Guang Yao,Jun Bi,Peiyao Xiao

DOI: https://doi.org/10.1016/j.comnet.2012.08.018

IF: 5.493

2013-01-01

Computer Networks

Abstract:Filtering out traffic with forged source address on routers can significantly improve the security of Internet. However, despite intermittent IP spoofing attacks, existing filtering mechanisms inspect each packet all the time, consuming considerable resource on routers even there is no spoofing at all. This article considers the requirement for a solution performing IP spoofing filtering with agility, which consumes resource in proportional to the size of attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The evaluation based on simulation shows VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits.

Bingyang Liu,Jun Bi,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/tifs.2013.2296437

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:IP spoofing-based flooding attacks are a serious and open security problem on the current Internet. The best current antispoofing practices have long been implemented in modern routers. However, they are not sufficiently applied due to the lack of deployment incentives, i.e., an autonomous system (AS) can hardly gain additional protection by deploying them. In this paper, we propose mutual egress filtering (MEF), a novel antispoofing method, which provides continuous deployment incentives. The MEF is implemented on the AS border routers using access control lists (ACLs). It drops an outbound packet whose source address does not belong to the local AS if the packet is related to a spoofing attack against other MEF-enabled ASes. By this means, only the deployers of the MEF can gain protection, whereas nondeployers cannot free ride. As more ASes deploy MEF, deployment incentives become higher. We present the system design of MEF, and propose an optimal prefix compression algorithm to compact the ACL into the routers' limited hardware resource. With theoretical analysis and simulations with real Internet data, our evaluation results show that MEF is the only method that achieves monotonically increasing deployment incentives for all types of spoofing attacks, and the system design is lightweight and practical. The prefix compression algorithm advances the state-of-the-art by generalizing the functionalities and reducing the overhead in both time and space.

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Lu Xi

2008-01-01

Abstract:IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem,we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes,and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes,MASK can not only enlarge the domain of the spoofing prevention service,but also filter spoofing packets in advance. Through analysis and simulations,we demonstrate MASK's accuracy and effectiveness.

Bingyang Liu,Jun Bi,Xiaowei Yang

DOI: https://doi.org/10.1145/2377677.2377707

IF: 1.937

2012-01-01

ACM SIGCOMM Computer Communication Review

Abstract:No abstract available.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.1109/pccc.2017.8280451

2017-01-01

Abstract:IP spoofing, which is prevalently used for anonymity and reflection attacks, has shown increasing destructive power in recent years. Although certain source address validation solutions have been standardized by the Internet Engineering Task Force, few networks are willing to adopt them in view of the deficiency of deployment benefits. Actually, all the source address validation solutions face the problem of a lack of deployability. In this paper, we summarize the key points describing deployability and propose a new security service-inter-autonomous-system (AS) Source Address Protection (iSAP). Technically, by increasing the possibility of keeping the source address belonging to one AS from being the victim of reflection flooding, iSAP improves the deployers ability to prevent IP spoofing and increases incremental deployability. In reality, such a service can also be regarded as a new profit opportunity for ASes and it could progress gradually once it is well commercialized. Based on simulations with real Internet topology data, the results illustrate that iSAP can protect ASes from being reflected with only a few deployers, exhibiting a high potential to mitigate reflection flooding with modest resource consumption.

Jun Bi,Jianping Wu,Miao Zhang

DOI: https://doi.org/10.1007/11807964_69

2006-01-01

Abstract:The lack of verifying source address in Internet makes it easy for attackers to spoof the source IP address. One of challenges of Internet has been recognized is building mechanisms in routers to verify the source address. This paper discusses Source Address Spoofing Prevention (SASP) mechanisms, presents a formal description on SASP network and SASP router, proposes a hierarchical SASP architecture, and presents some design principles of SASP mechanisms.

Junjie Xie,Deke Guo,Xiaozhou Li,Yulong Shen,Xiaohong Jiang

DOI: https://doi.org/10.1109/jsac.2018.2815358

IF: 16.4

2018-01-01

IEEE Journal on Selected Areas in Communications

Abstract:To enable the network softwarization, network function virtualization (NFV) and software defined networking (SDN) are integrated to jointly manage and utilize the network resource and virtualized network functions (VNFs). For a network flow resulting from any NFV application, an associated switch would send a routing request to the controller in SDN. The controller then generates and configures a routing path to dynamically steer the flow across appropriate VNFs or service function chains. This process, however, exhibits a skew distribution of response latency with a long tail. Cutting the long-tail latency of response is critical to enable the network softwarization, yet difficult to achieve due to many factors, such as the limited capacities and the load imbalance among controllers. In this paper, we reveal that such flow requests still experience the long-tail response latency, even using the up-to-date controller-to-switch assignment mechanism. To tackle this essential problem, we first propose a light-weight and load-aware switch-to-controller selection scheme to cut the long-tail response latency under the simple scenario of homogeneous controllers, and then design a general delay-aware switch-to-controller selection scheme to fundamentally cut the long-tail response latency for the more complicated heterogeneous controller scenario with performance fluctuations. The comprehensive evaluations indicate that our two new switch-to-controller selection schemes can significantly reduce the long-tail latency and provide higher system throughput.

YiHao Jia,Ying Liu,Gang Ren

DOI: https://doi.org/10.1109/GLOBECOM38437.2019.9013151

2019-01-01

Abstract:IP spoofing, which is generally used for anonymity and amplification, constantly leads to pervasive distributed denial-of-service (DDoS) attacks. To mitigate IP spoofing, source address validation is divided into access network, intra-autonomous system (AS), and inter-AS levels. However, because of ambiguous incentives, heterogeneous demands, and fragile trust, techniques for the inter-AS level fail in practice, and thus, IP spoofing is still considered as an almost open vulnerability of the entire Internet. In this study, we aim to transform the inter-AS source address validation into an "address protection" service, and we mitigate IP spoofing through an economicsdriven framework - apf ('a'ddress 'p'rotection 'f'ramework). In such a protection, the addresses belonging to one AS can be prevented from being spoofed by others. Behind the framework, such a service will be consolidated by a unified trust anchor with a uniform interface, and deployer ASes will be free to select their preferred techniques and invoke the service when needed. Based on the empirical data and theoretical analysis, we prove that the service is acceptable for triggering economics-driven implementation under the guidance of the apf framework.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icnp.2012.6459939

2012-01-01

Abstract:The authentication of the IP source address remains one of the most important steps in making the Internet as trustworthy as possible. With existing anti-spoofing solutions, deployed ASes lack cooperation when exchanging routing decisions and disseminations. In general, this makes anti-spoofing mechanisms inefficient and does not adapt to incremental deployment. By introducing routing choice feedback, we propose a distributed inter-domain anti-spoofing solution (Umbrella). In Umbrella, the deployed ASes can acquire approximate global routing choice information. Our approach offers gains in efficiency through the verification of the packets forwarding path and the construction of dynamically spoofing packets filter. Our experimental analysis of Umbrella shows it to be both effective and incrementally deployable.

Guanyu Li,Menghao Zhang,Chang Liu,Xiao Kong,Ang Chen,Guofei Gu,Haixin Duan

DOI: https://doi.org/10.1109/icnp.2019.8888057

2019-01-01

Abstract:In this paper, we design NETHCF, a line-rate in-network system for filtering spoofed traffic. NETHCF leverages the opportunity provided by programmable switches to design a novel defense against spoofed IP traffic, and it is highly efficient and adaptive. One key challenge stems from the restrictions of the computational model and memory resources of programmable switches. We address this by decomposing the HCF system into two complementary components-one component for the data plane and another for the control plane. We also aggregate the IP-to-Hop-Count (IP2HC) mapping table for efficient memory usage, and design adaptive mechanisms to handle end-to-end routing changes, IP popularity changes, and network activity dynamics. We have built a prototype on a hardware Tofino switch, and our evaluation demonstrates that NETHCF can achieve line-rate and adaptive traffic filtering with low overheads.

Baobao Zhang,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2014.6911764

2014-01-01

Abstract:In today's Internet, users can send packets with forged source IP addresses, called IP Spoofing, which causes many severe problems to the Internet, especially the security problem. Extensive methods have been proposed to prevent IP spoofing. One category of anti-spoofing methods is extra-information-based. The other category of anti-spoofing methods is existing-information-based. The existing-information-based anti-spoofing methods are much easier to deploy than the extra-information-based ones. Thus, we focus on the existing-information-based anti-spoofing methods in this paper. However, the existing existing-information-based anti-spoofing methods perform poorly on preventing IP spoofing. Therefore, in this paper we propose a new existing-information-based anti-spoofing method, named Link-state-based Anti-Spoofing (LAS), which works in a link-state-protocol-based network. LAS provides good effectiveness on preventing IP spoofing as our simulation results show that even if LAS is only deployed on 10% of routers in a link-state-protocol-based network, 80%~99% of spoofing cases in the network can be prevented in general.

Laurent Patrice,Ramadhani Sinde,Judith Leo

DOI: https://doi.org/10.1109/access.2024.3409679

IF: 3.9

2024-06-15

IEEE Access

Abstract:Address Resolution Protocol (ARP) spoofing has been a long-standing problem with no clear remedy until now. The attacks can be launched easily utilizing an enormous number of publicly available tools on the web; however, they are extremely tough to counterattack due to ARP's stateless nature for not authenticating ARP replies for a subsequent request. Previous studies have demonstrated significant efforts to counterattack these assaults in Software-Defined Networks (SDN); however, much effort has been focused solely on detecting the assaults, with little effort being made to address performance bottlenecks, scalability, and Single Point of Failure (SPOF) issues in large-scale networks. In this study, we focus on developing ARP spoofing attacks detection mechanism in large-scale SDN that is immune to SPOF and provides enhanced network performance and scalability. The main purpose is to enable controllers to intercept and analyze all incoming ARP packets, learn address mappings, and store them in the application's memory to be used as a basis for ongoing ARP cache comparisons while maintaining a global cache in a controller. To achieve the goal of this study, a simulation experiment in a closed network environment was undertaken to precisely monitor network traffic and result patterns. Mininet and the Open Network Operating System were used to implement the data plane and OpenFlow controllers. The results show that, the proposed solution is resistant to ARP spoofing attacks, with an average detection and mitigation time of 4.3 and 26.19 milliseconds, respectively. Further significant improvements have been observed in alleviating SPOF and performance bottlenecks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ming Li,Matti Siekkinen,Sasu Tarkoma,Antti Yla-Jaaski,Yong Cui

DOI: https://doi.org/10.1109/ISCC.2010.5546541

2010-01-01

Abstract:This paper presents SLA (Segment Level Authentication), a transport segment level solution designed to prevent both of the intra-domain and inter-domain source spoofing. SLA is based on public key cryptography authentication. It enables intermediate network nodes the ability to validate the packet authenticity by verifying authentication information carried in packets. Although public key cryptography is computationally intensive and induces the traffic overhead, SLA leverages FPGA (Field Programmable Gate Array) based ECC (Elliptic Curve Cryptography) hardware cryptography accelerator to decrease the computation and traffic overhead. SLA provides incremental deployment and offers incentives for both of hosts and ASes. We find that the SLA is feasible for Gigabit links and can effectively mitigate source spoofing in both of intra-domain and inter-domain networks.

Xinyu Yang,Jie Lin,Wei Yu,Xinwen Fu,Genshe Chen,Erik P. Blasch

DOI: https://doi.org/10.4018/978-1-4666-0104-8.ch015

2012-01-01

Abstract:Cyber-physical systems (CPS) are systems with a tight coupling of the cyber aspects of computing and communications with the physical aspects of dynamics and engineering that abide by the laws of physics. The real-time monitoring provided by wireless sensor networks (WSNs) is essential for CPS, as it provides rich and pertinent information on the condition of physical systems. In WSNs, the attackers could inject false measurements to the controller through compromised sensor nodes, which not only threaten the security of the system, but also consume significant network resources and pose serious threats to the lifetime of sensor networks. To mitigate false data injection (FDI) measurement attacks, a number of situation aware en-route filtering schemes to filter false data inside the networks have been developed. In this book chapter, the authors first review those existing situation aware en-route filter mechanisms such as: Statistical En-route Filtering (SEF), Location-Based Resilient Secrecy (LBRS), Location-ware End-to-end Data Security (LEDS), and Dynamic En-route Filtering Scheme (DEFS). The authors then compare the performance of those schemes via both the theoretical analysis and simulation study. These extensive simulations validate findings that most of the schemes can filter out false data within few hops, and the filtering efficiency increases as the number of hops increases and the filtering efficiency of most schemes decreases rapidly as the number of compromised nodes increases.

Zhou Zhang,Ying Liu,Jianping Wu,Gang Ren,Jun Bi

DOI: https://doi.org/10.1109/LANMAN.2015.7114734

2015-01-01

Abstract:IP spoofing based attacks remains a serious and open security problem due to the fact that the current Internet implements no source address authentication mechanisms. A series of anti-spoofing practices have long been proposed while their actual implementation seems far from satisfactory. Route based filters were extensively studied in the design of Inter-AS source address validation methods. Traditional route based filters only use route direction information to establish filtering rules, causing inherited fake negatives. A novel inter-AS filter based on route path vector is proposed to reduce or even eliminate such fake negatives in this article. We name the filter IPVF (Inter-AS Path Vector Filter), which utilizes the route information of both path and distance, exhibits measurable increase in performance and incurs acceptable additional bandwidth cost. Moreover, traditional route based filtering rules is easy to be deduced by attackers. Since the filtering rules of IPVF could change over time by setting parameters, its actual improvement in performance could be exponentially increased.

Shu Yang,Mingwei Xu,Dan Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2012.6289219

2012-01-01

Abstract:Source address filtering is used as an important mechanism to prevent malicious traffic. Currently, most networks store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Although software can accommodate large number of filters, it needs multiple accesses to memory on the border router, which bears much more additional burden than other routers.In this paper, we propose a software-based mechanism for source address filtering. In our mechanism, we only need to check a few bits in source addresses on each router, rather than checking all bits on the ingress router. Through cooperation among routers, our mechanism ensures that malicious traffic will be filtered in the network.We formulate this problem as finding a cooperative scheme such that the loads on all routers are optimally balanced. We show that the problem can be optimally solved by dynamic programming. We evaluate our algorithms using comprehensive simulations with BRITE generated topologies and real world topologies. We conduct a case study on China Education and Research Network 2 (CERNET2) configurations, a large IPv6 network. Compared to checking 128-bit IP addresses on ingress routers, our algorithm checks at most 40 bits on each router.

Gongming Zhao,Hongli Xu,Jianchun Liu,Chen Qian,Juncheng Ge,Liusheng Huang

DOI: https://doi.org/10.1109/ICNP.2019.8888123

2019-01-01

Abstract:The past decades have seen a proliferation of middlebox deployment in various networks, including backbone networks and datacenters. Since network flows have to traverse specific service function chains (SFCs) for security and performance enhancement, it becomes much complex for SFC routing due to routing loops, traffic dynamics and scalability requirement. The existing SFC routing solutions may consume many resources (e.g., TCAM) on the data plane and lead to massive overhead on the control plane, which decrease the scalability of middlebox networks. Due to SFC requirement and potential routing loops, solutions like traditional default paths (e.g., using ECMP) that are widely used in non-middlebox networks will no longer be feasible. In this paper, we present and implement a scalable and flexible middlebox policy enforcement (SAFE-ME) system to minimize the TCAM usage and control overhead. To this end, we design the smart tag operations for construction of default SFC paths with less TCAM rules in the data plane, and present lightweight SFC routing update with less control overhead for dealing with traffic dynamics in the control plane. We implement our solution and evaluate its performance with experiments on both physical platform (Pica8) and Open vSwitch (OVS), as well as large-scale simulations. Both experimental and simulation results show that SAFE-ME can greatly improve scalability (e.g., TCAM cost, update delay, and control overhead) in middlebox networks. For example, our system can reduce the control traffic overhead by about 83% while achieving almost the similar middlebox load, compared with state-of-the-art solutions.

Bingyang Liu,Jun Bi,Yu Zhu

DOI: https://doi.org/10.1109/mnet.2015.7113230

IF: 10.294

2015-01-01

IEEE Network

Abstract:IP spoofing makes network attacks more destructive and harder to prevent. AS spoofing defenses mitigate these attacks by enforcing AS-level source address validity. Although many inter-AS defenses have been proposed, none is sufficiently deployed by Internet service providers. In this article we investigate the deployability of the defenses by evaluating their deployment benefit, deployment cost, and operational risk. Evaluation results reveal the technical features of highly deployable defenses, which can help improve existing defenses and the design of future defenses.

Tianxiang Dai,Haya Shulman

DOI: https://doi.org/10.1145/3485832.3485917

2024-04-16

Abstract:To protect themselves from attacks, networks need to enforce ingress filtering, i.e., block inbound packets sent from spoofed IP addresses. Although this is a widely known best practice, it is still not clear how many networks do not block spoofed packets. Inferring the extent of spoofability at Internet scale is challenging and despite multiple efforts the existing studies currently cover only a limited set of the Internet networks: they can either measure networks that operate servers with faulty network-stack implementations, or require installation of the measurement software on volunteer networks, or assume specific properties, like traceroute loops. Improving coverage of the spoofing measurements is critical. In this work we present the Spoofing Mapper (SMap): the first scanner for performing Internet-wide studies of ingress filtering. SMap evaluates spoofability of networks utilising standard protocols that are present in almost any Internet network. We applied SMap for Internet-wide measurements of ingress filtering: we found that 69.8% of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets and found 46880 new spoofable ASes which were not identified in prior studies. Our measurements with SMap provide the first comprehensive view of ingress filtering deployment in the Internet as well as remediation in filtering spoofed packets over a period of two years until May 2021. We set up a web service at <a class="link-external link-https" href="https://smap.cad.sit.fraunhofer.de" rel="external noopener nofollow">this https URL</a> to perform continual Internet-wide data collection with SMap and display statistics from spoofing evaluation. We make our datasets as well as the SMap (implementation and the source code) publicly available to enable researchers to reproduce and validate our results, as well as to continually keep track of changes in filtering spoofed packets in the Internet.

Cryptography and Security