计算机科学

计算机科学 ›› 2023, Vol. 50 ›› Issue (11): 340-347.doi: 10.11896/jsjkx.221000091

• 信息安全 • 上一篇    下一篇

基于拟态防御的VPN流量劫持防御技术

高振, 陈福才, 王亚文, 何威振   

  1. 解放军战略支援部队信息工程大学 郑州 450001
  • 收稿日期:2022-10-12 修回日期:2023-02-08 出版日期:2023-11-15 发布日期:2023-11-06
  • 通讯作者: 陈福才(cfc@ndsc.com.cn)
  • 作者简介:(15048601214@163.com)
  • 基金资助:
    国家重点研发计划(2021YFB1006200,2021YFB1006201);国家自然科学基金(62072467,62002383)

VPN Traffic Hijacking Defense Technology Based on Mimic Defense

GAO Zhen, CHEN Fucai, WANG Yawen, HE Weizhen   

  1. People's Liberation Army Strategic Support Force Information Engineering University,Zhengzhou 450001,China
  • Received:2022-10-12 Revised:2023-02-08 Online:2023-11-15 Published:2023-11-06
  • About author:GAO Zhen,born in 1997,postgraduate.His main research interests include network security and mimic defense.CHEN Fucai,born in 1974,professor.His main research interests include network security and so on.
  • Supported by:
    National Key Research and Development Program of China(2021YFB1006200,2021YFB1006201) and National Natural Science Foundation of China(62072467,62002383).

PDF (PC)

1412

摘要: VPN技术能够有效保障通信流量的保密性和完整性,但是近年来出现的名为blind in/on-path的流量劫持攻击利用VPN协议规则,通过将伪造报文注入加密隧道的方式来实施攻击,严重威胁了VPN技术的安全性。针对此类威胁,提出了基于拟态防御的VPN流量劫持防御技术,并设计了拟态VPN架构(Mimic VPN,M-VPN)。该架构由选调器和包含多个异构的VPN加解密节点的节点池组成。首先选调器根据节点的可信度动态地选取若干加解密节点,来并行处理加密流量;然后对各加解密节点的处理结果进行综合裁决;最后将裁决结果作为响应报文以及更新可信度的依据。通过对来自不同节点的同一响应进行裁决,有效阻止了攻击者注入伪造报文。实验仿真结果表明,相比传统的VPN架构,M-VPN可以降低blind in/on-path攻击成功率约12个数量级。

关键词: VPN, 流量劫持攻击, blind in/on-path攻击, 拟态防御, M-VPN

Abstract: VPN technology can effectively guarantee the confidentiality and integrity of communication traffic.However,the traffic hijacking attack named blind in/on-path emerged in recent years,uses VPN protocol rules to implement attacks by injecting forged messages into encrypted tunnels,which seriously threatens the security of VPN technology.Aiming at such threats,this paper proposes a VPN traffic hijacking prevention technology based on pseudo defense,and designs a pseudo VPN architecture(Mimic VPN,M-VPN).The architecture consists of a tuner and a node pool containing multiple heterogeneous VPN encryption and decryption nodes.Firstly,the tuner dynamically selects several encryption and decryption nodes to process the encryption traffic in parallel according to the node's credibility.Then the processing results of each encryption and decryption node are comprehensively judged.The decision result will be used as the basis for the response message and the updated credibility.By judging the same response from different nodes,the attacker is effectively prevented from injecting forged packets.TExperimental simulation shows that compared with the traditional VPN architecture,M-VPN can reduce the success rate of blind in/on-path attacks by about 12 orders of magnitude.

Key words: VPN, Traffic hijacking attack, blind in/on-path attack, Mimic Defense, M-VPN

中图分类号: 

  • TP309.5
[1]HOUSER R,HAO S,LI Z,et al.A Comprehensive Measure-ment-based Investigation of DNS Hijacking[C]//2021 40th International Symposium on Reliable Distributed Systems(SRDS).IEEE,2021:210-221.
[2]TOLLEY W J,KUJATH B,KHAN M T,et al.Blind In/On-Path Attacks and Applications to VPNs[C]//30th USENIX Security Symposium(USENIX Security 21).2021:3129-3146.
[3]ALEXANDER G,ESPINOZA A M,CRANDALL J R.Detecting TCP/IP Connections via IPID Hash Collisions[J].Proc.Priv.Enhancing Technol.,2019,2019(4):311-328.
[4]KNOCKEL J,CRANDALL J R.Counting packets sent between arbitrary internet hosts[C]//4th USENIX Workshop on Free and Open Communications on the Internet(FOCI 14).2014.
[5]FENG X,FU C,LI Q,et al.Off-path TCP exploits of the mixed IPID assignment[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security.2020:1323-1335.
[6]CAO Y,QIAN Z,WANG Z,et al.Off-Path TCP Exploits:Glo-bal Rate Limit Considered Dangerous[C]//25th USENIX Security Sympo-sium(USENIX Security 16).2016:209-225.
[7]KOTZIAS P,RAZAGHPANAH A,AMANN J,et al.Coming of age:A lon-gitudinal study of tls deployment[C]//Proceedings of the Internet Measurement Conference 2018.2018:415-428.
[8]EGEVANG K,FRANCIS P.The IP network address translator(NAT)[R].1994.
[9]BUSHART J,ROSSOW C.Padding ain't enough:Assessing the privacy guarantees of encrypted DNS[C]//10th USENIX Workshop on Free and Open Communications on the Internet(FOCI 20).2020.
[10]SIBY S,JUAREZ M,DIAZ C,et al.Encrypted DNS-> Privacy? A traffic analysis perspective[J].arXiv:1906.09682,2019.
[11]RANJAN A K,KUMAR V,HUSSAIN M.Security analysis of TLS authentication[C]//International Conference on Contemporary Computing and Informatics(IC3I 2014).IEEE,2014:1356-1360.
[12]CHENG K,GAO M,GUO R.Analysis and research on HTTPS hi-jacking attacks[C]//2010 Second International Conference on Net-works Security,Wireless Communications and Trusted Computing.IEEE,2010,2:223-226.
[13]WU J X.Meaning and vision of mimic computing and mimic security defense[J].Telecommunications Science,2014,30(7):2-7.
[14]WU J X.Research on cyber mimic defense[J].Journal of Cyber Security,2016,1(4):1-10.
[15]IACOVAZZI A,SARDA S,FRASSINELLI D,et al.DropWat:An invisible network flow watermark for data exfiltration traceback[J].IEEE Transactions on Information Forensics and Security,2017,13(5):1139-1154.
[16]IACOVAZZI A,SARDA S,ELOVICI Y.Inflow:Inverse net-work flow watermarking for detecting hidden servers[C]//IEEE INFOCOM 2018-IEEE Conference on Computer Communications.IEEE,2018:747-755.
[17]EGEVANG K,FRANCIS P.The IP network address translator(NAT)[R].1994.
[18]ZHENPENG W,HONGCHAO H,GUOZHEN C.A DNS Architecture Based on Mimic Security Defense[J].Acta Electronica Sinica,2017,45(11):2705-2714.
[19]KONG Z,JIANG X Z.DNS spoofing principle and its defense scheme[J].Computer Engineering,2010,36(3):125-127.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发