
Researchers devise way to deny denial-of-service attacks

By Andrew Nusca | September 30, 2009, 1:10pm PDT

Summary: Researchers say they have devised a way to filter out denial of service attacks on computer networks, including cloud computing systems, improving security on government, commercial, and educational systems.

Methods do exist for configuring a network to filter out known denial of service (DoS) and distributed denial of service (DDoS) attack software and to recognize some of the traffic patterns associated with a mounting DoS attack.

But current filters usually rely on the computer being attacked to check the legitimacy of incoming information requests, consuming resources and, in the case of a massive DDoS, compounding the problem.

Computer engineers John Wu, Tong Liu, Andy Huang and David Irwin of Auburn University have developed a filter to protect systems against DoS attacks that they say circumvents this problem.

How? With a new passive protocol that must be in place at both ends of the connection, the user and the resource.

Their protocol, called “Identity-Based Privacy-Protected Access Control Filter,” or IPACF, is said to block threats to the gatekeeping Authentication Servers, allowing legitimate users with valid passwords to access private resources.

Here’s how it works:

The user’s computer presents a filter value that the server can check quickly. The filter value is a one-time secret, and it is presented together with a pseudo ID that is also good for one use only. An attacker cannot forge either value correctly, so attack packets are filtered out before they reach the authentication server.
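To make that front-door check concrete, here is an added Python sketch of the idea described above. It is not the Auburn team's IPACF code: the construction (HMAC-SHA256 over a per-user shared secret and a request counter, 16-byte values, a single dictionary lookup on the server) is an assumption made for illustration. What it shows is the property the article relies on: every request carries a fresh pseudo-ID and filter value, the server's test for a forged or replayed packet costs the same however many packets the attacker sends, and nothing expensive runs until that test passes.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

TAG_LEN = 16  # bytes of pseudo-ID and of filter value carried in each packet


def derive(secret: bytes, counter: int) -> tuple[bytes, bytes]:
    """Derive the one-time (pseudo_id, filter_value) pair for request number `counter`.

    Assumed construction (not the paper's): HMAC-SHA256 over a shared per-user
    secret and the request counter, with distinct labels so the two values are
    independent. Without `secret` neither value can be predicted, so an
    attacker cannot forge a packet that survives the server's lookup.
    """
    ctr = counter.to_bytes(8, "big")
    pseudo_id = hmac.new(secret, b"pseudo-id" + ctr, hashlib.sha256).digest()[:TAG_LEN]
    filter_value = hmac.new(secret, b"filter" + ctr, hashlib.sha256).digest()[:TAG_LEN]
    return pseudo_id, filter_value


@dataclass
class Client:
    user: str
    secret: bytes  # shared with the server when the user first authenticated
    counter: int = 0

    def next_packet(self, payload: bytes) -> bytes:
        """Build one request as pseudo-ID || filter value || payload, then advance."""
        pseudo_id, filter_value = derive(self.secret, self.counter)
        self.counter += 1
        return pseudo_id + filter_value + payload


class Server:
    def __init__(self) -> None:
        # pseudo_id -> (user, secret, counter, expected filter value)
        self.expected: dict[bytes, tuple[str, bytes, int, bytes]] = {}
        self.stats = {"accepted": 0, "rejected": 0}

    def register(self, user: str, secret: bytes, counter: int = 0) -> None:
        """Precompute the next pseudo-ID this user will present."""
        pseudo_id, filter_value = derive(secret, counter)
        self.expected[pseudo_id] = (user, secret, counter, filter_value)

    def filter(self, packet: bytes):
        """Cheap front-door check. Returns (user, payload) or None.

        A bogus packet costs one dictionary lookup on 16 bytes: no password
        check, no database hit, no signature verification. That is the point
        of filtering before the authentication server sees the request.
        """
        if len(packet) < 2 * TAG_LEN:
            self.stats["rejected"] += 1
            return None
        pseudo_id, filter_value = packet[:TAG_LEN], packet[TAG_LEN:2 * TAG_LEN]
        entry = self.expected.get(pseudo_id)
        if entry is None:
            self.stats["rejected"] += 1
            return None
        user, secret, counter, expected_filter = entry
        if not hmac.compare_digest(filter_value, expected_filter):
            # Known pseudo-ID but wrong filter value: reject, but do not burn
            # the pseudo-ID, so a guesser cannot lock the real user out.
            self.stats["rejected"] += 1
            return None
        # Accepted: consume this pseudo-ID (one-time use) and pre-register the next.
        del self.expected[pseudo_id]
        self.register(user, secret, counter + 1)
        self.stats["accepted"] += 1
        return user, packet[2 * TAG_LEN:]


def run_demo(n_forged: int = 10_000) -> dict:
    """Constructed scenario: one legitimate user, one replay and a flood of forged packets."""
    secret = secrets.token_bytes(32)
    server = Server()
    server.register("alice", secret)
    alice = Client("alice", secret)

    results = {}
    p1 = alice.next_packet(b"GET /private/report")
    results["legit_1"] = server.filter(p1) == ("alice", b"GET /private/report")
    results["replay"] = server.filter(p1) is None          # pseudo-ID already consumed
    p2 = alice.next_packet(b"GET /private/report")
    results["legit_2"] = server.filter(p2) is not None     # next one-time pair works
    flood = (os.urandom(2 * TAG_LEN) + b"junk" for _ in range(n_forged))
    results["forged_rejected"] = sum(server.filter(p) is None for p in flood)
    results["stats"] = dict(server.stats)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Run it and the flood of random packets is rejected without touching any per-user state, while the legitimate user's second request, built from the next one-time pair, still gets through. Two things a deployment would have to handle that the sketch leaves out: the client and server counters must stay in step, so a lost packet needs a resynchronisation window, and the shared secret itself still has to be established through the normal authentication path that this filter is protecting.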

There is a drawback. The extra exchange needed to check each request consumes some server resources of its own.

The researchers say they have tested how well the protocol holds up under a massive DDoS attack, simulating one on a network of 1000 nodes with 10 Gbps of bandwidth. The result? Little server degradation, negligible latency and minimal extra processor usage, even when the 10 Gbps pipe to the authentication server is saturated with DoS packets.

The protocol takes 6 nanoseconds to reject a non-legitimate information packet associated with the DoS attack, the researchers said.

Their results will be published in a forthcoming issue of the International Journal of Information and Computer Security.

The protocol was first introduced at a conference in 2007.

Andrew J. Nusca is associate editor of ZDNet and editor of SmartPlanet.

7 Comments

How about a real-world test?
Eriamjh 1st Oct 2009
They could set up a test site to the public and see if the hackers can take it down. Let the hackers do their best!
0 Votes
Why the server?
kd5auq 1st Oct 2009
Why not move the process to the incoming router?
0 Votes
Exactly.
Dr.C 1st Oct 2009
And even further upstream. Any router concentrating requests to a single IP address in excess of its known capacity (boolean) could inform upstream traffic sources of that fact, and drop a higher percentage of packets from the most prolific source streams before the target does.
Recursively.
The (real rather than boolean) known capacity only has to be known at one point - which could be the target server itself.

Any solution that leaves the attacking clients in place has to end up denying client services, but whilst the server chugs on with a load it can manage, this system preferentially denies service to the most prolific clients.
The negative feedback algorithm and its hysteresis would need careful design. Anybody fancy drafting the RFC?
0 Votes
Great Idea, good Start
T Mike 1st Oct 2009
....and who else is making
progress like this..?
0 Votes
Won't work...
Ceridan Updated - 1st Oct 2009
...on a public server (i.e. no authentication needed to get resources). Unless they reinvent TCP/IP. And even then, the attackers can just flood the infrastructure around the server (routers).
ZDNET Tech Update Today:
"Defense devised for DOS attacks"

"What do you think?" Me? I think that whoever writes the headlines for the ZDNet Tech Update Today needs to learn the difference between DOS (Disk Operating System) and DoS (Denial of Service). That's what I think.
0 Votes