Computer Science, 2023, Vol. 50, Issue 11: 340-347. doi: 10.11896/jsjkx.221000091

• Information Security •

VPN Traffic Hijacking Defense Technology Based on Mimic Defense

GAO Zhen, CHEN Fucai, WANG Yawen, HE Weizhen

  1. People's Liberation Army Strategic Support Force Information Engineering University, Zhengzhou 450001, China
  • Received: 2022-10-12  Revised: 2023-02-08  Online: 2023-11-15  Published: 2023-11-06
  • About author: GAO Zhen, born in 1997, postgraduate. His main research interests include network security and mimic defense. CHEN Fucai, born in 1974, professor. His main research interests include network security, among others.
  • Supported by: National Key Research and Development Program of China (2021YFB1006200, 2021YFB1006201) and National Natural Science Foundation of China (62072467, 62002383).

Abstract: VPN technology can effectively guarantee the confidentiality and integrity of communication traffic. However, the traffic hijacking attack known as the blind in/on-path attack, which emerged in recent years, exploits VPN protocol rules to inject forged messages into encrypted tunnels and seriously threatens the security of VPN technology. Aiming at such threats, this paper proposes a VPN traffic hijacking defense technology based on mimic defense and designs a mimic VPN architecture (Mimic VPN, M-VPN). The architecture consists of a tuner and a node pool containing multiple heterogeneous VPN encryption/decryption nodes. First, the tuner dynamically selects several encryption/decryption nodes according to their credibility to process the encrypted traffic in parallel. Then the processing results of the selected nodes are comprehensively judged; the judgment result serves both as the basis for the response message and for updating the nodes' credibility. By requiring the same response from different nodes, an attacker is effectively prevented from injecting forged packets. Experimental simulation shows that, compared with the traditional VPN architecture, M-VPN reduces the success rate of blind in/on-path attacks by about 12 orders of magnitude.
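As an added illustration of the arbitration loop the abstract describes (written for this page; it is not the authors' M-VPN implementation), the following Python toy model wires together the four pieces: a tuner that samples k nodes from the pool weighted by credibility, heterogeneous nodes that process the same tunnel packet in parallel, a strict-majority judgment over their outputs that decides the response, and a credibility update driven by that judgment. Everything about the packets and nodes is a constructed assumption: a packet is a dict with a `forged` flag, a node models "dropping" a packet by returning `None`, and each node is fooled by a forged packet independently with a per-node probability `fool_prob`. The `majority_success_probability` helper is the standard binomial calculation for independent nodes, not the paper's experimental figure.

```python
"""
Toy model of the M-VPN arbitration loop: tuner, heterogeneous node pool,
majority judgment, credibility update.  Illustrative code for this page,
not the authors' implementation; packet format, fooling probabilities and
credibility constants are all constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from math import comb
import random


@dataclass
class Node:
    name: str            # one heterogeneous VPN encryption/decryption node (assumed)
    fool_prob: float     # constructed: P(a forged packet passes this node's checks)
    credibility: float = 1.0

    def process(self, packet: dict, rng: random.Random):
        """Return this node's view of the packet, or None if it drops it."""
        if not packet["forged"]:
            return packet["payload"]       # genuine traffic decrypts identically on every node
        # A forged packet yields the attacker's chosen plaintext only on a node
        # whose protocol checks it happens to satisfy; every other node drops it.
        return packet["payload"] if rng.random() < self.fool_prob else None


def select_nodes(pool, k, rng):
    """Tuner: credibility-weighted sampling without replacement."""
    remaining = list(pool)
    chosen = []
    for _ in range(min(k, len(remaining))):
        total = sum(n.credibility for n in remaining)
        r = rng.random() * total
        acc = 0.0
        for n in remaining:
            acc += n.credibility
            if r <= acc:
                pick = n
                break
        else:                               # floating-point guard
            pick = remaining[-1]
        chosen.append(pick)
        remaining.remove(pick)
    return chosen


def arbitrate(outputs):
    """Majority judgment: (decision, votes).  The decision is None (drop the
    packet) unless a strict majority produced the same non-None result."""
    winner, votes = Counter(outputs).most_common(1)[0]
    if winner is None or 2 * votes <= len(outputs):
        return None, votes
    return winner, votes


def update_credibility(selected, outputs, decision, penalty=0.5, reward=0.05):
    """Nodes that disagreed with the judgment are penalised; agreeing nodes
    recover slowly.  The constants are arbitrary for this demo."""
    for node, out in zip(selected, outputs):
        if out == decision:
            node.credibility = min(1.0, node.credibility + reward)
        else:
            node.credibility = max(0.01, node.credibility * penalty)


def handle_packet(pool, packet, k, rng):
    """One round of the loop; returns the arbitrated response (None = dropped)."""
    selected = select_nodes(pool, k, rng)
    outputs = [n.process(packet, rng) for n in selected]   # parallel in a real deployment
    decision, _ = arbitrate(outputs)
    update_credibility(selected, outputs, decision)
    return decision


def majority_success_probability(p, k):
    """Analytic success rate of one forged packet against k nodes that are
    fooled independently with probability p each, under strict-majority voting."""
    need = k // 2 + 1
    return sum(comb(k, j) * p ** j * (1 - p) ** (k - j) for j in range(need, k + 1))


if __name__ == "__main__":
    rng = random.Random(1)
    pool = [Node("impl-A", 1e-3), Node("impl-B", 1e-3),
            Node("impl-C", 1e-3), Node("impl-D", 1e-3)]
    genuine = {"forged": False, "payload": "GET /index.html"}     # constructed
    forged = {"forged": True, "payload": "GET /attacker"}         # constructed
    print("genuine ->", handle_packet(pool, genuine, 3, rng))
    print("forged  ->", handle_packet(pool, forged, 3, rng))
    for k in (1, 3, 5):
        print(f"k={k}: P(forged packet accepted) = {majority_success_probability(1e-3, k):.2e}")
```

The binomial helper only shows the direction of the effect: a single node that is fooled with probability p becomes roughly 3p² under three-node voting and 10p³ under five-node voting, so every two extra voters cost the attacker several more orders of magnitude. The 12-orders-of-magnitude figure in the abstract is the authors' own simulation result and is not reproduced by this toy.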

Key words: VPN, Traffic hijacking attack, Blind in/on-path attack, Mimic defense, M-VPN

CLC Number: TP309.5
[1] HOUSER R,HAO S,LI Z,et al.A Comprehensive Measurement-based Investigation of DNS Hijacking[C]//2021 40th International Symposium on Reliable Distributed Systems(SRDS).IEEE,2021:210-221.
[2] TOLLEY W J,KUJATH B,KHAN M T,et al.Blind In/On-Path Attacks and Applications to VPNs[C]//30th USENIX Security Symposium(USENIX Security 21).2021:3129-3146.
[3] ALEXANDER G,ESPINOZA A M,CRANDALL J R.Detecting TCP/IP Connections via IPID Hash Collisions[J].Proceedings on Privacy Enhancing Technologies,2019,2019(4):311-328.
[4] KNOCKEL J,CRANDALL J R.Counting Packets Sent Between Arbitrary Internet Hosts[C]//4th USENIX Workshop on Free and Open Communications on the Internet(FOCI 14).2014.
[5] FENG X,FU C,LI Q,et al.Off-Path TCP Exploits of the Mixed IPID Assignment[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security.2020:1323-1335.
[6] CAO Y,QIAN Z,WANG Z,et al.Off-Path TCP Exploits:Global Rate Limit Considered Dangerous[C]//25th USENIX Security Symposium(USENIX Security 16).2016:209-225.
[7] KOTZIAS P,RAZAGHPANAH A,AMANN J,et al.Coming of Age:A Longitudinal Study of TLS Deployment[C]//Proceedings of the Internet Measurement Conference 2018.2018:415-428.
[8] EGEVANG K,FRANCIS P.The IP Network Address Translator(NAT)[R].1994.
[9] BUSHART J,ROSSOW C.Padding Ain't Enough:Assessing the Privacy Guarantees of Encrypted DNS[C]//10th USENIX Workshop on Free and Open Communications on the Internet(FOCI 20).2020.
[10] SIBY S,JUAREZ M,DIAZ C,et al.Encrypted DNS-->Privacy? A Traffic Analysis Perspective[J].arXiv:1906.09682,2019.
[11] RANJAN A K,KUMAR V,HUSSAIN M.Security Analysis of TLS Authentication[C]//International Conference on Contemporary Computing and Informatics(IC3I 2014).IEEE,2014:1356-1360.
[12] CHENG K,GAO M,GUO R.Analysis and Research on HTTPS Hijacking Attacks[C]//2010 Second International Conference on Networks Security,Wireless Communications and Trusted Computing.IEEE,2010,2:223-226.
[13] WU J X.Meaning and Vision of Mimic Computing and Mimic Security Defense[J].Telecommunications Science,2014,30(7):2-7.
[14] WU J X.Research on Cyber Mimic Defense[J].Journal of Cyber Security,2016,1(4):1-10.
[15] IACOVAZZI A,SARDA S,FRASSINELLI D,et al.DropWat:An Invisible Network Flow Watermark for Data Exfiltration Traceback[J].IEEE Transactions on Information Forensics and Security,2017,13(5):1139-1154.
[16] IACOVAZZI A,SARDA S,ELOVICI Y.INFLOW:Inverse Network Flow Watermarking for Detecting Hidden Servers[C]//IEEE INFOCOM 2018-IEEE Conference on Computer Communications.IEEE,2018:747-755.
[17] EGEVANG K,FRANCIS P.The IP Network Address Translator(NAT)[R].1994.
[18] ZHENPENG W,HONGCHAO H,GUOZHEN C.A DNS Architecture Based on Mimic Security Defense[J].Acta Electronica Sinica,2017,45(11):2705-2714.
[19] KONG Z,JIANG X Z.DNS Spoofing Principle and Its Defense Scheme[J].Computer Engineering,2010,36(3):125-127.