Dezhang Kong,Xiang Chen,Hang Lin,Zhengyan Zhou,Yi Shen,Hongyan Liu,Qiumei Cheng,Xuan Liu,Dong Zhang,Chunming Wu,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tnsm.2024.3504563

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:In-band Network Telemetry (INT) is a widely used monitoring framework in modern large-scale networks. It provides packet-level visibility into network conditions by inserting telemetry data into packets, enabling unprecedented fine-grained network management. However, this mechanism also introduces new vulnerabilities that malicious attackers can exploit. In this paper, we present eight In-band Network Telemetry Manipulation Attacks that take advantage of INT’s weakness, demonstrating that attackers can cause severe damage with little effort by manipulating INT packets. To address this issue, we designed SecureINT, a security-enhanced INT prototype that provides encryption and integrity verification for INT packets. Specifically, SecureINT deploys Even-Mansour and SipHash for confidentiality and integrity, respectively. It also uses a zero-delay rotation mechanism, which enables administrators to dynamically change the version of the deployed Even-Mansour/SipHash running on programmable switches without the need to re-install new programs. In this way, SecureINT can provide lasting security for INT packets using the limited resources of programmable switches. According to the experiments, SecureINT can be deployed on programmable switches using a single pipeline. Besides, the overhead of the rotation mechanism running on the control plane is still minimal.

Dezhang Kong,Zhengyan Zhou,Yi Shen,Xiang Chen,Qiumei Cheng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/IWQoS57198.2023.10188809

2023-01-01

Abstract:In-band Network Telemetry (INT) is a widely used monitoring framework in modern large-scale networks that provides fine-grained visibility into network conditions by inserting telemetry data into packets. However, this mechanism also introduces new vulnerabilities that malicious attackers can exploit. In this paper, we present four In-band Network Telemetry Manipulation Attacks that take advantage of INT's weakness, demonstrating that attackers can cause severe damage with little effort by manipulating INT packets. To address this issue, we design SecureINT, a novel INT prototype that ensures confidentiality and integrity for INT packets. To meet the stringent computational requirements of programmable switches, we comprehensively analyze possible attacks on the deployed encryption/hash algorithms and modify them accordingly without compromising their security. According to the experiments, SecureINT can be deployed on programmable switches using a single pipeline, providing encryption and integrity verification for INT packets with minimal overhead.

Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

Jiahao Cao,Renjie Xie,Kun Sun,Qi Li,Guofei Gu,Mingwei Xu

DOI: https://doi.org/10.14722/ndss.2020.23040

2020-01-01

Abstract:Software-Defined Networking (SDN) greatly meets the need in industry for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, SDN application ecosystem inevitably introduces new security threats since compromised or malicious applications can significantly disrupt network operations. Thus, a number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications. In this paper, we identify a new vulnerability on flow rule installation in SDN, namely, buffered packet hijacking, which can be exploited by malicious applications to launch effective attacks bypassing all existing defense systems. The root cause of this vulnerability lies in that SDN systems do not check the inconsistency between buffer IDs and match fields when an application attempts to install flow rules. Thus, a malicious application can manipulate buffer IDs to hijack buffered packets even though they do not match any installed flow rules. We design effective attacks exploiting this vulnerability to disrupt all three SDN layers, i.e., application layer, data plane layer, and control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating forwarding behaviors of buffered packets, a malicious application can not only disrupt TCP connections of flows but also make flows bypass network security policies. Third, by copying massive buffered packets to controllers, a malicious application can saturate the bandwidth of SDN control channels and their computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.

Wu Qingtao,Shao Zhiqing,Ding Zhiyi,Liu Gang

DOI: https://doi.org/10.1007/bf02829250

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packets filtering mechanism which combines the detection and filtering engine together to protect Web Servers from DDoS Attacks. The mechanism can detect DDoS attacks by inspecting inbound packets with an IP address database, and filter out lower priority IP addresses to preserve the connection for valid users by monitoring the queués status. We use the Netfilter's technique, a framework inside the Linux 2. 4. X, to implement it on a Web server. Also, we evaluate this mechanism and analyze the influence of some important parameters on system performance. The experimental results show that this mechanism is effective against DDoS attacks.

Xiang-dong QIAO,Tong YANG,Jing-wei ZHANG

DOI: https://doi.org/10.3969/j.issn.1009-3516.2007.04.018

2007-01-01

Abstract:Two different design schemes about firewall IPS module are brought up.In the first scheme snot-inline technique and the QUEUE action of netfilter are used to achieve dropping of attack data packet.In the second one,IPS about Denial of Service attack is achieved with the benefit of combination of synccokies,the new netfilter fuzzy match,PSD match,U32 match with an improvement on the firewall kernel.After comprehensive comparison,the module is developed according to the second scheme.The experiment shows that the designed module works well in defending main DOS attack.

Yudong Zhao,Ke Xu,Rashid Mijumbi,Meng Shen

DOI: https://doi.org/10.1007/978-3-319-22047-5_15

2015-01-01

Abstract:In recent years, the world has been shocked by the increasing number of network attacks that take advantage of router vulnerabilities to perform data interceptions. Such attacks are generally based on low cost, unidirectional, concealed mechanisms, and are very difficult to recognize let alone restrain. This is especially so, because the most affected parties - the users and Internet Service Providers (ISPs) - have very little control, if any, on router vulnerabilities. In this paper, we design, implement and evaluate a policy-based security system aimed at stopping such attacks from both the routing and switching network functions, by detecting any violations in the set policies. We prove the system's security completeness to data interception attacks. Based on simulations, we show that 100% of normal packets can pass through the policy-based system, and about 99.92% of intercepting ones would be caught. In addition, the performance of the proposed system is acceptable with regard to current TCP/IP networks.

Chuanpu Fu,Qi Li,Ke Xu,Xuewei Feng,Kun Sun

DOI: https://doi.org/10.1109/tnet.2021.3115517

2022-02-01

IEEE/ACM Transactions on Networking

Abstract:In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond. Our attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, thus building a shared IPID counter that forms a side channel in the victim. Second, the attacker detects the presence of TCP connections by observing the side channel of the shared IPID counter. Third, the attacker infers sequence and acknowledgment numbers of the detected connection by observing the side channel. Consequently, the attacker can completely hijack the connection, e.g., resetting the connection or poisoning the data stream. We evaluate the impacts of our attack in the real world, and we uncover that more than 20% of Alexa top 100k websites are vulnerable to our attack. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Moreover, we demonstrate that our attack can be further extended to exploit IPv4/IPv6 dual-stack networks on increasing the hash collisions and enlarging vulnerable populations. Finally, we analyze the root cause and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness in the real world.

Computer Science

刘飞,史晓敏

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.z1.220

2004-01-01

Abstract:With the development of network technology,network security can earlier expose to DoS attack.This paper introduces the principle and usual methods of DoS/DDoS attack, and proposes the design and implementation of Linux-gateway-based DoS/DDoS protection system. The system integrates the anti-scanning and anti-trace, stateful packet inspection, intrusion detection and protection technology. It can resist the usual attack of net scan and DOS/DDOS efficiently.

杨立光,王巍,舒国强,杨小虎

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.12.017

2004-01-01

Abstract:It goes beyond the capability of the single computer to capture, analyze and treat with large information transfered on Internet at real-time. The method that IP datagram is captured and diverted in the kernel of Linux operating system to subsequent processing computer is presented in the paper, which meets the technical request to analyze and react those information at real- time.

邢飞,伍卫国,刘轶,钱德沛

DOI: https://doi.org/10.3321/j.issn:0253-987X.2003.10.011

2003-01-01

Abstract:An improved scheme of UDP encapsulation is proposed, in which the whole IP package protected by IP security protocol (IPSec) is encapsulated by adding a UDP/IP header. The scheme can solve problems such as AH authentication failure and TCP invalidation resulted from the UDP encapsulation scheme presented by IETF. And the UDP encapsulation scheme is proposed to solve the problem of the incompatibility between network address translation (NAT) and virtual private network (VPN) based on IP-Sec. The performance detail of the scheme proposed is formulated, and it is easier to be implemented comparing with the original method. The influence of the proposed scheme of UDP encapsulation on the network performance and security in the operation process are discussed.

Xuewei Feng,Chuanpu Fu,Qi Li,Kun Sun,Ke Xu

DOI: https://doi.org/10.1145/3372297.3417884

2020-08-29

Abstract:In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond to help defend against TCP hijacking attacks. The attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, building a shared IPID counter that forms a side channel on the victim. Second, the attacker detects the presence of TCP connections by observing the shared IPID counter on the victim. Third, the attacker infers the sequence number and the acknowledgment number of the detected connection by observing the side channel of the shared IPID counter. Consequently, the attacker can completely hijack the connection, i.e., resetting the connection or poisoning the data stream. We evaluate the impacts of this off-path TCP attack in the real world. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Our experimental results show that our off-path TCP attack can be constructed within 215 seconds and the success rate is over 88%. Finally, we analyze the root cause of the exploit and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet.

Cryptography and Security

Hongliang Zhu,Bin Tian,Fei Wang,Yang Xin,Yixian Yang

DOI: https://doi.org/10.1109/wicom.2011.6040151

2011-01-01

Abstract:In this paper, we proposed a security system which can accomplish several various functions. The primary applications of this system includes: (1) lawful interception for the data of voip, email, instant message and other kinds of data; (2) filtering abnormality data packages; (3) blocking the illegal URL or sites; (4) performing net traffic and flow analysis and user behavior analysis; (5) doing network bandwidth monitoring, DDOS traffic cleaning; (6) SPAM filtering and so on. All the problems we involved are the most concerned by the operators engaged in telecommunication. The system architecture and the function we designed are based on the research of Lawful Interception (ETSI).

唐续,刘心松,杨峰

DOI: https://doi.org/10.3969/j.issn.1002-137X.2003.02.035

2003-01-01

Computer Science

Abstract:In order to improve the performance of Linux network,new protocols should be implemented and added in original protocol stack. For this demand,this paper has analyzed Linux network stack architecture and implement technology,then presented a method that appended new protocols in the network stack of Linux. The processes of protocol register ,protocol operation,protocol header implement,packets receiving, user interface are involved in this method.

王莉,黄光明,刘志愚

DOI: https://doi.org/10.3969/j.issn.1673-629x.2004.04.023

2004-01-01

Abstract:With the rapid development of Internet, more and more nets began to connect to it which causes the great increasement of information quantity. While people enjoying the freedom of acquiring and promulgating information, they also in face of threats comes from Internet, which calls network security. Firewall, now has been an efficient measure to prevent destruction from Internet.Introduces the development of firewall in Linux kernel, including ipfwadm, ipchains and iptables. Then discusses the latest technology:Netfilter and the concept of Dimilitary Zone. Finally gives an example to implement the DMZ firewall with iptables on Linux.

Zhen Ling,Junzhou Luo,Danni Xu,Ming Yang,Xinwen Fu

DOI: https://doi.org/10.1109/infocom.2019.8737586

2019-04-01

Abstract:Diverse anonymous communication systems are widely deployed as they can provide the online privacy protection and Internet anti-censorship service. However, these systems are severely abused and a large amount of anonymous traffic is malicious. To mitigate this issue, we propose a novel and practical traceback technique to confirm the communication relationship between the suspicious server and the user. We leverage the software-defined network (SDN) switch at a destination server side to intercept target traffic towards the server and alter the advertised TCP window sizes so as to stealthily vary the traffic rate at the server. By carefully varying the traffic rate, we can successfully modulate a secret signal into the traffic. The traffic carrying the signal passes through the anonymous communication system and reaches the SDN switch at the user side. Then we can detect the modulated signal from the traffic so as to confirm the communication relationship between the server and the user. To validate the feasibility and effectiveness of our technique, extensive real-world experiments are performed using three popular anonymous communication systems, i.e., SSH tunnel, OpenVPN tunnel, and Tor. The results demonstrate that the detection rates approach 100% for SSH and Open VPN and 95% for Tor while the false positive rates are significantly low, approaching 0% for these three systems.

Lv Ya-lin,Wang Cheng,Pang Xi-yu

2009-01-01

Abstract:Compared with traditional wired networks, wireless mobile Ad hoc networks are prone to be threatened by interior attacks, malicious nodes always drop packets deliberately, send redundant packets arbitrarily as well as modify packets illegally. Through the analysis of these malicious behaviors, a trust evaluation model based on Linux Net-filter frame is proposed, which could monitor the illegal operations and evaluate the trust value of nodes, the Trust Dynamic Source Route (TDSR) protocol is implemented finally by this approach, which could improve the performance of the network.

张玉芳,熊忠阳,赖苏,张科,刘君,王银辉

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.04.028

2009-01-01

Computer Science

Abstract:The existing packet filtering firewall is helpless for the spread of network virus,making a study on the designed of anti-virus firewall is very necessary.This paper designed and realized an experimental anti-virus firewall in IPv6.The firewall was realized in the form of kernel loadable module,and can be used to filter virus above link layer.The special TCP/IP used for firewall is rebuilt because transparent mode firewall cannot be run in the original TCP/IP of Linux.The firewall can get and resolve IPv6 packets and the IPv6 in IPv4 tunnel packet.It can also traverse every extension header until higher protocol layers.The firewall uses open source software to filter the virus in the network and ensures network security.For working in the kernel mode,the detecting speed was improved.The experimental results show that the performance and function of the firewall achieve the desired objectives.

Ye Du,Jiqiang Liu,Jieyuan Li,Cheng Li

DOI: https://doi.org/10.1115/1.802977.paper187

2009-01-01

Abstract:Based on the analysis of several kinds of methods generally used to intercept network packets in different layers, a NDIS intermediate driver-based defense mechanism for SQL injection attack is proposed, and the structure is designed. The system is composed of NDIS-based data package capture module, SQL injection attack detection module and rules base. Characteristics of every entity are discussed in detail. Finally, experiments results show that the system can detect SQL injection attacks and intercept malicious packets effectively.

Xuewei Feng,Qi Li,Kun Sun,Ke Xu,Jianping Wu

2024-11-19

Abstract:After more than 40 years of development, the fundamental TCP/IP protocol suite, serving as the backbone of the Internet, is widely recognized for having achieved an elevated level of robustness and security. Distinctively, we take a new perspective to investigate the security implications of cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages. Through a comprehensive analysis of interactions among Wi-Fi, IP, ICMP, UDP, and TCP due to ICMP errors, we uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing. These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks, thus posing risks to the Internet. By responsibly disclosing these vulnerabilities to affected vendors and proposing effective countermeasures, we enhance the robustness of the TCP/IP protocol suite, receiving acknowledgments from well-known organizations such as the Linux community, the OpenWrt community, the FreeBSD community, Wi-Fi Alliance, Qualcomm, HUAWEI, China Telecom, Alibaba, and H3C.

Cryptography and Security