SAVI K Xu,G Hu,J Bi,M Xu

2012-01-01

Abstract:Many proposals have been presented for preventing IP spoofing from occurring in network. An outstanding of them is the SAVI (Source Address Validation Improvement) proposal which was advocated by IETF SAVI workgroup for solving this problem from user access switch. SAVI Working Group is developing standardize mechanisms that prevent nodes attached to the same IP link from spoofing each other’s IP addresses, and achieve IP source address validation at a finer granularity. However, up to now, to the best of our knowledge, none of them has focused on the scenarios of 4over6 transition, that is, IPv4 packets transit IPv6 network and arrive at other edge IPv4 network (s). With the boom of IPv6 networks, this issue becomes more and more urgent. In addition, since 4over6 plans are plenty and various, one solution cannot meet all requirements of these plans. This document describes a framework of IP …

SAVI K Xu,G Hu,J Bi,M Xu

2012-01-01

Abstract:IP spoofing always is bothering us along with the Internet invention. With the rapid development of IPv6 next generation Internet, this issue is more prominent. Existing IP anti-spoofing proposals, including SAVI (Source Address Validation Improvement) which was advocated by IETF, only focused on single-stack or simple network scenarios. To the best of our knowledge, none of them has paid attention to the IPv4/IPv6 transition scenarios. However, since transition schemes are plenty and various, one solution cannot meet all requirements of them. In this draft, we present a SAVI-based general frame-work for IP source address validation and traceback in the IPv4/IPv6 transition scenarios, which achieve this by extracting out essential and mutual properties from these schemes, and forming sub-solutions for each property. When one transition scheme is composed from various properties, its IP source address …

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Lizhong Xie,Jun Bi,Jianpin Wu

DOI: https://doi.org/10.1007/978-3-540-72590-9_121

2007-01-01

Abstract:In today's Internet routing architecture, the router doesn't validate the correctness of the source address carried in the packet, nor keep the state information when forwarding the packet. Thus the DDoS attacks with spoofed IP source address can cause security problems. In this paper, we aim to prevent the attackers from attacking somewhere outside the IPv6 edge network with forged source address in the fine granularity. The proposed methods include source address authentication by using session key and hash digest algorithm, and replay attack prevention by combining the sequence number method and the timestamp method. This paper presents the algorithm design and evaluates its feasibility and correctness by simulation experiments.

LI Dan,QIN Lancheng,WU Jianping,SU Yingying,XU Mingwei,SHI Xingang,GU Yunan,LIN Tao

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020289

2020-01-01

Abstract:At the beginning of the design of the Internet architecture,it assumed that all network members were trusted,and did not fully consider the security threat brought by the untrusted network members.For a long time,routers only forward packets based on the destination IP address of the packet,and do not carry out any verification on the source IP address of the packet.The lack of packet level authenticity on the Internet results in the header being maliciously altered.A real source address verification mechanism with routing synchronization and dynamic filtering were proposed.This mechanism constructs the filter table based on the prefix-topology mapping synchronization,the problem of inconsistent state between the filter table and the route caused by routing asymmetry were solved,false positives and false negatives was avoided,and a low-overhead and low-latency source address verification of the IP address prefix level granularity in the address domain were realized.

Xiaoliang Wang,Ke Xu,Yangfei Guo,Haiyang Wang,Songtao Fu,Qi Li,Bin Wu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2024.3377116

2024-01-01

Abstract:The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.1109/pccc.2017.8280451

2017-01-01

Abstract:IP spoofing, which is prevalently used for anonymity and reflection attacks, has shown increasing destructive power in recent years. Although certain source address validation solutions have been standardized by the Internet Engineering Task Force, few networks are willing to adopt them in view of the deficiency of deployment benefits. Actually, all the source address validation solutions face the problem of a lack of deployability. In this paper, we summarize the key points describing deployability and propose a new security service-inter-autonomous-system (AS) Source Address Protection (iSAP). Technically, by increasing the possibility of keeping the source address belonging to one AS from being the victim of reflection flooding, iSAP improves the deployers ability to prevent IP spoofing and increases incremental deployability. In reality, such a service can also be regarded as a new profit opportunity for ASes and it could progress gradually once it is well commercialized. Based on simulations with real Internet topology data, the results illustrate that iSAP can protect ASes from being reflected with only a few deployers, exhibiting a high potential to mitigate reflection flooding with modest resource consumption.

Wang Hong,Li Sudan,Liu YaPing,Bi Jun,Wu JianPing

2011-01-01

Abstract:This memo describes SAVO SAVI, a source address validation mechanism for IPv6 networks based on the OSPFv3 protocol within Intra-Domain field. The proposed mechanism is intended to complement ingress filtering techniques to provide a higher granularity on the control of the forged source addresses and it can deal with the asymmetric routing for which the common uRPF scheme ([RFC2827]) may fail.The proposed SAVO mechanism does not need any additional communication between the routers in which the SAVO mechanism has been implemented and deployed. It can be incrementally deployed by the network manager and when it is only partially deployed it still helps to restrict the effect of the source address forging. It provides proactive incentives for the users who deploy it for they will be able to filter the packets with forged source address to a certain range, especially when the forged addresses …

Jun Bi,Jianping Wu,Miao Zhang

DOI: https://doi.org/10.1007/11807964_69

2006-01-01

Abstract:The lack of verifying source address in Internet makes it easy for attackers to spoof the source IP address. One of challenges of Internet has been recognized is building mechanisms in routers to verify the source address. This paper discusses Source Address Spoofing Prevention (SASP) mechanisms, presents a formal description on SASP network and SASP router, proposes a hierarchical SASP architecture, and presents some design principles of SASP mechanisms.

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icccn.2013.6614204

2013-01-01

Abstract:While making the Internet totally trustworthy is intractable, making as trustworthy as possible is a crucial problem. Within this landscape, authentication of the IP source address remains one important topic in need of further study. However, most source address validation methods are difficult to implement in practice because of deployment difficulties. This research designs an efficient inter-domain distributed source address validation solution (CatchIt). By employing a novel routing choice notification scheme, CatchIt makes the deployed ASes intelligent by allowing them cooperate to acquire the valid incoming path information of packets. With such knowledge, the deployed ASes can accurately authenticate the source address without the need for any modifications to the de facto routing protocol and packet structure. Moreover, CatchIt helps the deployed ASes proactively and quickly filter spoofed packets before they imperil the network. CatchIt also avoids any false positive, even under partial deployment. Our evaluation also shows that CatchIt is effective and accurate when catching spoofed packets while incurring a low overhead; CatchIt maintains an early deploy and rapidly benefit incremental deployment incentive mechanism.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

YiHao Jia,Gang Ren,Ying Liu

DOI: https://doi.org/10.13328/j.cnki.jos.005318

2018-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:The current Internet is based on the destination address forwarding in which the source address remains unverified.However,one of the root causes of Internet security problems is the untrustworthy source address.As the Internet plays an increasingly important role in political and economic fields,the security of the Inter-domain Internet becomes more crucial.For instance,the US Department of Homeland Security (DHS) has included the Inter-domain routing security in the national strategy of US information security.In recent years,innovation and evolution of the Internet are significantly undermined by the IP spoofing based distributed denial of service attacks,most of which are Inter-domain and transnational.Therefore,the Inter-domain source address validation becomes extremely important for Internet security.Although there are many techniques proposed in the relevant fields,none of them are appropriate for large-scale deployment.This paper reviews the existing research and standard progress of Inter-domain source address validation technology.First,the reasons and consequences of the lack of source address security are analyzed,and the significance of source address validation is illustrated by examining the progress of the technical standardization.Next,the advantages and disadvantages of various existing important source address validation methods are summarized.Then,the difficulties and challenges faced by the current Inter-domain source address validation technology are discussed.Finally,the prospective research directions and design principles are proposed as a reference for potential future works.

Jie Li,Jun Bi,Jianping Wu,Wei Zhang

DOI: https://doi.org/10.1109/nca.2012.20

2012-01-01

Abstract:The functional deficiency of the Internet architecture enables attackers the ability to easily to spoof IP source address. The traditional signature-and-verification based anti-spoofing methods are often limited by essential process based on an explicit analysis and process of the IP header and does not adapt to incremental deployment. This paper designs a multi-fence countermeasure based inter-domain source address validation method named VIP. By employing intelligent originating information label and extended MPLS based cloud and network, VIP enables lightweight-label-based packet forwarding and validation. And VIP offers gains in efficiency by reducing the load on both forwarding tables and validation processing without negative influences and complex operations on de facto networks. In addition to enhanced scalability, VIP may facilitate incremental deployment in the long run.

Wang Hong,Li Sudan,Liu YaPing,Lv Shaohe,Bi Jun,Wu JianPing

2011-01-01

Abstract:This memo describes SAVO SAVI, a source address validation mechanism for IPv6 networks based on the OSPFv3 protocol within Intra-Domain field. The proposed mechanism is intended to complement ingress filtering techniques to provide a higher granularity on the control of the forged source addresses and it can deal with the asymmetric routing for which the common uRPF scheme ([RFC2827]) may fail.

Yao Guang,Bi Jun

DOI: https://doi.org/10.3969/j.issn.1000-0801.2008.01.005

2009-01-01

Abstract:Source address spoofing has become a widely used mechanism for attacks because it can be easily launched and is difficult to defend against and trace. Therefore,the classification of network attacks based on source address spoofing is very important.This paper presents a survey of the modes of source address spoofing and their effect on the Internet.The source address spoofing attacks are related to the attacker,the victim and the spoofed host.Source address spoofing attacks can be classified into six categories based on the position of the host being spoofed.This classification clarifies the problems of source address spoofing which will lead to improved prevention methods as a foundation of a trustworthy Internet architecture.

JianPing Wu,Gang Ren,Xing Li

DOI: https://doi.org/10.1007/s11432-008-0142-x

2008-01-01

Science in China Series F Information Sciences

Abstract:The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases. This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a “source address validation architecture” (SAVA) is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, “multi-fence support” and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure—a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet.

Guangwu Hu,Jianping Wu,Ke Xu,Wenlong Chen

DOI: https://doi.org/10.1109/ICCCN.2011.6005783

2011-01-01

Abstract:In current network, as we all know, packets delivered by routers only rely on destination-address-directed forwarding, but their source addresses are not checked. Consequently, this incurs many serious network security breach events which are hard to trackback. Under this situation, a switch (we call it SAVI switch) followed SAVI (Source Address Validation Improvement) framework proposed by IETF was invented which dedicates to resolving this problem in user local subnet. SAVI switch is a direct and very effective anti-spoofing device, but because it just steps into a phase of industrialization and for economical and incremental deployment reasons, these switches are not fully covered in domain. This results in two issues at the same time: 1)how to filter out and abandon those packets whose source IP addresses belong to SAVI switches coverage, but actually not, otherwise, this will severely compromise the SAVI switch access users' motivation and SAVI's promotion. 2) how to traceback those packets' source router-the first hop routers of spoofed packets. In this paper, we present SAVT, a practical and smart scheme for source address validation and traceback in campus network for all outbound packets, it just need less 25% routers as filter router can resolve those two questions in most condition. Experiments illustrate our proposal keeps the promise of practicality, stability and efficiency.

Mingjiang Ye,Jianping Wu,Miao Zhang

DOI: https://doi.org/10.1007/978-3-540-72590-9_125

2007-01-01

Abstract:The lack of source IP address checking makes it easy for the attackers to spoof the source address. Spoofing Prevention Method (SPM), as a prospective candidate to be deployed in the Internet, is a newly proposed scheme to solve this problem. However, there is no work on SPM prototype system. In this paper, we present our experience in achieving a prototype system for SPM. In addition to realizing the basic idea of SPM described in the original paper, we make the following three contributions: First, the detail design is made for the whole SPM system architecture and detail mechanisms. Second, several important issues for SPM system are addressed, e.g., how to carry the key required by SPM, the MTU problem, etc. Third, a prototype system is made and some experiments are done with this prototype system.

JUN BI

2010-01-01

Abstract:Evaluation 66 Conclusion and Future Work 69 Acknowledgments 70 References 70Software-defined networking (SDN) has become a promising trend for future Internet development. Current researches mainly focus on flow management, security, and quality of service (QoS) using OpenFlow [1] switch in data center network or campus network. However, the number of OpenFlow application cases to resolve a real problem in a production network is still limited. In the production network, where routers are dominant, some of the challenges in the implementation and deployment of SDN are the integration of existing protocols inside a network device with new protocols, the tradeoff between hardware cost, and deployment profit of network evolution to SDN. In this chapter, by analyzing the challenges of the current OpenFlow in the production network, we propose three extensions of OpenFlow on FlowTable, control mode, and OpenFlow protocol. Based on these extensions, a commercial OpenFlow-enabled router, named OpenRouter, is designed and implemented using only available and existing hardware in a commercial router. OpenRouter brings the abilities of control openness; integration of inside/outside protocols; and flexibility of OpenFlow message structure, low-cost implementation, and deployment. We expect that OpenRouter may accelerate the large-scale application and deployment of OpenFlow in the production network. Currently, the Internet suffers source address spoofing–based attacks based on the observation from the The cooperative association for internet data analysis (CAIDA) data set [2]. Filtering traffic with forged source …