Researchers at Auburn University claim to have come up with a better way to fend off denial-of-service attacks, one that lets systems continue working normally even while under attack.
DoS attacks launch extremely large numbers of attempts to connect with target systems, overwhelming them and making them unavailable to their intended users. A distributed DoS attack recruits a network of “zombie” computers to carry out the attack. In addition to shutting down a target system, a DoS attack can be used to exploit the target system's response to the attack to break system firewalls, and access virtual private networks and other private resources.
“Currently, most of the algorithms to prevent DoS allow collateral damage. When they stop the attack, they also stop the service for regular users. Our algorithm does not allow collateral damage, and you can trace back to the source of the attack,” said John Wu, professor of electrical and computer engineering at Auburn, in Auburn, Ala.
The new defense scheme, called Identity-Based Privacy-Protected Access Control Filter (IPACF), works by blocking threats to a network’s gatekeeping computers, called authentication servers, while permitting legitimate users with valid passwords access to resources.
According to Wu, normal average latency for a system is 113 milliseconds. Using IPACF, that latency increases to only 145 milliseconds when a system is under attack, which is not enough of a difference to be detected by a human user. Similarly, the normal CPU load for a system is 10.21 percent; under attack and equipped with IPACF, the load increases only to 11.78 percent.
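The article describes the general idea of an identity-based filter standing in front of the authentication server, but not how IPACF itself computes or checks identities. The simulation below is an added illustration of that general idea and is not the Auburn team's code or the IPACF protocol: it assumes a hypothetical design in which each legitimate user holds a pre-shared key and tags every request with an HMAC over a per-user counter, so the filter can verify a request with one cheap MAC check and drop forged or replayed traffic before it ever reaches the (expensive) authentication server. User names, keys and traffic volumes are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed pre-shared keys for two legitimate users (illustration only;
# a real deployment would provision and rotate these out of band).
USER_KEYS = {
    "alice": secrets.token_bytes(32),
    "bob": secrets.token_bytes(32),
}


def make_tag(key: bytes, user: str, counter: int) -> bytes:
    """Hypothetical per-request identity tag: HMAC-SHA256 over user and counter."""
    return hmac.new(key, f"{user}:{counter}".encode(), hashlib.sha256).digest()


@dataclass
class Request:
    user: str
    counter: int
    tag: bytes


@dataclass
class IdentityFilter:
    """Cheap pre-authentication filter placed in front of the auth server."""
    keys: dict
    last_counter: dict = field(default_factory=dict)
    dropped: int = 0
    forwarded: int = 0

    def admit(self, req: Request) -> bool:
        key = self.keys.get(req.user)
        if key is None:                      # unknown identity
            self.dropped += 1
            return False
        expected = make_tag(key, req.user, req.counter)
        if not hmac.compare_digest(expected, req.tag):   # forged tag
            self.dropped += 1
            return False
        # Replay defence: counters must strictly increase per user.
        if req.counter <= self.last_counter.get(req.user, -1):
            self.dropped += 1
            return False
        self.last_counter[req.user] = req.counter
        self.forwarded += 1
        return True


class AuthServer:
    """Stand-in for the gatekeeping server; it only records what reaches it."""
    def __init__(self):
        self.handled = []

    def handle(self, req: Request) -> None:
        self.handled.append(req.user)


def run_simulation(n_legit: int = 20, n_attack: int = 10_000) -> dict:
    """Legitimate traffic interleaved with a flood of forged requests and one replay."""
    flt = IdentityFilter(USER_KEYS)
    server = AuthServer()

    # Legitimate users, each with its own increasing counter sequence.
    for i in range(n_legit):
        user = "alice" if i % 2 == 0 else "bob"
        req = Request(user, i, make_tag(USER_KEYS[user], user, i))
        if flt.admit(req):
            server.handle(req)

    # Flood: attacker knows a valid user name but not the key, so tags are random.
    for i in range(n_attack):
        req = Request("alice", i, secrets.token_bytes(32))
        if flt.admit(req):
            server.handle(req)

    # Replay of a previously valid request for alice (counter 0 already seen).
    replay = Request("alice", 0, make_tag(USER_KEYS["alice"], "alice", 0))
    if flt.admit(replay):
        server.handle(replay)

    return {
        "served_legit": len(server.handled),  # every legitimate request got through
        "forwarded": flt.forwarded,
        "dropped": flt.dropped,               # flood plus the replay
    }


if __name__ == "__main__":
    print(run_simulation())
```

The point of the simulation is the property Wu describes as "no collateral damage": all legitimate requests are forwarded while none of the flood reaches the authentication server, and the cost the filter pays per attack packet is one HMAC computation rather than a full authentication round trip. Whether IPACF achieves this with the same kind of keyed tag is not stated in the article; the mechanism here is the example's own assumption.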
The work has been carried out by Wu, Tong Liu, Andy Huang and David Irwin of Auburn. The four have authored a paper, "Modelling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPACF) capability to resist massive denial of service attacks," in Int. J. Information and Computer Security, 2009, 3, 195-223.