Abstract
We consider the problem of overcoming (Distributed) Denial of Service (DoS) attacks by realistic adversaries that can eavesdrop on messages, or parts thereof, but with some delay. We show a protocol that mitigates DoS attacks by eavesdropping adversaries, using only available, efficient packet filtering mechanisms based mainly on (addresses and) port numbers. Our protocol avoids the use of fixed ports, and instead performs ‘pseudo-random port hopping’. We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we analyze the proposed protocol, and show that it provides effective DoS prevention for realistic attack and deployment scenarios.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Andersen, D.G.: Mayday: Distributed filtering for internet services. In: Proceedings of the 4th USENIX Symposium on Internet Technologies and Systems, USITS (2003)
Argyraki, K., Cheriton, D.R.: Active internet traffic filtering: Real-time response to denial-of-service attacks. In: Proceedings of the USENIX Annual Technical Conference (April 2005)
Atkinson, R.: Security architecture for the internet protocol. RFC 2401, IETF (1998)
Badishi, G., Herzberg, A., Keidar, I.: Keeping denial-of-service attackers in the dark. TR CCIT 541, Department of Electrical Engineering, Technion (July 2005)
Badishi, G., Keidar, I., Sasson, A.: Exposing and eliminating vulnerabilities to denial of service attacks in secure gossip-based multicast. In: The International Conference on Dependable Systems and Networks (DSN), June/July 2004, pp. 223–232 (2004)
Collins, M., Reiter, M.K.: An empirical analysis of target-resident dos filters. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy, May 2004, pp. 103–114 (2004)
CSI/FBI. Computer crime and security survey (2003)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of the Association for Computing Machinery 33(4), 792–807 (1986)
Jin, C., Wang, H., Shin, K.G.: Hop-count filtering: an effective defense against spoofed DDoS traffic. In: Atluri, V., Liu, P. (eds.) Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS-03), October 27–30, pp. 30–41. ACM Press, New York (2003)
Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites. In: Proceedings of the International World Wide Web Conference, May 2002, pp. 252–262. IEEE, Los Alamitos (2002)
Juniper Networks. The need for pervasive application-level attack protection
Keromytis, A.D., Misra, V., Rubenstein, D.: Sos: An architecture for mitigating ddos attacks. Journal on Selected Areas in Communications 21(1), 176–188 (2004)
Krishnamurthy, B., Wang, J.: On network-aware clustering of Web clients. In: Proceedings of the SIGCOMM (August 2000)
Mahajan, P., Bellovin, S.M., Floyd, S., Ioannidis, J., Paxson, V., Shenker, S.: Controlling high bandwidth aggregates in the network. Computer Communications Review 32(3), 62–73 (2002)
Moore, D., Voelker, G., Savage, S.: Inferring Internet denial-of-service activity. In: Proceedings of the 10th USENIX Security Symposium, August 2001, pp. 9–22 (2001)
NetContinuum. Web application firewall: How netcontinuum stops the 21 classes of web application threats
P-Cube. DoS protection
P-Cube. Minimizing the effects of DoS attacks
Riverhead Networks. Defeating DDoS attacks
Schwartz, S.M.: Frequency hopping spread spectrum (fhss)
Yaar, A., Perrig, A., Song, D.: Pi: A path identification mechanism to defend against DDoS attacks. In: IEEE Symposium on Security and Privacy (May 2003)
Yaar, A., Perrig, A., Song, D.: An endhost capability mechanism to mitigate DDoS flooding attacks. In: Proceedings of the IEEE Symposium on Security and Privacy (May 2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Badishi, G., Herzberg, A., Keidar, I. (2005). Keeping Denial-of-Service Attackers in the Dark. In: Fraigniaud, P. (eds) Distributed Computing. DISC 2005. Lecture Notes in Computer Science, vol 3724. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11561927_4
Download citation
DOI: https://doi.org/10.1007/11561927_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29163-3
Online ISBN: 978-3-540-32075-3
eBook Packages: Computer ScienceComputer Science (R0)