Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.1109/pccc.2017.8280451

2017-01-01

Abstract:IP spoofing, which is prevalently used for anonymity and reflection attacks, has shown increasing destructive power in recent years. Although certain source address validation solutions have been standardized by the Internet Engineering Task Force, few networks are willing to adopt them in view of the deficiency of deployment benefits. Actually, all the source address validation solutions face the problem of a lack of deployability. In this paper, we summarize the key points describing deployability and propose a new security service-inter-autonomous-system (AS) Source Address Protection (iSAP). Technically, by increasing the possibility of keeping the source address belonging to one AS from being the victim of reflection flooding, iSAP improves the deployers ability to prevent IP spoofing and increases incremental deployability. In reality, such a service can also be regarded as a new profit opportunity for ASes and it could progress gradually once it is well commercialized. Based on simulations with real Internet topology data, the results illustrate that iSAP can protect ASes from being reflected with only a few deployers, exhibiting a high potential to mitigate reflection flooding with modest resource consumption.

Yan Shen,Jun Bi,Jianping Wu,Qiang Liu

DOI: https://doi.org/10.1109/iscc.2008.4625684

2008-01-01

Abstract:IP source address spoofing is used by DDoS and DrDoS attacks in the Internet. This paper presents a signature-and-verification based IP spoofing prevention method, automatic peer-to-peer based anti-spoofing method (APPA). APPA has two levels: intra-AS (autonomous system) level and inter-AS level. In the intra-AS level, the end host tags a one-time key into each outgoing packet and the gateway at the AS border verifies the key. In inter-AS level, the gateway at the AS border tags a periodically changed key into the leaving packet and the gateway at border of the destination AS verifies and removes the key. The most prominent characteristic of APPA is the automatically synchronizing state-machine, which is used to update keys automatically and effectively. The benefits of APPA are: (1) preventing IP address spoofing strictly, end systems canpsilat even spoof addresses in the same AS or subnet, (2) providing very low running and management costs, (3) supporting anti-replay attacks and incremental deployment.

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Lu Xi

2008-01-01

Abstract:IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem,we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes,and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes,MASK can not only enlarge the domain of the spoofing prevention service,but also filter spoofing packets in advance. Through analysis and simulations,we demonstrate MASK's accuracy and effectiveness.

Bingyang Liu,Jun Bi,Yu Zhu

DOI: https://doi.org/10.1109/mnet.2015.7113230

IF: 10.294

2015-01-01

IEEE Network

Abstract:IP spoofing makes network attacks more destructive and harder to prevent. AS spoofing defenses mitigate these attacks by enforcing AS-level source address validity. Although many inter-AS defenses have been proposed, none is sufficiently deployed by Internet service providers. In this article we investigate the deployability of the defenses by evaluating their deployment benefit, deployment cost, and operational risk. Evaluation results reveal the technical features of highly deployable defenses, which can help improve existing defenses and the design of future defenses.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Tingxin Sun,Jiayi Cai,Kaiwei Guo,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/globecom54140.2023.10437875

2023-01-01

Abstract:In Internet Service Provider (ISP) networks, Amplified Reflection DDoS (AR-DDoS) attack is one of the main attack categories, which launches gigabytes of traffic with little effort and minimal cost. Thus, the mitigation of AR-DDoS attacks has been considered as a crucial part. In particular, such mitigation requires full coverage (i.e., mitigating AR-DDoS attacks launched from any location) and low overhead (i.e., mitigation should avoid high latency that degrades user experience). However, existing solutions suffer from either limited coverage or high overhead. In this paper, we propose Aigis, a distributed framework that offers full-coverage and low-overhead mitigation of AR-DDoS attacks. Our key idea is to co-design top-of-rack (ToR) switches and end-hosts, which offers line-rate packet processing performance and fine-grained view inherently, to jointly execute endpoint verification. Specifically, Aigis selectively offloads mitigation operations between ToR switches and end-hosts and implements a network-wide epoch synchronization mechanism to guarantee reliable verification. It efficiently coordinates ToR switches and end-hosts to execute the entire mitigation task. We have implemented Aigis on a testbed comprising 32x100 Gbps Tofino switches. Testbed experiments indicate that Aigis achieves complete full coverage and orders of magnitude lower host-side overhead compared to existing solutions.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icccn.2013.6614204

2013-01-01

Abstract:While making the Internet totally trustworthy is intractable, making as trustworthy as possible is a crucial problem. Within this landscape, authentication of the IP source address remains one important topic in need of further study. However, most source address validation methods are difficult to implement in practice because of deployment difficulties. This research designs an efficient inter-domain distributed source address validation solution (CatchIt). By employing a novel routing choice notification scheme, CatchIt makes the deployed ASes intelligent by allowing them cooperate to acquire the valid incoming path information of packets. With such knowledge, the deployed ASes can accurately authenticate the source address without the need for any modifications to the de facto routing protocol and packet structure. Moreover, CatchIt helps the deployed ASes proactively and quickly filter spoofed packets before they imperil the network. CatchIt also avoids any false positive, even under partial deployment. Our evaluation also shows that CatchIt is effective and accurate when catching spoofed packets while incurring a low overhead; CatchIt maintains an early deploy and rapidly benefit incremental deployment incentive mechanism.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icnp.2012.6459939

2012-01-01

Abstract:The authentication of the IP source address remains one of the most important steps in making the Internet as trustworthy as possible. With existing anti-spoofing solutions, deployed ASes lack cooperation when exchanging routing decisions and disseminations. In general, this makes anti-spoofing mechanisms inefficient and does not adapt to incremental deployment. By introducing routing choice feedback, we propose a distributed inter-domain anti-spoofing solution (Umbrella). In Umbrella, the deployed ASes can acquire approximate global routing choice information. Our approach offers gains in efficiency through the verification of the packets forwarding path and the construction of dynamically spoofing packets filter. Our experimental analysis of Umbrella shows it to be both effective and incrementally deployable.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.26599/tst.2018.9010025

2018-01-01

Tsinghua Science & Technology

Abstract:IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (IETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing. In this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.

Bi Jun,Liu Bingyang,Wu Jianping,Shen Yan

DOI: https://doi.org/10.1016/s1007-0214(09)70097-5

2009-01-01

Tsinghua Science & Technology

Abstract:A signature-and-verification-based method, automatic peer-to-peer anti-spoofing （APPA）, is proposed to prevent IP source address spoofing. In this method, signatures are tagged into the packets at the source peer, and verified and removed at the verification peer where packets with incorrect signatures are filtered. A unique state machine, which is used to generate signatures, is associated with each ordered pair of APPA peers. As the state machine automatically transits, the signature changes accordingly. KISS random number generator is used as the signature generating algorithm, which makes the state machine very small and fast and requires very low management costs. APPA has an intra-AS （autonomous system） level and an inter-AS level. In the intra-AS level, signatures are tagged into each departing packet at the host and verified at the gateway to achieve finer-grained anti-spoofing than ingress filtering. In the inter-AS level, signatures are tagged at the source AS border router and verified at the destination AS border router to achieve prefix-level anti-spoofing, and the automatic state machine enables the peers to change signatures without negotiation which makes APPA attack-resilient compared with the spoofing prevention method. The results show that the two levels are both incentive for deployment, and they make APPA an integrated anti-spoofing solution.

Lizhong Xie,Jun Bi,Jianpin Wu

DOI: https://doi.org/10.1007/978-3-540-72590-9_121

2007-01-01

Abstract:In today's Internet routing architecture, the router doesn't validate the correctness of the source address carried in the packet, nor keep the state information when forwarding the packet. Thus the DDoS attacks with spoofed IP source address can cause security problems. In this paper, we aim to prevent the attackers from attacking somewhere outside the IPv6 edge network with forged source address in the fine granularity. The proposed methods include source address authentication by using session key and hash digest algorithm, and replay attack prevention by combining the sequence number method and the timestamp method. This paper presents the algorithm design and evaluates its feasibility and correctness by simulation experiments.

Jie Li,Jun Bi,Jianping Wu,Wei Zhang

DOI: https://doi.org/10.1109/nca.2012.20

2012-01-01

Abstract:The functional deficiency of the Internet architecture enables attackers the ability to easily to spoof IP source address. The traditional signature-and-verification based anti-spoofing methods are often limited by essential process based on an explicit analysis and process of the IP header and does not adapt to incremental deployment. This paper designs a multi-fence countermeasure based inter-domain source address validation method named VIP. By employing intelligent originating information label and extended MPLS based cloud and network, VIP enables lightweight-label-based packet forwarding and validation. And VIP offers gains in efficiency by reducing the load on both forwarding tables and validation processing without negative influences and complex operations on de facto networks. In addition to enhanced scalability, VIP may facilitate incremental deployment in the long run.

Jiamin Cao,Ying Liu,Mingxing Liu,Lin He,Yihao Jia,Fei Yang

DOI: https://doi.org/10.1109/IWQOS52092.2021.9521336

2021-01-01

Abstract:Source IP address spoofing has been a major vulnerability of the Internet for many years. Although much work has been done to study the problem extensively, spoofing continues to occur frequently and has led to many serious network attacks. Inter-AS source address validation (SAV) is considered an important defense method for AS to filter spoofed packets. However, existing work has been unable to drive inter-AS SAV deployment into practice due to the lack of deployment incentives and trust foundation. In this paper, we propose a practical and decentralized inter-AS SAV service framework, pSAV, to promote inter-AS SAV deployment. pSAV increases deployment incentives by treating SAV as a payable service and dividing the participant ASes into service subscribers, providers, and auditors. On the control plane, pSAV leverages blockchain as a trust foundation to provide service subscriptions and audits with automatic incentive allocation. On the data plane, pSAV leverages P4-programmable switches to provide flexible and high-performance SAV services. We prototype the pSAV control plane based on Hyperledger Fabric and implement various SAV techniques on Barefoot Tofino switches. The evaluation results show that (1) on the control plane, pSAV blockchain can provide high-performance service transactions (hundreds of transactions per second with second latency), and (2) on the data plane, pSAV can provide various high-throughput (hundreds of Gbps) SAV services using only one programmable switch.

Jun Bi,Jianping Wu,Miao Zhang

DOI: https://doi.org/10.1007/11807964_69

2006-01-01

Abstract:The lack of verifying source address in Internet makes it easy for attackers to spoof the source IP address. One of challenges of Internet has been recognized is building mechanisms in routers to verify the source address. This paper discusses Source Address Spoofing Prevention (SASP) mechanisms, presents a formal description on SASP network and SASP router, proposes a hierarchical SASP architecture, and presents some design principles of SASP mechanisms.

Bingyang Liu,Jun Bi,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/tifs.2013.2296437

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:IP spoofing-based flooding attacks are a serious and open security problem on the current Internet. The best current antispoofing practices have long been implemented in modern routers. However, they are not sufficiently applied due to the lack of deployment incentives, i.e., an autonomous system (AS) can hardly gain additional protection by deploying them. In this paper, we propose mutual egress filtering (MEF), a novel antispoofing method, which provides continuous deployment incentives. The MEF is implemented on the AS border routers using access control lists (ACLs). It drops an outbound packet whose source address does not belong to the local AS if the packet is related to a spoofing attack against other MEF-enabled ASes. By this means, only the deployers of the MEF can gain protection, whereas nondeployers cannot free ride. As more ASes deploy MEF, deployment incentives become higher. We present the system design of MEF, and propose an optimal prefix compression algorithm to compact the ACL into the routers' limited hardware resource. With theoretical analysis and simulations with real Internet data, our evaluation results show that MEF is the only method that achieves monotonically increasing deployment incentives for all types of spoofing attacks, and the system design is lightweight and practical. The prefix compression algorithm advances the state-of-the-art by generalizing the functionalities and reducing the overhead in both time and space.

Xiaoliang Wang,Ke Xu,Yangfei Guo,Haiyang Wang,Songtao Fu,Qi Li,Bin Wu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2024.3377116

2024-01-01

Abstract:The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Fabrice Mvah,Vianney Kengne Tchendji,Clémentin Tayou Djamegni,Ahmed H. Anwar,Deepak K. Tosh,Charles Kamhoua

DOI: https://doi.org/10.1016/j.cose.2023.103696

IF: 5.105

2024-01-06

Computers & Security

Abstract:The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

computer science, information systems

Yan Shen,Jun Bi,Jianping Wu,Qiang Liu

DOI: https://doi.org/10.1007/978-3-540-74819-9_105

2007-01-01

Abstract:SPM (Spoofing Prevention Method) proposed a peer-to-peer anti-spoofing method which could effectively filter spoofed packets and support incremental deployment. However, mechanism of SPM key updating has some serious problems: (1) heavy management cost; (2) risk of becoming the target of DOS/DDOS attacks during the key updating; (3) limitation of the scale of the SPM union; (4) impossibility of tackling the threat of real-time packet sniffing. This paper proposes an Automatic Peer-to-Peer Anti-spoofing Method (APPA). APPA resolves the key management problem and could effectively prevent source address spoofing.