Conference: International Conference on System Reliability and Safety

A Reliable Lightweight Communication Method via Chain Verification


Abstract

Compared with TCP, UDP is a lightweight transport layer protocol that provides concise and efficient services for upper-layer applications, e.g., DNS, DHCP, and SNMP. However, UDP is unreliable, and considerable exploits against UDP-based applications have been discovered in recent years, e.g., DNS cache poisoning and traffic interception. The essence of these exploits is to inject a malicious UDP segment into the benign data stream, thus poisoning the upper-layer application. After analyzing the typical threats to the UDP protocol, we propose in this paper a reliable lightweight communication method that can verify all segments in a UDP session and mitigate the injection of forged segments by a malicious attacker. The method strengthens the checksum mechanism of the UDP protocol and introduces only a few modifications to the UDP specification on end hosts, without any modification to network devices, i.e., routers or switches. The method preserves UDP's lightweight nature while improving its reliability. We implemented the method in Linux 4.14, and the experimental results show that it effectively mitigates the typical threats to UDP-based applications, while the performance loss it introduces compared with native UDP is less than 2% on average.
