Researchers' protocol denies DoS attacks

Engineers at Auburn University in Alabama have developed a filter that could protect government, commercial and educational servers from being attacked
Written by Andrew Nusca, Contributor

Researchers have devised a way to filter out denial-of-service attacks on computer networks, including cloud computing systems, to improve security on government, commercial and educational systems.

Methods exist for configuring a network to filter out known denial-of-service (DoS) and distributed denial-of-service (DDoS) attack software, and for recognising some of the traffic patterns associated with a mounting DoS attack. But current filters usually rely on the computer being attacked to check the legitimacy of incoming information requests, which consumes resources and, in the case of a massive DDoS, compounds the problem.

Computer engineers John Wu, Tong Liu, Andy Huang and David Irwin of Auburn University in Alabama have developed a filter to protect systems against DoS attacks that they say circumvents this problem. How? With the use of a new passive protocol that must be in place at each end of the connection, user and resource.

Their protocol — called Identity-Based Privacy-Protected Access Control Filter, or IPACF — is said to block threats to the gatekeeping authentication servers, allowing legitimate users with valid passwords to access private resources.

It works by allowing a user's computer to present a filter value for the server to do a quick check. The filter value is a one-time secret that must be presented with the pseudo ID, which is also one-time use. Attackers cannot forge either of these values correctly, so attack packets are filtered out.
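As an added illustration (not the researchers' code or the IPACF protocol itself), here is a constructed one-time pseudo-ID and filter-value check of the kind described above: the server's check is a dictionary lookup plus a constant-time MAC comparison, replays and forged filter values are dropped before any costly authentication runs, and the shared key, labels and counter-based derivation are all assumptions.

```python
import hashlib
import hmac

def derive_pair(shared_key: bytes, counter: int) -> tuple[bytes, bytes]:
    # Constructed scheme: pseudo ID and filter value are HMACs of a per-user
    # counter under a shared key, domain-separated so one never reveals the other.
    msg = counter.to_bytes(8, "big")
    pseudo_id = hmac.new(shared_key, b"pseudo-id|" + msg, hashlib.sha256).digest()[:16]
    filter_value = hmac.new(shared_key, b"filter|" + msg, hashlib.sha256).digest()[:16]
    return pseudo_id, filter_value

class FilterServer:
    """Cheap pre-authentication check: one dict lookup plus one MAC compare."""

    def __init__(self):
        self._keys = {}      # user -> shared key
        self._expected = {}  # next pseudo ID -> (user, counter, filter value)

    def register(self, user, shared_key):
        self._keys[user] = shared_key
        self._arm(user, 0)

    def _arm(self, user, counter):
        pid, fv = derive_pair(self._keys[user], counter)
        self._expected[pid] = (user, counter, fv)

    def check(self, pseudo_id, filter_value):
        # Return the user for a valid packet, or None if it should be dropped.
        entry = self._expected.get(pseudo_id)
        if entry is None:
            return None  # unknown or already-consumed pseudo ID
        user, counter, expected_fv = entry
        if not hmac.compare_digest(filter_value, expected_fv):
            return None  # right pseudo ID, forged filter value
        del self._expected[pseudo_id]  # both values are single use
        self._arm(user, counter + 1)   # now expect this user's next pair
        return user

def demo():
    key = b"constructed-shared-key-for-alice"  # constructed sample key
    server = FilterServer()
    server.register("alice", key)
    pid1, fv1 = derive_pair(key, 0)         # client side: first packet
    accepted = server.check(pid1, fv1)      # "alice"
    replayed = server.check(pid1, fv1)      # None: pair already consumed
    pid2, fv2 = derive_pair(key, 1)         # client side: second packet
    forged = server.check(pid2, bytes(16))  # None: filter value not forgeable
    accepted2 = server.check(pid2, fv2)     # "alice": legitimate user unaffected
    return accepted, replayed, forged, accepted2
```

A real deployment would also have to tolerate lost or reordered packets, for example by accepting a small window of upcoming counters, which this sketch leaves out.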

There is a drawback, however. The added layer of information transfer required for checking user requests could take up more resources needed by the server.

The researchers said they have tested how well the protocol manages a massive DDoS attack, simulating one on a network consisting of 1,000 nodes with 10Gbps bandwidth. The result? Little server degradation, negligible latency and minimal extra processor usage — even when the 10Gbps pipe to the authentication server is filled with DoS packets.

The protocol takes six nanoseconds to reject a non-legitimate information packet associated with the DoS attack, according to the researchers. Their results will be published in a forthcoming issue of the International Journal of Information and Computer Security. The protocol was first introduced at a conference in 2007.