域间IP欺骗防御服务增强机制

IP地址真实性验证成为构建可信网络的基础,基于源-目的标识(密钥)的自治域级IP欺骗过滤和基于源标识(公钥)的端系统级IP认证均采用了端-端方式试图解决IP欺骗.端-端认证方式实现简单,但却忽略了IP欺骗报文对中间网络的泛洪攻击,防御效果差.提出面向IP欺骗防御联盟成员的域间IP欺骗防御服务增强机制——ESP(enhanced spoofing prevention).ESP引入开放的路由器协同机制,提供了源-目的路径中ESP节点信息通告和协同标记的框架.基于源标识IP欺骗防御,ESP融入了路径标识,不仅减小了源标识冲突概率,而且混合型标识支持了ESP节点根据报文标识提前过滤IP欺骗报文.基于BGP(border gateway protocol),提出前缀p-安全节点的概念和检测理论,有效控制了源标识传播范围,减小了ESP节点的标记和过滤开销.ESP继承了基于标识的防御机制的可部分部署性,能够很好地支持动态路由和非对称路由.应用Routeview提供的RIB(routing information base)进行评估,ESP增强了IP欺骗防御服务的能力,而且能够提前过滤IP欺骗报文.     

域间IP欺骗防御服务净化机制

IP地址真实性验证成为构建可信网络的基础,基于粗粒度的源-目的自治域标识(密钥)的域间IP欺骗报文过滤机制具有处理简单、保护范围广、部署激励高等优点,却存在不能过滤自治域内子网间IP欺骗报文等不足.而细粒度的源-目的子网标识能够解决过滤粒度粗的问题,却带来了更严重的处理复杂、计算和存储开销大等同题.针对IP欺骗防御机制的计算复杂度和过滤粒度之间的矛盾,提出一种新颖的域间IP欺骗防御服务净化机制RISP.RISP立足于域间IP欺骗防御,根据自治域内拓扑结构的稳定性,引入非对称的细粒度的源子网-目的自治域标识方式,实现对自治域间和自治域内子网间IP欺骗报文的检测与过滤.根据主要的IP欺骗报文攻击的流特征,引入流异常检测机制,实现细粒度标识的动态触发,进一步降低细粒度标识的计算和存储开销,同时对子网内恶意数据流进行流速限制.RISP在不增加自治域内防御实体的情况下,使得防御实体能够过滤自治域内子网间IP欺骗报文,计算和存储开销小,过滤粒度细,而且具有较高的部署激励.     

IPv6传输路径的可定义分段认证方法

互联网的源地址欺骗和传输路径不一致,会引出拒绝服务、非法流量窃取等多种攻击行为,网络安全受到严重威胁.所以,数据包的传输路径验证受到广泛关注.传统的包标记方案主要针对IPv4,在网络层和传输层之间加入新的字段.本文根据IPv6首部特点,提出一种分段的源认证和路径验证方案(Source and Path Verification, SPV),实现源地址真实性验证,数据面的传输路径一致性验证与错位定位.发送端在IPv6头部添加标识,任意选择部分中间路由器作为检查节点.仅由检查节点对上述数据包执行标识字段的识别和验证,无需所有途经节点都具有验证能力,提升了安全验证效率.当检查节点验证失败后,将记录发送给源端.通过新增的标识字段,发送端能够根据回传信息执行高效可靠的故障定位.通过修改标识字段的最高位,可实现自定义的路径验证,仅对某一段路径进行验证.本文通过模拟实验验证了方案的通信开销与故障定位效率,证明了本方案的可行性.     

基于数据包标记的伪造IP DDoS攻击防御

提出一种基于数据包标记的伪造IP DDoS攻击防御方案,该方案在IP数据包中嵌入一个路径相关的16位标识,通过检测标识计数器临界值判断是否发生了DDoS攻击,对伪造地址的IP数据包进行过滤,达到对DDoS攻击进行有效防御的目的。仿真实验表明,该方案对于伪造的IP数据包具有较高的识别率。     

基于散列值的以数据为中心路由协议

无线传感网络难以直接采用TCP/IP路由协议,须建立专用以数据为中心的路由协议.已有的以数据为中心的路由协议并未采用对节点全网标号.网络中传感节点在收到不同节点转发过来报文的时候难判断数据是否来自同一个汇聚节点.传统的基于IP的全网统一标识方法暂时无法适合无线传感网络.提出了一种新的节点标识命名机制,根据节点对自身的描述,通过某个散列函数生成一个散列值来标识节点.各节点描述不一致,使得标识节点自身的散列值也不一致.用此方式为节点生成一个全网统一标号.在此新的命名机制之上,提出了一种新的以数据为中心的路由协议.最后在MATLAB上仿真验证了本路由协议的性能,证明本路由协议随着网络规模的增大,各方面的优势更加明显.     

基于协同的域间路由路径真实性验证机制

BGP节点在交互路由信息的过程中,不对AS_PATH属性的真实性进行验证,致使恶意节点可以通过发布伪造路由对特定自治域施加恶意影响.尽管已有多种方案提出,但都不能有效应对伪造AS_PATH类型攻击的问题.为此,提出一种基于协同查询的域间路由路径真实性验证机制DAIR.该机制的参与节点通过查询全局邻接信息和对等节点的邻接信息,验证更新报文AS_PATH属性的真实性.分析与实验结果表明,DAIR能够有效地防范自治系统遭受AS_PATH伪造或篡改攻击,且仅需少数核心节点参与即可获得很好效果.     

虫洞攻击检测与防御技术

虫洞攻击是一种针对Ad hoc路由协议,破坏网络路由机制的攻击,它是Ad hoc网络的重大安全威胁。该文提出一种基于信任评估的端到端虫洞检测方法,估算源节点和目的节点间最短路径长度,根据路由长度和邻居节点信任度来选择路由,从而检测和防御虫洞 攻击。     

移动自组网中的MAC地址动态分配

减小动态源路由协议DSR的开销、提高无线信道的利用率的关键是在协议运行时,使用1 B的MAC地址对节点进行标识.该文研究了如何为特定IP地址标识的网络节点动态分配MAC地址,实现了一种基于预测的无冲突MAC地址动态分配方法,其中所引入的开销较低.实际应用表明,该分配方法具有较强的适用性、可靠性.     

一种满足QoS约束的自适应多径Ad Hoc网络路由协议

提出一种以网关为中心的满足QoS约束的自适应多径路由协议GC-AQMR.该协议不仅保证建立从源节点到网关的链路不相交的多条路由,同时使中间节点也保留到网关的多径路由信息,当网络拥塞或路径失效时,中间节点根据这些信息可自适应地进行路由调整.模拟实验表明：采用GC-AQMR协议的SWAN系统在报文转发率、平均端到端时延、实时业务公平性以及端到端平均吞吐量等性能指标上,均优于基于AODV协议的SWAN系统.     

基于快速公钥签名的自组网QoS多播路由认证

提出了一个新的具备安全功能的Ad hoc网多QoS约束的多播路由协议NSQMRAN。该协议采用新型公钥签名算法NTRUSign作为密码机制为路由报文签名，加强了安全性。NSQMRAN为Ad hoc网QoS多播路由协议增加了源认证机制，从而提供了QoS多播路由报文的来源真实性、数据完整性和抗否认等安全服务以抵御恶意节点的攻击。基于NS2的仿真结果表明，在Ad hoc网中，与采用RSA公钥算法的协议相比，采用NTRUSign的NSQMRAN协议网络性能较好，产生较少的端到端延迟。     

MASK: An efficient mechanism to extend inter-domain IP spoofing preventions

IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem, we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes, and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes, MASK can not only enlarge the domain of the spoofing prevention service, but also filter spoofing packets in advance. Through analysis and simulations, we demonstrate MASK＇s accuracy and effectiveness.     

基于域间路由的分布式分组过滤有效性研究

消除伪造源地址分组是互联网安全可信的内在要求.基于路由的分布式分组过滤具有良好的效果,但是目前对其有效性缺乏严密的理论分析.基于域间路由传播和互联网拓扑的分层特征,建立路由传播数模型和理想AS图模型,以此为工具分析了基于域间路由的最大过滤和半最大过滤有效性.结论印证并从理论上解释了前人研究中的实验结果.最大过滤能够消除绝大多数的伪造分组,虽然无法达到100％,但可以将伪造成功的自治系统数量限制为互联网AS路径的平均长度.在理想AS图上,半最大过滤与最大过滤的有效性相同,但是存储和计算开销要小很多,为实际中部署半最大过滤提供了理论依据.理论模型分析揭示了基于域间路由的分布式分组过滤的内在优缺点,有助于设计辅助措施和在整个互联网全面而合理地部署.     

互联网自治域间IP源地址验证技术综述

当前互联网是基于目的地址转发,对源地址不做验证.而互联网很多安全问题的根源在于源地址的不可信.另一方面,随着互联网规模和复杂度的增大以及对政治、经济利益影响的加深,域间路由系统对互联网的稳定运行起着愈发关键作用.美国国土安全部将域间路由安全问题列入了美国信息安全的国家战略.近年来,以IP源地址伪造为主要方式的分布式拒绝服务攻击不断地对互联网的安全性和可用性造成极大的破坏,这其中以跨越多个管理域和国家的攻击最为频繁.因此,建立以自治域为单位的源地址验证防御体系对互联网的安全意义重大.尽管在相关的标准和研究领域已经提出了多种域间源地址验证技术,但是目前仍未有适用于大规模部署的技术方案.本文对域间源地址验证的已有研究和标准进展进行了细致的梳理.首先,本文分析了源地址安全性缺失的原因及后果,结合国际标准化领域的研究现状,指出了域间源地址验证的重要意义.其次,本文从域间源地址验证技术的特征类别入手,对已有各类研究成果的技术原理和优缺点进行了深入的总结,对研究的演进脉络进行了详细的分析,并在此基础上提出了目前域间源地址验证技术面临的困境及原因.最后,本文提出了域间源地址验证技术未来可能的研究发展方向及设计原则建议,为后续相关研究工作的开展提供参考.     

Packet forwarding with source verification

Routers in the Internet do not perform any verification of the source IP address contained in the packets, leading to the possibility of IP spoofing. The lack of such verification opens the door for a variety of vulnerabilities, including denial-of-service (DoS) and man-in-the-middle attacks. Currently proposed spoofing prevention approaches either focus on protecting only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring situations like path asymmetry. With incremental deployability in mind, this paper presents two complementary hop-wise packet tagging approaches that equip the routers to drop spoofed packets close to their point of origin. Our simulations show that these approaches dramatically reduce the amount of spoofing possible even under partial deployment.     

Controlling IP Spoofing through Interdomain Packet Filters

The distributed denial-of-service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in border gateway protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.     

VASE: Filtering IP spoofing traffic with agility

Filtering out traffic with forged source address on routers can significantly improve the security of Internet. However, despite intermittent IP spoofing attacks, existing filtering mechanisms inspect each packet all the time, consuming considerable resource on routers even there is no spoofing at all. This article considers the requirement for a solution performing IP spoofing filtering with agility, which consumes resource in proportional to the size of attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The evaluation based on simulation shows VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits.     

Building an Identity Management Infrastructure for Today…and Tomorrow

ABSTRACT

The basis of denial of service (DoS)/distributed DoS (DDoS) attacks lies in overwhelming a victim's computer resources by flooding them with enormous traffic. This is done by compromising multiple systems that send a high volume of traffic. The traffic is often formulated in such a way that it consumes finite resources at abnormal rates either at victim or network level. In addition, spoofing of source addresses makes it difficult to combat such attacks. This paper adopts a twofold collaborative mechanism, wherein the intermediate routers are engaged in markings and the victim uses these markings for detecting and filtering the flooding attacks. The markings are used to distinguish the legitimate network traffic from the attack so as to enable the routers near the victim to filter the attack packets. The marked packets are also helpful to backtrack the true origin of the spoofed traffic, thus dropping them at the source rather than allowing them to traverse the network. To further aid in the detection of spoofed traffic, Time to Live (TTL) in the IP header is used. The mappings between the IP addresses and the markings along with the TTLs are used to find the spurious traffic. We provide numerical and simulated experimental results to show the effectiveness of the proposed system in distinguishing the legitimate traffic from the spoofed. We also give a statistical report showing the performance of our system.     

A router-based technique to mitigate reduction of quality (RoQ) attacks

We propose a router-based technique to mitigate the stealthy reduction of quality (RoQ) attacks at the routers in the Internet. The RoQ attacks have been shown to impair the QoS sensitive VoIP and the TCP traffic in the Internet. It is difficult to detect these attacks because of their low average rates. We also show that our generalized approach can detect these attacks even if they employ the source IP address spoofing, the destination IP address spoofing, and undefined periodicity to evade several router-based detection systems. The detection system operates in two phases: in phase 1, the presence of the RoQ attack is detected from the readily available per flow information at the routers, and in phase 2, the attack filtering algorithm drops the RoQ attack packets. Assuming that the attacker uses the source IP address and the destination IP address spoofing, we propose to detect the sudden increase in the traffic load of all the expired flows within a short period. In a network without RoQ attacks, we show that the traffic load of all the expired flows is less than certain thresholds, which are derived from real Internet traffic analysis. We further propose a simple filtering solution to drop the attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit. Our results show that we can successfully detect and mitigate RoQ attacks even with the source and destination IP addresses spoofed. The detection system is implemented in the ns2 simulator. In the simulations, we use the flowid field available in ns2 to implement per-flow logic, which is a combination of the source IP address, the destination IP address, the source port, and the destination port. We also discuss the real implementation of the proposed detection system.