r1 - 22 Feb 2007 - 23:02:26 - Main.katchang

Internet Security

We have focused on detecting/countering Denial-of-Service (DoS) attacks. The three main contributions of this research are as follows.

Hop-count Filtering

While an attacker can forge any field in the IP header of a spoofed packet, he cannot falsify the number of hops the packet takes to reach its destination, which is solely determined by the Internet routing infrastructure. The hop-count information is indirectly reflected in the TTL field of the IP header, since each intermediate router decrements the TTL value by one before forwarding a packet to the next hop. Based on this observation, we presented a novel hop-count-based filter to weed out spoofed IP packets. We built an accurate IP-to-hop-count (IP2HC) mapping table, while using a moderate amount of storage, by clustering address prefixes based on hop-count. To capture hop-count changes under dynamic network conditions, we also devised a safe update procedure for the IP2HC mapping table that prevents pollution by HCF-aware attackers. Two running states, alert and action, within HCF use this mapping to inspect the IP header of each IP packet. Under normal conditions, HCF stays in the alert state, watching for abnormal TTL behavior without discarding any packet. Upon detection of an attack, HCF switches to the action state, in which it discards those IP packets whose hop-counts do not match the table. We implemented HCF in the Linux kernel and evaluated its benefit with experimental measurements. Our experimental results have shown that HCF is indeed effective in countering IP spoofing and provides significant resource savings.
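The hop-count inference and the alert/action states described above, as an added illustration that is not the project's HCF kernel code. It assumes that initial TTLs come from the common OS default values listed in the block, keys the IP2HC table on /24 prefixes (a simplification of the paper's prefix clustering), and switches state on a hand-chosen mismatch ratio per observation window; the table and packets are constructed.

```python
import ipaddress

# Assumed set of common OS default initial TTLs (not taken from the page).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)

def hop_count(ttl):
    """Infer hops travelled: smallest plausible initial TTL minus the observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL above every known initial value")

def prefix24(ip):
    """Key the IP2HC table on /24 prefixes (simplification of the clustering)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

class HopCountFilter:
    def __init__(self, ip2hc, attack_ratio=0.5):
        self.ip2hc = dict(ip2hc)      # prefix -> expected hop-count
        self.attack_ratio = attack_ratio
        self.state = "alert"          # alert: observe only; action: drop mismatches
        self.seen = self.mismatched = 0

    def inspect(self, src_ip, ttl):
        """Return True to accept the packet, False to drop it."""
        expected = self.ip2hc.get(prefix24(src_ip))
        if expected is None:
            return True               # no mapping for this prefix: cannot judge
        self.seen += 1
        if hop_count(ttl) == expected:
            return True
        self.mismatched += 1
        return self.state != "action"  # alert state only counts the mismatch

    def end_of_window(self):
        """Enter action when mismatches dominate the window, else fall back to alert."""
        ratio = self.mismatched / self.seen if self.seen else 0.0
        self.state = "action" if ratio > self.attack_ratio else "alert"
        self.seen = self.mismatched = 0
        return self.state

# Constructed table and packets (src, ttl): 10.1.2.0/24 is 12 hops away,
# 192.0.2.0/24 is 3 hops away; the spoofed packets carry TTLs that imply otherwise.
TABLE = {"10.1.2.0/24": 12, "192.0.2.0/24": 3}
NORMAL = [("10.1.2.7", 116), ("192.0.2.5", 61), ("10.1.2.9", 116)]
SPOOFED = [("10.1.2.50", 120), ("192.0.2.77", 250), ("10.1.2.51", 121)]

def run(packets, hcf):
    return [hcf.inspect(ip, ttl) for ip, ttl in packets]
```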

SYN-dog

TCP SYN flooding is the most common DDoS attack; it dominates both the available attack tools and the number of DoS attacks known to date. We proposed a simple and robust mechanism, called SYN-dog, to sniff SYN flooding attacks. Instead of monitoring the ongoing traffic at the front end or at the victim server itself, SYN-dog is installed at a leaf router that connects a stub network. The simplicity of SYN-dog lies in its statelessness and low computation overhead. SYN-dog utilizes the distinct protocol behavior of TCP connection establishment and teardown, which consists of the SYN--FIN pair and the SYN--SYN/ACK pair, for SYN flooding detection. Moreover, SYN-dog is insensitive to sites and access patterns: the non-parametric Cumulative Sum (CUSUM) method is applied, making SYN-dog robust, much more generally applicable, and easier to deploy. The efficacy of SYN-dog is evaluated and validated by trace-driven simulations. The evaluation results show that SYN-dog achieves high detection accuracy and short detection time. Furthermore, once the first-mile SYN-dog detects the ongoing flooding traffic, information about the location of the flooding sources is also revealed, thus saving most of the IP traceback effort that might otherwise be needed.
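The SYN--FIN pairing and the non-parametric CUSUM test described above, as an added example that is not the SYN-dog code itself. It assumes per-interval SYN and FIN counts collected at the leaf router, normalizes the SYN-minus-FIN difference by an exponentially weighted average of recent FIN counts so the statistic is independent of the site's traffic volume, and uses hand-chosen drift and threshold parameters; the interval counts are constructed.

```python
def cusum_syn_fin(intervals, drift=0.3, threshold=3.0, alpha=0.5):
    """Non-parametric CUSUM over (SYN, FIN) counts per observation interval.

    x_n = (SYN_n - FIN_n) / FIN_avg   normalized SYN-FIN difference, FIN_avg is
                                       an EWMA of earlier FIN counts (assumption)
    y_n = max(y_{n-1} + x_n - drift, 0)  accumulates only sustained positive drift
    Returns (index of the first interval whose y_n exceeds threshold, or None,
             the full list of y_n).
    """
    y, trace, first_alarm = 0.0, [], None
    fin_avg = float(intervals[0][1]) if intervals else 1.0
    for i, (syn, fin) in enumerate(intervals):
        # A healthy site closes roughly as many connections as it opens, so x stays
        # near zero; a flood produces SYNs with no matching FINs and x grows.
        x = (syn - fin) / fin_avg if fin_avg > 0 else float(syn - fin)
        y = max(y + x - drift, 0.0)
        trace.append(y)
        if first_alarm is None and y > threshold:
            first_alarm = i
        fin_avg = (1 - alpha) * fin_avg + alpha * fin   # update the FIN baseline
    return first_alarm, trace

# Constructed per-interval counts: four normal intervals where SYNs and FINs
# roughly balance, then three intervals of a SYN flood with no extra FINs.
NORMAL_INTERVALS = [(100, 98), (102, 101), (99, 100), (101, 99)]
FLOOD_INTERVALS = NORMAL_INTERVALS + [(400, 100), (500, 101), (450, 99)]
```

Because the detector only accumulates the normalized excess of SYNs over FINs, it carries no per-connection state and the same parameters work for a busy and a quiet stub network.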

tIP Router Architecture

Based on the concept of layer-4 service differentiation and resource isolation, we developed a transport-aware IP router architecture that can be utilized as a built-in mechanism to counter DDoS attacks. The key components of the tIP router architecture are the fine-grained QoS classifier and the adaptive weight-based resource manager. The classifier divides the BAs (Behavior Aggregates) into thinner aggregates. Then, the adaptive resource manager provides fine-grained service differentiation and resource isolation for these thinner aggregates. Our extensive evaluation study has shown that the flooding traffic is significantly throttled and that most flooding packets are dropped in close proximity to their sources. Moreover, the tIP router guarantees that high-tiered TCP sessions receive better service and hence yield better end-to-end performance than low-tiered TCP sessions.

Publications

Haining Wang, Abhijit Bose, Mohamed El-Gendy, and Kang G. Shin, "IP Easy-pass: Edge Resource Access Control," IEEE INFOCOM'2004, Hong Kong, China, March 2004.

Cheng Jin, Haining Wang, and Kang G. Shin, "Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic," ACM Conference on Computer and Communications Security (CCS)'2003, Washington, DC, October 2003.

Haining Wang and Kang G. Shin, "Transport-aware IP Routers: A Built-in Protection Mechanism to Counter DDoS Attacks," IEEE Transactions on Parallel and Distributed Systems, vol. 14, no. 9, September 2003.

Haining Wang, Danlu Zhang, and Kang G. Shin, "Sniffing SYN Flooding Sources," IEEE ICDCS'2002, Vienna, Austria, 2002.

Haining Wang, Danlu Zhang, and Kang G. Shin, "Detecting SYN Flooding Attacks," IEEE INFOCOM'2002, New York City, NY, 2002.

-- Main.katchang - 22 Feb 2007

