87 research outputs found

    Towards Loop-Free Forwarding of Anonymous Internet Datagrams that Enforce Provenance

    The way in which addressing and forwarding are implemented in the Internet constitutes one of its biggest privacy and security challenges. The fact that source addresses in Internet datagrams cannot be trusted makes the IP Internet inherently vulnerable to DoS and DDoS attacks. The Internet forwarding plane is open to attacks on the privacy of datagram sources, because source addresses in Internet datagrams have global scope. The fact that Internet datagrams are forwarded based solely on the destination addresses stated in datagram headers and the next hops stored in the forwarding information bases (FIBs) of relaying routers allows Internet datagrams to traverse loops, which wastes resources and leaves the Internet open to further attacks. We introduce PEAR (Provenance Enforcement through Addressing and Routing), a new approach to addressing and forwarding of Internet datagrams that enables anonymous forwarding of Internet datagrams, eliminates many of the existing DDoS attacks on the IP Internet, and prevents Internet datagrams from looping, even in the presence of routing-table loops.
    Comment: Proceedings of IEEE Globecom 2016, 4-8 December 2016, Washington, D.C., US

    Active Internet Traffic Filtering: Real-time Response to Denial of Service Attacks

    Denial of Service (DoS) attacks are one of the most challenging threats to Internet security. An attacker typically compromises a large number of vulnerable hosts and uses them to flood the victim's site with malicious traffic, clogging its tail circuit and interfering with normal traffic. At present, the network operator of a site under attack has no other resolution but to respond manually by inserting filters in the appropriate edge routers to drop attack traffic. However, as DoS attacks become increasingly sophisticated, manual filter propagation becomes unacceptably slow or even infeasible. In this paper, we present Active Internet Traffic Filtering, a new automatic filter propagation protocol. We argue that this system provides a guaranteed, significant level of protection against DoS attacks in exchange for a reasonable, bounded amount of router resources. We also argue that the proposed system cannot be abused by a malicious node to interfere with normal Internet operation. Finally, we argue that it retains its efficiency in the face of continued Internet growth.
    Comment: Briefly describes the core ideas of AITF, a protocol for facing Denial of Service Attacks. 6 pages lon

    NOVEL SCHEME FOR DETECTING IP SPOOFERS USING PASSIVE IP TRACEBACK

    IP spoofing is an attack in which the attacker launches the attack using a forged source IP address. It has long been known that attackers may use forged source IP addresses to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has not been a widely adopted IP traceback solution, at least at the Internet level. As a result, the mist on the locations of spoofers has never been dissipated till now. This paper proposes passive IP traceback (PIT), which bypasses the deployment difficulties of IP traceback techniques. PIT investigates Internet Control Message Protocol error messages (named path backscatter) triggered by spoofing traffic, and tracks the spoofers based on publicly available information (e.g., topology). In this way, PIT can find the spoofers without any deployment requirement. This paper illustrates the causes, collection, and statistical results on path backscatter, demonstrates the processes and effectiveness of PIT, and shows the captured locations of spoofers through applying PIT to the path backscatter data set. These results can help further reveal IP spoofing, which has been studied for long but never well understood.

    Centralized prevention of denial of service attacks

    The world has come to depend on the Internet at an increasing rate for communication, e-commerce, and many other essential services. As such, the Internet has become an integral part of the workings of society at large. This has led to an increased vulnerability to remotely controlled disruption of vital commercial and government operations, with obvious implications. This disruption can be caused by an attack on one or more specific networks, which will deny service to legitimate users, or an attack on the Internet itself by creating large amounts of spurious traffic (which will deny services to many or all networks). Individual organizations can take steps to protect themselves, but this does not solve the problem of an Internet-wide attack. This thesis focuses on an analysis of the different types of Denial of Service attacks and suggests an approach to prevent both categories by centralized detection and limitation of excessive packet flows.

    Non-intrusive IP Traceback for DDoS Attacks

    The paper describes a Non-Intrusive IP traceback scheme which uses sampled traffic under non-attack conditions to build and maintain caches of the valid source addresses transiting network routers. Under attack conditions, route anomalies are detected by determining which routers have been used for unknown source addresses, in order to construct the attack graph. Results of simulation studies are presented. Our approach does not require changes to the Internet routers or protocols. Precise information regarding the attack is not required, allowing a wide variety of DDoS attack detection techniques to be used. Our algorithm is simple and efficient, allowing for a fast traceback, and the scheme is scalable due to the distribution of processing workload. Copyright 2007 ACM

    DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATHWAY BACKSCATTER IN PASSIVE IP TRACEBACK

    It has long been known that attackers may use forged source IP addresses to obscure their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has not been a widely adopted IP traceback solution, at least at the Internet level. As a result, the mist on the locations of spoofers has never been dissipated till now. This paper proposes passive IP traceback (PIT), which bypasses the deployment difficulties of IP traceback techniques. PIT investigates Internet Control Message Protocol error messages (named path backscatter) triggered by spoofing traffic, and tracks the spoofers based on publicly available information (e.g., topology). In this way, PIT can find the spoofers without any deployment requirement. This paper illustrates the causes, collection, and statistical results on path backscatter, demonstrates the processes and effectiveness of PIT, and shows the captured locations of spoofers through applying PIT to the path backscatter data set. These results can help further reveal IP spoofing, which has been studied for long but never well understood. Though PIT cannot work in all the spoofing attacks, it may be the most useful mechanism to trace spoofers before an Internet-level traceback system has been deployed in real

    EXPLORATIVE STUDY ON THE CYBER-ATTACK SOURCE TRACEBACK TECHNOLOGIES FOR BRIGHT INTERNET

    In order to cope with the various types of cyber-attacks on the Internet, several methods of tracking the source of an attack have been developed. However, until recently, most of them have been defensive security methods rather than preventive ones. In order to establish the Bright Internet, which is still in its early stage, it is necessary to establish a technical source tracking method. For this, a standard and evaluation criteria are needed to determine which technology would be appropriate for the Bright Internet requirements. In this paper, we classify cyber-attack source traceback technologies and derive some criteria for the evaluation of the technologies for the Bright Internet. Using the criteria, we can evaluate existing traceback technologies from the perspective of the Bright Internet. In this article, we try to evaluate SAVA, PPM, iTrace, Controlled flooding, Input Debugging, Central Track, IPSec, SPIE (Hash-based), and Marking+Logging methods. Based on this research, future research will require in-depth verification of traceback technologies that reflect all the principles of the Bright Internet in practice.

    Defending grid web services from XDoS attacks by SOTA

    Grid Web Services are still relatively new to business systems, and as more systems are being attached to them, any threat to them could bring collapse and huge harm. Some of these potential threats to Grid Web services come in the form of a new denial of service attack (DoS), called XML Denial of Service or XDoS attacks. Though, as yet, there have not been any attacks reported in the media, we have observed that these attacks are actually far less complex to implement than any previous Denial of Service (DoS) attack, but still just as effective. Current security applications for grid web services (WS-Security, for example), based on our observations, are not up to the job of handling the problem. In this paper, we build on our previous work called Service Oriented Traceback Architecture (SOTA), and apply our model to Grid Networks that employ web services. We further introduce a filter defence system, called XDetector, to work in combination with SOTA. Our results show that SOTA in conjunction with XDetector makes for an effective defence against XDoS attacks and upcoming DXDoS.