Hierarchical Defense Structure for Mitigating DoS Attacks

This paper contributes a hierarchical defense structure with proactive functionality for mitigating Denial-of-Service (DoS) attacks. An important aspect is the tradeoff between performance and security. The proposed hierarchical architecture uses lightweight authentication protocols as a classifier that denies access to harmful traffic. An empirical test of the structure has been performed, and the reported results show that it can filter out and separate the attack traffic before that traffic reaches the target, an IPSec gateway. The filtering is therefore performed without the filtering component itself becoming the target of new resource exhaustion attacks. The IPSec environment considered is based on IPSec gateways for the low-end market, i.e., for small businesses or private networks.
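The abstract describes the general pattern of placing a cheap authentication check in front of an expensive IPSec gateway so that attack traffic is rejected before it consumes the gateway's resources. The following Python model, added here as an illustration and not taken from the paper, shows that pattern with a generic construction of my own choosing: a first tier that verifies a short keyed tag (a truncated HMAC under a pre-shared key) and a monotonically increasing sequence number, and a second tier that stands in for the gateway and merely counts how much costly work it is asked to do. The tag length, the per-packet cost figure, the addresses and the traffic mix are all assumptions made for the demonstration; the paper's actual lightweight protocols are not reproduced.

```python
import hashlib
import hmac
from dataclasses import dataclass

TAG_BYTES = 4            # truncated tag: cheap to compute and compare (assumed length)
GATEWAY_COST = 100       # arbitrary work units per packet reaching the expensive tier


@dataclass
class Packet:
    src: str
    seq: int
    payload: bytes
    tag: bytes


def make_tag(key: bytes, src: str, seq: int, payload: bytes) -> bytes:
    """Truncated HMAC over (src, seq, payload); a stand-in for a lightweight per-packet credential."""
    msg = src.encode() + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]


class LightweightFilter:
    """Tier 1: constant-time tag check plus replay rejection. Deliberately cheap so that
    flooding it does not exhaust the resources the expensive tier needs."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}                       # per-source highest accepted sequence number
        self.stats = {"accepted": 0, "dropped": 0}

    def accept(self, pkt: Packet) -> bool:
        expected = make_tag(self.key, pkt.src, pkt.seq, pkt.payload)
        if not hmac.compare_digest(expected, pkt.tag):
            self.stats["dropped"] += 1           # forged or missing credential
            return False
        if pkt.seq <= self.last_seq.get(pkt.src, -1):
            self.stats["dropped"] += 1           # replayed or reordered packet
            return False
        self.last_seq[pkt.src] = pkt.seq
        self.stats["accepted"] += 1
        return True


class ExpensiveGateway:
    """Tier 2: stand-in for the IPSec gateway; only accounts for the work it is handed."""

    def __init__(self, cost_per_packet: int = GATEWAY_COST):
        self.cost = cost_per_packet
        self.work = 0

    def process(self, pkt: Packet) -> None:
        self.work += self.cost


def run_hierarchy(key: bytes, packets: list) -> tuple:
    """Pass traffic through tier 1, forward only accepted packets to tier 2."""
    tier1, tier2 = LightweightFilter(key), ExpensiveGateway()
    for pkt in packets:
        if tier1.accept(pkt):
            tier2.process(pkt)
    return tier1.stats, tier2.work


def baseline_work(packets: list) -> int:
    """Work the gateway would absorb with no filtering tier in front of it."""
    return len(packets) * GATEWAY_COST


def build_traffic(key: bytes, n_legit: int = 10, n_attack: int = 100) -> list:
    """Constructed sample traffic: legitimate packets with valid tags, a flood with
    deliberately invalid tags (the flooder does not hold the key), and one replay."""
    legit = [Packet("10.0.0.5", i, b"legit", make_tag(key, "10.0.0.5", i, b"legit"))
             for i in range(n_legit)]
    attack = []
    for i in range(n_attack):
        src = "198.51.100.%d" % (i % 250)
        # Complement of the real tag: guaranteed wrong, so the test stays deterministic.
        bad = bytes(b ^ 0xFF for b in make_tag(key, src, i, b"flood"))
        attack.append(Packet(src, i, b"flood", bad))
    replay = [legit[3]]                          # valid tag, stale sequence number
    return legit + attack + replay


if __name__ == "__main__":
    key = b"\x01" * 32                           # constructed pre-shared key
    traffic = build_traffic(key)
    stats, work = run_hierarchy(key, traffic)
    print(stats, "gateway work:", work, "without filter:", baseline_work(traffic))
```

The point to take from the model is the asymmetry: every packet costs the first tier one short HMAC and one dictionary lookup, while only the packets carrying a valid, fresh credential reach the tier whose cost is high; a real deployment must still size tier 1 so that its own per-packet cost stays far below the attacker's cost of sending, which is the performance/security tradeoff the abstract refers to.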
