  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Mitigating Denial-of-Service Flooding Attacks with Source Authentication

Liu, Xin January 2012
Denial-of-Service (DoS) flooding attacks have become a serious threat to the reliability of the Internet. For instance, a report published by Arbor Networks reveals that the largest DoS flooding attack observed in 2010 reaches 100Gbps in attack traffic volume. The defense against DoS flooding attacks is significantly complicated by the fact that the Internet lacks accountability at the network layer: it is very difficult, if not impossible, for the receiver of an IP packet to associate the packet with its real sender, as the sender is free to craft any part of the packet.

This dissertation proposes to mitigate DoS flooding attacks with a two-step process: first to establish accountability at the network layer, and second to utilize the accountability to efficiently and scalably mitigate the attacks. It proposes Passport, a source authentication system that enables any router forwarding a packet to cryptographically verify the source Autonomous System (AS) of the packet. Passport uses symmetric key cryptography to enable high-speed verification and piggy-backs its key exchange into the inter-domain routing system for efficiency and independence from non-routing infrastructures.

On top of Passport, this dissertation proposes NetFence, a DoS flooding attack mitigation system that provides two levels of protection against the attacks: if a victim can receive and identify the attack traffic, it can throttle the attack traffic close to the attack sources; otherwise, the attack traffic cannot be eliminated, but it would not be able to consume more than the attack sources' fair shares of the capacity of any bottleneck link. NetFence achieves its goals by putting unforgeable congestion policing feedback into each packet. The feedback allows bottleneck routers to convey congestion information back to the access routers that police the traffic accordingly. A destination host can throttle unwanted traffic by not returning the feedback to the source host.

We have implemented prototypes of Passport and NetFence in both the ns-2 simulator and Linux. We have also implemented a prototype of Passport on a NetFPGA board. Our evaluation of the prototypes as well as our security and theoretical analysis demonstrate that both Passport and NetFence are practical for high-speed router implementation and could mitigate a wider range of attacks in a more scalable way compared to previous work. / Dissertation
2

Design And Implementation Of An Unauthorized Internet Access Blocking System Validating The Source Information In Internet Access Logs

Uzunay, Yusuf 01 September 2006
Internet access logs in a local area network are the most prominent records when the source of an Internet event is traced back. Especially in a case where an illegal activity having originated from your local area network is of concern, it is highly desirable to provide healthy records to the court including the source user and machine identity of the log record in question. Establishing the validity of user and machine identity in the log records is known as source authentication. In our study, after the problem of source authentication in each layer is discussed in detail, we argue that the only way to establish a secure source authentication is to implement a system model that unifies low-level and upper-level defense mechanisms. Hence, in this thesis we propose an Unauthorized Internet Access Blocking System validating the Source Information in Internet Access Logs. The first version of our proposed system, UNIDES, is a proxy-based system incorporating advanced switches and mostly deals with the low-level source authentication problems. In the second version, we extend our system with SIACS, which is an Internet access control system that deals with the user-level source authentication problems. By supplementing the classical username-password authentication mechanism with SSL client authentication, SIACS integrates a robust user-level authentication scheme into the proposed solution.
3

Securing wireless sensor and vehicular networks / Sécurité des réseaux de capteurs et des communications véhiculaires

Ben Jaballah, Wafa 08 January 2014
Wireless Sensor Networks (WSNs) and vehicular networks are increasingly widespread and are deployed in varied application domains such as health care, environmental monitoring, accident alert applications, and military applications. However, these networks can be subject to attacks, which prevents their large-scale use. This thesis studies communication security for wireless sensor networks and inter-vehicular communications. To this end, we address four important aspects. The first study concerns the authentication of messages broadcast in sensor networks. We focus on the main schemes based on the disclosure of authentication keys. We demonstrate that the key disclosure delay induces an authentication delay, which could lead to a memory denial-of-service attack. We then propose two source authentication protocols for WSNs to overcome the vulnerability of existing solutions. The proposed schemes guarantee efficient management of the receiver's buffer by using a level-based authentication mechanism and a Bloom filter structure to reduce the communication cost. Next, we validate our protocols using the AVISPA verification tool, and we evaluate them with experiments in the TinyOS environment. We confirm that these protocols provide a source authentication service while respecting the constraints of WSNs. The second study concerns the storage problem at the sensors. We consider in particular the "Delayed Authentication Compromise" (DAC) attack in WSNs, which allows an attacker to use an already disclosed key to sign other messages. We first show that recently proposed systems that are also resistant to the DAC attack are vulnerable to two types of attacks: the switch command attack (where an adversary pretends to "switch" two messages over time) and the drop command attack (where an adversary appears to "hide" a message sent by the base station). We then propose a new authentication solution. Our analysis shows that our solution is effective in detecting both the switch command attack and the drop command attack and, at the same time, is more efficient (in terms of communication and computation) than existing solutions. In the third study, we consider the problem of key management security in sensor networks. We present new symmetric-key-based authentication schemes that have a low authentication and communication cost. Our systems are built by integrating a reputation mechanism, a Bloom filter, and a binary key tree for distributing and updating the authentication keys. Our authentication schemes are efficient in terms of communication and energy consumption. The fourth study concerns the security of vehicular communications. We focus on accident alert applications. We analyze the threats to a set of algorithms. We demonstrate that these systems are vulnerable to the false position injection attack, the alert message replay attack, and the alert message interruption attack. We then propose countermeasures to these threats. We have thus proposed a solution that is both fast and secure for accident alert applications: a fast and secure algorithm for multi-hop message broadcast (FS-MBA). Finally, we confirm the effectiveness and feasibility of the various protocols by carrying out a set of simulations under the NS-2 simulator. / Wireless sensor and vehicular networks play an important role in critical military and civil applications, and pervade our daily life. However, security concerns constitute a potential stumbling block to the impending wide deployment of sensor networks and vehicular communications. This dissertation studies communication security for Wireless Sensor Networks (WSNs), and vehicular communication. To this aim, we address four important aspects. The first study addresses broadcast authentication in WSNs. We focus on key disclosure based schemes. We demonstrate that key disclosure delay induces an authentication delay, which could lead to a memory DoS attack. We then propose two broadcast authentication protocols for WSNs, which overcome the security vulnerability of existing solutions. The proposed schemes guarantee the efficient management of receiver’s buffer, by employing a staggered authentication mechanism, and a Bloom filter data structure to reduce the communication overhead. We also validate our protocols under the AVISPA model checking tool, and we evaluate them with experiments under TinyOS. Our findings are that these protocols provide source authentication service while respecting the WSN constraints. The second study addresses the storage issue in WSNs, in particular the Delayed Authentication Compromise attack (DAC). We first demonstrate that recently proposed schemes, which also address the DAC issue, are vulnerable to two kinds of attacks: switch command attack (where an adversary pretends to “switch” two messages over time), and drop command attack (where an adversary just pretends to “hide” a message sent from the broadcaster). As a countermeasure against these attacks, we propose a new solution for broadcast authentication. Our analysis shows that our solution is effective in detecting both switch command and drop command attack, and—at the same time—is more efficient (in terms of both communication and computation) than the state of the art solutions. In the third study, we address key management security in WSNs. We present novel symmetric-key-based authentication schemes which exhibit low computation and communication authentication overhead. Our schemes are built upon the integration of a reputation mechanism, a Bloom filter, and a key binary tree for the distribution and updating of the authentication keys. Our schemes are lightweight and efficient with respect to communication and energy overhead. The fourth study addresses security in vehicular communications. We focus on fast multi hop broadcast applications. We analyze the security threats of state of the art vehicular based safety applications. We demonstrate that these schemes are vulnerable to the position cheating attack, the replay broadcast message attack, and the interrupting forwarding attack. Then, we propose countermeasures for these threats. We hence propose a complete solution which is both fast and secure in broadcasting safety related messages: Fast and Secure Multi-hop Broadcast Algorithm (FS-MBA). Finally, we confirm the efficiency and feasibility of our proposals using an extensive set of simulations under NS-2 Simulator.
4

Chemnitzer Linux-Tage 2014: Conference Proceedings - 15 and 16 March 2014

Courtenay, Mark, Kölbel, Cornelius, Lang, Jens, Luithardt, Wolfram, Zscheile, Falk, Kramer, Frederik, Schneider, Markus, Pfeifle, Kurt, Berger, Uwe, Wachtler, Axel, Findeisen, Ralf, Schöner, Axel, Lohr, Christina, Herms, Robert, Schütz, Georg, Luther, Tobias 23 April 2014
This proceedings volume contains 13 papers by speakers at Chemnitzer Linux-Tage 2014 as well as summaries of a further 78 talks and 14 workshops. The contributions cover the broad spectrum of the event, including problems of embedded systems and confidential communication.
