Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Tingxin Sun,Jiayi Cai,Kaiwei Guo,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/globecom54140.2023.10437875

2023-01-01

Abstract:In Internet Service Provider (ISP) networks, Amplified Reflection DDoS (AR-DDoS) attack is one of the main attack categories, which launches gigabytes of traffic with little effort and minimal cost. Thus, the mitigation of AR-DDoS attacks has been considered as a crucial part. In particular, such mitigation requires full coverage (i.e., mitigating AR-DDoS attacks launched from any location) and low overhead (i.e., mitigation should avoid high latency that degrades user experience). However, existing solutions suffer from either limited coverage or high overhead. In this paper, we propose Aigis, a distributed framework that offers full-coverage and low-overhead mitigation of AR-DDoS attacks. Our key idea is to co-design top-of-rack (ToR) switches and end-hosts, which offers line-rate packet processing performance and fine-grained view inherently, to jointly execute endpoint verification. Specifically, Aigis selectively offloads mitigation operations between ToR switches and end-hosts and implements a network-wide epoch synchronization mechanism to guarantee reliable verification. It efficiently coordinates ToR switches and end-hosts to execute the entire mitigation task. We have implemented Aigis on a testbed comprising 32x100 Gbps Tofino switches. Testbed experiments indicate that Aigis achieves complete full coverage and orders of magnitude lower host-side overhead compared to existing solutions.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Guolong Chen,Guangwu Hu,Yong Jiang,Chaoqin Zhang

DOI: https://doi.org/10.1109/iscc.2016.7543774

2016-01-01

Abstract:Current Internet packet forwarding only relies on destination IP address and thus neglects the validation of packet's IP source address for Internet accountability, which incurs many cyber-security threats. State-of-the-art solutions either have issues in spoofing packet filtering accuracy, e.g., false positive and false negative, or encounter scalability and deployment problems, i.e., end-host TCP/IP stack or router modification. In this article, we propose SAVSH, a practical IP source address validation scheme for Software Defined Networking (SDN) hybrid networks. SAVSH takes advantage of the SDN architecture which possesses global topological view and central control pattern, so that it can locate nodes for the SDN switch replacement and deploy filtering rules onto them with desirable IP prefix-level filtering accuracy. In the meantime, SAVSH also takes network dynamics (e.g., topology changes) into account. Finally, the established prototype experiment and typical topology simulations demonstrate SAVSH not only possesses desirable performance, but also owns the capability that trades the maximal validation effect with the minimal SDN switch deployment cost, which is up to more than 90% prefix coverage benefit to 15% deployment cost on average.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Jiamin Cao,Ying Liu,Mingxing Liu,Lin He,Yihao Jia,Fei Yang

DOI: https://doi.org/10.1109/IWQOS52092.2021.9521336

2021-01-01

Abstract:Source IP address spoofing has been a major vulnerability of the Internet for many years. Although much work has been done to study the problem extensively, spoofing continues to occur frequently and has led to many serious network attacks. Inter-AS source address validation (SAV) is considered an important defense method for AS to filter spoofed packets. However, existing work has been unable to drive inter-AS SAV deployment into practice due to the lack of deployment incentives and trust foundation. In this paper, we propose a practical and decentralized inter-AS SAV service framework, pSAV, to promote inter-AS SAV deployment. pSAV increases deployment incentives by treating SAV as a payable service and dividing the participant ASes into service subscribers, providers, and auditors. On the control plane, pSAV leverages blockchain as a trust foundation to provide service subscriptions and audits with automatic incentive allocation. On the data plane, pSAV leverages P4-programmable switches to provide flexible and high-performance SAV services. We prototype the pSAV control plane based on Hyperledger Fabric and implement various SAV techniques on Barefoot Tofino switches. The evaluation results show that (1) on the control plane, pSAV blockchain can provide high-performance service transactions (hundreds of transactions per second with second latency), and (2) on the data plane, pSAV can provide various high-throughput (hundreds of Gbps) SAV services using only one programmable switch.

Qizhao Zhou,Junqing Yu,Dong Li

DOI: https://doi.org/10.1016/j.comnet.2021.108075

IF: 5.493

2021-07-01

Computer Networks

Abstract:<p>We consider the problem of source address validation implementation (SAVI) in a Software-Defined Network (SDN) environment. The integration of SAVI and SDN can further address the challenges in a typical architecture such as the complexity of SAVI's deployment and the acquisition of security data in the access layer. A key aspect of this campaign consists of filtering forged packets and verifying the authenticity of the source address. A common strategy is to create bindings between the IP address of a node and a property of the host's network attachment. However, problem still accompany with the deployment of SAVI, including the performance cost of the SDN controller caused by the redundant validation process, especially in the case of an overflow of the flow table and other anomalous conditions in the network. Our contribution in this paper is to design and implement a dynamic framework for lightweight SAVI based on SDN (D-SAVI), which is an enhancement of SDN setups to allow proper source address validation on downstream network ingress ports, without incurring a large performance overhead. Initially, we proposed a fine-grained dual-level structure to match flow entry flexibly to complete the dynamic deployment of SAVI. A priority-based validation mechanism was added for further efficiency optimization. We then designed a state partition and transition module to optimize network performance under anomalous conditions, especially the communication performance between the controllers and switches in the SDN-based networks with a global view. Consequently, under the premise of network security, D-SAVI could filter out, with better packet forwarding efficiency, packets that do not match existing binding relationships. The experimental results demonstrate that our implementation provides source address verification with less resource consumption than existing methods.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lin He,Gang Ren,Ying Liu,Guanglei Song,E. Jinlong,Jiahai Yang,Mingwei Xu

DOI: https://doi.org/10.1109/MNET.123.2200111

IF: 10.294

2023-01-01

IEEE Network

Abstract:IP spoofing is prevalently used for anonymity and reflection attacks, e.g., distributed denial of service (DDoS) attacks, which have shown increasingly destructive power in recent years because today's Internet lacks validation on source addresses. Moreover, the fast deployment of IPv6 on the Internet may further aggravate the damages of DDoS attacks. This paper proposes a novel source address validation mechanism called SAV6, which leverages the huge IPv6 address space to validate source addresses at an inter-autonomous system (AS) granularity. In SAV6, each IPv6 address contains an AS number (ASN), whose corresponding AS announces the prefix of the address to other ASes. An AS can determine the authenticity of the source address by whether the ASN in the address matches the corresponding prefix after receiving an incoming packet. The performance evaluation of a SAV6 prototype shows that it adds little performance overhead to the deployed infrastructures and is a lightweight and deployable protocol.

Shuaicong Yu,Shuying Zhuang,Tao Yu,Changqing An,Jilong Wang

DOI: https://doi.org/10.1145/3646547.3688417

2024-01-01

Abstract:In the era of increasing network-based threats, particularly IP spoofing, Source Address Validation (SAV) is paramount for network security. The effective deployment of Inbound Source Address Validation (ISAV) is crucial yet often inadequate, posing significant risks to Internet infrastructure. This study presents ICMP_Sonar, a measurement system that deploys "rumors" -carefully crafted spoofed ICMP packets-to probe the network's defenses, revealing the "wise" networks with their robust ISAV implementations. ICMP_Sonar introduces two novel approaches that exploit the characteristics of ICMP unreachable messages and ICMP fragment needed messages, and exhibits the advantages of high coverage, fine granularity, low error rates, and the ability to measure in both IPv4 and IPv6. We also evaluate the applicability and security risks of ICMP error messages. Through large-scale measurements, ICMP_Sonar successfully covers 86M IPv4 hosts (0.8M IPv6 hosts), 3.5M IPv4 /24 subnets (24K IPv6 /40 subnets), and 59K IPv4 ASes (8.3K IPv6 ASes), surpassing the state-of-the-art dual-stack method's coverage by 16.2 (51.6), 2.9 (2.34), and 1.7 (1.7) times, respectively. The broad coverage across multiple granularities enables us to capture a more comprehensive and fine-grained view of ISAV deployment. Measurements show that while the percentage of ASes with no ISAV deployment is lower than previously identified, the percentage of ASes with partial ISAV deployment is much higher, indicating significant gaps in overall security. The analysis also reveals that ISAV deployment practices vary across different networks and between IPv4 and IPv6.

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.

Lancheng Qin,Libin Liu,Li Chen,Dan Li,Yuqian Shi,Hongbing Yang

DOI: https://doi.org/10.1145/3673422.3674888

2024-01-01

Abstract:To mitigate the threats of source address spoofing, many source address validation (SAV) solutions have been proposed over the past few years. However, none of them are widely deployed in practice due to lack of understanding, lack of open source implementation, and performance concerns. To address these problems, we develop a unified framework UniSAV to facilitate the understanding, design, implementation, and evaluation of existing and future SAV solutions. With UniSAV, we implement existing SAV solutions and evaluate their performance in real topologies. UniSAV further helps us to design and implement a new SAV solution to improve the performance upon existing SAV solutions.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.1109/pccc.2017.8280451

2017-01-01

Abstract:IP spoofing, which is prevalently used for anonymity and reflection attacks, has shown increasing destructive power in recent years. Although certain source address validation solutions have been standardized by the Internet Engineering Task Force, few networks are willing to adopt them in view of the deficiency of deployment benefits. Actually, all the source address validation solutions face the problem of a lack of deployability. In this paper, we summarize the key points describing deployability and propose a new security service-inter-autonomous-system (AS) Source Address Protection (iSAP). Technically, by increasing the possibility of keeping the source address belonging to one AS from being the victim of reflection flooding, iSAP improves the deployers ability to prevent IP spoofing and increases incremental deployability. In reality, such a service can also be regarded as a new profit opportunity for ASes and it could progress gradually once it is well commercialized. Based on simulations with real Internet topology data, the results illustrate that iSAP can protect ASes from being reflected with only a few deployers, exhibiting a high potential to mitigate reflection flooding with modest resource consumption.

Xiaoliang Wang,Ke Xu,Yangfei Guo,Haiyang Wang,Songtao Fu,Qi Li,Bin Wu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2024.3377116

2024-01-01

Abstract:The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Bingyang Liu,Jun Bi,Yu Zhu

DOI: https://doi.org/10.1109/mnet.2015.7113230

IF: 10.294

2015-01-01

IEEE Network

Abstract:IP spoofing makes network attacks more destructive and harder to prevent. AS spoofing defenses mitigate these attacks by enforcing AS-level source address validity. Although many inter-AS defenses have been proposed, none is sufficiently deployed by Internet service providers. In this article we investigate the deployability of the defenses by evaluating their deployment benefit, deployment cost, and operational risk. Evaluation results reveal the technical features of highly deployable defenses, which can help improve existing defenses and the design of future defenses.

Guangwu Hu,Jianping Wu,Ke Xu,Wenlong Chen

DOI: https://doi.org/10.1109/ICCCN.2011.6005783

2011-01-01

Abstract:In current network, as we all know, packets delivered by routers only rely on destination-address-directed forwarding, but their source addresses are not checked. Consequently, this incurs many serious network security breach events which are hard to trackback. Under this situation, a switch (we call it SAVI switch) followed SAVI (Source Address Validation Improvement) framework proposed by IETF was invented which dedicates to resolving this problem in user local subnet. SAVI switch is a direct and very effective anti-spoofing device, but because it just steps into a phase of industrialization and for economical and incremental deployment reasons, these switches are not fully covered in domain. This results in two issues at the same time: 1)how to filter out and abandon those packets whose source IP addresses belong to SAVI switches coverage, but actually not, otherwise, this will severely compromise the SAVI switch access users' motivation and SAVI's promotion. 2) how to traceback those packets' source router-the first hop routers of spoofed packets. In this paper, we present SAVT, a practical and smart scheme for source address validation and traceback in campus network for all outbound packets, it just need less 25% routers as filter router can resolve those two questions in most condition. Experiments illustrate our proposal keeps the promise of practicality, stability and efficiency.

Xiang Chen,Hongyan Liu,Dong Zhang,Qun Huang,Haifeng Zhou,Chunming Wu,Qiang Yang

DOI: https://doi.org/10.1109/mnet.107.2100643

IF: 10.294

2022-01-01

IEEE Network

Abstract:Distributed denial-of-service (DDoS) attacks have long been the most severe and destructive attack on modern networks. Some solutions place several middleboxes that run security-oriented network functions (SNFs) in the network to defend against DDoS attacks. However, middleboxes are proprietary and fixed-function, making them costly and inflexible when handling attack dynamics. Another class of solutions exploits the capability of software-defined networking (SDN) and network function virtualization (NFV) to run virtualized SNFs on commodity servers. This reduces the cost of DDoS attack mitigation while enabling high flexibility by dynamically removing or adding SNF instances. However, this class of solutions sacrifices packet processing performance and incurs non-trivial end-to-end latency, which is unacceptable for many latency-sensitive internet services. Recently, the emergence of programmable switches brings a promising alternative solution: arbitrary SNFs can be directly performed in line-rate ASIC pipelines of programmable switches, enabling low-cost, flexible, and high-performance DDoS attack mitigation. In this article, we present an illustrative survey of recent solutions that leverage programmable switches to provide DDoS attack mitigation. Our survey can help understand how to make full use of the benefits of programmable switches to defend against DDoS attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yevheniya Nosyk,Maciej Korczyński,Qasim Lone,Marcin Skwarek,Baptiste Jonglez,Andrzej Duda

DOI: https://doi.org/10.1109/TNET.2023.3257413

2023-03-15

Abstract:Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed source IP addresses. The absence of SAV for outgoing traffic has been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and received widespread attention. While less obvious, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure. Inbound IP spoofing may amplify other attack vectors such as DNS cache poisoning or the recently discovered NXNSAttack. In this paper, we present the preliminary results of the Closed Resolver Project that aims at mitigating the problem of inbound IP spoofing. We perform the first Internet-wide active measurement study to enumerate networks that filter or do not filter incoming packets by their source address, for both the IPv4 and IPv6 address spaces. To achieve this, we identify closed and open DNS resolvers that accept spoofed requests coming from the outside of their network. The proposed method provides the most complete picture of inbound SAV deployment by network providers. Our measurements cover over 55 % IPv4 and 27 % IPv6 Autonomous Systems (AS) and reveal that the great majority of them are fully or partially vulnerable to inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally show that inbound filtering is less often deployed for IPv6 than it is for IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for amplification DDoS attacks - 13 times more than previous work. Furthermore, we enumerate uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that could only be detected thanks to our spoofing technique, and that pose a significant threat when combined with the NXNSAttack.

Networking and Internet Architecture

Yuanjun Dai,An Wang,Yang Guo,Songqing Chen

DOI: https://doi.org/10.1145/3559759

IF: 5.3

2023-02-23

ACM Transactions on Internet Technology

Abstract:Distributed denial of service (DDoS) attacks have been prevalent on the Internet for decades. Albeit various defenses, they keep growing in size, frequency, and duration. The new network paradigm, Software-defined networking (SDN), is also vulnerable to DDoS attacks. SDN uses logically centralized control, bringing the advantages in maintaining a global network view and simplifying programmability. When attacks happen, the control path between the switches and their associated controllers may become congested due to their limited capacity. However, the data plane visibility of SDN provides new opportunities to defend against DDoS attacks in the cloud computing environment. To this end, we conduct measurements to evaluate the throughput of the software control agents on some of the hardware switches when they are under attacks. Then, we design a new mechanism, called Scotch , to enable the network to scale up its capability and handle the DDoS attack traffic. In our design, the congestion works as an indicator to trigger the mitigation mechanism. Scotch elastically scales up the control plane capacity by using an Open vSwitch-based overlay. Scotch takes advantage of both the high control plane capacity of a large number of vSwitches and the high data plane capacity of commodity physical switches to increase the SDN network scalability and resiliency under abnormal (e.g., DDoS attacks) traffic surges. We have implemented a prototype and experimentally evaluated Scotch . Our experiments in the small-scale lab environment and large-scale GENI testbed demonstrate that Scotch can elastically scale up the control channel bandwidth upon attacks.

computer science, information systems, software engineering