Reducing the Impact of DoS Attacks on Endpoint IP Security

Fess Parker's Doubletree, Santa Barbara, CA, USA November 12-November 12

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/npsec.2006.320340

2006 2nd IEEE Workshop on Secure Netw ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Joseph Touch Articles by Yi-hua Yang

	ASCII Text	x
	Joseph Touch, Yi-hua Yang, "Reducing the Impact of DoS Attacks on Endpoint IP Security," IEEE Workshop on Secure Network Protocols, pp. 6-11, 2006 2nd IEEE Workshop on Secure Network Protocols, 2006.

	BibTex	x
	@article{ 10.1109/npsec.2006.320340, author = {Joseph Touch and Yi-hua Yang}, title = {Reducing the Impact of DoS Attacks on Endpoint IP Security}, journal ={IEEE Workshop on Secure Network Protocols}, volume = {0}, year = {2006}, isbn = {1-4244-0773-7}, pages = {6-11}, doi = {http://doi.ieeecomputersociety.org/10.1109/npsec.2006.320340}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - IEEE Workshop on Secure Network Protocols TI - Reducing the Impact of DoS Attacks on Endpoint IP Security SN - 1-4244-0773-7 SP6 EP11 A1 - Joseph Touch, A1 - Yi-hua Yang, PY - 2006 KW - null VL - 0 JA - IEEE Workshop on Secure Network Protocols ER -

Joseph Touch, Senior Member, IEEE, USC's Information Sciences Institute, Marina del Rey, CA, 90292 USA, 310-448-9151; e-mail: touch@isi.edu

Yi-hua Yang, USC's Information Sciences Institute, Marina del Rey, CA, 90292 USA, 310-448-9151; e-mail: yeyang@isi.edu

IP security is designed to protect hosts from attack, but can itself provide a way to overwhelm the resources of a host. One such denial of service (DoS) attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources to reject unwanted traffic. This paper examines the impact of such attacks, and provides a preliminary exploration of ways to reduce their impact. Measurements of the impact of DoS attack traffic on x86-based hosts in FreeBSD indicate that a single DoS attacker can reduce throughput by half. This impact can be reduced to approximately 20% by layering low-effort nonce validation on IPsec's more CPU-intensive cryptographic algorithms, but the choice of algorithm does not have as large an effect. This work suggests that effective DoS resistance requires an hierarchical defense using both nonces and strong cryptography at the endpoints.

Citation:

Joseph Touch, Yi-hua Yang, "Reducing the Impact of DoS Attacks on Endpoint IP Security," npsec, pp.6-11, 2006 2nd IEEE Workshop on Secure Network Protocols, 2006

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.