Abstract
We present LOT, a lightweight 'plug and play' tunneling protocol installed (only) at edge gateways. Two communicating gateways A and B running LOT automatically and securely establish an efficient tunnel, encapsulating the packets sent between them. This allows B to discard packets that use A's network addresses but were not sent via A (i.e. are spoofed), and vice versa.
LOT is practical: it is easy to manage ('plug and play', no coordination between gateways), is deployed incrementally and only at edge gateways (no change to core routers or hosts), and has negligible overhead in bandwidth and processing, as we validate by experiments on a prototype implementation. LOT storage requirements are also modest. LOT can be used alone, providing protection against blind (spoofing) attackers, or to opportunistically set up IPsec tunnels, providing protection against Man In The Middle (MITM) attackers.
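The gateway-side filtering rule that the abstract describes, as an added illustration (this is not the paper's code or prototype): once B has a tunnel with A covering A's address blocks, B accepts a packet whose source falls in those blocks only if it arrived through that tunnel, and still lets traffic from blocks that have no LOT peer through unchanged. LOT's handshake and encapsulation format are out of scope here; the per-tunnel shared key, the HMAC-derived tag and the sample addresses are assumptions made for the example.

```python
"""Gateway-side check behind LOT's anti-spoofing property (added example).

B keeps one Tunnel per peer gateway. A packet claiming a source inside a
tunneled block is only accepted when it was encapsulated by that tunnel's
peer and carries a tag B can verify. Key and tag scheme are assumptions;
they stand in for whatever the real handshake establishes.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAG_LEN = 8  # assumed tag size; a blind (off-path) attacker never sees a valid tag


@dataclass
class Tunnel:
    peer: str          # address of the remote gateway
    blocks: List       # address blocks the remote gateway fronts
    key: bytes         # per-tunnel secret (assumed to come from the handshake)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    encap: Optional[Tuple[str, bytes]] = None  # (sending gateway, tag) when tunneled


def _tag(key: bytes, pkt: Packet) -> bytes:
    """Keyed tag over the inner header and payload (assumed construction)."""
    msg = pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def encapsulate(tunnel: Tunnel, sender: str, pkt: Packet) -> Packet:
    """Sender side: the gateway fronting pkt.src tags it before forwarding."""
    return Packet(pkt.src, pkt.dst, pkt.payload, encap=(sender, _tag(tunnel.key, pkt)))


class Gateway:
    def __init__(self) -> None:
        self.tunnels: Dict[str, Tunnel] = {}   # peer gateway -> Tunnel

    def install_tunnel(self, peer: str, blocks: List[str], key: Optional[bytes] = None) -> Tunnel:
        t = Tunnel(peer, [ipaddress.ip_network(b) for b in blocks], key or secrets.token_bytes(16))
        self.tunnels[peer] = t
        return t

    def tunnel_owning(self, src: str) -> Optional[Tunnel]:
        """Which tunnel's peer (if any) is responsible for this source address."""
        addr = ipaddress.ip_address(src)
        for t in self.tunnels.values():
            if any(addr in block for block in t.blocks):
                return t
        return None

    def accept(self, pkt: Packet) -> Tuple[bool, str]:
        """Receiver side: decide whether an arriving packet passes the LOT check."""
        owner = self.tunnel_owning(pkt.src)
        if pkt.encap is None:
            if owner is None:
                return True, "pass: source block has no LOT peer, ordinary filtering applies"
            return False, "drop: claims a tunneled source block but arrived outside the tunnel"
        sender, tag = pkt.encap
        t = self.tunnels.get(sender)
        if t is None:
            return False, "drop: encapsulated by a gateway we have no tunnel with"
        if owner is not t:
            return False, "drop: source address is not in the sending gateway's blocks"
        if not hmac.compare_digest(tag, _tag(t.key, pkt)):
            return False, "drop: tag does not verify for this tunnel"
        return True, "pass: authentic tunnel packet"


if __name__ == "__main__":
    # Constructed scenario: B fronts 192.0.2.0/24 and has a tunnel with A, which fronts 10.1.0.0/16.
    key = secrets.token_bytes(16)
    B = Gateway()
    to_a = B.install_tunnel("198.51.100.1", ["10.1.0.0/16"], key)
    legit = Packet("10.1.2.3", "192.0.2.10", b"hello")
    print(B.accept(encapsulate(to_a, "198.51.100.1", legit)))   # via A: pass
    print(B.accept(legit))                                       # same header, no tunnel: drop
    print(B.accept(Packet("203.0.113.7", "192.0.2.10", b"x")))   # no LOT peer for this block: pass
```

Note that the last case is what makes incremental deployment work: B only tightens its policy for the blocks of gateways it has actually paired with, so an un-paired network sees no change in how B treats its traffic.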
Keywords
- Transport Layer Security
- Address Block
- Datagram Transport Layer Security
- Handshake Protocol
- Network Block
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gilad, Y., Herzberg, A. (2009). Lightweight Opportunistic Tunneling (LOT). In: Backes, M., Ning, P. (eds) Computer Security – ESORICS 2009. ESORICS 2009. Lecture Notes in Computer Science, vol 5789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04444-1_7
DOI: https://doi.org/10.1007/978-3-642-04444-1_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04443-4
Online ISBN: 978-3-642-04444-1
eBook Packages: Computer Science (R0)