Researchers devise way to deny denial-of-service attacks

Researchers say they have devised a way to filter out denial of service attacks on computer networks, including cloud computing systems, improving security on government, commercial, and educational systems.

Methods do exist for configuring a network to filter out known denial of service (DoS) and distributed denial of service (DDoS) attack software and to recognize some of the traffic patterns associated with a mounting DoS attack.

But current filters usually rely on the computer being attacked to check the legitimacy of incoming information requests, consuming resources and, in the case of a massive DDoS, compounding the problem.

Computer engineers John Wu, Tong Liu, Andy Huang and David Irwin of Auburn University have developed a filter to protect systems against DoS attacks that they say circumvents this problem.

How? With the use of a new passive protocol that must be in place at each end of the connection, user and resource.

Their protocol, called "Identity-Based Privacy-Protected Access Control Filter," or IPACF, is said to block threats to the gatekeeping Authentication Servers, allowing legitimate users with valid passwords to access private resources.

Here's how it works:

The user's computer has to present a filter value that the server can check quickly. The filter value is a one-time secret that must be presented together with a pseudo ID, and the pseudo ID is also one-time use. Attackers cannot forge either value correctly, so attack packets are filtered out before they reach the authentication logic.
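The article does not describe how IPACF derives the pseudo ID and filter value, so the following is an added illustration rather than the researchers' protocol: a toy Python model in which client and server share a per-user secret and a use counter, derive both one-time values with HMAC-SHA256, and the server's check is a table lookup plus a constant-time compare. All names (`derive`, `Client`, `FilterServer`, `simulate`), the HMAC construction and the sample secret are assumptions made here for the example.

```python
import hashlib
import hmac

# Constructed model, not the published IPACF construction: both one-time
# values are HMAC-SHA256 over a label and a use counter under a shared secret.
def derive(secret: bytes, label: bytes, counter: int) -> bytes:
    """Derive a one-time value from the shared secret and the use counter."""
    return hmac.new(secret, label + counter.to_bytes(8, "big"), hashlib.sha256).digest()


class Client:
    """Legitimate user side: emits a fresh (pseudo ID, filter value) pair per request."""

    def __init__(self, user: str, secret: bytes):
        self.user = user
        self.secret = secret
        self.counter = 0

    def next_credentials(self):
        self.counter += 1
        return (derive(self.secret, b"pseudo-id", self.counter),
                derive(self.secret, b"filter", self.counter))


class FilterServer:
    """Resource side: pre-computes the next expected pair per user so the
    check on an incoming packet is a dictionary lookup and one compare."""

    def __init__(self):
        self.secrets = {}    # user -> shared secret
        self.expected = {}   # expected pseudo ID -> (user, counter, expected filter value)
        self.accepted = 0
        self.rejected = 0

    def register(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self._arm(user, 1)

    def _arm(self, user: str, counter: int) -> None:
        secret = self.secrets[user]
        pid = derive(secret, b"pseudo-id", counter)
        self.expected[pid] = (user, counter, derive(secret, b"filter", counter))

    def check(self, pseudo_id: bytes, filter_value: bytes) -> bool:
        entry = self.expected.get(pseudo_id)
        if entry is None:                      # unknown or already-used pseudo ID
            self.rejected += 1
            return False
        user, counter, expected_fv = entry
        if not hmac.compare_digest(filter_value, expected_fv):
            self.rejected += 1                 # right pseudo ID, wrong secret
            return False
        del self.expected[pseudo_id]           # one-time use: retire this pair
        self._arm(user, counter + 1)           # and arm the next one
        self.accepted += 1
        return True


def simulate() -> dict:
    """Run one legitimate user and three kinds of bogus packet through the filter."""
    server = FilterServer()
    secret = b"constructed-shared-secret-for-alice"   # constructed sample value
    server.register("alice", secret)
    alice = Client("alice", secret)

    results = {}
    pid, fv = alice.next_credentials()
    results["legit"] = server.check(pid, fv)
    results["replay"] = server.check(pid, fv)             # captured pair reused
    pid2, fv2 = alice.next_credentials()
    results["wrong_filter"] = server.check(pid2, b"\x00" * 32)   # pseudo ID without the secret
    results["forged"] = server.check(hashlib.sha256(b"guess").digest(), b"\x00" * 32)
    results["legit_after_attack"] = server.check(pid2, fv2)      # user unaffected by rejects
    results["accepted"] = server.accepted
    results["rejected"] = server.rejected
    return results


if __name__ == "__main__":
    print(simulate())
```

The cost that matters for the DoS case is the rejection path: a forged or replayed packet costs one hash-table miss, with no password check or session state, which is the kind of cheap early rejection the article attributes to the protocol. The price is the per-user table of pre-computed pairs, an example of the extra server-side resources the article goes on to mention as the drawback.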

There is a drawback. The added layer of information transfer required for checking user requests could take up more resources needed by the server.

The researchers say they have tested how well the protocol manages a massive DDoS attack, simulating one on a network consisting of 1000 nodes with 10 Gbps bandwidth. The result? Little server degradation, negligible latency and minimal extra processor usage even when the 10 Gbps pipe to the authentication server is filled with DoS packets.

The protocol takes 6 nanoseconds to reject a non-legitimate information packet associated with the DoS attack, the researchers said.

Their results will be published in a forthcoming issue of the International Journal of Information and Computer Security.

The protocol was first introduced at a conference in 2007.