RAD: Reflector attack defense using message authentication codes

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2009, Pages 269-278

  Kline, Erik ^a   Beaumont Gay, Matt ^a   Mirkovic, Jelena ^b   Reiher, Peter ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b UNIVERSITY OF SOUTHERN CALIFORNIA   (United States)

Author keywords

DoS; IP spoofing; MAC; RAD; Reflector attack

Indexed keywords

DENIAL OF SERVICE ATTACKS; IP SPOOFING; MAC; MESSAGE AUTHENTICATION CODES; NETWORK CAPACITY; REFLECTOR ATTACKS; SERVICE REQUESTS; TARGET MACHINES;

AUTHENTICATION; COMPUTER CRIME; NETWORK SECURITY; REFLECTION; TARGETS; VIDEO STREAMING;

GATEWAYS (COMPUTER NETWORKS);

EID: 77950819080     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2009.32     Document Type: Conference Paper

References (36)

1. J. Aikat, J. Kaur, F.D. Smith, and K. Jeffay. Variability in TCP Round-trip Times. In Internet Measurement Conference, 2003.
2. D. Basheer and G. Manimaran. Victim-assisted Mitigation Technique for TCP-Based Refelector DDoS Attacks. In 4th IFIP-TC6, Networking, pages 191-204, 2005.
3. S. Bellovin. A Technique for Counting NATted Hosts. In IMW '02: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, 2002.
4. D.J. Bernstein. SYN Cookies, 1997.
5. A. Bremler-Barr and H. Levy. Spoofing Prevention Method. In INFOCOM, 2005.
6. C. De Cannière and C. Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In ASIACRYPT, 2006.
7. Z. Duan, X. Yuan, and J. Chandrashekar. Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates. In INFOCOM, 2006.
8. P. Eckerlsey, F. von Lohmann, and S. Schoen. Packet Forgery By ISPs: A Report On The Comcast Affair. Electronic Frontier Foundation, November 2007.
9. P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2267.
10. Y. Hu, M. Jakobsson, and A. Perrig. Efficient Constructions for One-Way Hash Chains. In Applied Cryptography and Network Security, 2005.
11. H. Jiang and C. Dovrolis. Passive Estimation of TCP Round-Trip Times. ACM SIGCOMM Computer Communications Review, 32(3):75-88, 2002.
12. C. Jin, H.Wang, and K.G. Shin. Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic. In 10th ACM conference on Computer and Communications Security, 2003.
13. E. Kohler, R. Morris, B. Chen, J. Jannotti, and M.F. Kasshoek. The Click Modular Router. In ACM Transactions on Computer Systems (TOCS), 2000.
14. H. Lee, M. Kwon, G. Hasker, and A. Perrig. BASE: An Incrementally Deployable Mechanism for Viable IP Spoofing Prevention. In ASIAN ACM Symposium on Information, Computer and Communications Security, 2007.
15. J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang. SAVE: Source Address Validity Enforcement Protocol. In INFOCOM, 2002.
16. R. Lien, T. Grembowksi, and K. Gaj. A 1 Gbit/s Partially Unrolled Architecture of Hash Functions SHA-1 and SHA-512. In RSA Cryptographers' Track, 2004.
17. X. Liu, X. Yang, and Y. Lu. To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets. In ACM SIGCOMM, 2008.
18. X. Liu, X. Yang, D. Wetherall, and T. Anderson. Efficient and Secure Source Authentication with Packet Passports. In SRUTI, 2006.
19. J. Mirkovic and E. Kissel. Comparative Evaluation of Spoofing Defenses. Technical Report ISI-TR-655, Information Sciences Institute, 2009.
20. D. Moore, C. Shannon, D.J. Brown, G.M. Voelker, and S. Savage. Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems (TOCS), 24(2), May 2006.
21. K. Park and H. Lee. On the Effectiveness of Route-Based Filtering for Distributed DoS Attack Prevention in Power-Law Internets. In ACM SIGCOMM, 2001.
22. V. Paxson. An Analysis of Using Reflectors for Distributed Denialof- Service Attacks. In ACM SIGCOMM Computer Communications Review, 2001.
23. T. Peng, C Leckie, and R. Kotagiri. Detecting Refletor Attacks by Sharing Beliefs. In IEEE Global Communications Conference, 2003.
24. A. Perrig, D. Song, and A. Yaar. StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense. IEEE Journal on Selected Areas in Communications, 24(10):1853-1863, October 2006.
25. J. Postel. Transmission Control Protocol. RFC 793.
26. S. Schwab, B. Wilson, C. Ko, and A. Hussain. Seer: A Security Experimentation EnviRonment for DETER. In DETER Community Workshop on Cyber Security Experimentation and Test, 2007.
27. S. Shin, K. Kim, and J. Jang. Analysis of TCP SYN Traffic: An Empirical Study. In International Conference on Advanced Communication Technology, 2005.
28. C. A. Shue, M. Gupta, and M. P. Davy. Packet Forwarding with Source Verification. Computer Networks, 52(8):1567-1582, 2008.
29. N. Spring, R. Mahajan, and D. Wetherall. Measuring ISP Topologies with Rocketfuel. In ACM SIGCOMM, 2002.
30. K. Vishwanath and A. Vahdat. Realistic and Responsive Network Traffic Generation. In ACM SIGCOMM: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, 2006.
31. X. Yang, D. Wetherall, and T. Anderson. A DoS-limiting Network Architecture. In ACM SIGCOMM, 2005.
32. Advanced Network Architecture Group. ANA Spoofer Project. http://spoofer.csail.mit.edu.
33. CAIDA CoralReef. http://www.caida.org/tools/measurement/.
34. DETER testbed. http://www.isi.edu/deter.
35. MAWI Working Group Traffic Archive. http://mawi.wide.ad.jp.
36. Tcpdump. http://www.tcpdump.org/.