Keeping denial-of-service attackers in the dark

Gal Badishi, Amir Herzberg, Idit Keidar

Research output: Contribution to journalArticlepeer-review

67 Scopus citations


We consider the problem of overcoming (distributed) denial-of-service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, for example, by observing service performance degradation or by eavesdropping on messages or parts thereof. A solution for this problem In a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker's packets. The main challenge In presenting such a solution is to exploit existing packet-filtering mechanisms in a way that allows fast processing of packets but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available efficient packet-filtering mechanisms based mainly on addresses and port numbers. Our protocol avoids the use of fixed ports and instead performs "pseudorandom port hopping." We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.

Original languageEnglish
Pages (from-to)191-204
Number of pages14
JournalIEEE Transactions on Dependable and Secure Computing
Issue number3
StatePublished - 2007

Bibliographical note

Funding Information:
Gal Badishi is supported by the Israeli Ministry of Science. A preliminary version of this paper appeared in the Proceedings of the International Symposium on Distributed Computing (DISC ’05).


  • Availability
  • Protocols
  • Reliability
  • Serviceability


Dive into the research topics of 'Keeping denial-of-service attackers in the dark'. Together they form a unique fingerprint.

Cite this