An Integrated Approach to Prevent Address Spoofing in IPv6 Links

We propose an integrated approach to protect from address spoofing for both IPv6 and Layer-2 addresses, and from address resolution attacks. The proposed approach is an extension to the FCFS SAVI specification, and relies on the inspection and generation of standard Neighbor Solicitation messages. It does not require host modification and manual configuration is only needed to indicate the ports to which routers connect.CCG10-UC3M-TIC-5624 project funded by Comunidad de Madrid. Ministry of Science and Innovation of Spain, QUARTET project (TIN2009-13992-C02-01)Publicad

Network layer access control for context-aware IPv6 applications

As part of the Lancaster GUIDE II project, we have developed a novel wireless access point protocol designed to support the development of next generation mobile context-aware applications in our local environs. Once deployed, this architecture will allow ordinary citizens secure, accountable and convenient access to a set of tailored applications including location, multimedia and context based services, and the public Internet. Our architecture utilises packet marking and network level packet filtering techniques within a modified Mobile IPv6 protocol stack to perform access control over a range of wireless network technologies. In this paper, we describe the rationale for, and components of, our architecture and contrast our approach with other state-of-the- art systems. The paper also contains details of our current implementation work, including preliminary performance measurements

Adaptive Response System for Distributed Denial-of-Service Attacks

The continued prevalence and severe damaging effects of the Distributed Denial of Service (DDoS) attacks in today’s Internet raise growing security concerns and call for an immediate response to come up with better solutions to tackle DDoS attacks. The current DDoS prevention mechanisms are usually inflexible and determined attackers with knowledge of these mechanisms, could work around them. Most existing detection and response mechanisms are standalone systems which do not rely on adaptive updates to mitigate attacks. As different responses vary in their “leniency” in treating detected attack traffic, there is a need for an Adaptive Response System. We designed and implemented our DDoS Adaptive ResponsE (DARE) System, which is a distributed DDoS mitigation system capable of executing appropriate detection and mitigation responses automatically and adaptively according to the attacks. It supports easy integrations for both signature-based and anomaly-based detection modules. Additionally, the design of DARE’s individual components takes into consideration the strengths and weaknesses of existing defence mechanisms, and the characteristics and possible future mutations of DDoS attacks. These components consist of an Enhanced TCP SYN Attack Detector and Bloom-based Filter, a DDoS Flooding Attack Detector and Flow Identifier, and a Non Intrusive IP Traceback mechanism. The components work together interactively to adapt the detections and responses in accordance to the attack types. Experiments conducted on DARE show that the attack detection and mitigation are successfully completed within seconds, with about 60% to 86% of the attack traffic being dropped, while availability for legitimate and new legitimate requests is maintained. DARE is able to detect and trigger appropriate responses in accordance to the attacks being launched with high accuracy, effectiveness and efficiency. We also designed and implemented a Traffic Redirection Attack Protection System (TRAPS), a stand-alone DDoS attack detection and mitigation system for IPv6 networks. In TRAPS, the victim under attack verifies the authenticity of the source by performing virtual relocations to differentiate the legitimate traffic from the attack traffic. TRAPS requires minimal deployment effort and does not require modifications to the Internet infrastructure due to its incorporation of the Mobile IPv6 protocol. Experiments to test the feasibility of TRAPS were carried out in a testbed environment to verify that it would work with the existing Mobile IPv6 implementation. It was observed that the operations of each module were functioning correctly and TRAPS was able to successfully mitigate an attack launched with spoofed source IP addresses

Why internet protocols need incentives

Internet routers are a commons. While modest regulatory measures have generally been successful for Information Communication Technologies (ICT), this paper argues that the lack of regulation has hindered the technological evolution of the Internet in some areas. This issue is examined through five Internet problems, and the technological solutions adopted. The key contribution of this paper is the explanation of these issues and the identification of areas where misaligned incentives promote inadequate solutions or inaction. The paper reviews the available measures to encourage the adoption of globally beneficial Internet technologies

Improving the accuracy of spoofed traffic inference in inter-domain traffic

Ascertaining that a network will forward spoofed traffic usually requires an active probing vantage point in that network, effectively preventing a comprehensive view of this global Internet vulnerability. We argue that broader visibility into the spoofing problem may lie in the capability to infer lack of Source Address Validation (SAV) compliance from large, heavily aggregated Internet traffic data, such as traffic observable at Internet Exchange Points (IXPs). The key idea is to use IXPs as observatories to detect spoofed packets, by leveraging Autonomous System (AS) topology knowledge extracted from Border Gateway Protocol (BGP) data to infer which source addresses should legitimately appear across parts of the IXP switch fabric. In this thesis, we demonstrate that the existing literature does not capture several fundamental challenges to this approach, including noise in BGP data sources, heuristic AS relationship inference, and idiosyncrasies in IXP interconnec- tivity fabrics. We propose Spoofer-IX, a novel methodology to navigate these challenges, leveraging Customer Cone semantics of AS relationships to guide precise classification of inter-domain traffic as In-cone, Out-of-cone ( spoofed ), Unverifiable, Bogon, and Unas- signed. We apply our methodology on extensive data analysis using real traffic data from two distinct IXPs in Brazil, a mid-size and a large-size infrastructure. In the mid-size IXP with more than 200 members, we find an upper bound volume of Out-of-cone traffic to be more than an order of magnitude less than the previous method inferred on the same data, revealing the practical importance of Customer Cone semantics in such analysis. We also found no significant improvement in deployment of SAV in networks using the mid-size IXP between 2017 and 2019. In hopes that our methods and tools generalize to use by other IXPs who want to avoid use of their infrastructure for launching spoofed-source DoS attacks, we explore the feasibility of scaling the system to larger and more diverse IXP infrastructures. To promote this goal, and broad replicability of our results, we make the source code of Spoofer-IX publicly available. This thesis illustrates the subtleties of scientific assessments of operational Internet infrastructure, and the need for a community focus on reproducing and repeating previous methods.A constatação de que uma rede encaminhará tráfego falsificado geralmente requer um ponto de vantagem ativo de medição nessa rede, impedindo efetivamente uma visão abrangente dessa vulnerabilidade global da Internet. Isto posto, argumentamos que uma visibilidade mais ampla do problema de spoofing pode estar na capacidade de inferir a falta de conformidade com as práticas de Source Address Validation (SAV) a partir de dados de tráfego da Internet altamente agregados, como o tráfego observável nos Internet Exchange Points (IXPs). A ideia chave é usar IXPs como observatórios para detectar pacotes falsificados, aproveitando o conhecimento da topologia de sistemas autônomos extraído dos dados do protocolo BGP para inferir quais endereços de origem devem aparecer legitimamente nas comunicações através da infra-estrutura de um IXP. Nesta tese, demonstramos que a literatura existente não captura diversos desafios fundamentais para essa abordagem, incluindo ruído em fontes de dados BGP, inferência heurística de relacionamento de sistemas autônomos e características específicas de interconectividade nas infraestruturas de IXPs. Propomos o Spoofer-IX, uma nova metodologia para superar esses desafios, utilizando a semântica do Customer Cone de relacionamento de sistemas autônomos para guiar com precisão a classificação de tráfego inter-domínio como In-cone, Out-of-cone ( spoofed ), Unverifiable, Bogon, e Unassigned. Aplicamos nossa metodologia em análises extensivas sobre dados reais de tráfego de dois IXPs distintos no Brasil, uma infraestrutura de médio porte e outra de grande porte. No IXP de tamanho médio, com mais de 200 membros, encontramos um limite superior do volume de tráfego Out-of-cone uma ordem de magnitude menor que o método anterior inferiu sob os mesmos dados, revelando a importância prática da semântica do Customer Cone em tal análise. Além disso, não encontramos melhorias significativas na implantação do Source Address Validation (SAV) em redes usando o IXP de tamanho médio entre 2017 e 2019. Na esperança de que nossos métodos e ferramentas sejam aplicáveis para uso por outros IXPs que desejam evitar o uso de sua infraestrutura para iniciar ataques de negação de serviço através de pacotes de origem falsificada, exploramos a viabilidade de escalar o sistema para infraestruturas IXP maiores e mais diversas. Para promover esse objetivo e a ampla replicabilidade de nossos resultados, disponibilizamos publicamente o código fonte do Spoofer-IX. Esta tese ilustra as sutilezas das avaliações científicas da infraestrutura operacional da Internet e a necessidade de um foco da comunidade na reprodução e repetição de métodos anteriores

Intrusion Detection for Smart Grid Communication Systems

Transformation of the traditional power grid into a smart grid hosts an array of vulnerabilities associated with communication networks. Furthermore, wireless mediums used throughout the smart grid promote an environment where Denial of Service (DoS) attacks are very effective. In wireless mediums, jamming and spoofing attack techniques diminish system operations thus affecting smart grid stability and posing an immediate threat to Confidentiality, Integrity, and Availability (CIA) of the smart grid. Intrusion detection systems (IDS) serve as a primary defense in mitigating network vulnerabilities. In IDS, signatures created from historical data are compared to incoming network traffic to identify abnormalities. In this thesis, intrusion detection algorithms are proposed for attack detection in smart grid networks by means of physical, data link, network, and session layer analysis. Irregularities in these layers provide insight to whether the network is experiencing genuine or malicious activity

IP addressing, transition and security in 5G networks

The number of devices on the Internet is always increasing and there is need for reliable IP addressing. 5G network will be built on two main technologies; SDN and NFV which will make it elastic and agile compared to its predecessors. Elasticity will ensure that additional devices can always be added to the network. IPv4 addresses are already depleted and cannot support the expansion of the Internet to ensure the realization of future networks. IPv6 addressing has been proposed to support 5G networking because of the sufficient number of addresses that the protocol provides. However, IPv4 addressing will still be used concurrently with IPv6 addressing in networks until they become fully IPv6 based. The structure of IPv4 header is different from IPv6 header hence the two protocols are incompatible. There is need for seamless intercommunication between devices running IPv4 and IPv6 in future networks. Three technologies namely; Dual Stack, Tunneling and Translation have been proposed to ensure that there is smooth transition from IPv4 to IPv6 protocol. This dissertation demonstrates Tunneling of IPv6 over IPv4. Also, this research work reviews network security threats of past networks that are likely to be experienced in 5G networks. To counter them, reliable IP security strategies used in current networks are proposed for use in next generation networks. This dissertation evaluates and analyzes IPv4, IPv6 network and Tunneling models in an SDN network environment. The performance of an IPv4 only network is compared to the IPv6 only network. Also, devices addressed with both protocols are connected. The results obtained illustrate that IPv4 and IPv6 devices can effectively communicate in a 5G network environment. In addition, a tunnel is used to run IPv6 protocol over an IPv4 network. The devices on both ends of the tunnel could communicate with each other effectively