Denial of service denial: New filtering system could protect networks from zombies
September 30, 2009
A way to filter out denial of service attacks on computer networks, including cloud computing systems, could significantly improve security on government, commercial, and educational systems. Such a filter is reported in the Int. J. Information and Computer Security by researchers from Auburn University in Alabama.
Denial of Service (DoS) and distributed Denial of Service (DDoS) attacks involve an attempt to make a computer resource unavailable to its intended users. This may simply be for malicious purposes as is often the case when big commercial or famous web sites undergo a DDoS attack. However, it is also possible to exploit the system's response to such an attack to break system firewalls, access virtual private networks, and to access other private resources. A DoS attack can also be used to affect a complete network or even a whole section of the Internet.
Commonly, an attack involves simply saturating the target machine with external internet requests. In the case of a DDoS attack, the perpetrator recruits other unwitting computers into a network and uses a multitude of machines to mount the attack. The result is that the resource, whether it is a website, an email server, or a database, cannot respond to legitimate traffic in a timely manner and so essentially becomes unavailable to users.
Methods for configuring a network to filter out known DoS attack software and to recognize some of the traffic patterns associated with a mounting DoS attack are available. However, current filters usually rely on the computer being attacked to check whether incoming information requests are legitimate. This consumes its resources and, in the case of a massive DDoS, can compound the problem.
Now, computer engineers John Wu, Tong Liu, Andy Huang, and David Irwin of Auburn University have devised a filter to protect systems against DoS attacks that circumvents this problem by developing a new passive protocol that must be in place at each end of the connection: user and resource.
Their protocol - Identity-Based Privacy-Protected Access Control Filter (IPACF) - blocks threats to the gatekeeping computers, the Authentication Servers (AS), and so allows legitimate users with valid passwords to access private resources.
The user's computer has to present a filter value for the server to do a quick check. The filter value is a one-time secret that needs to be presented with the pseudo ID. The pseudo ID is also one-time use. Attackers cannot forge either of these values correctly and so attack packets are filtered out.
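The server-side quick check described above, sketched as an added example (it is not code from the article or from the IPACF paper). The article does not say how IPACF generates its values, so the HMAC-and-counter derivation, the 8-byte lengths, and the names `derive_pair` and `FilterTable` are assumptions made for illustration.

```python
import hashlib
import hmac


def derive_pair(shared_key, counter):
    """Derive the one-time (pseudo ID, filter value) pair for one round.

    Assumption: HMAC-SHA256 over a per-user shared key and a counter.
    """
    ctr = counter.to_bytes(8, "big")
    pseudo_id = hmac.new(shared_key, b"pid" + ctr, hashlib.sha256).digest()[:8]
    filter_value = hmac.new(shared_key, b"fv" + ctr, hashlib.sha256).digest()[:8]
    return pseudo_id, filter_value


class FilterTable:
    """Pre-filter in front of the authentication server.

    Each packet costs one dictionary lookup and one constant-time compare;
    no per-packet cryptography is done for traffic that fails the lookup.
    """

    def __init__(self):
        self._expected = {}  # pseudo_id -> (filter_value, user, counter)
        self._keys = {}      # user -> shared key (hypothetical enrollment data)

    def enroll(self, user, shared_key):
        self._keys[user] = shared_key
        self._arm(user, 0)

    def _arm(self, user, counter):
        # Precompute the next pair so the check itself stays cheap.
        pid, fv = derive_pair(self._keys[user], counter)
        self._expected[pid] = (fv, user, counter)

    def check(self, pseudo_id, filter_value):
        """Return the user name if the packet passes, else None (drop it)."""
        entry = self._expected.get(pseudo_id)
        if entry is None:
            return None  # unknown or already-used pseudo ID
        fv, user, counter = entry
        if not hmac.compare_digest(fv, filter_value):
            return None  # known pseudo ID, wrong filter value
        del self._expected[pseudo_id]  # both values are one-time use
        self._arm(user, counter + 1)   # now expect the next pair
        return user
```

A replayed packet fails the dictionary lookup because its pseudo ID was retired when the original was accepted, and a failed check leaves the expected pair in place, so junk packets cannot desynchronize a legitimate user.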
One potential drawback of the added layer of information transfer required for checking user requests is that it could add to the resources needed by the server. However, the researchers have tested how well IPACF copes in the face of massive DDoS attacks simulated on a network consisting of 1000 nodes with 10 gigabits per second bandwidth. They found that the server suffers little degradation, negligible added information transfer delay (latency) and minimal extra processor usage even when the 10 Gbps pipe to the authentication server is filled with DoS packets. Indeed, the IPACF takes just 6 nanoseconds to reject a non-legitimate information packet associated with the DoS attack.
More information: "Modelling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPACF) capability to resist massive denial of service attacks" in Int. J. Information and Computer Security, 2009, 3, 195-223
Sep 30, 2009
Rank: 5 / 5 (1)
Also being researched is the most effective method of zombie protection: virtual shotguns.
Oct 01, 2009
Rank: not rated yet
Heard of something like this before for online voting systems. Sounds like a simplified disposable DSA key (SSH), but much faster.
Oct 01, 2009
Rank: not rated yet