Lu Xi

2008-01-01

Abstract:IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem,we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes,and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes,MASK can not only enlarge the domain of the spoofing prevention service,but also filter spoofing packets in advance. Through analysis and simulations,we demonstrate MASK's accuracy and effectiveness.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Bo Wu,Ke Xu,Qi Li,Zhuotao Liu,Yih-Chun Hu,Martin J. Reuel,Meng Shen,Fan Yang

DOI: https://doi.org/10.1109/iwqos.2018.8624169

2018-01-01

Abstract:The Internet lacks verification of source authenticity and path compliance between the planned packet delivery paths and the real delivery paths, which allows attackers to construct attacks like source spoofing and traffic hijacking attacks. Thus, it is essential to enable source and path verification in networks to detect forwarding anomalies and ensure correct packet delivery. However, most of the existing security mechanisms can only capture anomalies but are unable to locate the detected anomalies. Besides, they incur significant computation and communication overhead, which exacerbates the packet delivery performance. In this paper, we propose a high-efficient packet forwarding verification mechanism called PPV for networks, which verifies packet source and their forwarding paths in real time. PPV enables probabilistic packet marking in routers instead of verifying all packets. Thus, it can efficiently identify forwarding anomalies by verifying markings. Moreover, it localizes packet forwarding anomalies, e.g., malicious routers, by reconstructing packet forwarding paths based on the packet markings. We implement PPV prototype in Click routers and commodity servers, and conducts real experiments in a real testbed built upon the prototype. The experimental results demonstrate the efficiency and performance of PPV. In particular, PPV significantly improves the throughput and the goodput of forwarding verification, and achieves around 2 times and 3 times improvement compared with the-state-of-art OPT scheme, respectively.

Fan Yang,Ke Xu,Qi Li,Rongxing Lu,Bo Wu,Tong Zhang,Yi Zhao,Meng Shen

DOI: https://doi.org/10.1109/iwqos49365.2020.9213001

2020-01-01

Abstract:No matter from the perspective of detection or defense, source and path validations are fundamentally primitive in constructing security mechanisms to greatly enhance network immunity in the face of malicious attacks, such as injection, traffic hijacking and hidden threats. However, existing works for source and path verification still impose a non-trivial operational overhead and lack adjustment capability for path dynamic changes. In this paper, we propose a flexible and convenient source and path validation protocol called PSVM, which uses an authentication structure PIC composed of ordered pieces to carry out packet verification. Specifically, in the basic PSVM protocol, PIC (related to cryptographic computation) in the packet header does not require any update during packet verification, which thus enables a lower processing overhead in routers. To cope with the challenge of path policy changes in the running protocol, the dynamic PSVM protocol supports controllable adjustment and migration, especially in the case of avoiding a malicious node or region. Our evaluation of a prototype experiment on Click demonstrates that the verification efficiency of PSVM is barely influenced by payload size or path length. Compared to the baseline of normal IP routing, the throughput reduction ratio of the basic PSVM is about 13%, which is much better than 28% of existing best solution Origin and Path Trace (OPT). In addition, for a 35-hop path with 30 pieces of PIC needed to be adjusted in dynamic PSVM, the throughput reduction ratio of routing cross node performing the adjustment operation after normal verification is only 2.4%.

Jiliang Li,Yuan Su,Rongxing Lu,Zhou Su,Weizhi Meng,Meng Shen

DOI: https://doi.org/10.1109/tdsc.2024.3392299

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network path validation aims to give more control over the forwarding path of data packets in a path-aware network, which shields the network from security threats and allows end hosts to receive better services. Therefore, network path validation becomes a vital primitive for secure and reliable Internet services in the next generation networks. The path validation enables end hosts and intermediate router nodes to check whether a packet has followed the intended path. However, the existing solutions fail to protect path privacy and incur significant bandwidth and computation overhead on packet transferring, which degrades packet delivery performance. In this paper, we propose the StealthPath to protect path privacy and improve delivery efficiency. Firstly, StealthPath uses lightweight cryptographic primitives to generate nested proofs and ensures all nodes on the path to check the compliance of the forwarding path efficiently. Secondly, StealthPath hides the forwarding path in the proofs and reduces the proof size from linear to constant, which protects the path information and path length, and decreases the bandwidth consumption. Moreover, StealthPath allows on-path nodes to extract their proofs and the next hop address from proof without leaking on-path node index. Finally, StealthPath is proved to resist various attacks and preserves the path privacy. The experiments show that StealthPath saves nearly 60% header size and bandwidth, and is more efficient than state-of-the-art schemes.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Jie Li,Jun Bi,Jianping Wu,Wei Zhang

DOI: https://doi.org/10.1109/nca.2012.20

2012-01-01

Abstract:The functional deficiency of the Internet architecture enables attackers the ability to easily to spoof IP source address. The traditional signature-and-verification based anti-spoofing methods are often limited by essential process based on an explicit analysis and process of the IP header and does not adapt to incremental deployment. This paper designs a multi-fence countermeasure based inter-domain source address validation method named VIP. By employing intelligent originating information label and extended MPLS based cloud and network, VIP enables lightweight-label-based packet forwarding and validation. And VIP offers gains in efficiency by reducing the load on both forwarding tables and validation processing without negative influences and complex operations on de facto networks. In addition to enhanced scalability, VIP may facilitate incremental deployment in the long run.

Qianmei Wu,Wei Cheng,Sylvain Guilley,Fan Zhang,Wei Fu

DOI: https://doi.org/10.46586/tches.v2022.i3.192-222

2022-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Code-based masking is a highly generalized type of masking schemes, which can be instantiated into specific cases by assigning different encoders. It captivates by its side-channel resistance against higher-order attacks and the potential to withstand fault injection attacks. However, similar to other algebraically-involved masking schemes, code-based masking is also burdened with expensive computational overhead. To mitigate such cost and make it efficient, we contribute to several improvements to the original scheme proposed by Wang et al. in TCHES 2020. Specifically, we devise a computationally friendly encoder and accordingly accelerate masked gadgets to leverage efficient implementations. In addition, we highlight that the amortization technique introduced by Wang et al. does not always lead to efficient implementations as expected, but actually decreases the efficiency in some cases. From the perspective of practical security, we carry out an extensive evaluation of the concrete security of code-based masking in the real world. On one hand, we select three representative variations of code-based masking as targets for an extensive evaluation. On the other hand, we aim at security assessment of both encoding and computations to investigate whether the state-of-the-art computational framework for code-based masking reaches the security of the corresponding encoding. By leveraging both leakage assessment tool and side-channel attacks, we verify the existence of “security order amplification” in practice and validate the reliability of the leakage quantification method proposed by Cheng et al. in TCHES 2021. In addition, we also study the security decrease caused by the “cost amortization” technique and redundancy of code-based masking. We identify a security bottleneck in the gadgets computations which limits the whole masked implementation. To the best of our knowledge, this is the first time that allows us to narrow down the gap between the theoretical security order under the probing model (sometimes with simulation experiments) and the concrete side-channel security level of protected implementations by code-based masking in practice.

Heyu Chang,Xiaobing Zhang,Nianwen Si,Ping Wu

DOI: https://doi.org/10.1016/j.cose.2024.103906

IF: 5.105

2024-05-28

Computers & Security

Abstract:By decoupling the control plane and the data plane, Software Defined Networking (SDN) has reshaped the ossified network architecture and improved the programmability of the network. However, SDN is also susceptible to malicious injection, tampering, dropping and hijacking attacks against forwarding packets, and the SDN architecture cannot perceive the real behavior of switches in the data plane. Packet forwarding verification and exception localization are recognized as effective and promising methods, enabling reliable packet delivery in the data plane and allowing the controller in SDN to identify abnormal links. While existing mechanisms embed the linear-scale cryptographic tags into the packet header space as the transmission path lengthens to realize packet verification and exception localization, which cannot achieve a feasible tradeoff between efficiency and security. Leveraging the central controllability of SDN, we propose a lightweight packet forwarding verification mechanism. This mechanism splits the runtime of a flow into consecutive epochs by address hopping. The switches in the data plane forward packets based on hopping address, collecting the information of packets forwarded in a compact data structure, namely traffic sketch. The controller verifies traffic sketches and localizes exception in the epoch. We further prototype the proposed mechanism based on simulation network. The analysis and experiments demonstrate that the cost of proposed scheme is lower than the similar mechanisms, introducing no more than 9% additional forwarding delay and less than 8% throughput degradation.

computer science, information systems

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Bi Jun,Liu Bingyang,Wu Jianping,Shen Yan

DOI: https://doi.org/10.1016/s1007-0214(09)70097-5

2009-01-01

Tsinghua Science & Technology

Abstract:A signature-and-verification-based method, automatic peer-to-peer anti-spoofing （APPA）, is proposed to prevent IP source address spoofing. In this method, signatures are tagged into the packets at the source peer, and verified and removed at the verification peer where packets with incorrect signatures are filtered. A unique state machine, which is used to generate signatures, is associated with each ordered pair of APPA peers. As the state machine automatically transits, the signature changes accordingly. KISS random number generator is used as the signature generating algorithm, which makes the state machine very small and fast and requires very low management costs. APPA has an intra-AS （autonomous system） level and an inter-AS level. In the intra-AS level, signatures are tagged into each departing packet at the host and verified at the gateway to achieve finer-grained anti-spoofing than ingress filtering. In the inter-AS level, signatures are tagged at the source AS border router and verified at the destination AS border router to achieve prefix-level anti-spoofing, and the automatic state machine enables the peers to change signatures without negotiation which makes APPA attack-resilient compared with the spoofing prevention method. The results show that the two levels are both incentive for deployment, and they make APPA an integrated anti-spoofing solution.

Xiaoliang Wang,Ke Xu,Yangfei Guo,Haiyang Wang,Songtao Fu,Qi Li,Bin Wu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2024.3377116

2024-01-01

Abstract:The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Hang Yu,Zhenhao He,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1109/icasid.2019.8925299

2019-01-01

Abstract:The SM3-MAC algorithm is a Message Authentication Code (MAC) algorithm based on the SM3 hash algorithm proposed by Office of Security Commercial Code Administration in 2010. In this paper, a masking scheme for SM3-MAC algorithm using key mask is proposed. Then, 5,000 power traces are collected by software simulation with Hamming distance model. We can prove that the unmasked SM3-MAC hardware is vulnerable to first-order power analysis, while the masked SM3-MAC hardware does not have register leakage under the Hamming distance model. After that, the SAKURA-G FPGA board is used to collect two sets of power traces of the masked SM3-MAC hardware, each of which contains 3,000 traces. The Test Vector Leakage Assessment (TVLA) methodology proves that there is a 99.999% chance that no first-order power leakage is detected in the masked SM3-MAC hardware. Finally, the feasibility of second-order power analysis is discussed, and the effects of different pre-processing functions on correlation are investigated. A second-order test has been carried out to analyze the second-order security of the masked SM3-MAC hardware, which proves that there exists second-order leakage.

Yan Shen,Jun Bi,Jianping Wu,Qiang Liu

DOI: https://doi.org/10.1109/iscc.2008.4625684

2008-01-01

Abstract:IP source address spoofing is used by DDoS and DrDoS attacks in the Internet. This paper presents a signature-and-verification based IP spoofing prevention method, automatic peer-to-peer based anti-spoofing method (APPA). APPA has two levels: intra-AS (autonomous system) level and inter-AS level. In the intra-AS level, the end host tags a one-time key into each outgoing packet and the gateway at the AS border verifies the key. In inter-AS level, the gateway at the AS border tags a periodically changed key into the leaving packet and the gateway at border of the destination AS verifies and removes the key. The most prominent characteristic of APPA is the automatically synchronizing state-machine, which is used to update keys automatically and effectively. The benefits of APPA are: (1) preventing IP address spoofing strictly, end systems canpsilat even spoof addresses in the same AS or subnet, (2) providing very low running and management costs, (3) supporting anti-replay attacks and incremental deployment.

Guangwu Hu,Jianping Wu,Ke Xu,Wenlong Chen

DOI: https://doi.org/10.1109/ICCCN.2011.6005783

2011-01-01

Abstract:In current network, as we all know, packets delivered by routers only rely on destination-address-directed forwarding, but their source addresses are not checked. Consequently, this incurs many serious network security breach events which are hard to trackback. Under this situation, a switch (we call it SAVI switch) followed SAVI (Source Address Validation Improvement) framework proposed by IETF was invented which dedicates to resolving this problem in user local subnet. SAVI switch is a direct and very effective anti-spoofing device, but because it just steps into a phase of industrialization and for economical and incremental deployment reasons, these switches are not fully covered in domain. This results in two issues at the same time: 1)how to filter out and abandon those packets whose source IP addresses belong to SAVI switches coverage, but actually not, otherwise, this will severely compromise the SAVI switch access users' motivation and SAVI's promotion. 2) how to traceback those packets' source router-the first hop routers of spoofed packets. In this paper, we present SAVT, a practical and smart scheme for source address validation and traceback in campus network for all outbound packets, it just need less 25% routers as filter router can resolve those two questions in most condition. Experiments illustrate our proposal keeps the promise of practicality, stability and efficiency.

Gongming Zhao,Hongli Xu,Jianchun Liu,Chen Qian,Juncheng Ge,Liusheng Huang

DOI: https://doi.org/10.1109/ICNP.2019.8888123

2019-01-01

Abstract:The past decades have seen a proliferation of middlebox deployment in various networks, including backbone networks and datacenters. Since network flows have to traverse specific service function chains (SFCs) for security and performance enhancement, it becomes much complex for SFC routing due to routing loops, traffic dynamics and scalability requirement. The existing SFC routing solutions may consume many resources (e.g., TCAM) on the data plane and lead to massive overhead on the control plane, which decrease the scalability of middlebox networks. Due to SFC requirement and potential routing loops, solutions like traditional default paths (e.g., using ECMP) that are widely used in non-middlebox networks will no longer be feasible. In this paper, we present and implement a scalable and flexible middlebox policy enforcement (SAFE-ME) system to minimize the TCAM usage and control overhead. To this end, we design the smart tag operations for construction of default SFC paths with less TCAM rules in the data plane, and present lightweight SFC routing update with less control overhead for dealing with traffic dynamics in the control plane. We implement our solution and evaluate its performance with experiments on both physical platform (Pica8) and Open vSwitch (OVS), as well as large-scale simulations. Both experimental and simulation results show that SAFE-ME can greatly improve scalability (e.g., TCAM cost, update delay, and control overhead) in middlebox networks. For example, our system can reduce the control traffic overhead by about 83% while achieving almost the similar middlebox load, compared with state-of-the-art solutions.

Yang Xiang,Xingang Shi,Jianping Wu,Zhiliang Wang,Xia Yin

DOI: https://doi.org/10.1016/j.comnet.2012.11.019

2012-01-01

Abstract:The inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the reliability of the Internet routing system, but forged routes generated by malicious attacks or mis-configurations may devastate the system. The security problem of BGP has attracted considerable attention, and although several solutions have been proposed, none of them have been widely deployed due to weaknesses such as high computational cost or potential security compromise. This paper proposes Fast Secure BGP (FS-BGP), an efficient mechanism for securing AS paths and preventing prefix hijacking by signing critical AS path segments. We prove that FS-BGP can achieve a similar level of security as S-BGP, but with much higher efficiency. Our experiments use BGP UPDATE data collected from real backbone routers. Compared with S-BGP, FS-BGP only requires a very small cache, and can reduce the cost of signing and verification by orders of magnitude. Indeed, the signing and verification can be accomplished as fast as the most bursty BGP UPDATE arrivals, which implies that FS-BGP will hardly delay the propagation of routing information.

Jie Li,Jianping Wu,Ke Xu

DOI: https://doi.org/10.1109/glocom.2011.6133740

2012-01-01

Chinese Journal of Computers

Abstract:Next generation Internet is highly concerned with the issue of trustworthy. An important foundation of trustworthy is authentication of the source IP address. With existing signature-and-verification based defense mechanisms, there is a lack of hierarchical architecture, which makes the structure of the trust alliance excessively flat and single. Moreover, with the increasing scale of trust alliances, costs of validation grow so quickly that they do not adapt to incremental deployment. Via comparison with traditional solutions, this article proposes a hierarchical, inter-domain authenticated source address validation solution named SafeZone. SafeZone employs two intelligent designs: lightweight tag replacement and a hierarchical partitioning scheme, each of which helps to ensure that SafeZone can construct trustworthy and hierarchical trust alliances without the negative influences and complex operations on de facto networks. Extensive experiments also indicate that SafeZone can effectively obtain the design goals of a hierarchical architecture, along with lightweight, loose coupling and "multi-fence support" as well as supporting incremental deployment.

Guolong Chen,Guangwu Hu,Yong Jiang,Chaoqin Zhang

DOI: https://doi.org/10.1109/iscc.2016.7543774

2016-01-01

Abstract:Current Internet packet forwarding only relies on destination IP address and thus neglects the validation of packet's IP source address for Internet accountability, which incurs many cyber-security threats. State-of-the-art solutions either have issues in spoofing packet filtering accuracy, e.g., false positive and false negative, or encounter scalability and deployment problems, i.e., end-host TCP/IP stack or router modification. In this article, we propose SAVSH, a practical IP source address validation scheme for Software Defined Networking (SDN) hybrid networks. SAVSH takes advantage of the SDN architecture which possesses global topological view and central control pattern, so that it can locate nodes for the SDN switch replacement and deploy filtering rules onto them with desirable IP prefix-level filtering accuracy. In the meantime, SAVSH also takes network dynamics (e.g., topology changes) into account. Finally, the established prototype experiment and typical topology simulations demonstrate SAVSH not only possesses desirable performance, but also owns the capability that trades the maximal validation effect with the minimal SDN switch deployment cost, which is up to more than 90% prefix coverage benefit to 15% deployment cost on average.