Abstract
We present LOT, a lightweight plug-and-play secure tunneling protocol deployed at network gateways. Two communicating gateways, A and B, running LOT automatically detect each other and establish an efficient tunnel, securing communication between them. LOT tunnels allow A to discard spoofed packets that claim a source address in B's network but did not arrive through the tunnel, and vice versa. This helps to mitigate many attacks, including DNS poisoning, network scans, and most notably (Distributed) Denial of Service (DoS).
LOT tunnels provide several additional defenses against DoS attacks. Specifically, since packets received from LOT-protected networks cannot be spoofed, LOT gateways implement quotas, identifying and blocking packet floods from specific networks. Furthermore, a receiving LOT gateway (e.g., B) can send the quota assigned to each tunnel to the peer gateway (A), which can then enforce near-source quotas, reducing waste and congestion by filtering excessive traffic before it leaves the source network. Similarly, LOT tunnels facilitate near-source filtering, where the sending gateway discards packets based on filtering rules defined by the destination gateway. LOT gateways also implement an intergateway congestion detection mechanism, allowing sending gateways to detect when their packets get dropped before reaching the destination gateway and to perform appropriate near-source filtering to block the congesting traffic; this helps against DoS attacks on the backbone connecting the two gateways.
LOT is practical: it is easy to manage (plug-and-play, requiring no coordination between gateways), is deployed incrementally at edge gateways (not at hosts or core routers), and has negligible bandwidth and processing overhead, as we validate experimentally. LOT storage requirements are also modest.
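The filtering, quota and near-source mechanisms the abstract describes, as an added illustrative model; this is not the LOT implementation, its handshake or its packet format. The Packet and Tunnel classes, the tag construction (an HMAC-SHA256 over addresses and payload under a key the two gateways are assumed to already share), the per-window packet quota and the addresses (RFC 5737 documentation prefixes) are all assumptions chosen to show the principle: once A holds a tunnel with B, any packet arriving at A that claims a source in B's prefix but lacks a valid tag cannot have come through B and is discarded, and the quota installed at both ends lets B drop excess traffic before it leaves B's network.

```python
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    tag: bytes = b""   # empty for a packet that did not traverse a tunnel


@dataclass
class Tunnel:
    key: bytes                 # shared with the peer gateway (assumed pre-established)
    quota: int                 # packets accepted per window; installed at both ends
    sent: int = 0              # outbound packets counted against the quota
    received: int = 0          # inbound packets counted against the quota
    filters: set = field(default_factory=set)  # destinations the peer asked us to block


def tag_for(key: bytes, p: Packet) -> bytes:
    """Tunnel tag (assumed construction): HMAC-SHA256 over addresses and payload."""
    msg = p.src.encode() + b"|" + p.dst.encode() + b"|" + p.payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gateway:
    def __init__(self, name: str, prefix: str):
        self.name = name
        self.prefix = ipaddress.ip_network(prefix)
        self.tunnels = {}      # peer prefix (IPv4Network) -> Tunnel

    def tunnel_for(self, addr: str):
        """Return (peer prefix, tunnel) covering addr, or (None, None)."""
        ip = ipaddress.ip_address(addr)
        for prefix, t in self.tunnels.items():
            if ip in prefix:
                return prefix, t
        return None, None

    def send(self, p: Packet):
        """Outbound path: near-source filter and quota first, then tag the packet."""
        _, t = self.tunnel_for(p.dst)
        if t is None:
            return p, "forwarded untagged (no tunnel to destination)"
        if p.dst in t.filters:
            return None, "dropped near source: filtered by destination gateway"
        if t.sent >= t.quota:
            return None, "dropped near source: quota exhausted"
        t.sent += 1
        return Packet(p.src, p.dst, p.payload, tag_for(t.key, p)), "tagged and forwarded"

    def receive(self, p: Packet):
        """Inbound path: a source inside a peer's prefix must carry that tunnel's tag."""
        prefix, t = self.tunnel_for(p.src)
        if t is None:
            return True, "accepted (source not behind a LOT peer)"
        if not hmac.compare_digest(p.tag, tag_for(t.key, p)):
            return False, "dropped: spoofed source in %s" % prefix
        if t.received >= t.quota:
            return False, "dropped: quota exceeded for %s" % prefix
        t.received += 1
        return True, "accepted via tunnel from %s" % prefix


def establish(a: Gateway, b: Gateway, key: bytes, quota: int):
    """Setup reduced to its result: shared key and receiver quota installed at both ends."""
    a.tunnels[b.prefix] = Tunnel(key, quota)
    b.tunnels[a.prefix] = Tunnel(key, quota)


def install_filter(receiver: Gateway, sender: Gateway, dst: str):
    """receiver asks sender to discard packets for dst before they leave sender's network."""
    sender.tunnels[receiver.prefix].filters.add(dst)


def demo():
    a, b = Gateway("A", "192.0.2.0/24"), Gateway("B", "198.51.100.0/24")
    establish(a, b, key=b"example-shared-key", quota=3)
    log = {}
    # 1. Constructed spoof: claims a source in B's network but never passed through B.
    spoof = Packet("198.51.100.7", "192.0.2.10", b"forged")
    log["spoofed"] = a.receive(spoof)
    # 2. A tag computed under a guessed key fails the same check.
    spoof.tag = tag_for(b"attacker-guess", spoof)
    log["forged_tag"] = a.receive(spoof)
    # 3. Genuine B-to-A traffic is tagged by B and accepted by A up to the quota;
    #    the fourth packet is dropped at B, before it crosses the backbone.
    flood = []
    for i in range(4):
        out, why = b.send(Packet("198.51.100.7", "192.0.2.10", b"req%d" % i))
        flood.append(why if out is None else a.receive(out)[1])
    log["flood"] = flood
    # 4. A asks B to block one destination; B enforces the rule near the source.
    install_filter(a, b, "192.0.2.80")
    log["filtered"] = b.send(Packet("198.51.100.9", "192.0.2.80", b"x"))[1]
    return log
```

Running demo() shows the two spoofed packets rejected at A, three tagged packets accepted and the fourth stopped at B by the near-source quota, and the filtered destination dropped at B as well. The tag here is a stand-in; how LOT actually derives and carries its tunnel identifiers is described in the paper, not reproduced in this model.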
LOT: A Defense Against IP Spoofing and Flooding Attacks