Updated SSDP Scheme for DDoS Attack Defense

  • Huang, Haiou (College of Computer Science and Technology, Jilin University)
  • Hu, Liang (College of Computer Science and Technology, Jilin University)
  • Chu, Jianfeng (College of Computer Science and Technology, Jilin University)
  • Received : 2017.09.20
  • Accepted : 2018.04.26
  • Published : 2018.09.30

Abstract

Abusing the Simple Server Discovery Protocol (SSDP) can induce an SSDP attack (including SSDP DoS, DDoS, and DRDoS), which poses a significant threat to UPnP devices. Rapid and extensive developments in computer technology, especially with regard to IoT, have made UPnP devices an indispensable part of our daily lives, but without suitable countermeasures these devices are also susceptible to a variety of SSDP attacks. This paper proposes the Two-dimensional table scheme, which provides high security at a reasonable computational cost. The feasibility and effectiveness of the proposed scheme are also validated by comparison against four other schemes (Stateless connections, Failing-together, Cookie, and Client puzzle).
