Abstract
We present LOT, a lightweight plug-and-play secure tunneling protocol deployed at network gateways. Two communicating gateways, A and B, running LOT automatically detect each other and establish an efficient tunnel, securing communication between them. LOT tunnels allow A to discard spoofed packets that specify source addresses in B's network, and vice versa. This helps to mitigate many attacks, including DNS poisoning, network scans, and most notably (Distributed) Denial of Service (DoS).
LOT tunnels provide several additional defenses against DoS attacks. Specifically, since packets received from LOT-protected networks cannot be spoofed, LOT gateways implement quotas, identifying and blocking packet floods from specific networks. Furthermore, a receiving LOT gateway (e.g., B) can send the quota assigned to each tunnel to the peer gateway (A), which can then enforce near-source quotas, reducing waste and congestion by filtering excessive traffic before it leaves the source network. Similarly, LOT tunnels facilitate near-source filtering, where the sending gateway discards packets based on filtering rules defined by the destination gateway. LOT gateways also implement an inter-gateway congestion detection mechanism, allowing sending gateways to detect when their packets are dropped before reaching the destination gateway and to perform appropriate near-source filtering to block the congesting traffic; this helps against DoS attacks on the backbone connecting the two gateways.
LOT is practical: it is easy to manage (plug-and-play, requiring no coordination between gateways), is deployed incrementally at edge gateways (not at hosts or core routers), and has negligible overhead in terms of bandwidth and processing, as we validate experimentally. LOT storage requirements are also modest.
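The following is an added illustration of the two filtering decisions the abstract describes (discarding packets that claim a LOT-protected source address without arriving through that peer's tunnel, and per-tunnel quotas enforced both at the receiver and near the source); it is simplified model code written for this page, not the authors' LOT implementation. It assumes tunnel authentication can be represented by an opaque per-tunnel tag, that the same quota value applies in both directions, and uses constructed addresses and packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tunnel:
    peer_net: str       # CIDR of the network behind the peer gateway (parsed below)
    tag: bytes          # stands in for LOT's tunnel authentication (assumption)
    quota: int          # packets per window, as assigned by the receiving gateway
    used_in: int = 0    # packets accepted from the peer in this window
    used_out: int = 0   # packets sent toward the peer in this window (near-source quota)

    def __post_init__(self):
        self.peer_net = ipaddress.ip_network(self.peer_net)

@dataclass
class Packet:
    src: str
    dst: str
    tunnel_tag: Optional[bytes] = None  # None: arrived as plain, untunneled IP

class LotGateway:
    def __init__(self, tunnels):
        self.tunnels = list(tunnels)

    def _tunnel_for(self, addr):
        a = ipaddress.ip_address(addr)
        return next((t for t in self.tunnels if a in t.peer_net), None)

    def ingress(self, pkt):
        """Classify a packet arriving from the Internet: accept/spoofed/over_quota."""
        t = self._tunnel_for(pkt.src)
        if t is None:
            return "accept"       # source not behind a LOT peer; no tunnel expected
        if pkt.tunnel_tag != t.tag:
            return "spoofed"      # claims a LOT-protected source but not via its tunnel
        if t.used_in >= t.quota:
            return "over_quota"   # authenticated peer network exceeding its quota
        t.used_in += 1
        return "accept"

    def egress(self, pkt):
        """Near-source enforcement: drop before leaving if the peer's quota is used up."""
        t = self._tunnel_for(pkt.dst)
        if t is None:
            return "forward"
        if t.used_out >= t.quota:
            return "near_source_drop"
        t.used_out += 1
        return "forward"

    def new_window(self):
        for t in self.tunnels:
            t.used_in = t.used_out = 0
```

A packet with a source in 10.1.0.0/16 that arrives outside the tunnel is classified as spoofed even though its address is valid, which is the property that makes the subsequent quota accounting trustworthy.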
LOT: A Defense Against IP Spoofing and Flooding Attacks