Modelling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPACF) capability to resist massive denial of service attacks

Denial of Service (DoS)/Distributed DoS (DDoS) attacks are an eminent threat to an Authentication Server (AS), which is used to guard access to firewalls, virtual private networks and resources connected by wired/wireless networks. In this paper, a new protocol called Identity-Based Privacy-Protected Access Control Filter (IPACF) is proposed to counter DoS/DDoS attacks. IPACF is stateless for both the user and the AS, since a user and responder must authenticate each other. The value and identity used for authentication are changed in every frame, so the privacy of both user and server is protected. The performance of the implementation is reported in this paper. In order to counter more DoS/DDoS attacks that issue fake requests, a parallel processing technique is used to implement the AS, and the performance of a dual server is compared with that of a single server. To study the capability of IPACF when facing massive DDoS attacks, simulations using OPNET for a network consisting of 1000 nodes with a 10 Gbps pipe to the AS are carried out. The simulations show that the performance of the AS has very little degradation in terms of packet latency and CPU utilisation for users. Queueing models are used for comparison with the simulations, and the agreement between models and simulations is acceptable.
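As an added illustration of the per-frame changing identity idea (this is not the paper's IPACF specification, which the abstract does not detail), the following Python sketch assumes a key shared by user and responder plus a frame counter, derives a fresh identity tag for every frame with HMAC, and lets the responder reject forged or replayed frames with a single HMAC check before doing any heavier work:

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not the paper's protocol. Assumptions: both sides
# share a key K and a monotonically increasing frame counter; the identity tag
# carried in a frame is HMAC-SHA256(K, counter || direction) truncated to
# TAG_LEN bytes. The responder keeps only K and the last accepted counter, so
# spoofed frames are dropped cheaply without allocating per-request state.

TAG_LEN = 16


def frame_id(key: bytes, counter: int, direction: bytes) -> bytes:
    """Per-frame identity tag; it changes on every frame, so an observer cannot link frames."""
    msg = counter.to_bytes(8, "big") + direction
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class StatelessFilter:
    """Responder-side filter: accept a frame only if its tag matches an expected counter within a window."""

    def __init__(self, key: bytes, window: int = 8):
        self.key = key
        self.window = window      # tolerate loss/reordering of a few frames
        self.last_counter = -1    # highest counter accepted so far
        self.rejected = 0

    def check(self, tag: bytes, direction: bytes = b"req") -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(tag, frame_id(self.key, c, direction)):
                self.last_counter = c   # consumed counters can no longer be replayed
                return True
        self.rejected += 1
        return False


def run_demo():
    """Returns (accepted legitimate frames, replay accepted?, forgery accepted?, rejected count)."""
    key = secrets.token_bytes(32)
    flt = StatelessFilter(key)
    accepted_legit = sum(flt.check(frame_id(key, c, b"req")) for c in range(5))
    replayed = flt.check(frame_id(key, 2, b"req"))      # replay of an already-consumed frame
    forged = flt.check(secrets.token_bytes(TAG_LEN))    # sender without K guesses a tag
    return accepted_legit, replayed, forged, flt.rejected
```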
