[Resource Topic] 2005/298: Keeping Denial-of-Service Attackers in the Dark

Welcome to the resource topic for 2005/298

Keeping Denial-of-Service Attackers in the Dark

Authors: Gal Badishi, Amir Herzberg, Idit Keidar


We consider the problem of overcoming (Distributed) Denial of Service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, e.g., by observing service performance degradation, or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker's packets. The main challenge in presenting such a solution is to exploit existing packet filtering mechanisms in a way that allows fast processing of packets, but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available, efficient packet filtering mechanisms based mainly on (addresses and) port numbers. Our protocol avoids the use of fixed ports, and instead performs 'pseudo-random port hopping'. We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol, and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.
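The abstract describes the core mechanism only in outline: the endpoints hop between pseudo-random ports, the receiver's cheap port-based filter drops everything else, and an eavesdropping attacker learns the current port only after some delay. The following Python simulation is an added illustration of that idea and is not the authors' protocol, code, or analysis. It assumes HMAC-SHA256 over a slot index as the pseudo-random function, a single pre-shared key, a fixed slot length, a filter that tolerates one slot of clock skew, and an attacker whose knowledge of the port in use lags the legitimate flow by a fixed delay; all of these are choices made for the example, not parameters taken from the paper.

```python
import hashlib
import hmac

# Assumed parameters (example choices, not from the paper).
PORT_MIN, PORT_MAX = 1024, 65535   # dynamic port range the endpoints hop within
SLOT_LEN = 1.0                     # seconds a pseudo-random port stays valid


def slot_of(t: float, slot_len: float = SLOT_LEN) -> int:
    """Map a timestamp to the index of the port-hopping slot it falls in."""
    return int(t // slot_len)


def port_for_slot(key: bytes, slot: int) -> int:
    """Derive the port for a slot with HMAC-SHA256 over the slot index.
    HMAC as the PRF is an assumption; the abstract only says 'pseudo-random'."""
    mac = hmac.new(key, slot.to_bytes(8, "big", signed=True), hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    return PORT_MIN + int.from_bytes(mac[:4], "big") % span


class HoppingFilter:
    """Receiver-side packet filter that inspects only the destination port,
    mirroring the cheap address/port filtering the abstract relies on."""

    def __init__(self, key: bytes, slot_len: float = SLOT_LEN, skew_slots: int = 1):
        self.key = key
        self.slot_len = slot_len
        self.skew_slots = skew_slots   # neighbouring slots accepted for clock skew

    def valid_ports(self, now: float) -> set:
        s = slot_of(now, self.slot_len)
        return {port_for_slot(self.key, s + d)
                for d in range(-self.skew_slots, self.skew_slots + 1)}

    def accept(self, dst_port: int, now: float) -> bool:
        return dst_port in self.valid_ports(now)


def legit_port(key: bytes, now: float, slot_len: float = SLOT_LEN) -> int:
    """Port a legitimate sender with a synchronised clock uses at time `now`."""
    return port_for_slot(key, slot_of(now, slot_len))


def attack_pass_rate(key: bytes, attacker_delay: float, packets: int = 500,
                     pps: float = 100.0, slot_len: float = SLOT_LEN,
                     skew_slots: int = 1) -> float:
    """Fraction of attack packets that pass the filter on a constructed timeline.

    The attacker eavesdrops on the legitimate flow, so at time t it knows the
    port that was in use at t - attacker_delay and floods that port."""
    filt = HoppingFilter(key, slot_len, skew_slots)
    passed = 0
    for i in range(packets):
        now = 10 * slot_len + i / pps                      # constructed send times
        observed = legit_port(key, now - attacker_delay, slot_len)
        if filt.accept(observed, now):
            passed += 1
    return passed / packets


if __name__ == "__main__":
    key = b"example-shared-secret"   # constructed key, not a real deployment value
    for delay in (0.0, 0.5 * SLOT_LEN, 3 * SLOT_LEN):
        rate = attack_pass_rate(key, delay)
        print(f"attacker delay {delay:4.1f}s -> {rate:6.1%} of attack packets pass")
```

Running it shows the property the abstract argues for: an attacker whose reaction delay is shorter than a slot (plus the skew tolerance) lands almost every packet, while one that lags by a few slots is reduced to guessing among roughly 64k ports, so the slot length has to be chosen against the attacker's measured adaptation delay, and every extra slot of clock-skew tolerance in the filter widens the attacker's window by the same amount.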

ePrint: https://eprint.iacr.org/2005/298

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.