TY - GEN
T1 - An empirical study of denial of service mitigation techniques
AU - Badishi, Gal
AU - Herzberg, Amir
AU - Keidar, Idit
AU - Romanov, Oleg
AU - Yachin, Avital
PY - 2008
Y1 - 2008
N2 - We present an empirical study of the resistance of several protocols to denial of service (DoS) attacks on client-server communication. We show that protocols that use authentication alone, e.g., IPSec, provide protection to some extent, but are still susceptible to DoS attacks, even when the network is not congested. In contrast, a protocol that uses a changing filtering identifier (FI) is usually immune to DoS attacks, as long as the network itself is not congested. This approach is called FI hopping. We build and experiment with two prototype implementations of FI hopping. One implementation is a modification of IPSec in a Linux kernel, and a second implementation comes as an NDIS hook driver on a Windows machine. We present results of experiments in which client-server communication is subject to a DoS-attack. Our measurements illustrate that FI hopping withstands severe DoS attacks without hampering the client-server communication. Moreover, our implementations show that FI hopping is simple, practical, and easy to deploy.
AB - We present an empirical study of the resistance of several protocols to denial of service (DoS) attacks on client-server communication. We show that protocols that use authentication alone, e.g., IPSec, provide protection to some extent, but are still susceptible to DoS attacks, even when the network is not congested. In contrast, a protocol that uses a changing filtering identifier (FI) is usually immune to DoS attacks, as long as the network itself is not congested. This approach is called FI hopping. We build and experiment with two prototype implementations of FI hopping. One implementation is a modification of IPSec in a Linux kernel, and a second implementation comes as an NDIS hook driver on a Windows machine. We present results of experiments in which client-server communication is subject to a DoS-attack. Our measurements illustrate that FI hopping withstands severe DoS attacks without hampering the client-server communication. Moreover, our implementations show that FI hopping is simple, practical, and easy to deploy.
UR - http://www.scopus.com/inward/record.url?scp=58149084792&partnerID=8YFLogxK
U2 - 10.1109/SRDS.2008.27
DO - 10.1109/SRDS.2008.27
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:58149084792
SN - 9780769534107
T3 - Proceedings of the IEEE Symposium on Reliable Distributed Systems
SP - 115
EP - 124
BT - Proceedings of the 27th IEEE International Symposium on Reliable Distributed Systems, SRDS 2008
PB - IEEE Computer Society
T2 - 27th IEEE International Symposium on Reliable Distributed Systems, SRDS 2008
Y2 - 6 October 2008 through 8 October 2008
ER -