of peer-to-peer (P2P) networks. The malicious attackers can possibly steal and fake the user identity by eavesdropping, hijacking, cryptanalysis and forging. In this paper, a novel identity authentication mechanism is proposed based on the reverse usage of the Network Covert Channel (NCC) which is originally designed by attackers to create stealth communication. Different from NCC, where the packet intervals can be exploited as the data carrier to transmit the unauthorized information, we exploit such capability in Network-Covert-Channel-based Identity Authentication (NCCIA) to transmit the identity tag. By validating user identity in a covert manner, we provide a more secure authentication method compared with many existing approaches. A NCCIA demo system is designed on a FTP Platform to verify our method. The experiments demonstrate the NCCIA can prevent the attackers from eavesdropping while maintaining transmission efficiency.

Liu Wu,Ren Ping,Zhao Yawei,Sun Donghong,Liu Ke

DOI: https://doi.org/10.1109/icdsp.2015.7251328

2015-01-01

Abstract:Although widely deployed in recent years, the IPv6 protocols still have many security problems, especially the Man-In-The-Middle (MITM) Attack in IPv6 Local Area Network. This paper presents an IPv6 MITM Attack test system to help users aware the security risks, and then design a defending tool using DNSSEC to avoid session hijack attack in IPv6 Networks.

Weichao Xie,Jian Wang

DOI: https://doi.org/10.1109/sns-pcs.2013.6553830

2013-01-01

Abstract:Wireless Ad Hoc network is vulnerable to attacks due to its open and decentralized properties. This paper proposes a trusted connection based scheme for Ad Hoc network to prevent attacks. A trusted architecture is introduced into the node platform, which consists of two phases, platform identity verification and platform integrity measurement. For a communication requirement of two nodes, the terminal platform identity is firstly authenticated via Direct Anonymous Attestation, and the platform integrity measurement is performed for the nodes passing authentication. The communication is established if the nodes in both sides pass the authentication and measurement. We conduct simulation experiments to analyze the performance of the proposed scheme and verify its security in the attack scenario. The simulation results show that the proposed scheme can prevent the malicious nodes from accessing the network and resist the attacks from network.

Guangwu Hu,Wenlong Chen,Qi Li,Yong Jiang,Ke Xu

DOI: https://doi.org/10.1016/j.future.2016.09.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Despite the Internet has been rapidly developed in the past three decades, its intrinsic security mechanism, e.g., IP source address validation and user identification authentication, is still not well addressed. This results in numerous cyber security threats. In order to enhance the Internet accountability and deter potential cyber-attacks, in this paper, we propose TrueID, an IPv6 header extension scheme which can embed hash-based, creditable and undeniable user identity code inside IPv6 packets. We present the system architecture, header’s format and viable implementation approaches with different credibility granularities. Meanwhile, to verify packet credibility and integrity, we design an Autonomous System (AS) level public-key distribution system which can disseminate user’s public keys between allied ASes safely. Also, the prototype experiment has proved that our scheme possesses these features with desirable performance.

Liu Wu,Ren Ping,Sun Donghong,Liu Ke

DOI: https://doi.org/10.1109/icdsp.2017.8096115

2017-01-01

Abstract:Although widely deployed in recent years, the IPv6 protocols still have many security problems, especially the Man-In-The-Middle Attack in LAN (Local Area Network). In this paper we present an Address Forging and Data-Gram Forwarding based IPv6 Man-In-The-Middle Attack testing system to help user aware the security risks in IPv6 Networks.

ZHANG Jia,DUAN Haixin,WU Jianping

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.01.022

2011-01-01

Abstract:Anonymous communications are widely accepted as an important mechanism to protect privacy.However,the Internet protocol(IP) addresses are essentially fixed in the current network environment,so an adversary can destroy anonymity in the system by tracing IP addresses.This paper presents a peer-to-peer(P2P) based anonymous communication mechanism to enhance the anonymity of communications in IPv6 networks.This method improves the IPv6 IP generation algorithm and the onion routing based anonymous communication mechanisms.The system uses IPv6 to provide a wide address space and to periodically change the IP address to avoid privacy loss caused by IP address.The onion routing based mechanism can hide the IP addresses among network segments and encrypt the data.Tests show that integration of these two methods enhances the anonymity of anonymous communication systems,while maintaining communication efficiency and system compatibility.

David Plonka,Arthur Berger

DOI: https://doi.org/10.48550/arXiv.1707.03900

2017-07-13

Abstract:Privacy-minded Internet service operators anonymize IPv6 addresses by truncating them to a fixed length, perhaps due to long-standing use of this technique with IPv4 and a belief that it's "good enough." We claim that simple anonymization by truncation is suspect since it does not entail privacy guarantees nor does it take into account some common address assignment practices observed today. To investigate, with standard activity logs as input, we develop a counting method to determine a lower bound on the number of active IPv6 addresses that are simultaneously assigned, such as those of clients that access World-Wide Web services. In many instances, we find that these empirical measurements offer no evidence that truncating IPv6 addresses to a fixed number of bits, e.g., 48 in common practice, protects individuals' privacy. To remedy this problem, we propose kIP anonymization, an aggregation method that ensures a certain level of address privacy. Our method adaptively determines variable truncation lengths using parameter k, the desired number of active (rather than merely potential) addresses, e.g., 32 or 256, that can not be distinguished from each other once anonymized. We describe our implementation and present first results of its application to millions of real IPv6 client addresses active over a week's time, demonstrating both feasibility at large scale and ability to automatically adapt to each network's address assignment practice and synthesize a set of anonymous aggregates (prefixes), each of which is guaranteed to cover (contain) at least k of the active addresses. Each address is anonymized by truncating it to the length of its longest matching prefix in that set.

Networking and Internet Architecture

Geoffrey Alexander,Antonio M. Espinoza,Jedidiah R. Crandall

DOI: https://doi.org/10.2478/popets-2019-0071

2019-07-30

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract We present a novel attack for detecting the presence of an active TCP connection between a remote Linux server and an arbitrary client machine. The attack takes advantage of side-channels present in the Linux kernel’s handling of the values used to populate an IPv4 packet’s IPID field and applies to kernel versions of 4.0 and higher. We implement and test this attack and evaluate its real world effectiveness and performance when used on active connections to popular web servers. Our evaluation shows that the attack is capable of correctly detecting the IP-port 4-tuple representing an active TCP connection in 84% of our mock attacks. We also demonstrate how the attack can be used by the middle onion router in a Tor circuit to test whether a given client is connected to the guard entry node associated with a given circuit. In addition we discuss the potential issues an attacker would face when attempting to scale it to real world attacks, as well as possible mitigations against the attack. Our attack does not exhaust any global resource, and therefore challenges the notion that there is a direct one-to-one connection between shared, limited resources and non-trivial network side-channels. This means that simply enumerating global shared resources and considering the ways in which they can be exhausted will not suffice for certifying a kernel TCP/IP network stack to be free of privacy risk side-channels.