A study on path behavior characteristics of IPv6 based reflector attacks
04 Oct 2011-pp 927-933
TL;DR: This work has considered the network bandwidth characterization of a highly critical DDoS attack in the network: the distributed reflector attack through spoofed IPv6 flows, and quantified thereflector attack flow rate in the presence of the scale factor and multiple spoofed flow sources.
Abstract: IPv6 communication protocol vulnerabilities are common security threats in Next Generation Networks. Distributed Denial of Service (DDoS) attacks generated by exploiting these vulnerabilities have performance impact on both victim as well as on other hosts sharing the communication path. Hence in order to protect the computational and bandwidth resources of the shared path, the anomalies caused by these attacks are to be detected and the attack traffic should be filtered out from the network elements. Under the context of flow state maintenance not deployed in the network elements, the bandwidth characterization of the attack traffic is essential to deploy the filtering rules in the equipments. In this work we have considered the network bandwidth characterization of a highly critical DDoS attack in the network: the distributed reflector attack through spoofed IPv6 flows. The generated spoofed IPv6 traffic from the attacker (slaves), the reflector attack traffic caused by the responses from the reflector and the victim, and the end-to-end path bandwidth characteristics of these flows over a 6to4 tunnel are reported in terms of flow rates and per flow packet count. The flow rate pattern of the spoofed flows is modeled at the attacker side using inter departure time and packet size. The impact of network scale factor on the flow rate pattern over the path is studied and reported. We also have quantified the reflector attack flow rate in the presence of the scale factor and multiple spoofed flow sources.
Citations
More filters
29 Jul 2017
TL;DR: The security problems faced by tunnel mechanisms such as injection, address spoofing and reflector attack are analyzed, and corresponding countermeasures are concluded into three directions: filter, deep packet inspection (DPI) and IPsec.
Abstract: Along with the deployment of IPv6 is becoming more and more widely, IPv4 networks will coexist with IPv6 networks for a relatively long time. The tunnel mechanisms are the best choice for a smooth transition to IPv6. With the wild deployment of the tunnel mechanisms, more and more security issues have been noticed. The security problems faced by tunnel mechanisms such as injection, address spoofing and reflector attack are analyzed, and corresponding countermeasures are concluded into three directions: filter, deep packet inspection (DPI) and IPsec. Some questions are pointed out for research in next steps.
4 citations
Cites background from "A study on path behavior characteri..."
...[8] establish a 6to4 experimental network to research the characteristics of reflection attacks leveraging 6to4 tunnels, as shown in Fig....
[...]
References
More filters
28 Aug 2000
TL;DR: A general purpose traceback mechanism based on probabilistic packet marking in the network that allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs).
Abstract: This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or ``spoofed'', source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed ``post-mortem'' -- after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology.
1,251 citations
01 Oct 2004
TL;DR: This document specifies the data export format for version 9 of Cisco Systems' NetFlow services, for use by implementations on the network elements and/or matching collector programs.
Abstract: This document specifies the data export format for version 9 of Cisco
Systems' NetFlow services, for use by implementations on the
network elements and/or matching collector programs. The version 9
export format uses templates to provide access to observations of IP
packet flows in a flexible and extensible manner. A template defines a
collection of fields, with corresponding descriptions of structure and
semantics. This memo provides information for the Internet community.
933 citations
22 Apr 2001
TL;DR: Two new schemes are presented, the advanced marking scheme and the authenticated marking scheme, which allow the victim to trace-back the approximate origin of spoofed IP packets and provide efficient authentication of routers' markings such that even a compromised router cannot forge or tamper markings from other uncompromised routers.
Abstract: Defending against distributed denial-of-service attacks is one of the hardest security problems on the Internet today. One difficulty to thwart these attacks is to trace the source of the attacks because they often use incorrect, or spoofed IP source addresses to disguise the true origin. In this paper, we present two new schemes, the advanced marking scheme and the authenticated marking scheme, which allow the victim to trace-back the approximate origin of spoofed IP packets. Our techniques feature low network and router overhead, and support incremental deployment. In contrast to previous work, our techniques have significantly higher precision (lower false positive rate) and fewer computation overhead for the victim to reconstruct the attack paths under large scale distributed denial-of-service attacks. Furthermore the authenticated marking scheme provides efficient authentication of routers' markings such that even a compromised router cannot forge or tamper markings from other uncompromised routers.
871 citations
Additional excerpts
...In order to make the attacker accountable, traceback mechanisms that are used to identify the sources of the attack, such as ITRACE [11], probabilistic packet marking [8] and SPIE [10] are discussed....
[...]
27 Aug 2001
TL;DR: This work presents a hash-based technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past and is implementable in current or next-generation routing hardware.
Abstract: The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet. Even in the absence of any deliberate attempt to disguise a packet's origin, wide-spread packet forwarding techniques such as NAT and encapsulation may obscure the packet's true source. Techniques have been developed to determine the source of large packet flows, but, to date, no system has been presented to track individual packets in an efficient, scalable fashion.We present a hash-based technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past. We demonstrate that the system is effective, space-efficient (requiring approximately 0.5% of the link capacity per unit time in storage), and implementable in current or next-generation routing hardware. We present both analytic and simulation results showing the system's effectiveness.
797 citations
TL;DR: This survey analyzes the design decisions in the Internet that have created the potential for denial of service attacks and the methods that have been proposed for defense against these attacks, and discusses potential countermeasures against each defense mechanism.
Abstract: This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to solve the problem of distributed denial of service attacks.
735 citations
"A study on path behavior characteri..." refers methods in this paper
...In this work we have considered the bandwidth based attacks that are highly distributed and difficult to identify: Distributed Reflector Denial of Service (DRDoS) attack ([3], [9]) using spoofed IPv6 flows....
[...]