Simulation for intrusion-resilient, DDoS-resistant authentication system (IDAS)

SSL (Secure Sockets Layer) and IPSec (Internet Protocol Security) are widely used for identity authentication and communication protection. However, both protocols are vulnerable to intrusion and to a single point of compromise, as well as to DDoS (distributed denial of service) attacks. An Intrusion-Resilient, DDoS-Resistant Authentication System (IDAS) is proposed to achieve the following goals: (1) An intrusion-resilient authentication protocol protects credential information by distributing a shared secret across multiple computers, thereby eliminating the single point of compromise. (2) The protocol can readily detect the use of a partial credential by a user or computer and indicate which part of the secret has been exposed, so that the compromised computer can be recovered. (3) Even when an insider has compromised all related servers, the credential is valid only for a short period of time and is self-healed in the next period. (4) A DDoS-resistant protocol must be stateless and efficient, and must stop both botnet attacks and "low and slow" attacks. (5) The authentication protocol takes only a single round-trip time, which is faster than any other authentication protocol and is important to the performance of critical applications in a multi-continent network. Proving the capabilities of IDAS by actually implementing a full-scale botnet is difficult because of financial constraints. Instead, this paper reports simulation results showing that the IDAS protocol can resist DDoS attacks even when thousands of attackers, roughly the size of a current botnet, are bombarding it. A user will not even sense the extra delay caused by the DDoS attacks; thus, the collateral damage is eliminated.
