Similar documents (20 results found, search time 15 ms)
1.
SOS: an architecture for mitigating DDoS attacks (cited by 5: 0 self-citations, 5 citations by others)
We propose an architecture called secure overlay services (SOS) that proactively prevents denial of service (DoS) attacks, including distributed (DDoS) attacks; it is geared toward supporting emergency services, or similar types of communication. The architecture uses a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by: 1) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic and 2) introducing randomness and anonymity into the forwarding architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels. Our performance measurements using a prototype implementation indicate an increase in end-to-end latency by a factor of two for the general case, and an average heal time of less than 10 s.

2.
This paper presents a robust data authentication scheme for protecting data integrity and availability in unattended wireless sensor networks. Such networks are vulnerable to several types of attacks. In particular, attackers can compromise a subset of nodes and use these nodes to transmit modified data or to prevent genuine data from being verified. The presented scheme combines security against data modification and denial of service attacks with traffic and storage efficiency. This is achieved by involving all sensor nodes in the network in the authentication process, implementing cooperative authentication with multiple authenticators, and using dual storage. Detailed analysis and extensive simulation tests show that our scheme achieves better performance compared to related schemes published in the literature in terms of traffic, storage, security against DoS attacks, and security against data replacement attacks.

3.
Low-rate TCP-targeted denial of service attacks and counter strategies (cited by 3: 0 self-citations, 3 citations by others)
Denial of Service attacks are presenting an increasing threat to the global inter-networking infrastructure. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to attack by high-rate non-responsive flows. In this paper, we investigate a class of low-rate denial of service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulations, and Internet experiments, we show that maliciously chosen low-rate DoS traffic patterns that exploit TCP's retransmission timeout mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Moreover, as such attacks exploit protocol homogeneity, we study fundamental limits of the ability of a class of randomized timeout mechanisms to thwart such low-rate DoS attacks.

4.
Qijun, Peng, Chao-Hsien. Ad hoc Networks, 2007, 5(5):613-625
Increased instances of distributed denial of service (DDoS) attacks on the Internet have raised questions on whether and how ad hoc networks are vulnerable to such attacks. This paper studies the special properties of such attacks in ad hoc networks. We examine two types of area-congestion-based DDoS attacks, remote and local attacks, and present in-depth analysis on various factors and attack constraints that an attacker may use and face. We find that (1) there are two types of congestion, self congestion and cross congestion, that need to be carefully monitored; (2) the normal traffic itself causes significant packet loss in addition to the attack impacts in both remote and local attacks; (3) the number of flooding nodes has major impacts on remote attacks, while the load of normal traffic and the position of flooding nodes are critical to local attacks; and (4) given the same number of flooding nodes and attack loads, a remote DDoS attack can cause more damage to the network than a local DDoS attack.

5.
While it is widely understood that criminal miscreants are subverting large numbers of Internet-connected computers (e.g., for bots, spyware, SPAM forwarding), it is less well appreciated that Internet routers are also being actively targeted and compromised. Indeed, due to its central role in end-to-end communication, a compromised router can be leveraged to empower a wide range of direct attacks including eavesdropping, man-in-the-middle subterfuge, and denial of service. In response, a range of specialized anomaly detection protocols has been proposed to detect misbehaving packet forwarding between routers. This article provides a general framework for understanding the design space of this work and reviews the capabilities of various detection protocols.

6.
QoS qualifiers in the IP header are prone to attacks. Malicious modifications may lead to theft of service as well as denial of service. Standard IPsec does not cover these header fields, leaving them prone to attacks. The article proposes a variant of the IPsec authentication header that includes protection of these fields. The solution is designed for single-domain networks with planned origin, such as military ad hoc networks.

7.
A wireless sensor network (WSN) principally is composed of many sensor nodes and a single in situ base station (BS), which are randomly distributed in a given area of interest. These sensor nodes transmit their measurements to the BS over multihop wireless paths. In addition to collecting and processing the sensed data, the BS performs network management operations. Because of the importance of the BS to the WSN, it is the most attractive target of attacks for an adversary. Basically, the adversary opts to locate the BS and target it with denial-of-service attack to temporarily or indefinitely disrupt the WSN operation. The adversary can intercept the data packet transmissions and use traffic analysis techniques such as evidence theory to uncover the routing topology. To counter such an attack, this paper presents a novel technique for boosting the BS anonymity by grouping nodes into clusters and creating multiple mesh-based routing topologies among the cluster heads (CHs). By applying the closed space-filling curves such as the Moore curve, for forming a mesh, the CHs are offered a number of choices for disseminating aggregated data to the BS through inter-CH paths. Then, the BS forwards the aggregated data as well so that it appears as one of the CHs. The simulation results confirm the effectiveness of the proposed technique in boosting the anonymity of the BS.

8.
Jamming sensor networks: attack and defense strategies (cited by 1: 0 self-citations, 1 citation by others)
Wireless sensor networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming, attacks that effectively cause a denial of service of either transmission or reception functionalities. These attacks can easily be accomplished by an adversary by either bypassing MAC-layer protocols or emitting a radio signal targeted at jamming a particular channel. In this article we survey different jamming attacks that may be employed against a sensor network. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. We highlight the challenges associated with detecting jamming. To cope with jamming, we propose two different but complementary approaches. One approach is to simply retreat from the interferer which may be accomplished by either spectral evasion (channel surfing) or spatial evasion (spatial retreats). The second approach aims to compete more actively with the interferer by adjusting resources, such as power levels and communication coding, to achieve communication in the presence of the jammer.

9.
In a mobile network that is multihomed by multiple mobile routers, a mobile router that loses link connectivity can be replaced by the other mobile routers. We propose a transparent failover mechanism (TFM) to provide seamless Internet services to nodes in the mobile network, which is validated by implementing a real test-bed. Compared to the network mobility basic support protocol, TFM does not require the nodes attached to the failed mobile router to change their addresses, and hence has two advantages: (a) IP connectivity is maintained transparently, and (b) failover is quickly accomplished by avoiding the address re-configuration process in each node.

10.
The average number of joint hops in a shortest-path multicast tree from a root to m arbitrarily chosen group member nodes is studied. A general theory for all graphs, hence including the graph representation of the Internet, is presented which quantifies the multicast reduction in network links compared to m times unicast. For two special types of graphs, the random graph Gp(N) and the k-ary tree, exact and asymptotic results are derived. Comparing these explicit results with previously published Internet measurements indicates that the number of routers in the Internet that can be reached from a root grows exponentially in the number of hops with an effective degree of approximately 3.2.

11.
Providing desirable data security, that is, confidentiality, authenticity, and availability, in wireless sensor networks (WSNs) is challenging, as a WSN usually consists of a large number of resource-constrained sensor nodes that are generally deployed in unattended/hostile environments and, hence, are exposed to many types of severe insider attacks due to node compromise. Existing security designs mostly provide a hop-by-hop security paradigm and thus are vulnerable to such attacks. Furthermore, existing security designs are also vulnerable to many types of denial of service (DoS) attacks, such as report disruption attacks and selective forwarding attacks, and thus put data availability at stake. In this paper, we seek to overcome these vulnerabilities for large-scale static WSNs. We come up with a location-aware end-to-end security framework in which secret keys are bound to geographic locations and each node stores a few keys based on its own location. This location-aware property effectively limits the impact of compromised nodes only to their vicinity without affecting end-to-end data security. The proposed multifunctional key management framework assures both node-to-sink and node-to-node authentication along the report forwarding routes. Moreover, the proposed data delivery approach guarantees efficient en-route bogus data filtering and is highly robust against DoS attacks. The evaluation demonstrates that the proposed design is highly resilient against an increasing number of compromised nodes and effective in energy savings.

12.
A survey of recent advances in distributed denial-of-service attack research (cited by 13: 2 self-citations, 11 citations by others)
孙长华, 刘斌. 《电子学报》 (Acta Electronica Sinica), 2009, 37(7):1562-1570
Distributed denial-of-service attacks have long been a difficult research problem in network security. Building on a further analysis of the damage caused by distributed denial-of-service attacks and its causes, this paper surveys the research on and proposed solutions to the problem since 2005, chiefly: network filtering by network service providers, verification-work-based approaches, overlay-network-based approaches, and network-capability-based approaches. By analyzing their advantages and disadvantages, we summarize the characteristics of deployable solutions and give an outlook on future research.

13.
Named data networking (NDN) has attracted much attention on the design for next generation Internet architecture. Although it embeds some security primitives in its original architecture, it may suffer from denial-of-service (DoS) attacks. In this paper, we model one representative type of NDN-specific DoS attacks named DoS against pending interest table (PIT), or DoS-PIT, which floods malicious Interests that request nonexistent content to bypass cached content at routers and to exhaust the memory resource for PIT, bringing in severe service degradation. In our proposed analytical model, the closed-form expressions for the DoS probability for users suffering DoS-PIT are derived, while considering several important factors of NDN networks such as PIT size, time-to-live of each PIT entry, popularity of content, and cache size. Moreover, extensive simulation experiments demonstrate the accuracy of the proposed model on evaluating the damage effect of DoS-PIT. In addition, the proposed model can be chosen to guide designing effective countermeasures for DoS-PIT (or attacks with similar way to harm NDN) by properly setting the values of some parameters (e.g., cache size) of each NDN router. Copyright © 2013 John Wiley & Sons, Ltd.

14.
A novel deterministic packet marking (DPM) for IP traceback against denial of service (DoS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a hash of its IP address and splits the hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marked router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too many packets are required to recover a router and a high false positive rate occurs in case of large-scale DDoS. Theoretical analysis, the pseudo code and experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.

15.
Availability of service in many wireless networks depends on the ability for network users to establish and maintain communication channels using control messages from base stations and other users. An adversary with knowledge of the underlying communication protocol can mount an efficient denial of service attack by jamming the communication channels used to exchange control messages. The use of spread spectrum techniques can deter an external adversary from such control channel jamming attacks. However, malicious colluding insiders or an adversary who captures or compromises system users is not deterred by spread spectrum, as they know the required spreading sequences. For the case of internal adversaries, we propose a framework for control channel access schemes using the random assignment of cryptographic keys to hide the location of control channels. We propose and evaluate metrics to quantify the probabilistic availability of service under control channel jamming by malicious or compromised users and show that the availability of service degrades gracefully as the number of colluding insiders or compromised users increases. We propose an algorithm called GUIDE for the identification of compromised users in the system based on the set of control channels that are jammed. We evaluate the estimation error using the GUIDE algorithm in terms of the false alarm and miss rates in the identification problem. We discuss various design trade-offs between robustness to control channel jamming and resource expenditure.

16.
This paper describes an internetworking architecture and related protocol overview based on routers that have asynchronous transfer mode (ATM) cell switching capability in addition to conventional Internet protocol (IP) packet forwarding. The proposed architecture can provide high-throughput and low-latency switched paths for individual application flows or a group of application flows while retaining the current router-based internetworking architecture. The proposed router is able to establish the switched path based on the characteristics of flows, e.g., arrival of a data packet with specific upper layer protocols or arrival of more than a certain amount of data packets in a predetermined period, as well as by the reception of an IP-layer resource reservation request, such as resource reservation protocol (RSVP). One important feature that is provided by the proposed router is interoperability with the emerging ATM network platform specified by the ATM Forum and the telecommunications sector of the International Telecommunications Union (ITU-T). The proposed routers can be interconnected with each other over the point-to-point synchronous optical network link as well as over the ATM network platform, which provides permanent virtual channel, virtual path, or switched virtual channel (SVC) services. That enables network carriers to provide Internet/intranet services as well as others, such as telephony, ATM/time division multiplexing leased line, or native ATM SVC services.

17.
A common approach to overcome the limited nature of sensor networks is to aggregate data at intermediate nodes. A challenging issue in this context is to guarantee end-to-end security mainly because sensor networks are extremely vulnerable to node compromises. We propose three schemes to secure data aggregation that rely on multipath routing. The first guarantees data confidentiality through secret sharing, while the second and third provide data availability through information dispersal. Based on qualitative analysis and implementation, we show that by applying these schemes, a sensor network can achieve data confidentiality, authenticity, and protection against denial of service attacks even in the presence of multiple compromised nodes.

18.
The latest advances in Wavelength Division Multiplexing (WDM) technology are making it possible to build all-optical transparent WDM networks, which are expected to be able to satisfy the rapid growth of today's capacity demand. However, the transparency of such networks makes them highly vulnerable to deliberate attacks, specifically targeting the physical layer. Physical-layer attacks, such as high-power jamming, can cause severe service disruption or even service denial, enhanced by their capability to propagate through a transparent optical network. Several attack-aware routing and wavelength assignment algorithms have been proposed to reduce the possible disruption caused by high-power jamming attacks. However, even with network planning approaches which take network security, specifically physical-layer attacks, into account, resilience to deliberate attacks in such scenarios remains an issue.
In this paper, we propose the use of wavelength-selective attenuators as power equalizers inside network nodes to limit the propagation of high-power jamming attacks. Due to the increased cost of optical switching nodes associated with the addition of power equalizers, we aim at minimizing their number through sparse power equalization placement. We developed a set of greedy algorithms to solve what we call the Power Equalization Placement (PEP) problem with the objective of minimizing the number of power equalizers needed to reduce, to a desired level, the propagation of high-power jamming attacks for a given routing scheme. We further improved upon these results by proposing a GRASP (Greedy Randomized Adaptive Search Procedure) heuristic with a somewhat longer execution time, but with significantly superior results.
The performance evaluation results indicate that the proposed GRASP heuristic can achieve the same attack propagation reduction as can be obtained by equipping all nodes with power equalizers by placing them at less than 50% of the nodes on average, potentially yielding significant cost savings.

19.
In order to provide value-added services such as policy-based routing and quality of service in next generation networks, Internet routers need to classify packets into flows for different treatments. Since packet classification should be performed at wire speed for every packet arriving at several hundred gigabits per second, it becomes a major challenge in Internet routers. In this letter, we propose a new packet classification scheme based on a hierarchical binary search tree. The proposed scheme hierarchically connects binary search trees without empty internal nodes, and hence the proposed architecture significantly improves the search performance as well as greatly reduces the memory requirement compared with trie-based schemes.

20.
We propose a service concept in which high-speed Ethernet interfaces from end hosts are dynamically cross-connected to equivalent-rate Ethernet-over-SONET (EoS) optical circuits for transport across metro-area networks and/or wide-area networks. We call our service concept reconfigurable Ethernet/SONET circuits to end users (RESCUE). We describe how RESCUE can be used for two applications: dial-up service to Internet service provider routers and file transfers. We propose to deploy RESCUE service as an "add-on" to current Internet access for many reasons. Primary among these is that it allows a metro optical circuit-switched network to be operated at a high utilization, which is important to achieve a cost-effective bandwidth-efficient network. Given that end hosts with access to RESCUE service will have a choice of two paths, the primary Internet path and a secondary RESCUE option, end-host applications will need to make a routing decision. We carry out a quantitative analysis to provide a basis for this routing decision for both dial-up service and file transfers. For example, with the file-transfer application, if call-blocking probability on the optical circuit-switched network is 30% and the packet-loss rate on the transmission control protocol/Internet protocol path is 1%, a circuit setup should be attempted for files 180 KB or larger in low-propagation delay environments.
