A Method for Enhancing Network Security of the Transport Layer by Leveraging the Lightweight Chain Verification

Abstract

The transport layer is a key component in network protocol stack, which is responsible for providing end-to-end services for applications between different end hosts on the Internet. Existing transport layer protocols such as TCP provide users with some basic protections, e.g., error controls and acknowledgements, which ensures the consistency of user datagram to a certain extent. However, these basic protections are not adequate to defend various attacks on the Internet. For example, the sequence number of TCP segments is easy to be guessed and inferred, and the calculation of the datagram’s checksum depends on the vulnerable one’s complement sum. As a result, the existing transport layer security mechanisms cannot guarantee the integrity and security of the datagram transferred on the Internet, which allows a remote attacker to craft a fake datagram and inject it into the target network stream, thus poisoning the target network stream. The attack against the transport layer occurs at the basic layers of the network protocol stack, which can bypass the security mechanisms enforced at the upper application layer (e.g., user name and password) and thus cause serious damages to the network infrastructure. In this paper, after investigating various prior attacks over network protocols and the related security vulnerabilities, we propose a security mechanism LightCTL based on the lightweight chain verification, which can be deployed at the transport layer to guarantee the integrity of the datagram transferred on the Internet. Based on the hash verification, LightCTL enables both peers of a TCP connection to create a verifiable consensus on transport layer datagrams, so as to prevent attackers from stealing and forging sensitive information. As a result, LightCTL can successfully foil various attacks against network protocol stack, including TCP connection reset attacks based on sequence number inferring, TCP hijacking attacks, SYN flooding attacks, Man-in-The-Middle attacks, replay attacks. Besides, LightCTL does not need to modify the protocol stack of intermediate network devices such as routers. It only needs to modify the checksum and the related parts of the end hosts’ protocol stack. Therefore, LightCTL is easy to be deployed in the real world and significantly improves the security of networks.