我的台灣, 看見心靈的故鄉 =2009林磐聳藝術與設計展

In distributed reflective denial-of-service (DRDoS) attacks, adversaries send requests to public servers (e.g., open recursive DNS resolvers) and spoof the IP address of a victim. These servers, in turn, flood the victim with valid responses and – unknowingly – exhaust its bandwidth. Recently, attackers launched DRDoS attacks with hundreds of Gb/s bandwidth of this kind. While the attack technique is well-known for a few protocols such as DNS, it is unclear if further protocols are vulnerable to similar or worse attacks. In this paper, we revisit popular UDP-based protocols of network services, online games, P2P filesharing networks and P2P botnets to assess their security against DRDoS abuse. We find that 14 protocols are susceptible to bandwidth amplification and multiply the traffic up to a factor 4670. In the worst case, attackers thus need only 0.02% of the bandwidth that they want their victim(s) to receive, enabling far more dangerous attacks than what is known today. Worse, we identify millions of public hosts that can be abused as amplifiers. We then analyze more than 130 real-world DRDoS attacks. For this, we announce bait services to monitor their abuse and analyze darknet as well as network traffic from large ISPs. We use traffic analysis to detect both, victims and amplifiers, showing that attackers already started to abuse vulnerable protocols other than DNS. Lastly, we evaluate countermeasures against DRDoS attacks, such as preventing spoofing or hardening protocols and service configurations. We shows that carefully-crafted DRDoS attacks may evade poorly-designed rate limiting solutions. In addition, we show that some attacks evade packet-based filtering techniques, such as port-, contentor length-based filters.

Amplification Hell: Revisiting Network Protocols for DDoS Abuse

Smart grid is an intelligent power generation, distribution, and control system. ZigBee, as a wireless mesh networking scheme low in cost, power, data rate, and complexity, is ideal for smart grid applications, e.g., real-time system monitoring, load control, and building automation. Unfortunately, almost all ZigBee channels overlap with wireless local area network (WLAN) channels, resulting in severe performance degradation due to interference. In this paper, we aim to develop practical ZigBee deployment guideline under the interference of WLAN. We identify the “Safe Distance” and “Safe Offset Frequency” using a comprehensive approach including theoretical analysis, software simulation, and empirical measurement. In addition, we propose a frequency agility-based interference avoidance algorithm. The proposed algorithm can detect interference and adaptively switch nodes to “safe” channel to dynamically avoid WLAN interference with small latency and small energy consumption. Our proposed scheme is implemented with a Meshnetics ZigBit Development Kit and its performance is empirically evaluated in terms of the packet error rate (PER) using a ZigBee and Wi-Fi coexistence test bed. It is shown that the empirical results agree with our analytical results. The measurements demonstrate that our design guideline can efficiently mitigate the effect of WiFi interference and enhance the performance of ZigBee networks.

Developing ZigBee Deployment Guideline Under WiFi Interference for Smart Grid Applications

A method and an apparatus for transmitting broadcast signals thereof are disclosed. The method for transmitting broadcast signals includes encoding DP data according to a code rate, wherein the encoding further includes LDPC encoding the DP data according to the code rate, bit interleaving the LDPC encoded DP data, mapping the bit interleaved DP data onto constellations, MIMO (Multi Input Multi Output) encoding the mapped DP data, and time interleaving the MIMO encoded DP data; building at least one signal frame by arranging the encoded DP data; and modulating data in the built signal frame by OFDM method and transmitting the broadcast signals having the modulated data, wherein the step of modulating includes inserting CPs in the built signal frame based on a CP set which includes information about locations of CPs, wherein the CP set is defined based on FFT size.

Apparatus for transmitting broadcast signals, apparatus for receiving broadcast signals, method for transmitting broadcast signals and method for receiving broadcast signals

Low-power base stations such as femtocells are one of the candidates for high-data-rate provisioning in local areas, such as residences, apartment complexes, business offices, and outdoor hotspot scenarios. Unfortunately, the benefits are not without new challenges in terms of interference management and efficient system operation. Due to the expected large number of user-deployed cells, centralized network planning becomes impractical, and new scalable alternatives must be sought. In this article we propose a fully distributed and scalable solution to the interference management problem in local areas, basing our study case on LTE-Advanced. We present extensive network simulation results to demonstrate that a simple and robust interference management scheme, called autonomous component carrier selection, allows each cell to select the most attractive frequency configuration; improving the experience of all users and not just the few best ones, while overall cell capacity is not compromised.

/pdf/autonomous-component-carrier-selection-interference-3xzjzxzve9.pdf

Autonomous component carrier selection: interference management in local area environments for LTE-advanced

We present the Crossfire attack -- a powerful attack that degrades and often cuts off network connections to a variety of selected server targets (e.g., servers of an enterprise, a city, a state, or a small country) by flooding only a few network links. In Crossfire, a small set of bots directs low intensity flows to a large number of publicly accessible servers. The concentration of these flows on the small set of carefully chosen links floods these links and effectively disconnects selected target servers from the Internet. The sources of the Crossfire attack are undetectable by any targeted servers, since they no longer receive any messages, and by network routers, since they receive only low-intensity, individual flows that are indistinguishable from legitimate flows. The attack persistence can be extended virtually indefinitely by changing the set of bots, publicly accessible servers, and target links while maintaining the same disconnection targets. We demonstrate the attack feasibility using Internet experiments, show its effects on a variety of chosen targets (e.g., servers of universities, US states, East and West Coasts of the US), and explore several countermeasures.

The Crossfire Attack

Large-scale botnet attacks against Internet links using low-rate flows cannot be effectively countered by any of the traditional rate-limiting and flow-filtering mechanisms deployed in individual routers. In this paper, we present a collaborative defense mechanism, called CoDef, which enables routers to distinguish low-rate attack flows from legitimate flows, and protect legitimate traffic during botnet attacks. CoDef enables autonomous domains that are uncontaminated by bots to collaborate during link flooding attacks and reroute their customers' legitimate traffic in response to requests from congested routers. Collaborative defense using multi-path routing favors legitimate traffic while limiting the bandwidth available to attack traffic at a congested link. We present CoDef's design and evaluate its effectiveness by exploring the domain-level path-diversity of the Internet and performing simulations under various traffic conditions.

http://conferences.sigcomm.org/co-next/2013/program/p417.pdf

CoDef: collaborative defense against large-scale link-flooding attacks

In ubiquitous networking environments, we generally need two or more heterogeneous communication systems coexisting in a single place. Especially, wireless local area networks (WLANs) based on IEEE 802.11 specifications and wireless personal area networks (WPANs) based on IEEE 802.15.4b or g specifications need to coexist in the same Industrial, Science and Medial (ISM) band. If the WPAN communication coverage is expanded using a cluster-tree network topology, then the 802.15.4 network is more susceptible to interference from neighboring WLANs. In this paper, we propose an adaptive interference-aware clustering algorithm using multiple channels in a WPAN in the presence of WLAN interference. The algorithm includes interference detection and avoidance schemes to adaptively reconfigure multiple channels in an IEEE 802.15.4 cluster-tree network to avoid interference from WLANs. To evaluate the performance of the proposed algorithm, the frame error rate (FER) is measured in a real network testbed. The measurement result shows that the proposed algorithm is effective in an IEEE 802.15.4 cluster-tree network in the presence of multiple IEEE 802.11 interferers

/pdf/adaptive-interference-aware-multi-channel-clustering-ook3tz34j9.pdf

Adaptive Interference-Aware Multi-Channel Clustering Algorithm in a ZigBee Network in the Presence of WLAN Interference

We have recently witnessed the real life demonstration of link-flooding attacks—DDoS attacks that target the core of the Internet that can cause significant damage while remaining undetected. Because these attacks use traffic patterns that are indistinguishable from legitimate TCP-like flows, they can be persistent and cause long-term traffic disruption. Existing DDoS defenses that rely on detecting flow deviations from normal TCP traffic patterns cannot work in this case. Given the low cost of launching such attacks and their indistinguishability, we argue that any countermeasure must fundamentally tackle the root cause of the problem: either force attackers to increase their costs, or barring that, force attack traffic to become distinguishable from legitimate traffic. Our key insight is that to tackle this root cause it is sufficient to perform a rate change test, where we temporarily increase the effective bandwidth of the bottlenecked core link and observe the response. Attacks by cost-sensitive adversaries who try to fully utilize the bots’ upstream bandwidth will be detected since they will be unable to demonstrably increase throughput after bandwidth expansion. Alternatively, adversaries are forced to increase costs by having to mimic legitimate clients’ traffic patterns to avoid detection. We design a software-defined network (SDN) based system called SPIFFY that addresses key practical challenges in turning this high-level idea into a concrete defense mechanism, and provide a practical solution to force a tradeoff between cost vs. detectability for linkflooding attacks. We develop fast traffic-engineering algorithms to achieve effective bandwidth expansion and suggest scalable monitoring algorithms for tracking the change in traffic-source behaviors. We demonstrate the effectiveness of SPIFFY using a real SDN testbed and large-scale packet-level and flow-level simulations.

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks.

Network adversaries, such as malicious transit autonomous systems (ASes), have been shown to be capable of partitioning the Bitcoin’s peer-to-peer network via routing-level attacks; e.g., a network adversary exploits a BGP vulnerability and performs a prefix hijacking attack (viz. Apostolaki et al. [3]). Due to the nature of BGP operation, such a hijacking is globally observable and thus enables immediate detection of the attack and the identification of the perpetrator. In this paper, we present a stealthier attack, which we call the EREBUS attack, that partitions the Bitcoin network without any routing manipulations, which makes the attack undetectable to control-plane and even to data-plane detectors. The novel aspect of EREBUS is that it makes the adversary AS a natural man-in-the-middle network of all the peer connections of one or more targeted Bitcoin nodes by patiently influencing the targeted nodes’ peering decision. We show that affecting the peering decision of a Bitcoin node, which is believed to be infeasible after a series of bug patches against the earlier Eclipse attack [29], is possible for the network adversary that can use abundant network address resources (e.g., spoofing millions of IP addresses in many other ASes) reliably for an extended period of time at a negligible cost. The EREBUS attack is readily available for large ASes, such as Tier-1 and large Tier-2 ASes, against the vast majority of 10K public Bitcoin nodes with only about 520 bit/s of attack traffic rate per targeted Bitcoin node and a modest (e.g., 5–6 weeks) attack execution period. The EREBUS attack can be mounted by nation-state adversaries who would be willing to execute sophisticated attack strategies patiently to compromise cryptocurrencies (e.g., control the consensus, take down a cryptocurrency, censor transactions). As the attack exploits the topological advantage of being a network adversary but not the specific vulnerabilities of Bitcoin core, no quick patches seem to be available. We discuss that some naive solutions (e.g., whitelisting, rate-limiting) are ineffective and third-party proxy solutions may worsen the Bitcoin’s centralization problem. We provide some suggested modifications to the Bitcoin core and show that they effectively make the EREBUS attack significantly harder; yet, their non-trivial changes to the Bitcoin’s network operation (e.g., peering dynamics, propagation delays) should be examined thoroughly before their wide deployment.

/pdf/a-stealthier-partitioning-attack-against-bitcoin-peer-to-xqy69kfnh7.pdf

Min Suk Kang

Papers

The Crossfire Attack

CoDef: collaborative defense against large-scale link-flooding attacks

Adaptive Interference-Aware Multi-Channel Clustering Algorithm in a ZigBee Network in the Presence of WLAN Interference

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks.

A Stealthier Partitioning Attack against Bitcoin Peer-to-Peer Network