Title :
Reducing the Impact of DoS Attacks on Endpoint IP Security
Author :
Touch, Joseph D. ; Yang, Yi-Hua Edward
Author_Institution :
Inst. of Inf. Sci., Southern California Univ., Marina del Rey, CA
Abstract :
IP security is designed to protect hosts from attack, but can itself provide a way to overwhelm the resources of a host. One such denial of service (DoS) attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources to reject unwanted traffic. This paper examines the impact of such attacks, and provides a preliminary exploration of ways to reduce their impact. Measurements of the impact of DoS attack traffic on times86-based hosts in FreeBSD indicate that a single DoS attacker can reduce throughput by half. This impact can be reduced to approximately 20% by layering low-effort nonce validation on IPsec´s more CPU-intensive cryptographic algorithms, but the choice of algorithm does not have as large an effect. This work suggests that effective DoS resistance requires an hierarchical defense using both nonces and strong cryptography at the endpoints.
Keywords :
IP networks; cryptography; telecommunication security; telecommunication traffic; DoS attacks; FreeBSD; cryptographic algorithms; denial of service attack; endpoint IP security; false IPsec traffic; low-effort nonce validation; x86-based hosts; Authentication; Computer crime; Cryptography; Hardware; Portable computers; Protection; Security; Switches; Telecommunication traffic; Throughput;
Conference_Titel :
Secure Network Protocols, 2006. 2nd IEEE Workshop on
Conference_Location :
Santa Barbara, CA
Print_ISBN :
1-4244-0773-7
Electronic_ISBN :
1-4244-0774-5
DOI :
10.1109/NPSEC.2006.320340
