Computer Science, 2017, Vol. 44, Issue 9: 148-155. doi: 10.11896/j.issn.1002-137X.2017.09.029


AS Security Alliance Mechanism for Inter-domain Routing System Based on Mimicry Protection

MIAO Fu, WANG Zhen-xing, GUO Yi and ZHANG Lian-cheng   

Online: 2018-11-13  Published: 2018-11-13

Abstract: A large-scale low-rate denial of service attack against BGP sessions (BGP-LDoS) can paralyse the inter-domain routing system as a whole, and existing detection methods and protection measures cannot effectively detect or defend against such attacks. Probing the topology of the inter-domain routing system and obtaining the parameters of its key links are fundamental steps of a BGP-LDoS attack. Mimic transformation of the network provides continuous dynamic change that confuses the attacker, raises the cost and complexity of the attacker's probing and analysis, and lowers the probability that the attack succeeds. From the viewpoint of mimic security defense, this paper presents a security alliance mechanism for the inter-domain routing system: neighboring autonomous systems form an alliance, and equivalent topology transformations are performed within the alliance. The concrete realization process is given, and the resilience against BGP-LDoS attacks after the mimic transformation is examined and analyzed. Experimental results demonstrate that the method effectively reduces the accuracy of the attacker's network topology analysis and interferes with the attacker's target link selection, providing reliable protection of the inter-domain routing system against BGP-LDoS attacks.

Key words: Mimic transformation, AS alliance, Network security, Inter-domain routing
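The abstract's central idea, that an alliance of neighboring ASes can present an equivalent but changing internal topology so that an outside observer's "key link" inference no longer matches the real wiring, can be illustrated with a small simulation. The following Python is an added example written for this page; it is not the paper's algorithm, code or data. The AS names (alliance members A1..A4, external ASes E1..E6), the chain-shaped real internal wiring, the choice of a random spanning tree as the "equivalent view", and the use of shortest-path edge betweenness as the observer's link-selection heuristic are all constructed assumptions for the illustration.

```python
"""Toy model of an AS alliance presenting equivalent, changing internal
topology views to an outside observer (constructed illustration, not the
paper's method or data)."""
from collections import deque
import random

# Constructed real AS-level topology.  A1..A4 form the alliance; E1..E6 are
# external ASes attached to alliance border members.
EXTERNAL_EDGES = [
    ("E1", "A1"), ("E2", "A1"), ("E1", "E2"),
    ("E3", "A2"), ("E4", "A3"),
    ("E5", "A4"), ("E6", "A4"), ("E5", "E6"),
]
ALLIANCE = ["A1", "A2", "A3", "A4"]
# Real internal wiring of the alliance: a chain, so A2-A3 is the true key link.
REAL_INTERNAL = [("A1", "A2"), ("A2", "A3"), ("A3", "A4")]


def build_adj(edges):
    """Undirected adjacency sets from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def edge_betweenness(adj):
    """Shortest-path edge betweenness (Brandes accumulation, unweighted).
    Returns {frozenset({u, v}): score}; scores are relative, used for ranking."""
    score = {}
    for s in adj:
        order, pred = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)
        dist = dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while order:
            w = order.pop()
            for v in pred[w]:
                c = sigma[v] / sigma[w] * (1.0 + delta[w])
                e = frozenset((v, w))
                score[e] = score.get(e, 0.0) + c
                delta[v] += c
    return score


def key_link(edges):
    """The link an observer would rank as most critical in this view."""
    score = edge_betweenness(build_adj(edges))
    return max(score, key=score.get)


def random_internal_view(rng):
    """One equivalent view: a random spanning tree over the alliance members.
    Any spanning tree keeps every external AS reachable, so from the outside
    the view is equivalent to the real wiring (assumption of this model)."""
    members = ALLIANCE[:]
    rng.shuffle(members)
    return [(members[i], rng.choice(members[:i])) for i in range(1, len(members))]


def externally_equivalent(view_edges):
    """Defender-side check of the equivalence property: all external ASes
    remain mutually reachable through the presented view."""
    adj = build_adj(EXTERNAL_EDGES + view_edges)
    seen, stack = set(), ["E1"]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(adj[v])
    return all(e in seen for e in ("E1", "E2", "E3", "E4", "E5", "E6"))


def observer_hit_rate(rounds=200, transform=True, seed=1):
    """Fraction of rounds in which the observer's chosen key link equals the
    real key link.  Without transformation the observer sees the real topology."""
    rng = random.Random(seed)
    real_key = key_link(EXTERNAL_EDGES + REAL_INTERNAL)
    hits = 0
    for _ in range(rounds):
        internal = random_internal_view(rng) if transform else REAL_INTERNAL
        assert externally_equivalent(internal)  # every view must stay equivalent
        if key_link(EXTERNAL_EDGES + internal) == real_key:
            hits += 1
    return hits / rounds


if __name__ == "__main__":
    print("real key link:", sorted(key_link(EXTERNAL_EDGES + REAL_INTERNAL)))
    print("hit rate, static topology:  ", observer_hit_rate(transform=False))
    print("hit rate, mimic transformed:", observer_hit_rate(transform=True))
```

With the static topology the observer identifies the real key link in every round; with a fresh equivalent view per round the hit rate drops well below one while `externally_equivalent` confirms that no view ever breaks reachability for the external ASes. The two quantities correspond to the abstract's evaluation criteria: the accuracy of the attacker's topology analysis and the disruption of its target link selection, measured under a defender's constraint that the transformation must remain equivalent for legitimate traffic.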

