
LOT: A Defense Against IP Spoofing and Flooding Attacks

Published: 01 July 2012

Abstract

We present LOT, a lightweight plug and play secure tunneling protocol deployed at network gateways. Two communicating gateways, A and B, running LOT would automatically detect each other and establish an efficient tunnel, securing communication between them. LOT tunnels allow A to discard spoofed packets that specify source addresses in B’s network and vice versa. This helps to mitigate many attacks, including DNS poisoning, network scans, and most notably (Distributed) Denial of Service (DoS).

LOT tunnels provide several additional defenses against DoS attacks. Specifically, since packets received from LOT-protected networks cannot be spoofed, LOT gateways implement quotas, identifying and blocking packet floods from specific networks. Furthermore, a receiving LOT gateway (e.g., B) can send the quota assigned to each tunnel to the peer gateway (A), which can then enforce near-source quotas, reducing waste and congestion by filtering excessive traffic before it leaves the source network. Similarly, LOT tunnels facilitate near-source filtering, where the sending gateway discards packets based on filtering rules defined by the destination gateway. LOT gateways also implement an intergateway congestion detection mechanism, allowing sending gateways to detect when their packets get dropped before reaching the destination gateway and to perform appropriate near-source filtering to block the congesting traffic; this helps against DoS attacks on the backbone connecting the two gateways.

LOT is practical: it is easy to manage (plug and play, requires no coordination between gateways), deployed incrementally at edge gateways (not at hosts and core routers), and has negligible overhead in terms of bandwidth and processing, as we validate experimentally. LOT storage requirements are also modest.
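As an added illustration (not the paper's code) of the receive-side decisions the abstract describes: gateway B accepts packets that arrive through the tunnel from A's network, discards packets that claim a source in A's network but did not arrive through that tunnel as spoofed, and counts tunneled packets against the per-tunnel quota it assigned. The packet layout, the HMAC-based tunnel tag and the quota value are assumptions made here; the page does not describe the tunnel's actual authentication mechanism.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Packet:
    src: str                      # claimed IP source address
    payload: bytes
    tag: Optional[bytes] = None   # LOT tunnel tag; None = arrived outside any tunnel

@dataclass
class Tunnel:
    network: ipaddress.IPv4Network  # peer gateway's protected prefix
    key: bytes                      # shared tunnel key (assumed mechanism)
    quota: int                      # packets accepted per window from this network
    used: int = 0

def tunnel_tag(key: bytes, src: str, payload: bytes) -> bytes:
    """Tag a tunneled packet. Assumed here: HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(key, src.encode() + payload, hashlib.sha256).digest()[:8]

class LotGateway:
    def __init__(self) -> None:
        self.tunnels: Dict[ipaddress.IPv4Network, Tunnel] = {}
    def add_tunnel(self, network: str, key: bytes, quota: int) -> None:
        net = ipaddress.ip_network(network)
        self.tunnels[net] = Tunnel(net, key, quota)
    def _tunnel_for(self, src: str) -> Optional[Tunnel]:
        addr = ipaddress.ip_address(src)
        return next((t for net, t in self.tunnels.items() if addr in net), None)

    def receive(self, pkt: Packet) -> str:
        t = self._tunnel_for(pkt.src)
        if t is None:
            return "accept"         # not a LOT-protected source: LOT makes no decision
        expected = tunnel_tag(t.key, pkt.src, pkt.payload)
        if pkt.tag is None or not hmac.compare_digest(pkt.tag, expected):
            return "drop-spoofed"   # claims peer's prefix but did not arrive via its tunnel
        if t.used >= t.quota:
            return "drop-quota"     # authentic network, but over its per-tunnel quota
        t.used += 1
        return "accept"

def demo() -> List[str]:
    """Constructed traffic: tunneled, spoofed, tunneled, tunneled (over quota), unrelated."""
    gw = LotGateway()
    key = b"tunnel-key-A-B"
    gw.add_tunnel("10.1.0.0/16", key, quota=2)
    def tun(src, data):
        return Packet(src, data, tunnel_tag(key, src, data))
    pkts = [tun("10.1.2.3", b"a"), Packet("10.1.2.4", b"b"), tun("10.1.2.5", b"c"),
            tun("10.1.2.6", b"d"), Packet("192.0.2.9", b"e")]
    return [gw.receive(p) for p in pkts]
```

A real deployment would reset `used` per quota window and, as the abstract notes, send the per-tunnel quotas back to the peer so it can enforce them near the source.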

Published in

ACM Transactions on Information and System Security, Volume 15, Issue 2 (July 2012), 138 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2240276

Copyright © 2012 ACM


Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 1 July 2012
• Accepted: 1 November 2011
• Revised: 1 September 2011
• Received: 1 September 2010


Qualifiers

• research-article
• Research
• Refereed
