TY - GEN
T1 - The case for in-network replay suppression
AU - Lee, Taeho
AU - Pappas, Christos
AU - Perrig, Adrian
AU - Gligor, Virgil
AU - Hu, Yih Chun
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/4/2
Y1 - 2017/4/2
N2 - We make a case for packet-replay suppression at the network layer, a concept that has been generally neglected. Our contribution is twofold. First, we demonstrate a new attack, the router-reflection attack, that can be launched using compromised routers. In this attack, a compromised router degrades the connectivity of a remote Internet region just by replaying packets. The attack is feasible even if all packets are attributed to their sources, i.e., source authentication is in place, and our evaluation shows that the threat is pervasive: candidate routers for compromise are in the order of hundreds or thousands. Second, we design an in-network mechanism for replay suppression. We start by showing that designing such a mechanism poses unsolved challenges and that simple adaptations of end-to-end solutions are not sufficient. Then, we devise, analyze, and implement a highly efficient protocol that suppresses replayed traffic at the network layer without global time synchronization. Our software-router prototype can saturate a 10 Gbps link using only two CPU cores for packet processing.
UR - http://www.scopus.com/inward/record.url?scp=85021862962&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85021862962&partnerID=8YFLogxK
U2 - 10.1145/3052973.3052988
DO - 10.1145/3052973.3052988
M3 - Conference contribution
AN - SCOPUS:85021862962
T3 - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security
SP - 862
EP - 873
BT - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017
Y2 - 2 April 2017 through 6 April 2017
ER -