Modelling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPACF) capability to resist massive denial of service attacks

Authors:
Chwan-Hwa 'John' Wu;Tong Liu;Chun-Ching 'Andy' Huang;J. David Irwin
Affiliations:
Department of Electrical and Computer Engineering, Auburn University, Auburn, AL 36849, USA.;Department of Electrical and Computer Engineering, Auburn University, Auburn, AL 36849, USA.;Department of Electrical and Computer Engineering, Auburn University, Auburn, AL 36849, USA.;Department of Electrical and Computer Engineering, Auburn University, Auburn, AL 36849, USA
Venue:
International Journal of Information and Computer Security
Year:
2009

Citing 27
Cited 1

Survey of closed queueing networks with blocking

ACM Computing Surveys (CSUR)
Open, Closed, and Mixed Networks of Queues with Different Classes of Customers

Journal of the ACM (JACM)
Secure communications over insecure channels

Communications of the ACM
Efficient, DoS-resistant, secure key exchange for internet protocols

Proceedings of the 9th ACM conference on Computer and communications security
Stateless connections

ICICS '97 Proceedings of the First International Conference on Information and Communication Security
Enhancing the Resistence of a Provably Secure Key Agreement Protocol to a Denial-of-Service Attack

ICICS '99 Proceedings of the Second International Conference on Information and Communication Security
Pricing via Processing or Combatting Junk Mail

CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
Towards Network Denial of Service Resistant Protocols

Proceedings of the IFIP TC11 Fifteenth Annual Working Conference on Information Security for Global Information Infrastructures
Protecting Key Exchange and Management Protocols Against Resource Clogging Attacks

CMS '99 Proceedings of the IFIP TC6/TC11 Joint Working Conference on Secure Information Networks: Communications and Multimedia Security
Proofs of Work and Bread Pudding Protocols

CMS '99 Proceedings of the IFIP TC6/TC11 Joint Working Conference on Secure Information Networks: Communications and Multimedia Security
A Formal Framework and Evaluation Method for Network Denial of Service

CSFW '99 Proceedings of the 12th IEEE workshop on Computer Security Foundations
Defending Against Denial-of-Service Attacks with Puzzle Auctions

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Scalability and Flexibility in Authentication Services: The KryptoKnight Approach

INFOCOM '97 Proceedings of the INFOCOM '97. Sixteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Driving the Information Revolution
Just fast keying: Key agreement in a hostile internet

ACM Transactions on Information and System Security (TISSEC)
A taxonomy of DDoS attack and DDoS defense mechanisms

ACM SIGCOMM Computer Communication Review
New client puzzle outsourcing techniques for DoS resistance

Proceedings of the 11th ACM conference on Computer and communications security
Analyzing security protocols with secrecy types and logic programs

Journal of the ACM (JACM)
Leap-Frog Packet Linking and Diverse Key Distributions for Improved Integrity in Network Broadcasts

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Distributed Denial of Service Attacks and Anonymous Group Authentication on the Internet

ICITA '05 Proceedings of the Third International Conference on Information Technology and Applications (ICITA'05) Volume 2 - Volume 02
Denial-of-Service Attack-Detection Techniques

IEEE Internet Computing
PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks

IEEE Transactions on Dependable and Secure Computing
Collaborative detection and filtering of shrew DDoS attacks using spectral analysis

Journal of Parallel and Distributed Computing - Special issue: Security in grid and distributed systems
Using client puzzles to protect TLS

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Collaborative Detection of DDoS Attacks over Multiple Network Domains

IEEE Transactions on Parallel and Distributed Systems
Bound analysis of closed queueing networks with workload burstiness

SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Testing a Collaborative DDoS Defense In a Red Team/Blue Team Exercise

IEEE Transactions on Computers
Reducing delay and enhancing DoS resistance in multicast authentication through multigrade security

IEEE Transactions on Information Forensics and Security

Exposing WPA2 security protocol vulnerabilities

International Journal of Information and Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Denial of Service (DoS)/Distributed DoS (DDoS) attack is an eminent threat to an Authentication Server (AS), which is used to guard access to firewalls, virtual private networks and resources connected by wired/wireless networks. In this paper, a new protocol called Identity-Based Privacy-Protected Access Control Filter (IPACF) is proposed to counter DoS/DDoS attacks. The IPACF is stateless for both user and AS since a user and responder must authenticate each other. The value and identity for authentication are changed in every frame. Thus, the privacy of both user and server is protected. The performance of the implementation is reported in this paper. In order to counter more DoS/DDoS attacks that issue fake requests, parallel processing technique is used to implement the AS. The performance comparison of dual server and single server is also reported. To study the capability of IPACF when facing massive DDoS attacks, simulations using OPNET for a network consisting of 1000 nodes with 10 Gbps pipe to the AS are carried out. The simulations show that the performance of AS has very little degradation in terms of packet latency and CPU utilisation for users. Queueing models are used to compare simulations and agreement between models and simulations is acceptable.