Proceedings ArticleDOI

A study on path behavior characteristics of IPv6 based reflector attacks

TL;DR: This work has considered the network bandwidth characterization of a highly critical DDoS attack in the network: the distributed reflector attack through spoofed IPv6 flows, and quantified the reflector attack flow rate in the presence of the scale factor and multiple spoofed flow sources.
Abstract: IPv6 communication protocol vulnerabilities are common security threats in Next Generation Networks. Distributed Denial of Service (DDoS) attacks generated by exploiting these vulnerabilities have a performance impact on the victim as well as on other hosts sharing the communication path. Hence, in order to protect the computational and bandwidth resources of the shared path, the anomalies caused by these attacks are to be detected and the attack traffic should be filtered out at the network elements. In the context of network elements that do not maintain flow state, the bandwidth characterization of the attack traffic is essential to deploy the filtering rules in the equipment. In this work we have considered the network bandwidth characterization of a highly critical DDoS attack in the network: the distributed reflector attack through spoofed IPv6 flows. The spoofed IPv6 traffic generated by the attacker (slaves), the reflector attack traffic caused by the responses from the reflector and the victim, and the end-to-end path bandwidth characteristics of these flows over a 6to4 tunnel are reported in terms of flow rates and per-flow packet count. The flow rate pattern of the spoofed flows is modeled at the attacker side using inter-departure time and packet size. The impact of the network scale factor on the flow rate pattern over the path is studied and reported. We have also quantified the reflector attack flow rate in the presence of the scale factor and multiple spoofed flow sources.
Citations
Proceedings ArticleDOI
29 Jul 2017
TL;DR: The security problems faced by tunnel mechanisms such as injection, address spoofing and reflector attack are analyzed, and corresponding countermeasures are concluded into three directions: filter, deep packet inspection (DPI) and IPsec.
Abstract: As the deployment of IPv6 becomes more and more widespread, IPv4 networks will coexist with IPv6 networks for a relatively long time. Tunnel mechanisms are the best choice for a smooth transition to IPv6. With the wide deployment of tunnel mechanisms, more and more security issues have been noticed. The security problems faced by tunnel mechanisms such as injection, address spoofing and reflector attacks are analyzed, and the corresponding countermeasures are grouped into three directions: filtering, deep packet inspection (DPI) and IPsec. Some questions are pointed out for research in the next steps.

4 citations


Cites background from "A study on path behavior characteri..."

  • ...[8] establishes a 6to4 experimental network to research the characteristics of reflection attacks leveraging 6to4 tunnels, as shown in Fig....

References
Journal ArticleDOI
01 Jul 2001
TL;DR: This paper argues in conclusion in support of "reverse ITRACE" [Ba00] and for the utility of packet traceback techniques that work even for low volume flows, such as SPIE.
Abstract: Attackers can render distributed denial-of-service attacks more difficult to defend against by bouncing their flooding traffic off of reflectors; that is, by spoofing requests from the victim to a large set of Internet servers that will in turn send their combined replies to the victim. The resulting dilution of locality in the flooding stream complicates the victim's abilities both to isolate the attack traffic in order to block it, and to use traceback techniques for locating the source of streams of packets with spoofed source addresses, such as ITRACE [Be00a], probabilistic packet marking [SWKA00], [SP01], and SPIE [S+01]. We discuss a number of possible defenses against reflector attacks, finding that most prove impractical, and then assess the degree to which different forms of reflector traffic will have characteristic signatures that the victim can use to identify and filter out the attack traffic. Our analysis indicates that three types of reflectors pose particularly significant threats: DNS and Gnutella servers, and TCP-based servers (particularly Web servers) running on TCP implementations that suffer from predictable initial sequence numbers. We argue in conclusion in support of "reverse ITRACE" [Ba00] and for the utility of packet traceback techniques that work even for low volume flows, such as SPIE.

447 citations


"A study on path behavior characteri..." refers background or methods in this paper

  • ...In the work [9], Paxson has analyzed the threats posed by three types of reflectors, namely DNS and Gnutella servers, and TCP-based servers (particularly Web servers) running on TCP implementations....

  • ...In this work we have considered the bandwidth based attacks that are highly distributed and difficult to identify: Distributed Reflector Denial of Service (DRDoS) attack ([3], [9]) using spoofed IPv6 flows....

  • ...Also, most of the defense mechanisms associated with end routers, transit routers and those near the attacker side are proved to be impractical ([9], [12]) due to vast deployment requirements and network administrative issues....

Proceedings ArticleDOI
19 Aug 2002
TL;DR: This paper examines Internet flow rates and the relationship between the rate and other flow characteristics such as size and duration, and attempts to determine the cause of the rates at which flows transmit data by developing a tool, T-RAT, to analyze packet-level TCP dynamics.
Abstract: This paper considers the distribution of the rates at which flows transmit data, and the causes of these rates. First, using packet level traces from several Internet links, and summary flow statistics from an ISP backbone, we examine Internet flow rates and the relationship between the rate and other flow characteristics such as size and duration. We find, as have others, that while the distribution of flow rates is skewed, it is not as highly skewed as the distribution of flow sizes. We also find that for large flows the size and rate are highly correlated. Second, we attempt to determine the cause of the rates at which flows transmit data by developing a tool, T-RAT, to analyze packet-level TCP dynamics. In our traces, the most frequent causes appear to be network congestion and receiver window limits.

361 citations

01 Dec 2004
TL;DR: The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks, which enables a number of security threats, mainly Denial of Service.
Abstract: The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks. The architecture includes 6to4 routers and 6to4 relay routers, which accept and decapsulate IPv4 protocol-41 ("IPv6-in-IPv4") traffic from any node in the IPv4 internet. This characteristic enables a number of security threats, mainly Denial of Service. It also makes it easier for nodes to spoof IPv6 addresses. This document discusses these issues in more detail and suggests enhancements to alleviate the problems. This memo provides information for the Internet community.

51 citations

01 Oct 2008
TL;DR: This document describes ways to prevent the use of default configured recursive nameservers as reflectors in Denial of Service (DoS) attacks.
Abstract: This document describes ways to prevent the use of default-configured recursive nameservers as reflectors in Denial of Service (DoS) attacks. Recommended configurations are given as measures to mitigate the attack.

28 citations