Network Security Lab

National Taiwan University

Research on Network Security

Currently our research on network security focuses on protecting integrity and availability in networks, which involves the issues of distributed denial of service (DDoS) and securing the data plane in networks. Below is a brief introduction to our projects on network security and their achievements:

RainCheck Filter

A Practical System for Guaranteed Access in the Presence of DDoS Attacks and Flash Crowds

We propose RainCheck Filter (RCF), a lightweight primitive that guarantees bounded waiting time for clients despite server flooding without keeping per-client state on the server. RCF achieves strong waiting time guarantees by prioritizing clients based on how long the clients have waited, as if the server maintained a queue in which the clients lined up waiting for service. To avoid keeping state for every incoming client request, the server sends to the client a raincheck, a timestamped cryptographic token that not only informs the client to retry later but also serves as a proof of the client’s priority level within the virtual queue. We prove that every client complying with RCF can access the server in bounded time, even under a flash crowd incident or a DDoS attack. Our large-scale simulations confirm that RCF provides a small and predictable maximum waiting time while existing schemes cannot. To demonstrate its deployability, we implement RCF as a Python module such that web developers can protect a critical server resource by adding only three lines of code.

Overview of RainCheck.

The results show low waiting-time variance, and legitimate clients are served within a guaranteed wait.
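The raincheck mechanism described above, as an added illustration (not the RCF module itself): the server issues an HMAC-authenticated timestamp instead of storing a queue entry, and on each round serves the clients whose valid tokens show the earliest arrival. The key, token layout and the admit() round structure are assumptions for this example.

```python
import hmac, hashlib, struct

# Assumed server secret for this constructed example; rotate and store securely in practice.
SERVER_KEY = b"demo-raincheck-key"

def issue_raincheck(arrival, key=SERVER_KEY):
    """Stateless raincheck: the client's arrival time plus an HMAC over it.
    The server stores nothing; the token itself proves how long the client has waited."""
    ts = struct.pack(">d", arrival)
    return ts + hmac.new(key, ts, hashlib.sha256).digest()

def verify_raincheck(token, key=SERVER_KEY):
    """Return the embedded arrival time, or None if the token is malformed or forged."""
    if token is None or len(token) != 8 + 32:
        return None
    ts, tag = token[:8], token[8:]
    if not hmac.compare_digest(hmac.new(key, ts, hashlib.sha256).digest(), tag):
        return None
    return struct.unpack(">d", ts)[0]

def admit(requests, now, capacity, key=SERVER_KEY):
    """One server round. `requests` is a list of (client_id, token_or_None).
    Clients are ranked by proven arrival time (longest wait first); the first
    `capacity` are served, the rest get a raincheck to present on retry.
    Returns (served_ids, {client_id: raincheck})."""
    ranked = []
    for cid, token in requests:
        arrival = verify_raincheck(token, key)
        if arrival is None:
            # Newcomers and forged/tampered tokens start at the back of the virtual queue.
            arrival, token = now, issue_raincheck(now, key)
        ranked.append((arrival, cid, token))
    ranked.sort()  # the virtual queue: earliest arrival first
    served = [cid for _, cid, _ in ranked[:capacity]]
    retry = {cid: tok for _, cid, tok in ranked[capacity:]}
    return served, retry
```

Because priority comes from the authenticated timestamp rather than server memory, a flood of new clients cannot push an already-waiting client further back.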


Congesting the Internet with Coordinated And Decentralized Pulsating Attacks

This study stems from the premise that we need to break away from the “reactive” cycle of developing defenses against new DDoS attacks (e.g., amplification) by proactively investigating the potential for new types of DDoS attacks. Our specific focus is on pulsating attacks, a particularly debilitating type that has been hypothesized in the literature. In a pulsating attack, bots coordinate to generate intermittent pulses at target links to significantly reduce the throughput of TCP connections traversing the target. With pulsating attacks, attackers can cause significantly greater damage to legitimate users than traditional link flooding attacks. To date, however, pulsating attacks have been either deemed ineffective or easily defendable for two reasons: (1) they require a central coordinator and can thus be tracked; and (2) they require tight synchronization of pulses, which is difficult even in normal non-congestion scenarios.
Our project argues that the perceived drawbacks of pulsating attacks are in fact not fundamental. We develop a practical pulsating attack called CICADAS using two key ideas: (1) congestion as an implicit signal for decentralized implementation, and (2) a Kalman-filter-based approach to achieve tight synchronization. We validate CICADAS using simulations and wide-area experiments. We also discuss possible countermeasures against this attack.

CICADAS attack.

Overview of CICADAS.


Securing SDN Data Plane with Active Probing

Efficiently and correctly localizing malicious SDN switches whose behavior deviates from the controller’s intent is a daunting challenge, and existing network troubleshooting tools can easily misdetect the mismatch between the actual behavior of malicious switches and the operator’s intent. In this paper, we propose SDNProbe, a lightweight SDN application that sends a minimized number of probe packets to pinpoint misbehaving or malfunctioning switches. Similar to existing tools, the controller sends test packets to validate whether flow entries are correctly executed. To achieve low network overhead and fast detection, we propose an algorithm to provably minimize the number of test packets required to cover every flow entry in the network. To prevent circumvention by strong adversaries (e.g., adversaries that know the detection algorithm or collude), we further extend the algorithm to randomize the test paths. Based on realistic topologies and flow rules, our evaluation results confirm that SDNProbe can rapidly localize malicious switches by sending a minimal number of test packets. SDNProbe reduces the number of test packets required to localize all existing malicious switches by 30% compared to the state-of-the-art technique. Hence, in addition to SDN’s support for a systematic and automatic network troubleshooting workflow, our work can further secure the workflow against in-network adversaries with significantly reduced overhead.

Overview of SDNProbe.

The results show that SDNProbe can send a minimized number of probe packets to rapidly pinpoint misbehaving or malfunctioning switches.
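An added sketch of the two steps SDNProbe's abstract describes, written for this page and not taken from the SDNProbe code: choose a small set of probe headers whose paths together cover every flow entry, then compare each probe's expected hop sequence with what the switches actually reported to localize the deviating switch. The topology, the greedy set-cover stand-in for the paper's minimization algorithm, and the hop-report format are assumptions.

```python
# Constructed topology: each probe header exercises an ordered list of
# (switch, flow-entry) hops that the controller expects it to traverse.
PROBES = {
    "h1": [("s1", "e1"), ("s2", "e3"), ("s4", "e7")],
    "h2": [("s1", "e2"), ("s3", "e5"), ("s4", "e8")],
    "h3": [("s1", "e1"), ("s2", "e3")],            # redundant: subset of h1
    "h4": [("s2", "e3"), ("s4", "e7")],            # redundant: subset of h1
    "h5": [("s1", "e2"), ("s2", "e4")],            # only probe covering (s2, e4)
}

def choose_probes(probes):
    """Greedy set cover (assumed stand-in for SDNProbe's provably minimal
    algorithm): keep picking the probe that covers the most uncovered entries."""
    uncovered = {hop for path in probes.values() for hop in path}
    chosen = []
    while uncovered:
        best = max(probes, key=lambda h: len(uncovered & set(probes[h])))
        if not uncovered & set(probes[best]):
            break  # remaining entries are unreachable by any probe
        chosen.append(best)
        uncovered -= set(probes[best])
    return chosen

def localize(probes, chosen, observed):
    """`observed[header]` is the hop list the switches actually reported for a probe.
    At the first mismatch: if the same switch applied a different entry, that switch
    is the suspect; if the probe arrived at an unexpected switch, the previous switch
    misforwarded it; if the probe vanished, the last switch that saw it is suspect."""
    suspects = set()
    for h in chosen:
        expected, actual = probes[h], observed.get(h, [])
        for i, hop in enumerate(expected):
            if i >= len(actual):
                suspects.add(expected[max(i - 1, 0)][0])
                break
            if actual[i] != hop:
                wrong_entry_same_switch = actual[i][0] == hop[0]
                suspects.add(hop[0] if wrong_entry_same_switch or i == 0 else expected[i - 1][0])
                break
    return suspects
```

Randomizing which of several equivalent covering sets is used (the paper's extension against adversaries that know the algorithm) would be a further step on top of choose_probes().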

Cloud-based DDoS Traffic Scrubbing

There are three common ways to defend against DDoS attacks nowadays: purchasing on-premise DDoS mitigation appliances, purchasing a DDoS mitigation service from your Internet Service Provider (ISP), or purchasing a DDoS mitigation service from a cloud mitigation provider. However, these DDoS protection services have some disadvantages or incur higher deployment costs. Hence, we propose an architecture for cloud-based DDoS traffic scrubbing that defends against DDoS with considerable advantages over other protection services. The properties of our architecture are listed below:

  • The cost is lower than existing ISP-based and cloud-based protection.
  • Preserves user privacy.
  • Protects the origin's IP address from exposure.
  • Verifiable filtering.
  • On-demand filtering.

Overview of cloud-based DDoS traffic scrubbing.