An Empirical Study of Denial of Service Mitigation Techniques

We present an empirical study of the resistance of several protocols to denial of service (DoS) attacks on client-server communication. We show that protocols that rely on authentication alone, e.g., IPsec, provide some protection but remain susceptible to DoS attacks even when the network is not congested, because the receiver must still spend processing on every forged packet before it can reject it. In contrast, a protocol that uses a changing filtering identifier (FI), an identifier that both endpoints vary over time in a way the attacker cannot predict, so that forged packets can be discarded cheaply before any expensive processing, is usually immune to DoS attacks as long as the network itself is not congested. We call this approach FI hopping. We build and experiment with two prototype implementations of FI hopping: one is a modification of IPsec in a Linux kernel, and the other is an NDIS hook driver on a Windows machine. We present results of experiments in which client-server communication is subjected to a DoS attack. Our measurements show that FI hopping withstands severe DoS attacks without hampering the client-server communication. Moreover, our implementations show that FI hopping is simple, practical, and easy to deploy.
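The abstract states the idea but not a construction. The following Python model is an added example, not the paper's code and not either prototype, and it makes several assumptions the abstract does not: the FI is a 32-bit value (the width of an IPsec SPI) derived per time epoch from a shared key with HMAC-SHA256 as the pseudorandom function; the server accepts the current epoch's FI plus one epoch on either side to tolerate clock skew; and "authentication alone" is modelled as an HMAC check over the payload. It contrasts the two designs the abstract compares: with the FI filter on, forged packets are dropped by a set lookup before any MAC is computed; with it off, every forged packet costs a MAC verification, which is the load an attacker exploits even on an uncongested link.

```python
"""FI hopping vs. authentication-only receiver: an illustrative model.

Assumed (not from the paper): FI = PRF(fi_key, epoch) truncated to 32 bits,
one-epoch skew tolerance, and an HMAC tag standing in for IPsec authentication.
"""
import hashlib
import hmac
import random
import struct

EPOCH_SECONDS = 1   # hop interval (assumed parameter)
FI_BITS = 32        # FI width, e.g. an SPI (assumed parameter)
SKEW_EPOCHS = 1     # epochs of clock drift tolerated on each side (assumed)


def epoch_of(now: float) -> int:
    """Map a timestamp to the hop epoch it falls in."""
    return int(now // EPOCH_SECONDS)


def filtering_identifier(fi_key: bytes, epoch: int) -> int:
    """PRF(fi_key, epoch) truncated to FI_BITS; both endpoints compute this."""
    mac = hmac.new(fi_key, struct.pack(">Q", epoch), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & ((1 << FI_BITS) - 1)


def make_packet(fi_key: bytes, auth_key: bytes, payload: bytes, now: float) -> dict:
    """Client side: stamp the packet with the current FI and an auth tag."""
    return {
        "fi": filtering_identifier(fi_key, epoch_of(now)),
        "payload": payload,
        "tag": hmac.new(auth_key, payload, hashlib.sha256).digest(),
    }


class Server:
    """Receiver that counts cheap filter drops vs. costly authentications."""

    def __init__(self, fi_key: bytes, auth_key: bytes, use_fi_filter: bool = True):
        self.fi_key = fi_key
        self.auth_key = auth_key
        self.use_fi_filter = use_fi_filter
        self.stats = {"filtered": 0, "authenticated": 0, "bad_auth": 0, "delivered": 0}
        self._cache_epoch = None
        self._cache = set()

    def accepted_fis(self, now: float) -> set:
        """FIs valid right now: current epoch +/- SKEW_EPOCHS, recomputed once per epoch."""
        e = epoch_of(now)
        if self._cache_epoch != e:
            self._cache = {filtering_identifier(self.fi_key, e + d)
                           for d in range(-SKEW_EPOCHS, SKEW_EPOCHS + 1)}
            self._cache_epoch = e
        return self._cache

    def handle(self, packet: dict, now: float) -> bool:
        # Cheap stage: a set lookup, no cryptography. A packet without a currently
        # valid FI never reaches MAC verification.
        if self.use_fi_filter and packet["fi"] not in self.accepted_fis(now):
            self.stats["filtered"] += 1
            return False
        # Expensive stage: authentication. With authentication alone this runs for
        # every packet the attacker sends, regardless of link congestion.
        self.stats["authenticated"] += 1
        expected = hmac.new(self.auth_key, packet["payload"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet["tag"]):
            self.stats["bad_auth"] += 1
            return False
        self.stats["delivered"] += 1
        return True


def flood(server: Server, n_packets: int, now: float, seed: int = 1) -> dict:
    """Attacker who knows neither key: random FI, random payload, garbage tag (constructed)."""
    rng = random.Random(seed)
    for _ in range(n_packets):
        pkt = {"fi": rng.getrandbits(FI_BITS),
               "payload": rng.randbytes(32),
               "tag": rng.randbytes(32)}
        server.handle(pkt, now)
    return dict(server.stats)


if __name__ == "__main__":
    fi_key, auth_key = b"shared-fi-key", b"shared-auth-key"   # constructed demo keys
    for use_filter in (False, True):
        srv = Server(fi_key, auth_key, use_fi_filter=use_filter)
        srv.handle(make_packet(fi_key, auth_key, b"legit request", 100.0), 100.3)
        print("FI filter" if use_filter else "auth only  ", flood(srv, 10000, 100.3))
```

Two properties worth checking against the model: a legitimate packet produced in the previous epoch is still accepted (skew tolerance), while the same packet replayed several epochs later is dropped by the filter without ever being authenticated.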
