Pi: a path identification mechanism to defend against DDoS attacks
11 May 2003-pp 93-107
TL;DR: Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing.
Abstract: Distributed denial of service (DDoS) attacks continue to plague the Internet Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin We propose Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing Pi features many unique properties It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers' identifiers on a per packet basis The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking Pi marking and filtering are both extremely lightweight and require negligible state We use traceroute maps of real Internet topologies (eg CAIDA's Skitter (2000) and Burch and Cheswick's Internet Map (1999, 2002)) to simulate DDoS attacks and validate our design
Citations
More filters
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
1,153 citations
TL;DR: This paper focuses on reviewing and discussing security requirements, network vulnerabilities, attack countermeasures, secure communication protocols and architectures in the Smart Grid, and aims to provide a deep understanding of security vulnerabilities and solutions in the smart grid.
854 citations
Cites background from "Pi: a path identification mechanism..."
...performance, such as distributed traffic flooding and worm propagation attacks on the Internet [47–49]....
[...]
TL;DR: The cyber security requirements and the possible vulnerabilities in smart grid communications are summarized and the current solutions on cyber security for smartgrid communications are surveyed.
Abstract: A smart grid is a new form of electricity network with high fidelity power-flow control, self-healing, and energy reliability and energy security using digital communications and control technology. To upgrade an existing power grid into a smart grid, it requires significant dependence on intelligent and secure communication infrastructures. It requires security frameworks for distributed communications, pervasive computing and sensing technologies in smart grid. However, as many of the communication technologies currently recommended to use by a smart grid is vulnerable in cyber security, it could lead to unreliable system operations, causing unnecessary expenditure, even consequential disaster to both utilities and consumers. In this paper, we summarize the cyber security requirements and the possible vulnerabilities in smart grid communications and survey the current solutions on cyber security for smart grid communications.
619 citations
27 Oct 2003
TL;DR: Hop-Count Filtering (HCF) can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage, and is implemented and evaluated in the Linux kernel, demonstrating its benefits using experimental measurements.
Abstract: IP spoofing has been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential to their own protection as well as to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he or she cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the Time-to-Live (TTL) value in the IP header. Using a mapping between IP addresses and their hop-counts to an Internet server, the server can distinguish spoofed IP packets from legitimate ones. Base on this observation, we present a novel filtering technique that is immediately deployable to weed out spoofed IP packets. Through analysis using network measurement data, we show that Hop-Count Filtering (HCF) can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its benefits using experimental measurements.
522 citations
Cites background from "Pi: a path identification mechanism..."
...Based on IP traceback marking, Path Identifier (Pi) [45] embeds a path fingerprint in each packet so that a victim can identify all packets traversing the same path across the Internet, even for those with spoofed IP addresses....
[...]
...As a proactive solution to DDoS attacks, these filtering schemes [15, 25, 31, 45], which must execute on IP routers or rely on routers’ markings, have been proposed to prevent spoofed IP packets from reaching intended victims....
[...]
TL;DR: This paper extensively review the literature on MITM to analyse and categorize the scope of MITM attacks, considering both a reference model, such as the open systems interconnection (OSI) model, as well as two specific widely used network technologies, i.e., GSM and UMTS.
Abstract: The Man-In-The-Middle (MITM) attack is one of the most well known attacks in computer security, representing one of the biggest concerns for security professionals. MITM targets the actual data that flows between endpoints, and the confidentiality and integrity of the data itself. In this paper, we extensively review the literature on MITM to analyse and categorize the scope of MITM attacks, considering both a reference model, such as the open systems interconnection (OSI) model, as well as two specific widely used network technologies, i.e., GSM and UMTS. In particular, we classify MITM attacks based on several parameters, like location of an attacker in the network, nature of a communication channel, and impersonation techniques. Based on an impersonation techniques classification, we then provide execution steps for each MITM class. We survey existing countermeasures and discuss the comparison among them. Finally, based on our analysis, we propose a categorisation of MITM prevention mechanisms, and we identify some possible directions for future research.
409 citations
Cites background from "Pi: a path identification mechanism..."
...3) Host and Router Based Solutions: Stack Path identifier (Pi) [130] is a reactive scheme, where each router uses IP identification field for marking....
[...]
References
More filters
Proceedings Article•
01 Apr 1992
TL;DR: This document describes the MD5 message-digest algorithm, which takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
Abstract: This document describes the MD5 message-digest algorithm. The
algorithm takes as input a message of arbitrary length and produces as
output a 128-bit "fingerprint" or "message digest" of the input. This
memo provides information for the Internet community. It does not
specify an Internet standard.
3,514 citations
"Pi: a path identification mechanism..." refers methods in this paper
...A Fan-In Topology. the n least significant bits of the MD5 hash and ‘||’ represents concatenation....
[...]
...By modifying the markingbits function to return the MD5 [26] cryptographic hash of the IP address, we achieve a nearlyuniform distribution of the last bits of the hash....
[...]
...In an actual router implementation of Pi, the router computes the MD5 hash only once and not on a per-packet basis....
[...]
01 Jan 1998
TL;DR: A simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point is discussed.
Abstract: Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.
1,596 citations
"Pi: a path identification mechanism..." refers background in this paper
...Ferguson and Senie propose to deploy network ingress filtering to limit spoofing of the source IP address [13]....
[...]
Proceedings Article•
13 Aug 2001TL;DR: This article presents a new technique, called “backscatter analysis,” that provides a conservative estimate of worldwide denial-of-service activity, and believes it is the first to provide quantitative estimates of Internet-wide denial- of- service activity.
Abstract: In this paper, we seek to answer a simple question: "How prevalent are denial-of-service attacks in the Internet today?". Our motivation is to understand quantitatively the nature of the current threat as well as to enable longer-term analyses of trends and recurring patterns of attacks. We present a new technique, called "backscatter analysis", that provides an estimate of worldwide denial-of-service activity. We use this approach on three week-long datasets to assess the number, duration and focus of attacks, and to characterize their behavior. During this period, we observe more than 12,000 attacks against more than 5,000 distinct targets, ranging from well known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. We believe that our work is the only publically available data quantifying denial-of-service activity in the Internet.
1,444 citations
IBM1
TL;DR: A computational technique for combatting junk mail in particular and controlling access to a shared resource in general is presented, which requires a user to compute a moderately hard, but not intractable, function in order to gain access to the resource, thus preventing frivolous use.
Abstract: We present a computational technique for combatting junk mail in particular and controlling access to a shared resource in general. The main idea is to require a user to compute a moderately hard, but not intractable, function in order to gain access to the resource, thus preventing frivolous use. To this end we suggest several pricing Junctions, based on, respectively, extracting square roots modulo a prime, the Fiat-Shamir signature scheme, and the Ong-Schnorr-Shamir (cracked) signature scheme.
1,416 citations
"Pi: a path identification mechanism..." refers background in this paper
...Researchers often propose computational solutions for this class of attacks [10, 12, 17]....
[...]