Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

GuangJia Song,ZhenZhou Ji

DOI: https://doi.org/10.1371/journal.pone.0151612

IF: 3.7

2016-01-01

PLoS ONE

Abstract:Duplicate address detection (DAD) is an important component of the address resolution protocol (ARP) and the neighbor discovery protocol (NDP). DAD determines whether an IP address is in conflict with other nodes. In traditional DAD, the target address to be detected is broadcast through the network, which provides convenience for malicious nodes to attack. A malicious node can send a spoofing reply to prevent the address configuration of a normal node, and thus, a denial-of-service attack is launched. This study proposes a hash method to hide the target address in DAD, which prevents an attack node from launching destination attacks. If the address of a normal node is identical to the detection address, then its hash value should be the same as the "Hash_64" field in the neighboring solicitation message. Consequently, DAD can be successfully completed. This process is called DAD-h. Simulation results indicate that address configuration using DAD-h has a considerably higher success rate when under attack compared with traditional DAD. Comparative analysis shows that DAD-h does not require third-party devices and considerable computing resources; it also provides a lightweight security resolution.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Peng Kuang,Ying Liu,Lin He

DOI: https://doi.org/10.1109/icc40277.2020.9149310

2020-01-01

Abstract:Duplicate Address Detection (DAD) is an essential part of the Neighbor Discovery Protocol (NDP), which determines whether the IPv6 address of a node conflicts with those of other nodes. Due to the lack of verification of NDP messages, DAD is vulnerable to DoS attacks. Existing solutions suffer from high complexity, need to modify the NDP, or have a single point of failure. To solve the above problems, we propose P4DAD, a secure DAD mechanism described by P4. By creating and maintaining binding entries between IPv6 address and link-layer property of host, P4DAD can filter spoofed NDP messages in an in-network manner to prevent DoS attacks on DAD without modifications to the NDP or host stack. We implement a prototype of P4DAD and evaluate it in terms of functionality, performance, and scalability. Evaluation results show that P4DAD can prevent DoS attacks on DAD successfully with negligible overhead, and has satisfactory scalability.

Lin He,Peng Kuang,Ying Liu,Gang Ren,Jiahai Yang

DOI: https://doi.org/10.1016/j.comnet.2021.108323

IF: 5.493

2021-10-01

Computer Networks

Abstract:Duplicate Address Detection (DAD) is one of the functions of the Neighbor Discovery Protocol (NDP), which determines whether the IPv6 address of a node conflicts with those of other nodes. However, due to the lack of verification of NDP messages, DAD is vulnerable to Denial of Service (DoS) attacks. Existing solutions suffer from high complexity and low security, need to modify the NDP, or have a single point of failure, which renders them infeasible to be deployed.To solve the above problems, we propose P4DAD, which is a secure DAD mechanism based on P4. By creating and maintaining a binding entry between an IPv6 address and a link-layer property of a host's network attachment, P4DAD can filter spoofed NDP messages in an in-network manner to prevent DoS attacks on DAD without modification to the NDP or host stack. We implement a prototype of P4DAD and evaluate it in terms of functionality, performance, and scalability. Evaluation results show that P4DAD can prevent DoS attacks on DAD successfully with negligible overhead and has satisfactory scalability.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Guangjia Song,Zhenzhou Ji

DOI: https://doi.org/10.1201/b19779-113

2016-01-01

Abstract:Duplicate Address Detection (DAD) is an important component of the address resolution protocols, which determines whether an Internet Protocol (IP) address can be used. In the traditional DAD process, critical information is broadcast through the network. This is a vulnerability that malicious nodes can exploit to mount attacks, resulting in failure to configure IP addresses. To resolve the issue, a new DAD process with variable-length prefix, DAD-vP, was proposed. With DAD-vP, prefix is used to indicate a specific range rather than the entire destination address being tested. This significantly increases the difficulty of mounting an attack. Simulation results show that when under attack, address configuration using the DAD-vP process has a much higher success rate compared to that using the traditional DAD process.

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Song Guangjia,Ji Zhenzhou

DOI: https://doi.org/10.1109/imccc.2015.150

2015-01-01

Abstract:Given the lack of authentication mechanisms, the address resolution protocols (ARPs) (address resolution protocol, neighbor discovery protocol, and so on) are vulnerable to attack, such as man in the middle and denial of service among others. Therefore, the safety problem of the address resolution (AR) has been significantly given focus, and, in this paper, two problems related to AR have been investigated. First, the indecisiveness of the AR is proven. Therefore, all decision methods adopted to ensure the AR are imperfect, second, the equivalence between the AR and the duplicate address detection (DAD) process is proven. Thus, the AR and the DAD process can be replaced by each other, and can even be completed by the same process which will significantly simplify the design and implementation of the address resolution protocol.

Guangjia SONG,Zhenzhou JI

DOI: https://doi.org/10.3969/j.issn.2095-2163.2015.02.008

2015-01-01

Abstract:Given the lack of authentication mechanisms, the address resolution protocols ( ARPs) ( address resolution pro-tocol, neighbor discovery protocol, and so on) are vulnerable to attack, such as man in the middle and denial of service a-mong others. Therefore, the safety problem of the address resolution ( AR) has been significantly given focus, and, in this paper, two problems related to AR have been investigated. First, the indecisiveness of the AR is proven. Therefore, all de-cision methods adopted to ensure the AR are imperfect;second, the equivalence between the AR and the duplicate address detection ( DAD) process is proven. Thus, the AR and the DAD process can be replaced by each other, and can even be completed by the same process which will significantly simplify the design and implementation of the ARPs.

Guang Yao,Jun Bi,Sen Wang,Yueran Zhang,Yitian Li

DOI: https://doi.org/10.1109/LCN.2010.5735746

2010-01-01

Abstract:In IPv6 network, before configuring any address, a node must perform Duplicate Address Detection (DAD) to ensure the address is unique on link. However, original DAD is unreliable and vulnerable. In this article, a pull model DAD is designed, which achieves improvements both in reliability and security through changing the solicitation model. Comparing with SEcure Neighbor Discovery (SEND), this proposal has advantage in lightweight overhead and flexibility of address generation. Through evaluation, it is found to be feasible and cost effective.

Guangjia Song,Zhenzhou Ji

2015-01-01

Abstract:Address resolution is an important component of network communication. It determines the correspondence relationship between the IP and MAC of the host. Given the public destination of address resolutions, existing address resolution protocols are vulnerable to deception attacks, such as man-in-the-middle or DoS. Thus, a new security protocol called seek secret man (SSM) is proposed to address this drawback. Further, we utilize the SSM protocol as prototype and design a secure address resolution process called AR-SSM. This technique uses encryption technology to hide the destination of the address resolution, thereby preventing an attacker from launching a pointed attack. The experimental and comparison results show that in the presence of malicious nodes, the address cache pollution rate of AR-SSM is far lower than that of the traditional address resolution process.

Yan Shen,Jun Bi,Jianping Wu,Qiang Liu

DOI: https://doi.org/10.1109/iscc.2008.4625684

2008-01-01

Abstract:IP source address spoofing is used by DDoS and DrDoS attacks in the Internet. This paper presents a signature-and-verification based IP spoofing prevention method, automatic peer-to-peer based anti-spoofing method (APPA). APPA has two levels: intra-AS (autonomous system) level and inter-AS level. In the intra-AS level, the end host tags a one-time key into each outgoing packet and the gateway at the AS border verifies the key. In inter-AS level, the gateway at the AS border tags a periodically changed key into the leaving packet and the gateway at border of the destination AS verifies and removes the key. The most prominent characteristic of APPA is the automatically synchronizing state-machine, which is used to update keys automatically and effectively. The benefits of APPA are: (1) preventing IP address spoofing strictly, end systems canpsilat even spoof addresses in the same AS or subnet, (2) providing very low running and management costs, (3) supporting anti-replay attacks and incremental deployment.

YiHao Jia,Ying Liu,Gang Ren

DOI: https://doi.org/10.1109/GLOBECOM38437.2019.9013151

2019-01-01

Abstract:IP spoofing, which is generally used for anonymity and amplification, constantly leads to pervasive distributed denial-of-service (DDoS) attacks. To mitigate IP spoofing, source address validation is divided into access network, intra-autonomous system (AS), and inter-AS levels. However, because of ambiguous incentives, heterogeneous demands, and fragile trust, techniques for the inter-AS level fail in practice, and thus, IP spoofing is still considered as an almost open vulnerability of the entire Internet. In this study, we aim to transform the inter-AS source address validation into an "address protection" service, and we mitigate IP spoofing through an economicsdriven framework - apf ('a'ddress 'p'rotection 'f'ramework). In such a protection, the addresses belonging to one AS can be prevented from being spoofed by others. Behind the framework, such a service will be consolidated by a unified trust anchor with a uniform interface, and deployer ASes will be free to select their preferred techniques and invoke the service when needed. Based on the empirical data and theoretical analysis, we prove that the service is acceptable for triggering economics-driven implementation under the guidance of the apf framework.

CHEN Yazheng,LI Hewu

DOI: https://doi.org/10.11959/j.issn.2096-8930.2021017

2021-01-01

Abstract:LEO (Low Earth Orbit) satellites with high mobility in space-integrated-ground information network cause ground user terminals change connected satellites continuously, so user terminals can't keep stable IPv6 addresses.SLAAC (Stateless Address Auto-Confi guration) in space-integrated-ground information network to provide stable IPv6 addresses was investigated, and an eff ective SLAAC and DAD (Duplicate Address Detection) mechanism was proposed.Aiming at the scenario where the ground equipment in the LEO satellite constellation constantly switches the LEO satellites, an IPv6 stateless address automatic confi guration and duplicate address detection mechanism was proposed.The scope of duplicate address detection was reduced by introducing ground position information and satellite orbit information, thereby eff ectively reduced signaling overhead for duplicate address detection.

SONG Wei-Jia,ZHOU Chang-Ling,CUI Jian,SHANG Qun,ZHANG Bei

2008-01-01

Periodical of Ocean University of China

Abstract:ARP protocol is vulnerable to ARP Cache Poisoning, which fosters a variety of security issues such as Man-In-The-Middle attack. There are pros and cons of existing approaches to this issue.Based on the characteristics of ARP Cache Poisoning attacks,we combine the ARP inspection function of switches with dynamic IP-MAC binding algorithms to design a new solution to ARP Cache Poisoning.Our solution is flexible and deployment-friendly to large-scale networks.Experiment demonstrates the effectiveness of the solution.

Yang Liu,Ke Dong,Liang Dong,Bin Li

2008-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon is seriously threaten the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Longjiang Li,Yunze Cai,Xiaoming Xu,Yonggang Li

DOI: https://doi.org/10.1007/s11277-007-9340-x

IF: 2.017

2007-01-01

Wireless Personal Communications

Abstract:The autoconfiguration algorithm of the mobile node addresses is important in the practical usage of most mobile ad hoc networks (MANETs). The passive Duplicate Address Detection (PDAD) protocols can detect address conflicts in a passive manner and thus have very low protocol overhead. However, the blindly random assignment algorithm used in PDAD leads to a high initial conflict probability. In this paper, we propose a novel concept of address agent, based on which arises a novel autoconfiguration approach, to obtain the least address conflict probability. Most features of PDAD are inherited, e.g., address conflicts are still detected in a passive manner based on anomalies in routing protocol traffic. Analysis and simulation show that our algorithm outperforms existing methods.