An Anti-DoS Attacks Protocol for Satellite Networks
——Take COMPASS for Instance
HAO Xuan-wen (1), MA Jian-feng (2)
1, First Author, Xidian University, China, [email protected]
2, Xidian University, China, [email protected]
Abstract
As a new and wireless mobile network, satellite network is often exposed to different kinds of attacks. The forms of DoS attacks in COMPASS satellite network are described. It is pointed out that the technology used to prevent DoS attacks in terrestrial network is not suitable for COMPASS satellite network. We also analyzed the necessity of preventing DoS attacks in COMPASS satellite network, and proposed a security protocol named ADAPC which can prevent DoS attacks and is suitable for COMPASS satellite network. Then the details of ADAPC’s principles have been introduced. Besides, ADAPC protocol has been evaluated through simulation experiment and the security of it is analyzed. The result shows that ADAPC protocol can prevent DoS attacks efficiently in COMPASS satellite network.
Keywords: Satellite Networks, DoS, Attack, Protocol, COMPASS.
1. Introduction
With the fast development and application of space technology, more and more satellites have been set in space. Therefore, communication area has been greatly enlarged. Modern satellite system has developed from a single satellite to satellite network with satellites distributed according to certain constellation rules. As a new and wireless mobile network, satellite network is often exposed to different kinds of attacks. For example, it may suffer from being wiretapped. Some messages may be forged, and it also may suffer from denial of service[1-4].
China has been building the double-satellite navigation system “Beidou the First” since 1994. “Beidou the First”, with its double-satellite positioning system, was an experimental system at the very beginning, but it could not meet the flight demands in civil aviation terminals, especially the precision approach requirement. Then, China began to build the satellite navigation system COMPASS in 2006. The process of building COMPASS consists of two phases. The first phase involves building regional satellite navigation system, which comprises five GEO satellites, four IGSO satellites and three MEO satellites. The system will cover China and its surrounding areas and provide regional navigation positioning service. In the second phase, a global navigation satellite system will be built which involves five GEO satellites and thirty MEO satellites. The system aims to cover the whole globe and provide navigation positioning and communication service[5].
COMPASS, independently researched and developed by China, will cover the whole globe in 2020 and will provide high-quality service for its users for free and offer an important platform for the development of Chinese economy. As a basic construction project in China, the system will be used in military and civilian navigation, mapping, communication, water conservancy, disaster reduction, maritime affairs, transportation, exploration, forest fire prevention and other areas. When users are provided with positioning, navigation and time service, the service can not break down, just as with the water and electricity service. The system is closely related to people's lives when it is used in aviation; when it is used in electricity, communication and finance areas, it is tightly connected to economy and public security. Besides, when it is used by the public, it plays a significant role in public security. Therefore, a satellite navigation system which promises reliable service must adopt many measures to ensure its proper operation. If a satellite network is not reliable enough, the maintenance costs will be high, which may become an unbearable burden for economic powers. So, much more attention must be paid to the service quality of the system.
The possible DoS attacks in COMPASS are described. Then, based on the analysis of the traditional anti-DoS technique in terrestrial network, it can be concluded that the traditional technique can not be used in COMPASS. Then, an anti-DoS attacks protocol suitable for COMPASS is proposed. In the end, this paper focuses on the performance simulation and the security analysis of the protocol.
2. DoS Attack and COMPASS
2.1 DoS Attack
DoS stands for Denial of Service. An action that causes a denial of service is called a DoS attack. A DoS attack aims at preventing computers and networks from providing normal service. Network bandwidth attacks and connectivity attacks are the main types of DoS attack. A DoS attack intends to prevent legitimate users from using authorized service. Computer Emergency Response Team (CERT)[6] has divided DoS attacks into three types. The first type of attack consumes those rare, limited and non-renewable resources. The second type destroys or alters configuration information. The third type can cause physical damage to the network or alter network elements.
2.2 COMPASS
COMPASS (figure 1) consists of communications satellites, network control center (NCC) and satellite terminal (ST).
Communications satellites include five GEO (Geosynchronous Earth Orbit) satellites and thirty Non-GEO satellites. Non-GEO satellites mainly include MEO (Medium Earth Orbit) satellites.
NCC in COMPASS consists of master control station, orbit measurement station, altimeter station, uplink earth station and computing center. It is mainly used to measure and correct navigation positioning parameters so as to adjust satellites’ orbits and posture and to prepare ephemeris.
Clients comprise COMPASS’ user terminals and other terminals compatible with GNSS. Clients are the equipment directly used by users and they are mainly used to receive distance signals transmitted by satellites from NCC. Different from the American GPS satellite navigation system, COMPASS has a feature that user machines can communicate through short messages via satellites.
Figure 1. COMPASS Satellite Network
2.3 DoS Attacks in COMPASS Satellite Network
This paper focuses only on the first type of DoS attacks identified by CERT, as it applies to COMPASS satellite network. The following attack situations are considered.
When COMPASS is in operation, NCC needs to send interrogation signals to satellites, and the satellites will transmit the signals to users. Then users need to respond to the interrogation signals. When communicating through short messages, user machines need to send the short messages to other users through satellite transponder. Malicious users can submit many fake requests so as to use the valuable resources on satellites and NCC resources (figure 2). The simple solution to malicious use of the resources on satellites and NCC resources is to use the strong authentication program inserted in satellites' access-control system to control visits. But this solution still can not prevent users from submitting a large number of fake request messages to carry out DoS attack. Since every request needs to be authenticated, the central processing unit (CPU) of the satellites or the central processing unit of NCC will perform lots of encryption and decryption operations. Besides, storing the state information of the protocol will occupy part of the space of the memory device, and the large number of fake requests will cause high occupancy rate in CPU of satellites and occupy large storage space of satellites. Therefore, legitimate user requests may be delayed or abandoned.
Figure 2. Example for DoS Attack in COMPASS Satellite Network
3. The Security Requirements of Anti-DoS Attack of COMPASS Satellite Network
3.1 The Solution to DoS Attack in Terrestrial Network
At present, many anti-DoS attack protocols in authentication protocol designed for terrestrial network Mesh are based on anti-congestion technique. The anti-congestion technique employs weak authentication, which is prior to real authentication with the aim to find out the original address of fake application from attackers. In the weak authentication phase, the server will send messages to the original address provided by each application and the messages will be used in the real authentication phase. But attackers can not receive the messages from the server due to their fake addresses. Therefore, the solution can prevent those attackers from consuming the resources on the server in the real authentication phase.
In Internet Protocol Security (IPSec)[7], the framework that defines key exchange and SA (Security Association) is named Internet Security Association and Key Management Protocol, or ISAKMP. ISAKMP adopts the mechanism of selecting from all the peer entities and SA to resist DoS attacks. The protocol, based on anti-congestion technique, exchanges the weak authentication message cookie before it initializes any resources for strong verification and before the connection of C/S[8]. Cookie is produced by every communication entity with some specific characteristics to achieve fast and valid exchange. The exchange will verify the authenticity of the IP address of clients. Clients send a cookie to the server. After the server receives the cookie, the server will send another cookie which will not verify the address of the clients to the IP address provided by the clients. The server will reply to all the cookies including the one from the server and send message to the address of the clients. Then, the fake address provided by attackers can not receive cookies from the server.
If an application contains fake address, the server will not receive any message including the cookies from the client and the server from the third party. Therefore, the malicious attack with fake address will fail. Only the applications from legitimate users can reach the server. Besides, the calculation through cookie from the server is based on Hash function, and the rate of utilization of CPU is low. CPU will not carry out intensive computing to perform strong authentication before the exchange of cookies. And no key will be produced and resource reservation will not occur before the exchange of cookies. Every ISAKMP message, containing cookies in pairs, is produced by initiators and responders based on anti-congestion technique.
3.2 The Shortcoming of the Above-mentioned Anti-DoS Technique in Satellite Network
In COMPASS, the control and management of network is conducted by NCC. NCC is in charge of data plane and some management functions such as the management of satellite system address. Satellite terminals (ST) send control message similar to link request to satellite or NCC. Then this kind of messages can be transmitted through data transmission protocol like unidirectional link routing (UDLR) via satellite. The anti-DoS attack technique used in terrestrial network is not suitable for COMPASS satellite network because the weak authentication mechanism used to select fake application is invalid in satellite network due to the broadcast segmentation capability of satellite network[9]. Because of broadcast medium, attackers can receive all the satellite broadcast messages including the replying message sent to fake address in the weak authentication phase. Then, the anti-congestion technique used in terrestrial network can not be used in COMPASS network.
3.3 The Security Requirement of Preventing DoS Attack in COMPASS Satellite Network
The anti-congestion technique is not suitable for COMPASS network due to two reasons. The first one is the broadcast feature of satellite communication. Due to the broadcast feature of satellite communication, every terminal can receive all the messages from the server. The anti-congestion technique based on cookie exchange is invalid because attackers can receive the cookies from the server and the source simulation of the attackers and then the attackers can fake different sources to reply to the expected weak authentication messages. The method of sifting out fake address is perfect in Mesh network, but it is invalid in satellite network with broadcast medium. In addition, the time from one terminal to another is the second reason. The long delay in satellite network also prevents the use of anti-congestion technique. The delay from one GEO satellite to another is about 300ms. The delay from one MEO satellite to another is about 110ms to 130ms. Extra delay may be caused by the three additional messages in satellite protocol in the anti-congestion phase, which is the biggest obstacle in the application of the technique.
4. Anti-DoS Attacks Protocol for COMPASS (ADAPC)
4.1 Certificate Application
In ADAPC, there is one and only one identification for each terminal of different COMPASS satellites, such as the MAC address or the IP address of each terminal. Every COMPASS satellite terminal STi needs NCC identification authentication before it joins COMPASS satellite network. Only when it passes authentication can it receive a certificate.
The form of the certificate STi gets from NCC is as follows.
CertSTi = [IPSTi, KSTi+, Time, KNCCSTi, Pov] KNCC-
IPSTi stands for the IP address of terminal STi; KSTi+ stands for the public key of terminal STi. Time is the founding time of the certificate. KNCCSTi is the key shared by STi and NCC, and the key will be synchronized to the corresponding terminal coverage satellite by NCC. Pov indicates the validity period of the certificate. KNCC-, the private key of NCC, is used to sign all the messages. All the exchanging messages between satellite terminals STi will be authenticated by the above-mentioned certificate.
4.2 Sending Message
At the initial state, every terminal and NCC share a key pre-calculated by NCC. In COMPASS satellite network, when BeiDou Time (BDT) traces to coordinated universal time (UTC), the time deviation between BDT and UTC is less than 100 ns. NCC needs to demarcate revised interval Tj, and refer to BDT and use the present time of broadcast Nj to carry out replay detection[10,11].
The message structure sent by STi at time Tj is shown in figure 3.
Figure 3. Message Structure
IPSTi stands for the IP address of COMPASS satellite terminal STi, and it is the only address of every ST.
Seq indicates the sequence number of the message sent by ST, and its initial value equals the present time Nj of the present interval Tj.
h indicates a hash function, such as MD5 or SHA1. MAC stands for a keyed hash such as HMAC.
KNCCSTi indicates the key shared by STi and NCC. Then, there is KNCCSTi=MAC(KNCC,IPSTi). KNCC stands for the key known only by NCC.
M indicates the effective load of the message sent by ST.
4.3 Message Detection
The process of message detection is shown as follows.
Req = {IPSTi, Seq, h(M), MAC(KNCCSTi, Seq|h(M)), M}
If Req.IPSTi Not In IPTable
    If Req.Seq <> Nj
        Reject
    Else
        Compute KNCCSTi = MAC(KNCC, IPSTi)
        Compute MAC(KNCCSTi, Seq|h(M))
        If MAC(KNCCSTi, Seq|h(M)) <> Req.MAC(KNCCSTi, Seq|h(M))
            Reject
        Else
            Compute h(M)
            If h(M) <> Req.h(M)
                Reject
            Else
                Add {IPSTi, KNCCSTi, Seq} to IPTable
                Accept
If Req.IPSTi In IPTable
    If Req.Seq <= Seqi
        Reject
    Else
        Compute MAC(KNCCSTi, Seq|h(M))
        If MAC(KNCCSTi, Seq|h(M)) <> Req.MAC(KNCCSTi, Seq|h(M))
            Reject
        Else
            Compute h(M)
            If h(M) <> Req.h(M)
                Reject
            Else
                Replace Seqi = Req.Seq
                Accept
If the terminal coverage satellite in COMPASS network receives a request sent by satellite terminal STi within interval Tj, the terminal coverage satellite will check if the Seq equals the real present time Nj. Then the coverage satellite will use the sign IPSTi from the request message set to calculate shared key KNCCSTi. To test the authenticity of the request, the terminal coverage satellite will use h(M) from message header to calculate MAC(KNCCSTi,Seq|h(M)). If the calculation value matches the value from message header, the terminal coverage satellite will check the integrity of the message through further evaluating the hash value of the useful load and comparing the hash value and the corresponding value from the message.
At the beginning of interval detection, let the present time be Nj. When terminal coverage satellite receives or succeeds in checking up the first request sent by legitimate ST, it will keep some information of the request in certification form and reset the message at the initial phase of every interval. The certification form of every Beidou satellite terminal within interval Tj includes IPSTi, the identification of ST, KNCCSTi, the key of ST, and Nj, the initial sequence number of the message which equals present time.
When the terminal coverage satellite receives a request from a terminal added to the ST serial number “seq” list before, it will check up if the sequence number sent by ST is bigger than the sequence number on the list. If the message is authenticated, a new sequence number will replace the old one. Because attackers can not submit valid request, when the request is under eavesdropping, replay attack can not be conducted within the same interval, since the sequence number of every message keeps changing.
If the value of the shared key KNCCSTi is already on the list, it is unnecessary for the terminal coverage satellite to calculate the value of the shared key. Then the use of the satellite CPU will be optimized. If the shared key is already on the list, the terminal coverage satellite can distribute necessary resources to every dynamic list which is initialized at the beginning of every interval. And searching for dynamic list will take less time than recalculating through MAC algorithm.
During the above-mentioned two procedures, those control messages that contain something obviously contradictory are allowed to be abandoned. Once the request sent by ST passes the two testing procedures, the terminal coverage satellite will deal with the request and distribute necessary communication resources to it.
4.4 Certificate Revocation
When one terminal has suffered from malicious attacks, or has a breakdown or is captured, its certificate needs to be revoked. Then NCC will send broadcast message and the certificate revocation message to other terminals registered with NCC through terminal coverage satellite[12,13].
Assuming that CertSTi is the revoked certificate, the revocation broadcast message is NCC→ Broadcast: [Revoke,CertSTi] KNCC-.
Any terminal that receives this revocation message will save it until it is overdue.
5. The Simulation and Security Analysis of ADAPC Protocol
5.1 The Simulation Analysis of ADAPC Protocol
(1) Simulation Configuration
To test the efficiency of ADAPC protocol, we set up the configuration of the first group of space chip as table 1, and the serial number is 1. The configuration of the second group of space chip is as table 1, and the serial number is 2.
Table 1. Number of verified packets
Serial Number    Space Chip
1                CPU: P4 2.8GHz, RAM: 1GB
2                CPU: Core 2.93GHz, RAM: 2GB
The first group of space chip is as follows. The CPU is Pentium Ⅳ 2.8GHz. RAM is 1GB. The second group is as follows. The CPU is Core Duo 2.93GHz, and RAM is 2GB. OpenSSL software is used. The size of message is 500 bites. MAC calculation involves HMAC engine. Hash function adopts MD5 algorithm.
(2) The Simulation Result
The simulation result is shown in figure 4 and figure 5.
Figure 4 shows the number of datagrams verified within one second in the two different verification operations conducted by the ADAPC protocol, which is the anti-DoS protocol suitable for COMPASS, with two different types of configuration of space chip. It is clear that with the first group of space chip, the average number of datagrams verified within one second in the MAC(M) operation is about 263000 while the average number tested in the MAC(h(M)) operation is about 385000. With the second group of space chip, the number tested in the MAC(M) operation is about 526000 while the number grows to 890000 in the MAC(h(M)) operation. Therefore, it can be concluded that the higher the configuration of the space chip is, the more datagrams will be verified within one second.
Figure 5 shows the utility rate of the CPU when the ADAPC protocol, which is the anti-DoS protocol suitable for COMPASS, performs verification under DoS attacks with two different types of configuration of space chip. It can be seen that with the first group of space chip, the utility rate of the CPU under DoS attacks is about 1.12% in the MAC(M) operation while the utility rate is about 0.78% in the MAC(h(M)) operation. With the second group of space chip, the utility rate of the CPU under DoS attack is about 0.64% in the MAC(M) operation while the utility rate is about 0.37% in the MAC(h(M)) operation. With the advance of the configuration of the space chip, the utility rate of the CPU conducting the verification operation has greatly decreased.
Through the verification of the performance simulation, it can be seen that the ADAPC protocol we propose is very suitable for the to-be-finished COMPASS satellite network.
Figure 5. CPU Usage of Compute MAC(M) and MAC(h(M)) in DoS Attack
5.2 The Security Analysis of ADAPC Protocol
In COMPASS satellite network, because of the key KNCCSTi shared by STi, terminal coverage satellite and NCC, attackers can not send valid requests.
For replay attack, legitimate replay request within certain interval should be taken into consideration. Since there are differences between the value of present time and the value of the time for replay request, this kind of replay attacks can be easily discovered by terminal coverage satellites. Meanwhile, the attacks which intend to replace or falsify the useful load of legitimate request will not succeed, because it will be detected in the second phase of detection.
For COMPASS satellite network, it is almost not feasible to intercept message from uplink. Therefore, attackers can only intercept the request from legitimate terminal from downlink. For example, in GEO satellite network, the delay from one terminal to another is about 300ms. In MEO satellite network, the delay from one terminal to another is about 110-130ms. Then, if the interval is set shorter than the delay from one terminal to another, and different time is used in every interval, attackers can not perform replay attack successfully.
6. Conclusion
For COMPASS satellite navigation network, DoS attack must be taken into consideration. The anti-DoS attack technique adopted in Mesh network uses the anti-congestion technique which is based on the exchange of cookies. In order to sift out the requests with fake address, satellites must send replies containing cookies to the address provided by all the requests. But this method is invalid in satellite network to resist DoS attacks due to the broadcast features of satellite network. Attackers can continue to use correct cookies to send fake messages. The ADAPC protocol we propose can be used in COMPASS satellite network to resist DoS attacks. The protocol adopts revised interval, present time and the key shared by STi, satellites and NCC, so attackers can not send valid requests, nor can they perform valid replay attacks. Even if attackers manage to control a big part of the bandwidth of COMPASS satellite links, they can only use a small amount of resources of NCC or terminal coverage satellites.
Acknowledgement
This paper was supported by the Chinese National Natural Science Foundation (61100239, 61179190,60872041), the Fundamental Research Funds for the Central Universities (JY10000970009).
REFERENCES
[1] N. Ahmed, S. S. Kanhere, and S. Jha. Intrusion Detection techniques for mobile wireless networks, mobile computing and communications Review, IEEE Press : 2005 ,9(2). 418.
[2] Khusvinder Gill and Shuang-Hua Yang. A Scheme for Preventing Denial of Service Attacks on Wireless Sensor Networks[A]. Industrial Electronics, 2009[C]. IEEE Press: 2009. 2603-2609.
[3] LIU Wen-tao. Research on DoS Attack and Detection Programming[A]. Intelligent Information Technology Application, 2009[C]. IEEE Press: 2009(1). 207-210.
[4] Okada, Y.; Nishikawa and Y.; Sato, N. DoS attack countermeasures in NGN using private security policy[A]. Information and Telecommunication Technologies (APSITT)[C]. IEEE Press :2010.1- 6.
[5] TAN Shu-sen. Development and Thought of Compass Navigation Satellite System [J]. Journal of Astronautics,2008,29(2): 391-396.
[6] CERT Coordination Center. Denial of Service attacks[EB/OL]. February 1999, http://www.cert.org/tech_tips/denial_of_service.html.
[7] R.Atkinson. Security Architecture for the Internet Protocol[EB/OL]. RFC1825, August 1995, http://www.hjp.at/doc/rfc/rfc2401.html.
[8] R.Molva. Internet Security Architecture[J].Computer Networks:The International Journal of Computer and Tele communications Networking, 1999,(31)9.787–804.
[9] CHENG Xi-jun, CAO Ke-jin, Xu Jiangning et al. Analysis on the Feasibility of Denial of Service of GPS Receivers Based on Hidden Messages[A]. 2009 Fourth International Conference on Computer Sciences and Convergence Information Technology[C]. IEEE Press: 2009. 363-368.
[10] Hao Xuan-wen, Ma Jian-feng, Liu Xiao-yue. A novel efficient broadcast algorithm for space information network. Journal of JDCTA. 2012,3(6):98-107.
[11] Hao Xuan-wen,Ma Jian-feng,Liu Xiao-yue. An Anti-Damage Secure Routing Protocol in Space Information Network[J]. Journal of Wuhan University(Natural Science Edition), 2011,05(10):413-418.
[12] LIU Xiao-yue,MA Jian-feng,HAO Xuan-wen. “A Self-adapting Traffic Class Routing in LEO/MEO Satellite Networks”, Journal of JCIT,vol.6,no.10, pp.155-163,2011.
[13] LIU Xiao-yue, TIAN You-liang, MA Jian-feng, XIAO Zhu. “Special Publicly Verifiable Secret Sharing Scheme for LEO Satellite Networks”, Journal of JDCTA,vol.5, no.11, pp.378-384,2011.