The case for in-network replay suppression

Taeho Lee, Christos Pappas, Adrian Perrig, Virgil Gligor, Yih Chun Hu

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

We make a case for packet-replay suppression at the network layer, a concept that has been generally neglected. Our contribution is twofold. First, we demonstrate a new attack, the router-reflection attack, that can be launched using compromised routers. In this attack, a compromised router degrades the connectivity of a remote Internet region just by replaying packets. The attack is feasible even if all packets are attributed to their sources, i.e., source authentication is in place, and our evaluation shows that the threat is pervasive: candidate routers for compromise are in the order of hundreds or thousands. Second, we design an in-network mechanism for replay suppression. We start by showing that designing such a mechanism poses unsolved challenges and that simple adaptations of end-to-end solutions are not sufficient. Then, we devise, analyze, and implement a highly efficient protocol that suppresses replayed traffic at the network layer without global time synchronization. Our software-router prototype can saturate a 10 Gbps link using only two CPU cores for packet processing.

Original language: English (US)
Title of host publication: ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 862-873
Number of pages: 12
ISBN (Electronic): 9781450349444
DOIs: https://doi.org/10.1145/3052973.3052988
State: Published - Apr 2 2017
Event: 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017 - Abu Dhabi, United Arab Emirates
Duration: Apr 2 2017 - Apr 6 2017

Publication series

Name: ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security

Other

Other: 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017
Country: United Arab Emirates
City: Abu Dhabi
Period: 4/2/17 - 4/6/17

Fingerprint

Routers
Network layers
Authentication
Program processors
Synchronization
Internet
Network protocols
Processing

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Information Systems
  • Software

Cite this

Lee, T., Pappas, C., Perrig, A., Gligor, V., & Hu, Y. C. (2017). The case for in-network replay suppression. In ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security (pp. 862-873). (ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3052973.3052988

The case for in-network replay suppression. / Lee, Taeho; Pappas, Christos; Perrig, Adrian; Gligor, Virgil; Hu, Yih Chun.

ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2017. p. 862-873 (ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Lee, T, Pappas, C, Perrig, A, Gligor, V & Hu, YC 2017, The case for in-network replay suppression. in ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security. ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 862-873, 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017, Abu Dhabi, United Arab Emirates, 4/2/17. https://doi.org/10.1145/3052973.3052988

Lee T, Pappas C, Perrig A, Gligor V, Hu YC. The case for in-network replay suppression. In ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2017. p. 862-873. (ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security). https://doi.org/10.1145/3052973.3052988

Lee, Taeho ; Pappas, Christos ; Perrig, Adrian ; Gligor, Virgil ; Hu, Yih Chun. / The case for in-network replay suppression. ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2017. pp. 862-873 (ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security).

@inproceedings{d5f917dff0584159bf0b6887d411af2a,
title = "The case for in-network replay suppression",
abstract = "We make a case for packet-replay suppression at the network layer, a concept that has been generally neglected. Our contribution is twofold. First, we demonstrate a new attack, the router-reflection attack, that can be launched using compromised routers. In this attack, a compromised router degrades the connectivity of a remote Internet region just by replaying packets. The attack is feasible even if all packets are attributed to their sources, i.e., source authentication is in place, and our evaluation shows that the threat is pervasive: candidate routers for compromise are in the order of hundreds or thousands. Second, we design an in-network mechanism for replay suppression. We start by showing that designing such a mechanism poses unsolved challenges and that simple adaptations of end-to-end solutions are not sufficient. Then, we devise, analyze, and implement a highly efficient protocol that suppresses replayed traffic at the network layer without global time synchronization. Our software-router prototype can saturate a 10 Gbps link using only two CPU cores for packet processing.",
author = "Taeho Lee and Christos Pappas and Adrian Perrig and Virgil Gligor and Hu, {Yih Chun}",
year = "2017",
month = "4",
day = "2",
doi = "10.1145/3052973.3052988",
language = "English (US)",
series = "ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery, Inc",
pages = "862--873",
booktitle = "ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security",

}

TY - GEN

T1 - The case for in-network replay suppression

AU - Lee, Taeho

AU - Pappas, Christos

AU - Perrig, Adrian

AU - Gligor, Virgil

AU - Hu, Yih Chun

PY - 2017/4/2

Y1 - 2017/4/2

N2 - We make a case for packet-replay suppression at the network layer, a concept that has been generally neglected. Our contribution is twofold. First, we demonstrate a new attack, the router-reflection attack, that can be launched using compromised routers. In this attack, a compromised router degrades the connectivity of a remote Internet region just by replaying packets. The attack is feasible even if all packets are attributed to their sources, i.e., source authentication is in place, and our evaluation shows that the threat is pervasive: candidate routers for compromise are in the order of hundreds or thousands. Second, we design an in-network mechanism for replay suppression. We start by showing that designing such a mechanism poses unsolved challenges and that simple adaptations of end-to-end solutions are not sufficient. Then, we devise, analyze, and implement a highly efficient protocol that suppresses replayed traffic at the network layer without global time synchronization. Our software-router prototype can saturate a 10 Gbps link using only two CPU cores for packet processing.

AB - We make a case for packet-replay suppression at the network layer, a concept that has been generally neglected. Our contribution is twofold. First, we demonstrate a new attack, the router-reflection attack, that can be launched using compromised routers. In this attack, a compromised router degrades the connectivity of a remote Internet region just by replaying packets. The attack is feasible even if all packets are attributed to their sources, i.e., source authentication is in place, and our evaluation shows that the threat is pervasive: candidate routers for compromise are in the order of hundreds or thousands. Second, we design an in-network mechanism for replay suppression. We start by showing that designing such a mechanism poses unsolved challenges and that simple adaptations of end-to-end solutions are not sufficient. Then, we devise, analyze, and implement a highly efficient protocol that suppresses replayed traffic at the network layer without global time synchronization. Our software-router prototype can saturate a 10 Gbps link using only two CPU cores for packet processing.

UR - http://www.scopus.com/inward/record.url?scp=85021862962&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85021862962&partnerID=8YFLogxK

U2 - 10.1145/3052973.3052988

DO - 10.1145/3052973.3052988

M3 - Conference contribution

AN - SCOPUS:85021862962

T3 - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security

SP - 862

EP - 873

BT - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

ER -