Similar literature
20 similar documents found.
1.
Network security is a major challenge for big and small companies. The Internet topology is vulnerable to Distributed Denial of Service (DDoS) attacks, as it provides an opportunity for an attacker to send a large volume of traffic to a victim, which can limit its Internet availability. The main problem in the prevention of the DDoS attack, also known as the flooding attack, is how to find the source of the traffic flooding. This is because the spoofed source Internet protocol (IP) address of a packet does not affect its routing. As a result, IP traceback techniques are proposed to find the source of an attack and, in general, to find the source of any packet. In doing so, IP traceback techniques can help us to prevent Denial of Service (DoS) and DDoS attacks. In this paper, we propose an efficient Single Flow IP Traceback (SFT) technique at the Autonomous System (AS) level. Furthermore, a path signature generation algorithm is presented for detecting and filtering the spoofed traffic. Our solution assumes a secure Border Gateway Protocol (BGP) routing infrastructure for exchanging authenticated messages in order to learn the path signatures, and it uses a marking algorithm at the flow level for transmission of the traceback messages. Because our technique requires fewer bits to mark the IP packet header, the required storage space for any unique path to the victim is significantly decreased. Compared with the other existing techniques, the obtained results demonstrate that our technique has the lowest marking rate, processing overhead on the middle nodes, and destination computational cost while offering the highest accuracy in tracing back the attack.

2.
Wireless mesh networks (WMNs) have recently acquired enormous attention and momentum; therefore, security aspects have been a fundamental concern for them. Among the catastrophic threats to WMNs, Denial-of-Service attacks have become a severe danger because of their plug-and-play structural design. Unfortunately, preventing a Denial-of-Service attack presents a challenging issue. This fact is induced by the appearance of source IP address spoofing. The key to resolving this issue is to reveal the attack source based on the path through which the attack packet passes. For this, many researchers in the IP traceability field propose various methods and techniques to deal with the issue. In this article, we conceive a novel approach named the out-of-band IP traceback approach in WMN (IEEE 802.11s). We create a new architecture using signaling messages for discovering the real source(s) of IP packets. Our solution is based on a security-oriented signaling protocol. This protocol allows specialized signaling entities to communicate via reliable signaling information. This fact permits us to perform a simple and efficient traceback. In our novel approach, we use 2 radios: the first one transmits normal data packets whereas the second is reserved to exchange IP traceback information. The performance of the proposed scheme is analyzed via simulation using the Network Simulator 3. The simulation results show that our scheme is efficient in dealing with the traceback problem in WMN environments.

3.
Cellular is the inevitable architecture for the Personal Communication Service system (PCS) in the coming future. Access to the Internet via cellular networks is expected to become an essential portion of future wireless service offerings. Providing seamless support for IP based packet switched services has become an important issue. The Internet Engineering Task Force's (IETF's) mobile IP protocol offers a standard solution for wide-area mobility at the IP layer. However, Mobile IP does not solve all of the problems involved in providing mobile Internet access to cellular users, especially during the handoff period. Thus, IPv6 might be a good candidate to solve this problem. IPv6 is a new version of the Internet Protocol that was standardized by the IETF. It supports mobility and is presently being standardized by the IETF Mobile IP Working Group. At the same time, cellular is an inevitable architecture for the Personal Communication Service system (PCS). This paper introduces the current cellular support based on the Mobile Internet Protocol version 6. We will point out the shortfalls of using Mobile IP and try to emphasize protocols, especially mobile management schemes, that can optimize a high speed mobile station moving among small wireless cells. A comparison between those schemes and future work will be presented.

4.
Denial-of-service attacks pose a huge threat to network security, and defending against DDoS attacks has long been an important topic in the security field. This paper introduces router-based techniques for defending against denial-of-service attacks, including IP path reconstruction, source-end DDoS prevention strategies, mechanisms for preventing IP address spoofing, and congestion-control-based methods, and points out directions for further research.

5.
Mobility support for Internet devices is quite important for consumer electronics. The number of hand-held devices is growing quickly. However, there are not enough IP addresses for the rapidly growing number of devices in the All-IP generation. Internet Protocol version 6 (IPv6) was therefore adopted to solve these problems. Our proposed structure is based on IEEE 802.11. However, IEEE 802.11 has a serious security drawback. Further, from the Internet Service Providers' point of view, accounting is a potential problem. A mechanism combining Mobile IPv6 and AAA based on IEEE 802.11 to overcome these problems is essential. Both Internet Protocol version 4 (IPv4) and IPv6 support IP security (IPsec) when data packets are exchanged across the IP network. IPsec operates at the IP layer. It can support system authentication and authorization. However, it lacks a system accounting function. Therefore ISPs cannot establish correct billing for their services. This is the reason why we chose to combine the wireless network and AAA functions. In this paper, the AAA mechanism is used to protect security, with the architecture having authentication, authorization, and accounting functions. We will discuss the benefits of AAA and state the reason why we choose to combine AAA with the mobility architecture. Copyright © 2004 John Wiley & Sons, Ltd.

6.
Today's Internet hosts are threatened by large-scale distributed denial-of-service (DDoS) attacks. The path identification (Pi) DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per packet basis with high accuracy after only a few attack packets are received (Yaar, 2003). In this paper, we propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: Stack-based marking and write-ahead marking. Our scheme almost completely eliminates the effect of a few legacy routers on a path, and performs 2–4 times better than the original Pi scheme in a sparse deployment of Pi-enabled routers. For the filtering mechanism, we derive an optimal threshold strategy for filtering with the Pi marking. We also develop a new filter, the PiIP filter, which can be used to detect Internet protocol (IP) spoofing attacks with just a single attack packet. Finally, we discuss in detail StackPi's compatibility with IP fragmentation, applicability in an IPv6 environment, and several other important issues relating to potential deployment of StackPi.

7.
In mobile communication environments, Mobile IP is defined to let users roam everywhere and transmit information freely. It integrates communication and network systems into the Internet. The Mobile IPv6 concepts are similar to Mobile IP, and some new functions of IPv6 bring new features and schemes for mobility support. Two major problems in mobile environments are packet loss and handoff. To solve those problems, a mobile management scheme, the cellular mobile IPv6 (CMIv6), is proposed. Our approach is based on the Internet Protocol version 6 and is compatible with the Mobile IPv6 standard. Besides, it also combines with the cellular technologies, which are an inevitable architecture for the future Personal Communication Service system (PCS). In this paper, Cellular Mobile IPv6 (CMIv6), a new solution migrated from Mobile IPv6, is proposed for mobile nodes moving among small wireless cells at high speed. This is important for future mobile communication trends. CMIv6 can solve the problem of communication breaking off within smaller cellular coverage during high-speed movement when packet-switched data or real-time voice messages are transmitted. Voice over IP (VoIP) packets were chosen to verify this system. The G.723.1 Codec scheme was selected because it has better jitter resistance than GSM and G.729 in a packet-based cellular network. Simulation results using OPNET show smooth and non-breaking handoffs during high-speed movement.

8.
1 Introduction
Mobile users want to enjoy multimedia and other real-time services in the Internet. Thus the Internet Engineering Task Force (IETF) has introduced Mobile IPv4 [1] and Mobile IPv6 [2] to interoperate seamlessly with protocols that provide real-time services in the Internet. Multi-Protocol Label Switching (MPLS) is a fast label-based switching technology that integrates the label-swapping paradigm with network-layer routing [3]. Resource Reservation Protocol (RSVP) [4 ~…

9.
On IP traceback   Total citations: 5, self-citations: 0, citations by others: 5
In this article we present the current state of the art in IP traceback. The rising threat of cyber attacks, especially DDoS, makes the IP traceback problem very relevant to today's Internet security. Each approach is evaluated in terms of its pros and cons. We also relate each approach to practical deployment issues on the existing Internet infrastructure. The functionality of each approach is discussed in detail and then evaluated. We conclude with a discussion on some legal implications of IP traceback.

10.
王明华 《世界电信》2005,18(10):40-44
Distributed denial-of-service (DDoS) attacks have become one of the greatest threats to the Internet. This paper proposes a design for a DDoS defense system based on the Intel IXP1200 network processor platform and implements an actual defense system, D-Fighter. Two key techniques for countering DDoS attacks are proposed, packet authentication and fine-grained traffic control, and their principles and methods are designed and implemented in D-Fighter. Application testing in a real network test environment shows that D-Fighter meets its design goals and is effective in defending against DDoS attacks.

11.
Analysis and defense of application-layer DDoS attacks in the new network environment   Total citations: 4, self-citations: 0, citations by others: 4
谢逸  余顺争 《电信科学》2007,23(1):89-93
Addressing the application-layer distributed denial-of-service attacks that have newly emerged over the past two years in the new network environment, this paper analyzes their principles and characteristics in detail and examines the shortcomings of existing detection mechanisms in handling such attacks. Finally, the paper proposes a user-behavior-based detection mechanism that uses Web mining to detect and filter malicious attack requests according to how far the observed Web access behavior deviates from normal user browsing behavior, and isolates the attack sources through cooperation between the application layer and the transport layer.

12.
A novel deterministic packet marking (DPM) scheme for IP traceback against denial of service (DoS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a hash of its IP address and splits the hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marking router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too many packets are required to recover a router and a high false positive rate occurs in the case of large-scale DDoS. Theoretical analysis, pseudo code and experimental results are provided. The scheme is shown to be accurate and efficient and can handle large-scale DDoS attacks.

13.
The security mechanisms of IPv6 and their impact on the existing network security architecture   Total citations: 20, self-citations: 1, citations by others: 19
IPv6 not only solves today's shortage of IP addresses; because it introduces encryption and authentication mechanisms, it implements identity authentication at the network layer and ensures the integrity and confidentiality of packets, so IPv6 can be said to achieve network-layer security. This security is not absolute, however. Moreover, the security mechanisms of IPv6 bring new challenges to the current network security architecture, strongly affecting many tools that play an important role in protecting security in existing networks, so security experts urgently need to study the issue further, accumulate experience, and find suitable solutions as soon as possible.

14.
For DDoS attacks on the Internet, a new attack-ingress traceback model that takes the autonomous system as its unit is proposed. By marking addresses at the ingress link end, the victim host can recover the attack ingress with low computational complexity. The physical model and mathematical basis of the algorithm are described in detail, and theoretical formulas for the reconstruction false-report rate and the correlation function are given. The relationship between autonomous system structure and ingress/egress links is explained, and the deployment and application of the model are discussed. Concrete examples and experiments show that the algorithm performs well and has theoretical and practical value.

15.
Both IPv6 and the session initiation protocol (SIP) are default protocols for the Universal Mobile Telecommunications System (UMTS) all-Internet protocol (IP) network. In the existing mobile telecommunications environments, an IPv6-based UMTS all-IP network needs to interwork with other Internet protocol version 4 (IPv4)-based SIP networks. Therefore, mobile SIP applications are typically offered through an overlay structure over the IPv4-Internet protocol version 6 (IPv6) interworking environments. Based on 3GPP 23.228, we propose an IPv4-IPv6 translation mechanism (i.e., SIPv6 translator) that integrates different IP infrastructures (i.e., IPv4 and IPv6) to provide an overlay network for transparent SIP application deployment. In this paper, we present the architecture and the call flows of the SIPv6 translator. An analytic model is proposed to investigate the fault tolerance issue of our approach. Our study provides guidelines to select an appropriate number of processors for fault tolerance.

16.
Research on the requirements IPv6 places on the domain name system and their solutions   Total citations: 3, self-citations: 0, citations by others: 3
IPv6 is the next-generation network protocol that replaces IPv4 and has many new features and functions. The domain name system (DNS) is the basic infrastructure of the Internet, and the new features of IPv6 also require DNS support, so DNS must be upgraded to meet the requirements of IPv6. This article analyzes and studies the requirements IPv6 places on DNS and their solutions from several aspects: the IPv6 address space, IPv6 address autoconfiguration and plug-and-play, IPv6 mobility, and the transition from IPv4 to IPv6.

17.
Tracing attack packets to their sources, known as IP traceback, is an important step to counter distributed denial-of-service (DDoS) attacks. In this paper, we propose a novel packet logging based (i.e., hash-based) traceback scheme that requires an order of magnitude smaller processing and storage cost than the hash-based scheme proposed by Snoeren, thereby being able to scale to much higher link speeds (e.g., OC-768). The baseline idea of our approach is to sample and log a small percentage (e.g., 3.3%) of packets. The challenge of this low sampling rate is that much more sophisticated techniques need to be used for traceback. Our solution is to construct the attack tree using the correlation between the attack packets sampled by neighboring routers. The scheme using naive independent random sampling does not perform well due to the low correlation between the packets sampled by neighboring routers. We invent a sampling scheme that improves this correlation and the overall efficiency significantly. Another major contribution of this work is that we introduce a novel information-theoretic framework for our traceback scheme to answer important questions on system parameter tuning and the fundamental tradeoff between the resources used for traceback and the traceback accuracy. Simulation results based on real-world network topologies (e.g., Skitter) match very well with results from the information-theoretic analysis. The simulation results also demonstrate that our traceback scheme can achieve high accuracy, and scale very well to a large number of attackers (e.g., 5000+).

18.
The success of the Internet has attracted more people to take part in network navigation. Numerous wireless-communication devices have rapidly evolved in the past decade. The demand for mobile communications is increasing and packet data services through Internet protocol (IP) networks have become a trend. To supply more IP addresses to network devices and improve network performance, a new IP version 6 (IPv6) was developed by the Internet Engineering Task Force in 1994. IPv6 supports certain features that make mobility management more efficient in mobile IP. A cellular architecture is needed to improve the communications quality and to reduce power consumption, both at the base and mobile stations. In a cellular environment, handoffs occur frequently. Reducing the defects caused by handoffs is extremely important in the mobile network environment. This is especially important for high-speed moving devices. In this paper, a handoff strategy called neighbor-assisted agent architecture, which takes advantage of the ad-hoc network to improve handoff performance, is proposed. Timing analytical and simulation results show that the proposed mechanism can provide a better solution than mobile IP for handoff breaks during high-speed movement.

19.
Distributed denial of service attacks currently represent a serious threat to the appropriate operation of Internet services. To deal with this threat, we propose an overlay network that provides an IP-traceback scheme at the level of autonomous systems. Our proposed autonomous system-level IP-traceback system contrasts with previous works because it does not require a priori knowledge of the network topology and allows single-packet traceback and incremental deployment. Our first contribution is a new extension to the Border Gateway Protocol update-message community attribute that enables information to be passed across autonomous systems that are not necessarily involved in the overlay network. The second contribution is a new sequence-marking process to remove ambiguities in the traceback path. Two different strategies for incremental system deployment are investigated and evaluated. We show that strategic placement of the system on highly connected autonomous systems produces relevant results for IP traceback even if the system operates on only a few autonomous systems. The main conclusion is that the proposed system is suitable for large-scale networks such as the Internet because it provides efficient traceback and allows incremental deployment.

20.
IPSec and research on its implementation mechanisms   Total citations: 6, self-citations: 0, citations by others: 6
IPSec (Internet Protocol Security) is a new-generation Internet security protocol suite that seamlessly introduces security mechanisms into IP. It provides security services at the IP layer and applies both to the current IP version (IPv4) and to the next-generation IP (IPv6). The basic services IPSec provides include access control, data-origin authentication, rejection of replayed packets, and confidentiality. This paper introduces the IPSec architecture, analyzes each component of the IPSec protocol and its implementation mechanisms, presents the implementation mechanisms and application modes of IPSec, describes its advantages, and finally briefly discusses the limitations of IPSec and its future development directions.


Copyright©北京勤云科技发展有限公司  京ICP备09084417号