Lightweight Opportunistic Tunneling (LOT)

We present LOT, a lightweight 'plug and play' tunneling protocol installed (only) at edge gateways. Two communicating gateways A and B running LOT automatically and securely establish an efficient tunnel, encapsulating the packets sent between them. This allows B to discard packets that carry A's network addresses but were not sent via A (i.e., are spoofed), and vice versa. LOT is practical: it is easy to manage ('plug and play', no coordination between gateways), can be deployed incrementally and only at edge gateways (no change to core routers or hosts), and has negligible bandwidth and processing overhead, as we validate by experiments on a prototype implementation. LOT's storage requirements are also modest. LOT can be used alone, providing protection against blind (spoofing) attackers, or to opportunistically set up IPsec tunnels, providing protection against Man-in-the-Middle (MITM) attackers.
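The receive-side decision the abstract describes, as an added example that is not the paper's code: gateway B keeps, per peer prefix, the tag agreed when the LOT tunnel was set up, and drops packets that claim a peer's addresses but did not arrive through that peer's tunnel. How the tag is negotiated and carried in the encapsulation, the `Packet` shape, and the prefixes and tag values are assumptions of this example.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str                     # source address the packet claims
    tunnel_tag: Optional[bytes]  # assumed LOT encapsulation tag; None = plain IP

class LotReceiver:
    """Receive-side LOT filter at gateway B (a model, not the paper's code).
    `tunnels` maps a peer gateway's prefix to the per-tunnel tag agreed at
    tunnel setup; negotiation and encoding of that tag are assumed here."""

    def __init__(self) -> None:
        self.tunnels: dict[ipaddress.IPv4Network, bytes] = {}

    def add_tunnel(self, prefix: str, tag: bytes) -> None:
        self.tunnels[ipaddress.ip_network(prefix)] = tag

    def _peer_tag(self, src: str) -> Optional[bytes]:
        addr = ipaddress.ip_address(src)
        return next((t for net, t in self.tunnels.items() if addr in net), None)

    def classify(self, pkt: Packet) -> str:
        expected = self._peer_tag(pkt.src)
        if expected is None:
            # No LOT peer owns this prefix: LOT has no say, forward as usual.
            return "forward" if pkt.tunnel_tag is None else "drop-unknown-tunnel"
        if pkt.tunnel_tag is None:
            # Claims a peer's address but bypassed the peer's tunnel: spoofed.
            return "drop-spoofed"
        if hmac.compare_digest(pkt.tunnel_tag, expected):
            return "accept"
        return "drop-bad-tag"  # wrong tag: forged or stale encapsulation

def demo() -> dict[str, str]:
    """Constructed packets against a receiver with one tunnel to peer A."""
    b = LotReceiver()
    b.add_tunnel("203.0.113.0/24", b"tag-A")   # constructed prefix and tag
    pkts = {
        "via_tunnel": Packet("203.0.113.7", b"tag-A"),
        "spoofed_plain": Packet("203.0.113.7", None),
        "forged_tag": Packet("203.0.113.7", b"tag-X"),
        "unrelated": Packet("198.51.100.9", None),
    }
    return {name: b.classify(p) for name, p in pkts.items()}
```

Only traffic claiming a prefix for which a tunnel exists is ever dropped, which is what lets LOT be deployed incrementally without affecting gateways that do not run it.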
