Denial of service (DoS) and distributed DoS (DDoS) attacks are a prominent threat to an authentication server, which guards access to firewalls, virtual private networks and wired/wireless networks. The major problem is that an authentication server must verify whether each request comes from a legitimate user; if that verification requires intensive computation and/or memory, a DoS/DDoS attack becomes feasible. In this paper, a new protocol called Identity-Based Privacy-Protected Access Control Filter (IPACF) is proposed to counter DoS/DDoS attacks. This protocol is an improvement of IDF (Identity-Based Dynamic Access Control Filter). The proposed protocol is stateless because it does not create state for an authentication request unless the request is from a legitimate user. Moreover, IPACF is stateless for both user and authentication server, since the user and responder authenticate each other. A filter value, generated from pre-shared secrets, is sent in a frame and checked to determine whether the request is legitimate. Checking the filter value is not computationally intensive. The filter value is stored in a table alongside the user identity, so that a filter value represents a user's identity and only the legitimate user and the authentication server can work out that identity. When a filter value comes from a legitimate source, a new filter value is generated for the next frame. Consequently, the filter value changes with every frame, and the privacy of both user and server is protected. IPACF is implemented for both user and authentication server, and the performance of the implementation is reported in this paper. To counter more DoS/DDoS attacks that issue fake requests, the authentication server is implemented with parallel processing and divided into server 1 and server 2. Server 1 only checks the validity of the request filter value against the filter value table. If the request is legitimate, it is passed to server 2, which generates a new filter value; otherwise, the fake request is rejected by server 1. A performance comparison of the dual-server and single-server implementations is also reported.
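The server 1 / server 2 split described above, as an added sketch that is not code from the paper: a cheap table lookup rejects unknown filter values before any cryptographic work, and only accepted frames trigger generation of the next value. The abstract does not give the derivation, so the HMAC-SHA256 construction, the 16-byte filter length and all names here are assumptions; mutual authentication of the responder is not modelled.

```python
import hashlib
import hmac

def next_filter(secret: bytes, current: bytes) -> bytes:
    # Assumed derivation (not from the paper): HMAC over the current value.
    return hmac.new(secret, b"filter|" + current, hashlib.sha256).digest()[:16]

class AuthServer:
    def __init__(self):
        self.secrets = {}  # identity -> pre-shared secret
        self.table = {}    # expected filter value -> identity

    def enroll(self, identity: str, secret: bytes, initial: bytes) -> None:
        self.secrets[identity] = secret
        self.table[next_filter(secret, initial)] = identity

    def server1_check(self, fv: bytes):
        # Lookup only: no crypto and no new state for an unknown value.
        return self.table.get(fv)

    def server2_rotate(self, fv: bytes, identity: str) -> None:
        # Runs only for accepted frames; the old value becomes invalid.
        del self.table[fv]
        self.table[next_filter(self.secrets[identity], fv)] = identity

    def handle_frame(self, fv: bytes):
        identity = self.server1_check(fv)
        if identity is None:
            return None  # fake request rejected by server 1
        self.server2_rotate(fv, identity)
        return identity

def demo():
    secret, initial = b"constructed-demo-secret", b"\x00" * 16  # constructed
    server = AuthServer()
    server.enroll("alice", secret, initial)
    fv = next_filter(secret, initial)          # client derives the same value
    first = server.handle_frame(fv)            # legitimate frame
    replay = server.handle_frame(fv)           # same value again: stale
    forged = server.handle_frame(b"\xff" * 16) # guessed value: unknown
    fv = next_filter(secret, fv)               # client advances in step
    second = server.handle_frame(fv)           # next legitimate frame
    return first, replay, forged, second, len(server.table)

if __name__ == "__main__":
    print(demo())
```

The identity never travels in the frame; it is recovered from the table entry, and the table holds one entry per enrolled user regardless of how many forged frames arrive.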