Denial of service denial: New filtering system could protect networks from zombies

September 30, 2009

A way to filter out denial of service attacks on computer networks, including cloud computing systems, could significantly improve security on government, commercial, and educational systems. Such a filter is reported in the Int. J. Information and Computer Security by researchers from Auburn University in Alabama.

Denial of Service (DoS) and distributed Denial of Service (DDoS) attacks are attempts to make a computer resource unavailable to its intended users. Often the outage itself is the goal, as when large commercial or well-known web sites are knocked offline. However, an attacker can also exploit how a system behaves while under such an attack to defeat firewalls, reach virtual private networks, and gain access to other private resources. A DoS attack can also be used to degrade a whole network or even an entire section of the Internet.

Commonly, an attack involves simply saturating the target machine with external Internet requests. In a DDoS attack the perpetrator recruits unwitting computers (the "zombies" of the headline) into a network under the attacker's control and uses that multitude of machines to mount the attack. The result is that the resource, whether a website, an email server, or a database, cannot respond to legitimate requests in a timely manner and so effectively becomes unavailable to its users.

Methods for configuring a network to filter out known DoS attack software and to recognize some of the traffic patterns associated with a mounting DoS attack are available. However, current filters usually rely on the computer being attacked to check whether incoming requests are legitimate. That check consumes the target's own resources, and in the case of a massive DDoS it can compound the problem.

Now, computer engineers John Wu, Tong Liu, Andy Huang, and David Irwin of Auburn University have devised a filter to protect systems against DoS attacks that sidesteps this problem with a new passive protocol that must be in place at both ends of the connection: the user's machine and the resource.

Their protocol - Identity-Based Privacy-Protected Access Control Filter (IPACF) - blocks threats to the gatekeeping computers, the Authentication Servers (AS), and so allows legitimate users with valid passwords to access private resources.

The user's computer must present a filter value that the server can check quickly. The filter value is a one-time secret, presented together with a pseudo ID that is itself used only once. An attacker cannot forge either value correctly, so attack packets are filtered out; and because both values are single-use, a packet captured from a legitimate user is of no use to an attacker who replays it.
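The article does not give the IPACF construction itself, so the following is an added illustration rather than the authors' protocol: a Python sketch of a two-sided filter in which each packet carries a one-time pseudo ID and a one-time filter value, and the server drops any unknown packet with a single table lookup before doing any cryptography at all. The shared per-user key, the HMAC-SHA256 derivation, the 16-byte field sizes and the loss-tolerance window of four packets are all assumptions made for this example.

```python
import hashlib
import hmac
import os

PID_LEN = 16  # bytes of pseudo-ID on the wire (assumption)
FV_LEN = 16   # bytes of filter value on the wire (assumption)
WINDOW = 4    # future pseudo-IDs kept per user to tolerate packet loss (assumption)


def _counter_bytes(counter: int) -> bytes:
    return counter.to_bytes(8, "big")


def pseudo_id(key: bytes, counter: int) -> bytes:
    """One-time pseudo-ID for this packet counter; unpredictable without the key."""
    return hmac.new(key, b"pid" + _counter_bytes(counter), hashlib.sha256).digest()[:PID_LEN]


def filter_value(key: bytes, counter: int, pid: bytes) -> bytes:
    """One-time filter value bound to the same counter and pseudo-ID."""
    return hmac.new(key, b"fv" + _counter_bytes(counter) + pid, hashlib.sha256).digest()[:FV_LEN]


class Client:
    """User side: emits packets laid out as pseudo-ID || filter value || payload."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def next_packet(self, payload: bytes) -> bytes:
        pid = pseudo_id(self.key, self.counter)
        fv = filter_value(self.key, self.counter, pid)
        self.counter += 1
        return pid + fv + payload


class Filter:
    """Resource side: cheap table lookup first, HMAC check second, no state kept for strangers."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.next_counter: dict[str, int] = {}
        self.table: dict[bytes, tuple[str, int]] = {}  # expected pseudo-ID -> (user, counter)

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key
        self.next_counter[user] = 0
        self._refill(user)

    def _refill(self, user: str) -> None:
        base = self.next_counter[user]
        for c in range(base, base + WINDOW):
            self.table[pseudo_id(self.keys[user], c)] = (user, c)

    def check(self, packet: bytes):
        """Return (user, payload) for a legitimate packet, None for anything to drop."""
        if len(packet) < PID_LEN + FV_LEN:
            return None
        pid = packet[:PID_LEN]
        fv = packet[PID_LEN:PID_LEN + FV_LEN]
        payload = packet[PID_LEN + FV_LEN:]
        entry = self.table.get(pid)  # step 1: unknown pseudo-ID -> drop, no crypto done
        if entry is None:
            return None
        user, c = entry
        key = self.keys[user]
        if not hmac.compare_digest(fv, filter_value(key, c, pid)):
            return None  # step 2: wrong filter value -> drop; the pseudo-ID is not consumed
        # Accept: retire this and every older pseudo-ID, then extend the window.
        for old in range(self.next_counter[user], c + 1):
            self.table.pop(pseudo_id(key, old), None)
        self.next_counter[user] = c + 1
        self._refill(user)
        return user, payload


def demo() -> dict[str, bool]:
    """Constructed run: legitimate traffic, a replay, a random flood, a forged filter value, loss."""
    key = os.urandom(32)  # shared secret established out of band (assumption)
    server = Filter()
    server.enroll("alice", key)
    alice = Client(key)
    results = {}
    p1 = alice.next_packet(b"hello")
    p2 = alice.next_packet(b"world")
    results["legit_p1"] = server.check(p1) == ("alice", b"hello")
    results["legit_p2"] = server.check(p2) == ("alice", b"world")
    results["replay_p2_dropped"] = server.check(p2) is None
    results["flood_dropped"] = all(server.check(os.urandom(64)) is None for _ in range(1000))
    p3 = alice.next_packet(b"third")
    forged = p3[:PID_LEN] + bytes(FV_LEN) + b"evil"  # even a leaked pseudo-ID needs the filter value
    results["forged_fv_dropped"] = server.check(forged) is None
    results["legit_after_forgery"] = server.check(p3) == ("alice", b"third")
    alice.next_packet(b"lost")  # one packet lost in transit
    results["one_loss_ok"] = server.check(alice.next_packet(b"after-loss")) == ("alice", b"after-loss")
    for _ in range(WINDOW):
        alice.next_packet(b"lost")  # too many losses: client falls outside the window
    results["beyond_window_dropped"] = server.check(alice.next_packet(b"too far")) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside `check` is the point: a flood of packets from machines that never enrolled costs the server one dictionary lookup each, and the HMAC is only computed for packets that already carry a pseudo ID the server was expecting. A wrong filter value deliberately does not retire the pseudo ID, so an on-path attacker who races a legitimate packet with a corrupted copy cannot lock the real user out.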

One potential drawback of the added layer of information transfer required for checking user requests is that it could add to the resources needed by the server. However, the researchers tested how well IPACF copes with a massive DDoS attack simulated on a network of 1000 nodes with 10 gigabits per second of bandwidth. They found that the server suffers little degradation, negligible added transfer delay (latency), and minimal extra processor usage even when the 10 Gbps pipe to the authentication server is filled with DoS packets. Indeed, in the simulation IPACF takes just 6 nanoseconds to reject an illegitimate packet belonging to the DoS attack.

More information: "Modelling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPACF) capability to resist massive attacks" in Int. J. Information and Computer Security, 2009, 3, 195-223

Source: Inderscience Publishers


  • danman5000 - Sep 30, 2009
    Sounds pretty fancy and very effective for the negligible amount of resources it consumes. I want!
    New filtering system could protect networks from zombies

    Also being researched is the most effective method of zombie protection: virtual shotguns.
  • Arikin - Oct 01, 2009
    Wonder how long it will take the makers of dedicated firewall devices to implement this?

    Heard of something like this before for online voting systems. Sounds like a simplified disposable DSA key (SSH) but, much faster.
  • el_gramador - Oct 01, 2009
    This actually sounds clever. The speed seems interesting too. Wonder how it filters so accurately?
