Tingxin Sun,Jiayi Cai,Kaiwei Guo,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/globecom54140.2023.10437875

2023-01-01

Abstract:In Internet Service Provider (ISP) networks, Amplified Reflection DDoS (AR-DDoS) attack is one of the main attack categories, which launches gigabytes of traffic with little effort and minimal cost. Thus, the mitigation of AR-DDoS attacks has been considered as a crucial part. In particular, such mitigation requires full coverage (i.e., mitigating AR-DDoS attacks launched from any location) and low overhead (i.e., mitigation should avoid high latency that degrades user experience). However, existing solutions suffer from either limited coverage or high overhead. In this paper, we propose Aigis, a distributed framework that offers full-coverage and low-overhead mitigation of AR-DDoS attacks. Our key idea is to co-design top-of-rack (ToR) switches and end-hosts, which offers line-rate packet processing performance and fine-grained view inherently, to jointly execute endpoint verification. Specifically, Aigis selectively offloads mitigation operations between ToR switches and end-hosts and implements a network-wide epoch synchronization mechanism to guarantee reliable verification. It efficiently coordinates ToR switches and end-hosts to execute the entire mitigation task. We have implemented Aigis on a testbed comprising 32x100 Gbps Tofino switches. Testbed experiments indicate that Aigis achieves complete full coverage and orders of magnitude lower host-side overhead compared to existing solutions.

Tobias Bühler,Alexandros Milolidakis,Romain Jacob,Marco Chiesa,Stefano Vissicchio,Laurent Vanbever

DOI: https://doi.org/10.48550/arXiv.2301.12843

2023-01-30

Abstract:The lack of security of the Internet routing protocol (BGP) has allowed attackers to divert Internet traffic and consequently perpetrate service disruptions, monetary frauds, and even citizen surveillance for decades. State-of-the-art defenses rely on geo-distributed BGP monitors to detect rogue BGP announcements. As we show, though, attackers can easily evade detection by engineering their announcements. This paper presents Oscilloscope, an approach to accurately detect BGP hijacks by relying on real-time traffic analysis. As hijacks inevitably change the characteristics of the diverted traffic, the key idea is to track these changes in real time and flag them. The main challenge is that "normal" Internet events (e.g., network reconfigurations, link failures, load balancing) also change the underlying traffic characteristics - and they are way more frequent than hijacks. Naive traffic analyses would hence lead to too many false positives. We observe that hijacks typically target a subset of the prefixes announced by Internet service providers and only divert a subset of their traffic. In contrast, normal events lead to more uniform changes across prefixes and traffic. Oscilloscope uses this observation to filter out non-hijack events by checking whether they affect multiple related prefixes or not. Our experimental evaluation demonstrates that Oscilloscope quickly and accurately detects hijacks in realistic traffic traces containing hundreds of events.

Networking and Internet Architecture

Guang Yao,Jun Bi,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/TIFS.2014.2381873

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level. As a result, the mist on the locations of spoofers has never been dissipated till now. This paper proposes passive IP traceback (PIT) that bypasses the deployment difficulties of IP traceback techniques. PIT investigates Internet Control Message Protocol error messages (named path backscatter) triggered by spoofing traffic, and tracks the spoofers based on public available information (e.g., topology). In this way, PIT can find the spoofers without any deployment requirement. This paper illustrates the causes, collection, and the statistical results on path backscatter, demonstrates the processes and effectiveness of PIT, and shows the captured locations of spoofers through applying PIT on the path backscatter data set. These results can help further reveal IP spoofing, which has been studied for long but never well understood. Though PIT cannot work in all the spoofing attacks, it may be the most useful mechanism to trace spoofers before an Internet-level traceback system has been deployed in real.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Christian Bassey,Francis Jeremiah,Rustem Iuzlibaev,Opeyemi Oloruntola,Success Imakuh

DOI: https://doi.org/10.30574/wjarr.2024.22.3.1716

2024-06-30

World Journal of Advanced Research and Reviews

Abstract:These days, quite a large number of application servers are being considered to be easily spoofed. Even though technologies like DNSSec, DNS over HTTPS/TLS, and DNSCurve have always been suitable for this type of problem, many developers need help to exercise the complete chain of trust. Implementing the mentioned protocols might be a matter of time, inexperience, or impossibility. In this paper, some workarounds that rely on BGP Autonomous System numbers (AS) are shown, and protocols therein are described by way of Unicast Reverse Path Forwarding (uRPF), its benefits and drawbacks from an analytical standpoint, as well as the primary flow to defend end systems, are presented. Our approach focuses on filtering malicious traffic closer to the source by identifying anomalies in BGP AS path information. The methodology is implemented and tested using Snort as an Intrusion Detection System (IDS) to capture and analyze DNS request patterns, then MikroTik router configurations are used for strict uRPF and ingress filtering, demonstrating the practical application of this solution proposed solution in real-world network environments.

Henry Birge-Lee,Maria Apostolaki,Jennifer Rexford

2024-08-19

Abstract:As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

Cryptography and Security,Networking and Internet Architecture

Hongcheng Tian,Jun Bi,Xiaoke Jiang

DOI: https://doi.org/10.1007/s13119-012-0007-x

2012-01-01

Networking Science

Abstract:IP traceback can be used to find direct generator(s) and path(s) of attacking traffic. Probabilistic marking schemes, as one type of IP traceback technologies, have been most studied, but they are difficult to fast reconstruct attacking path(s) and defend against spoofed marks generated by attacking source(s). In this paper, we present Adaptive Probabilistic Marking scheme (APM). In APM, when each packet enters the first-hop router, its TTL value is set to a uniform value, and when it is forwarded by routers in the network, each intermediate router decreases the TTL value by one. Consequently, each intermediate router may infer the router-level hop number that each packet has already traveled, and then correspondingly marks the packet with the probability inversely proportional to the router-level hop number. APM is focused on the probability with which a router marks a packet, and APM can cooperate with other probabilistic marking schemes. NS2 simulation experiments prove that, in APM, the time for the victim to receive necessary marks for the path reconstruction is reduced by more than 20% compared with existing probabilistic marking schemes, and spoofed marks cannot reach the victim and influence the traceback process.

Shui Yu,Wanlei Zhou,Song Guo,Minyi Guo

DOI: https://doi.org/10.1109/tc.2015.2439287

IF: 3.183

2016-01-01

IEEE Transactions on Computers

Abstract:DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purpose, rather than marking every node of the Internet as the existing schemes doing. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to traceback to involved attack source, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participated routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.

Ben A. Scott,Michael N. Johnstone,Patryk Szewczyk

DOI: https://doi.org/10.3390/s24196414

IF: 3.9

2024-10-03

Sensors

Abstract:The Internet's default inter-domain routing system, the Border Gateway Protocol (BGP), remains insecure. Detection techniques are dominated by approaches that involve large numbers of features, parameters, domain-specific tuning, and training, often contributing to an unacceptable computational cost. Efforts to detect anomalous activity in the BGP have been almost exclusively focused on single observable monitoring points and Autonomous Systems (ASs). BGP attacks can exploit and evade these limitations. In this paper, we review and evaluate categories of BGP attacks based on their complexity. Previously identified next-generation BGP detection techniques remain incapable of detecting advanced attacks that exploit single observable detection approaches and those designed to evade public routing monitor infrastructures. Advanced BGP attack detection requires lightweight, rapid capabilities with the capacity to quantify group-level multi-viewpoint interactions, dynamics, and information. We term this approach advanced BGP anomaly detection. This survey evaluates 178 anomaly detection techniques and identifies which are candidates for advanced attack anomaly detection. Preliminary findings from an exploratory investigation of advanced BGP attack candidates are also reported.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yinan Jing,Jingtao Li,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1109/aina.2006.22

2006-01-01

Abstract:Distributed denial-of-service attacks have become the major threat to Internet today. IP traceback is one of the most effective techniques to defeat these attacks by identifying attack sources even in the presence of IP spoofing. Because of low marking packet utilization, the convergence time of traditional probabilistic packet marking (PPM) schemes is still too long. In order to shorten the convergence time, a distributedlog- based IP traceback scheme is proposed. Theoretical analysis and simulation results show that this scheme not only can converge more quickly than previous PPM schemes, but also has much less log overhead than other log-based schemes.

Haipeng Qu,Purui Su,Dongdai Lin,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-540-31957-3_109

2005-01-01

Abstract:DDoS attack is a big problem to the Internet community due to its high-profile, severe damage, and the difficulty in defending against it. Several countermeasures are proposed for it in the literature, among which, Probabilistic Packet Marking (PPM) first developed by Savage et al. is promising. However, the PPM marking schemes have the limitations in two main aspects: high computation overhead and large number of false positives. In this paper, a new packet marking scheme is proposed, which is more practical because of higher precision, and computationally more efficient compared with the PPM scheme proposed by Savage. Furthermore, this scheme can achieve a more higher precision than Advanced Marking Schemes in case of the victim knowing the map of its upstream routers.

Hongcheng Tian,Jun Bi

DOI: https://doi.org/10.1109/lcomm.2012.051512.120467

IF: 3.5529

2012-01-01

IEEE Communications Letters

Abstract:IP traceback can be used to find the origins and paths of attacking traffic. However, so far, most approaches for IP traceback are hard to be deployed in the Internet because of deployment difficulties. In this paper, we present an incrementally deployable approach based on sampled flows for IP traceback (SampleTrace). In SampleTrace, it is not necessary to deploy any dedicated traceback software and hardware at routers, and an AS-level overlay network is built for incremental deployment. We theoretically analyze the quantitative relation among the probability that a flow is successfully traced back various AS-level hop number, independently sampling probability, and the packet number that the attacking flow comprises. According to Bernoulli's Law of Large Numbers, when a large number of attacking flows are practically traced back in the Internet by SampleTrace, the successfully-traced back relative frequency will approach the successfully-traced back probability.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

Hongcheng Tian,Jun Bi,Xiaoke Jiang,Wei Zhang

DOI: https://doi.org/10.1109/internet.2010.32

2010-01-01

Abstract:For existing probabilistic marking technologies for IP traceback, such as Probabilistic Packet Marking (PPM), TTL-based Packet Marking (TPM) and Dynamic Probabilistic Packet Marking (DPPM), it is difficult to reconstruct attack path(s) fast and defend against spoofed marks. In this paper, we present Adaptive Probabilistic Marking scheme (APM), where the TTL value of each packet is set to a uniform number at the first-hop router, and each router deduces the distance that each packet has already traveled, and then adaptively marks the packet with the probability inversely proportional to the distance. We theoretically prove that, in APM, the victim requires the fewest packets for a successful traceback, the effect of spoofed marks can be eliminated. NS2 experiments show, in APM, the time for the victim to collect all the obligatory marks for the path reconstruction is reduced by more than 20% compared with existing schemes, and spoofed marks cannot reach the victim.

Jun He,Yahui Li,Han Zhang,Ming Wang,Changqing An,Jilong Wang

DOI: https://doi.org/10.1109/icc45041.2023.10278923

2023-01-01

Abstract:Prefix hijackings have always been a significant security issue in BGP and have continued to occur in recent years. Detecting prefix hijackings is a vital part of defending against them. Most detection approaches mainly rely on the feed from the monitors of public route collector infrastructures. We propose an injected sub-prefix hijacking that utilizes the BGP communities attribute and AS path poisoning to control the propagation of invalid sub-prefix routes. This attack only pollutes neighboring ASes, thus guaranteeing the invisibility to monitors. Then the attacker can stealthily hijack traffic passing through the polluted ASes. Through extensive simulations, we show that this attack has an enormous impact and propose the crucial indicator affecting the attacker's capability. Finally, we demonstrate that existing defenses are difficult to handle this attack and then propose several defense strategies against it.

Evgeny Sagatov,Samara Mayhoub,Andrei Sukhov,Prasad Calyam

DOI: https://doi.org/10.23919/jcin.2023.10173727

2023-07-08

Journal of Communications and Information Networks

Abstract:Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.

HT Tian,LS Huang,YF Lei,GL Chen

DOI: https://doi.org/10.1109/pdcat.2003.1236285

2003-01-01

Abstract:The problem of identifying the sources of a denial of service attack is among the hardest in the Internet security area, since attackers often use spoofed source IP addresses. We present a new scheme called MAC-based probabilistic packet marking (MPPM) for IP traceback under DoS attack. A router marks the packets stochastically with fragments of an edge composed of itself and the next hop router. Message authentication code (MAC) is used to link and authenticate fragments of routers' addresses in the marked attack packets. The main advantage of MPPM over known PPM schemes includes less attack packets required to converge, linear computation overhead and more precision. Moreover the optional authentication mechanism provides robustness against faked marks. MPPM also features low router cost and supports incremental deployment.

Yangyang Wang,Mingwei Xu

DOI: https://doi.org/10.1145/3405837.3411403

2020-01-01

Abstract:On the Internet, Border Gateway Protocol (BGP) is the standard to construct inter-domain routes among autonomous systems (ASes). Data traffic follows the inverse direction of BGP route propagation. For the outbound traffic, an AS can make its own selection in the range of the routes received from its peering neighbor ASes, and change the traffic outbound paths for better performance or bypassing failures. It is more difficult for ASes to control inbound traffic paths because it cannot determine the selection for remote ASes. An AS only has to manipulate BGP path attributes of the advertised prefixes it owns to trigger the potential path change from other ASes to itself.

JING Yi-nan,WANG Xue-ping,XIAO Xiao-chun,ZHANG Gen-du

DOI: https://doi.org/10.1049/cp:20061579

2006-01-01

Abstract:Distributed denial-of-service attack is one of the major threats to Internet currently.IP traceback is a technique to trace back the attack sources in presence of IP spoofing,and plays a key role in defense for DDoS attacks.Compared with other IP traceback techniques,the probabilistic packet marking (PPM) scheme has more advantages.However,because of low marking information utilization,its traceback speed is still too slow.In order to traceback attackers as quickly as possible,a logless fast IP traceback (LFIT) scheme is proposed,which uses a few router storage space and in-band channel to improve the marking information utilization. Simulation results show that it has two distinct advantages,namely faster traceback speed and little router and network overhead.

W Liu,Hx Duan,Y Feng,Yb Li,P Ren

2004-01-01

Abstract:This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. We first analyze the limitation of Edge Sampling Algorithm (ESA) [1], then present a new scheme IESA for providing traceback information in IP packets, which marking the packet with a dynamic marking probability to ensure that the victim receives all the marked packets with equal probability. This scheme can reduce greatly the possibility that a marked packet farther away from victim is remarked by the router nearer to the victim, hence greatly reduces the number of packets needed to reconstruct the attack path, and therefore greatly reduces the reconstruction time.