Phoolproof Phishing Prevention
Phishing, or web spoofing, is a growing problem: the Anti-Phishing Working Group (APWG) received almost 14,000 unique phishing reports in August 2005, a 56% jump over the number of reports in December 2004. For financial institutions, phishing is a particularly insidious problem, since trust forms the foundation for customer relationships, and phishing attacks undermine confidence in an institution. Phishing attacks succeed by exploiting a user's inability to distinguish legitimate sites from spoofed sites. Prior research focuses on assisting the user in making this distinction, but these approaches require the user to make the right security decision every time. A single mistake results in a total compromise of the user's online account. Unfortunately, humans are ill-suited for performing the security checks necessary for secure authentication. Fundamentally, users should be authenticated using information that they cannot readily reveal to malicious parties. Our system eliminates reliance on perfect user behavior and protects a user's account even in the presence of keyloggers and other forms of spyware. We demonstrate the practicality of our system with a working prototype. Ultimately, placing less reliance on the user during the authentication process will enhance security and eliminate many forms of fraud.
Don’t Talk to Zombies: Mitigating DDoS Attacks via Attestation (CMU-CyLab-09-009)
Distributed Denial-of-Service (DDoS) attacks typically originate from exploited endhosts controlled by a remote attacker. Current network-based DDoS defenses can only filter out malicious traffic based on the traffic's inherent properties; they cannot filter based on properties of the endhost that generated the traffic. We observe that the identity of the code that has generated a packet offers powerful predicates for filtering, and we develop a secure, general architecture, Assayer, for in-network filtering based on endhost properties. Our proposed Assayer architecture leverages hardware-based attestation mechanisms to enable legitimate endhosts to embed secure proofs of code identity in packets. Receivers can specify traffic policies, which are enforced by on-path prioritizers. We design Assayer to achieve scalability, efficiency, and incremental deployability. We implement and evaluate a basic Assayer prototype and find that the perceived application overhead, felt only during periods of significant network congestion, is less than 12%. Our simulations indicate that our architecture, even when deployed only at the victim's ISP, provides excellent protection against a botnet of 100,000 attacking hosts.
SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks
One of the fundamental limitations of the Internet is the inability of a packet flow recipient to halt disruptive flows before they consume the recipient's network link resources. Critical infrastructures and businesses alike are vulnerable to DoS attacks or flash-crowds that can incapacitate their networks with traffic floods. Unfortunately, current mechanisms require per-flow state at routers, ISP collaboration, or the deployment of an overlay infrastructure to defend against these events.

In this paper, we present SIFF, a Stateless Internet Flow Filter, which allows an end-host to selectively stop individual flows from reaching its network, without any of the common assumptions listed above. We divide all network traffic into two classes, privileged (prioritized packets subject to recipient control) and unprivileged (legacy traffic). Privileged channels are established through a capability exchange handshake. Capabilities are dynamic and verified statelessly by the routers in the network, and can be revoked by quenching update messages to an offending host. SIFF is transparent to legacy clients and servers, but only updated hosts will enjoy the benefits of it.
Secure Hierarchical In-Network Aggregation in Sensor Networks
In-network aggregation is an essential primitive for performing queries on sensor network data. However, most aggregation algorithms assume that all intermediate nodes are trusted. In contrast, the standard threat model in sensor network security assumes that an attacker may control a fraction of the nodes, which may misbehave in an arbitrary (Byzantine) manner.

We present the first algorithm for provably secure hierarchical in-network data aggregation. Our algorithm is guaranteed to detect any manipulation of the aggregate by the adversary beyond what is achievable through direct injection of data values at compromised nodes. In other words, the adversary can never gain any advantage from misrepresenting intermediate aggregation computations. Our algorithm incurs only O(Δ log² n) node congestion, supports arbitrary tree-based aggregator topologies and retains its resistance against aggregation manipulation in the presence of arbitrary numbers of malicious nodes. The main algorithm is based on performing the SUM aggregation securely by first forcing the adversary to commit to its choice of intermediate aggregation results, and then having the sensor nodes independently verify that their contributions to the aggregate are correctly incorporated. We show how to reduce secure MEDIAN, COUNT, and AVERAGE to this primitive.
FastPass: Providing First-Packet Delivery
This paper introduces FastPass, an architecture that thwarts flooding attacks by providing destinations with total control over their upstream network capacity. FastPass explores an extreme design point, providing complete resistance to directed flooding attacks. FastPass builds upon prior work on network capabilities and addresses the oft-noted problem that in such schemes, a sender must first get one packet through with no protection against DoS. FastPass provides cryptographic availability tokens to senders that routers verify before expediting their delivery. We present two variants of the tokens. The first uses light-weight public key cryptography and is practical in high-speed routers with modest hardware additions. The second uses a symmetric hash-chaining scheme and is easily implemented in software. In sharp contrast to prior systems, our evaluation shows that hosts using FastPass can quickly communicate regardless of the size of the attack directed against the nodes.
StackPi: A New Defense Mechanism Against IP Spoofing and DDoS Attacks
Today's Internet hosts are threatened by IP spoofing attacks and large scale Distributed Denial-of-Service (DDoS) attacks. We propose a new defense mechanism, StackPi, which, unlike previous approaches, allows the host being attacked, or its upstream ISP, to filter out attack packets and to detect spoofed source IP addresses, on a per-packet basis. In StackPi, a packet is marked deterministically by routers along its path towards the destination. Packets traveling along the same path will have the same marking so that an attack victim need only identify the StackPi marks of attack packets to filter out all further attack packets with the same marking. In addition, the victim can associate StackPi marks with source IP addresses to detect source IP address spoofing by changes in the corresponding StackPi mark. StackPi filtering can thus defend against not only DDoS attacks, but also many IP spoofing attacks, such as TCP hijacking and multicast source spoofing attacks. Because each complete mark fits within a single packet, the StackPi defense responds quickly to attacks and can be effective after the first attack packet in an IP spoofing attack, or after a small number of attack packets in the case of a DDoS attack. StackPi also supports incremental deployment, such that significant benefits are realized even if only one third of Internet routers implement StackPi marking. We show these results through analysis and simulations based on several real Internet topologies.
Pi: A Path Identification Mechanism to Defend Against DDoS Attacks
Distributed Denial of Service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin. We propose Pi (short for Path Identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per-packet basis, regardless of source IP address spoofing.

Pi features many unique properties. It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers' identifiers on a per-packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely light-weight and require negligible state.

We use traceroute maps of real Internet topologies (e.g. CAIDA's Skitter [5] and Burch and Cheswick's Internet Map [3, 14]) to simulate DDoS attacks and validate our design.
Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing
The popularity of "Trust-on-first-use" (Tofu) authentication, used by SSH and HTTPS with self-signed certificates, demonstrates significant demand for host authentication that is low-cost and simple to deploy. While Tofu-based applications are a clear improvement over completely insecure protocols, they can leave users vulnerable to even simple network attacks. Our system, PERSPECTIVES, thwarts many of these attacks by using a collection of "notary" hosts that observes a server's public key via multiple network vantage points (detecting localized attacks) and keeps a record of the server's key over time (recognizing short-lived attacks). Clients can download these records on-demand and compare them against an unauthenticated key, detecting many common attacks. PERSPECTIVES explores a promising part of the host authentication design space: Trust-on-first-use applications gain significant attack robustness without sacrificing their ease-of-use. We also analyze the security provided by PERSPECTIVES and describe our experience building and deploying a publicly available implementation.
Random Key Predistribution Schemes for Sensor Networks
Key establishment in sensor networks is a challenging problem because asymmetric key cryptosystems are unsuitable for use in resource-constrained sensor nodes, and also because the nodes could be physically compromised by an adversary. We present three new mechanisms for key establishment using the framework of pre-distributing a random set of keys to each node. First, in the q-composite keys scheme, we trade off the unlikeliness of a large-scale network attack in order to significantly strengthen random key predistribution's strength against smaller-scale attacks. Second, in the multipath-reinforcement scheme, we show how to strengthen the security between any two nodes by leveraging the security of other links. Finally, we present the random-pairwise keys scheme, which perfectly preserves the secrecy of the rest of the network when any node is captured, and also enables node-to-node authentication and quorum-based revocation.
Help Me Help You: Using Trustworthy Host-Based Information in the Network (CMU-CyLab-09-016)
As hardware support for improved endhost security becomes ubiquitous, it is important to consider how network security and performance can benefit from these improvements. If endhosts (or at least portions of each endhost) can be trusted, then network infrastructure no longer needs to arduously and imprecisely reconstruct data already known by the endhosts. Through the design of a general-purpose architecture we call Assayer, we explore the issues in providing trusted host-based data, including the balance between useful information and user privacy, and the tradeoffs between security and efficiency. We also evaluate the usefulness of such information in three case studies.

To gain insight into the performance we could expect from such a system, we implement and evaluate a basic Assayer prototype. Our prototype requires fewer than 1,000 lines of code on the endhost. Endhosts can annotate their outbound traffic in a few microseconds, and these annotations can be checked efficiently; even packet-level annotations on a gigabit link can be checked with a loss in throughput of only 3.7-18.3%.