Results 21 - 30 of 355
Use of spectral analysis in defense against DoS attacks
In Proceedings of the IEEE GLOBECOM, 2002
Cited by 58 (0 self)
Abstract: We propose using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks. The approach can reduce false positives of attacker identification schemes and thus decrease the associated unnecessary slowdown or stoppage of legitimate traffic. For the spectral analysis, we use the number of packet arrivals of a flow in fixed-length time intervals as the signal. We then estimate the power spectral density of the signal, in which information of periodicity, or lack thereof, in the signal reveals itself. A normal TCP flow should exhibit strong periodicity around its round-trip time in both flow directions, whereas an attack flow usually does not. We validate the effectiveness of the approach with simulation and trace analysis. We argue that the approach complements existing DoS defense mechanisms that focus on identifying attack traffic.
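The abstract describes the signal (per-bin packet arrival counts), the estimator (power spectral density) and the decision (a strong line near the RTT marks a normal TCP flow). The following is an added illustration, not code from the paper: it builds a constructed bursty "TCP" flow whose window is emitted once per RTT (assumed here to be 8 bins), a constant-rate flood and a pseudo-randomly jittered flood, estimates each flow's periodogram with a direct DFT in pure Python, and whitelists a flow only when its dominant spectral line sits at the expected RTT and carries most of the non-DC power. The thresholds, the bin width and the 8-bin RTT are assumptions for the example, and only one flow direction is analysed, whereas the paper checks both.

```python
import cmath
import math

# Constructed per-flow signals: packet arrivals counted in fixed-length bins (assumed data).
# A TCP sender in congestion avoidance emits its window once per RTT, so the
# arrival count of a well-behaved flow peaks once per RTT (here RTT = 8 bins).
RTT_BINS = 8
TCP_FLOW = [6, 5, 3, 1, 0, 1, 3, 5] * 8      # 64 bins, one burst per RTT
CONSTANT_FLOOD = [4] * 64                     # attacker sending at a fixed rate


def jittered_flood(n=64, seed=7):
    """Constructed flood whose per-bin counts wobble pseudo-randomly (LCG); no RTT clock drives it."""
    counts, state = [], seed
    for _ in range(n):
        state = (1103515245 * state + 12345) % (1 << 31)
        counts.append(3 + state % 3)
    return counts


def power_spectral_density(signal):
    """Periodogram estimate of the PSD, |X[k]|^2 / N for k = 0 .. N//2, via a direct DFT.
    The mean is removed first so the DC bin does not swamp the periodic components."""
    n = len(signal)
    mean = sum(signal) / n
    x = [v - mean for v in signal]
    psd = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        psd.append(abs(acc) ** 2 / n)
    return psd


def dominant_period(signal):
    """Return (period_in_bins, share) for the strongest non-DC spectral line, where share is
    that line's fraction of the total non-DC power. Returns (None, 0.0) for a flat zero spectrum."""
    psd = power_spectral_density(signal)
    total = sum(psd[1:])
    if total < 1e-12:
        return None, 0.0
    k = max(range(1, len(psd)), key=psd.__getitem__)
    return len(signal) / k, psd[k] / total


def looks_like_tcp(signal, rtt_bins, min_share=0.3, tolerance=0.1):
    """Whitelist decision: the dominant period lies within `tolerance` of the expected RTT
    and that line carries at least `min_share` of the non-DC power (thresholds are assumptions)."""
    period, share = dominant_period(signal)
    if period is None:
        return False
    return abs(period - rtt_bins) / rtt_bins <= tolerance and share >= min_share


if __name__ == "__main__":
    for name, flow in [("tcp", TCP_FLOW), ("constant flood", CONSTANT_FLOOD),
                       ("jittered flood", jittered_flood())]:
        print(name, dominant_period(flow), looks_like_tcp(flow, RTT_BINS))
```

The constant-rate flood has no periodic component at all once its mean is removed, and the jittered flood spreads its power across the spectrum, so neither is whitelisted; the bursty flow concentrates nearly all of its power at the RTT line. In a real deployment the RTT is not known in advance, so the check would look for any strong line within a plausible RTT range rather than at a fixed value.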
Steps Towards a DoS-resistant Internet Architecture
2004
Cited by 54 (1 self)
Abstract: Defending against DoS attacks is extremely difficult; effective solutions probably require significant changes to the Internet architecture. We present a series of architectural changes aimed at preventing most flooding DoS attacks, and making the remaining attacks easier to defend against. The goal is to stimulate a debate on tradeoffs between the flexibility needed for future Internet evolution and the need to be robust to attack.
Mitigating attacks on open functionality in SMS-capable cellular networks
In ACM MobiCom ’06, 2006
Cited by 52 (10 self)
Abstract: The transformation of telecommunications networks from homogeneous closed systems providing only voice services to Internet-connected open networks that provide voice and data services presents significant security challenges. For example, recent research illustrated that a carefully crafted DoS attack via text messaging could incapacitate all voice communications in a metropolitan area with little more than a cable modem. This attack highlights a growing threat to these systems; namely, cellular networks are increasingly exposed to adversaries both in and outside the network. In this paper, we use a combination of modeling and simulation to demonstrate the feasibility of targeted text messaging attacks. Under realistic network conditions, we show that adversaries can achieve blocking rates of more than 70% with only limited resources. We then develop and characterize five techniques from within two broad classes of countermeasures: queue management and resource provisioning. Our analysis demonstrates that these techniques can eliminate or extensively mitigate even the most intense targeted text messaging attacks. We conclude by considering the tradeoffs inherent to the application of these techniques in current and next generation telecommunications networks.
Defense Against Spoofed IP Traffic Using Hop-Count Filtering
Cited by 49 (2 self)
Abstract: IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and dilute localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF)—which builds an accurate IP-to-hop-count (IP2HC) mapping table—to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.
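The abstract gives the whole mechanism: infer the hop count from the arriving TTL, keep an IP-to-hop-count table for known sources, and drop packets whose implied hop count contradicts the table. The following is an added example, not the paper's kernel implementation: it infers the hop count by taking the smallest common initial TTL not below the observed value, keys the IP2HC table by /24 (a simplification of the paper's prefix clustering, assumed here), and runs a constructed batch of (source, TTL) pairs through the filter. Addresses, TTLs and hop counts are constructed. Note the caveat the inference inherits: the initial-TTL pairs 30/32 and 60/64 are close enough that an observed TTL such as 52 could mean 8 hops from 60 or 12 hops from 64; the paper discusses handling this, the example does not.

```python
import ipaddress

# Initial TTL values used by common IP stacks. 30/32 and 60/64 are the known ambiguous pairs.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_hop_count(observed_ttl):
    """Smallest plausible initial TTL not below the observed value, minus the observed value.
    This works because Internet paths are almost always shorter than the gaps between initial values."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} exceeds every known initial value")


def prefix_key(ip):
    """IP2HC table key: aggregate sources by /24 (assumed simplification of the paper's clustering)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class HopCountFilter:
    """IP2HC table plus the filtering decision. Entries are learned only from traffic whose
    legitimacy was established some other way, e.g. sources that completed a TCP handshake."""

    def __init__(self):
        self.ip2hc = {}

    def learn(self, src_ip, ttl):
        self.ip2hc[prefix_key(src_ip)] = infer_hop_count(ttl)

    def is_spoofed(self, src_ip, ttl):
        """True if the TTL-implied hop count contradicts the table; None if the source is unknown."""
        expected = self.ip2hc.get(prefix_key(src_ip))
        if expected is None:
            return None
        return infer_hop_count(ttl) != expected

    def filter(self, packets):
        """Split a batch of (src_ip, ttl) pairs into (accepted, dropped, unknown) lists."""
        accepted, dropped, unknown = [], [], []
        for pkt in packets:
            verdict = self.is_spoofed(*pkt)
            if verdict is None:
                unknown.append(pkt)      # no table entry: HCF cannot judge, pass it on
            elif verdict:
                dropped.append(pkt)
            else:
                accepted.append(pkt)
        return accepted, dropped, unknown


def demo():
    """Constructed scenario: two known client prefixes, one attacker three hops from the victim."""
    hcf = HopCountFilter()
    hcf.learn("198.51.100.7", 116)    # 128 - 116: hosts in 198.51.100.0/24 are 12 hops away
    hcf.learn("203.0.113.20", 246)    # 255 - 246: hosts in 203.0.113.0/24 are 9 hops away
    packets = [
        ("198.51.100.9", 116),   # legitimate: same prefix, same hop count
        ("203.0.113.21", 246),   # legitimate
        ("198.51.100.9", 61),    # spoofed: attacker 3 hops away, initial TTL 64
        ("203.0.113.21", 125),   # spoofed: same attacker, initial TTL 128
        ("192.0.2.5", 50),       # never seen before: cannot be judged
    ]
    return hcf.filter(packets)


if __name__ == "__main__":
    accepted, dropped, unknown = demo()
    print("accepted", accepted)
    print("dropped", dropped)
    print("unknown", unknown)
```

An attacker can set the initial TTL to anything, but to pass the filter it would have to know the victim's hop distance to every address it forges; with random spoofing, as the abstract notes, the implied hop counts will not be consistent with the table.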
Pretty Secure BGP (psBGP)
In The 12th Annual Network and Distributed System Security Symposium (NDSS’05), 2005
Cited by 48 (4 self)
Abstract: The Border Gateway Protocol (BGP) is an IETF standard inter-domain routing protocol on the Internet. However, it is well known that BGP is vulnerable to a variety of attacks, and that a single misconfigured or malicious BGP speaker could result in large scale service disruption. We first summarize a set of security goals for BGP, and then propose Pretty Secure BGP (psBGP) as a new security protocol achieving these goals. psBGP makes use of a centralized trust model for authenticating Autonomous System (AS) numbers, and a decentralized trust model for verifying the propriety of IP prefix origination. We compare psBGP with S-BGP and soBGP, the two leading security proposals for BGP. We believe psBGP trades off the strong security guarantees of S-BGP for presumed-simpler operations, while requiring a different endorsement model: each AS must select a small number (e.g., one or two) of its peers from which to obtain endorsement of its prefix ownership assertions. This work contributes to the ongoing exploration of tradeoffs and balance between security guarantee, operational simplicity, and policies acceptable to the operator community.
A Secure PLAN
In International Working Conference on Active Networks (IWAN), 1999
Cited by 44 (15 self)
Abstract: Active Networks promise greater flexibility than current networks, but threaten safety and security by virtue of their programmability.
StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense
"... Today’s Internet hosts are threatened by large ..."
Mitigating Bandwidth-Exhaustion Attacks Using Congestion Puzzles
In ACM CCS, 2004
Cited by 42 (2 self)
Abstract: We present congestion puzzles (CP), a new countermeasure to bandwidth-exhaustion attacks. Like other defenses based on client puzzles, CP attempts to force attackers to invest vast resources in order to effectively perform denial-of-service attacks. Unlike previous puzzle-based approaches, however, ours is the first designed for the bandwidth-exhaustion attacks that are common at the network (IP) layer. At the core of CP is an elegant distributed puzzle mechanism that permits routers to cooperatively impose and check puzzles. We demonstrate through analysis and simulation that CP can effectively defend networks from flooding attacks without relying on the formulation of attack signatures to filter traffic. Moreover, as many such attacks are conducted by “zombie” computers that have been silently commandeered without the knowledge of their owners, the overheads that CP imposes on heavily engaged zombies can increase the likelihood that the computer’s owner detects the compromise and takes action to remedy it.
Spoofing prevention method
In Proc. IEEE INFOCOM, 2005
Cited by 42 (0 self)
Abstract: A new approach for filtering spoofed IP packets, called Spoofing Prevention Method (SPM), is proposed. The method enables routers closer to the destination of a packet to verify the authenticity of the source address of the packet. This stands in contrast to standard ingress filtering, which is effective mostly at routers next to the source and is ineffective otherwise. In the proposed method a unique temporal key is associated with each ordered pair of source and destination networks (ASes, autonomous systems). Each packet leaving a source network S is tagged with the key K(S, D), associated with (S, D), where D is the destination network. Upon arrival at the destination network the key is verified and removed. Thus the method verifies the authenticity of packets carrying the address s which belongs to network S. An efficient implementation of the method, ensuring not to overload the routers, is presented. The major benefits of the method are the strong incentive it provides to network operators to implement it, and the fact that the method lends itself to stepwise deployment, since it benefits networks deploying the method even if it is implemented only on parts of the Internet. These two properties, not shared by alternative approaches, make it an attractive and viable solution to the packet spoofing problem.
HTTP as the Narrow Waist of the Future Internet
2010
Cited by 40 (3 self)
Abstract: Over the past decade a variety of network architectures have been proposed to address IP’s limitations in terms of flexible forwarding, security, and data distribution. Meanwhile, fueled by the explosive growth of video traffic and HTTP infrastructure (e.g., CDNs, web caches), HTTP has become the de-facto protocol for deploying new services and applications. Given these developments, we argue that these architectures should be evaluated not only with respect to IP, but also with respect to HTTP, and that HTTP could be a fertile ground (more so than IP) for deploying the newly proposed functionalities. In this paper, we take a step in this direction, and find that HTTP already provides many of the desired properties for new Internet architectures. HTTP is a content centric protocol, provides middlebox support in the form of reverse and forward proxies, and leverages DNS to decouple names from addresses. We then investigate HTTP’s limitations, and propose an extension, called S-GET, that provides support for low-latency applications, such as VoIP and chat.