Coordination of Anti-Spoofing Mechanisms in Partial Deployments

  • An, Hyok (Department of Computer Science and Engineering, Korea University) ;
  • Lee, Heejo (Department of Computer Science and Engineering, Korea University) ;
  • Perrig, Adrian (Department of Computer Science, ETH Zurich)
  • Received : 2016.02.23
  • Reviewed : 2016.08.01
  • Published : 2016.12.31

Abstract

Internet protocol (IP) spoofing is a serious problem on the Internet. It is an attractive technique for adversaries who wish to amplify their network attacks and retain anonymity. Many approaches have been proposed to prevent IP spoofing attacks; however, they do not address a significant deployment issue, i.e., filtering inefficiency caused by a lack of deployment incentives for adopters. To defeat attacks effectively, one mechanism must be widely deployed on the network; however, the majority of the anti-spoofing mechanisms are unsuitable to solve the deployment issue by themselves. Each mechanism can work separately; however, their defensive power is considerably weak when insufficiently deployed. If we coordinate partially deployed mechanisms such that they work together, they demonstrate considerably superior performance by creating a synergy effect that overcomes their limited deployment. Therefore, we propose a universal anti-spoofing (UAS) mechanism that incorporates existing mechanisms to thwart IP spoofing attacks. In the proposed mechanism, intermediate routers utilize any existing anti-spoofing mechanism that can ascertain if a packet is spoofed and record this decision in the packet header. The edge routers of a victim network can estimate the forgery of a packet based on this information sent by the upstream routers. The results of experiments conducted with real Internet topologies indicate that UAS reduces false alarms by up to 84.5% compared to the case where each mechanism operates individually.

Project Information

Research project number : Development of Vulnerability Discovery Technologies for IoT Software Security

Research project host institution : Institute for Information & Communications Technology Promotion (IITP)
