Denial-of-Service Resistance in Key Establishment

Denial of Service (DoS) attacks are an increasing problem for network connected systems. Key establishment protocols are applications that are particularly vulnerable to DoS attack as they are typically required to perform computationally expensive cryptographic operations in order to authenticate the protocol initiator and to generate the cryptographic keying material that will subsequently be used to secure the communications between initiator and responder. The goal of DoS resistance in key establishment protocols is to ensure that attackers cannot prevent a legitimate initiator and responder deriving cryptographic keys without expending resources beyond a responder-determined threshold. In this work we review the strategies and techniques used to improve resistance to DoS attacks. Three key establishment protocols implementing DoS resistance techniques are critically reviewed and the impact of misapplication of the techniques on DoS resistance is discussed. Recommendations on effectively applying resistance techniques to key establishment protocols are made

Survey on: Software Puzzle for Offsetting DoS Attack

A Denial of Service (DoS) attack is a malevolent attempt to make a server or a network resource inaccessible to users, usually by temporarily breaking or suspending the services of a host connected to the Internet. DoS attacks and Distributed DoS (DDoS) attacks attempt to deplete an online service's resource such as network bandwidth, memory and computational power by overwhelming the service with bogus requests. Thus, DoS and DDoS attacks have become a major problem for users of computer systems connected to the Internet. Many state-art of the techniques used for defending the internet from these attacks have been discussed in this paper. After conducting an exhaustive survey on these techniques it has been found that the proposed software puzzle scheme that randomly generates only after a client request is received at the server side gives better performance as compared with previous techniques

A Novel WLAN Client Puzzle against DoS Attack Based on Pattern Matching

Despite the popularity of 802.11 based networks, they suffer several types of DoS attack, launched by an attacker whose aim is to make an access point (AP) unavailable to legitimate users. One of the most common DoS attacks on 802.11 based networks is to deplete the resources of the AP. A serious situation like this can occur when the AP receives a burst of connection requests. This paper addresses this common DoS attack and proposes a lightweight puzzle, based on pattern-matching. Using a pattern-matching technique, this model adequately resists resource-depletion attacks in terms of both puzzle generation and solution verification. Using a sensible series of contextual comparisons, the outcomes were modelled by a simulator, and the security definition and proofs are verified, among other results

Efficient trapdoor-based client puzzle system against DoS attacks

Denial of service (DoS) and distributed denial of service (DDoS) are serious threats to computer networks. DoS and DDoS attacks aim to shut down a target server by depleting its resources and rendering it incapable of offering stable and integrated service to legitimate clients. Preventing DoS and DDoS attacks is a difficult task. A promising countermeasure against DoS attacks is the Client Puzzle method, which nevertheless faces a number of challenges, such as the complexity of puzzle construction and solution verification. Our research focuses on exploring novel puzzle constructions to satisfy the high demands of DoS defence in practice. In this thesis, we first identify the underlying weaknesses of existing client puzzles. To mitigate these vulnerabilities, we recommend the necessary requirements for good client puzzles. Based on this, we propose a new model for puzzle distribution, called the Trapdoor-based Client Puzzle System (TCPS). Two specific schemes are presented to construct puzzles within TCPS. We depict these two schemes, where each trapdoor algorithm is applied respectively. Both schemes have two distinct features: the computational overheads are low, and the difficulty level of puzzles is measurable. Moreover, both puzzle schemes are provably secure under traditional hard problems in mathematics. Our contribution to client puzzle defence against DoS attacks can be summarised as follows: * Identify the shortcomings of existing client puzzles. * Recommend the requirements of good client puzzles. * Formally define the Trapdoor-based Client Puzzle System, along with strict security conditions. * Propose a client puzzle scheme whose security is based on the RSA Assumption. Effectiveness and security are analysed and proven. * Propose a second client puzzle scheme whose security is based on the Discrete Logarithm Problem (DLP). Similarly, effectiveness and security are also analysed. * Provide a possible configuration for system parameters. * Discuss further possible attacks and their solutions. As our research is carried out in DoS attack scenarios, we also introduce this technical background before our achievements are presented

Preventing Denial of Service Attacks in IoT Networks through Verifiable Delay Functions

Permissionless distributed ledgers provide a promising approach to deal with the Internet of Things (IoT) paradigm. Since IoT devices mostly generate data transactions and micropayments, distributed ledgers that use fees to regulate the network access are not an optimal choice. In this paper, we study a feeless architecture developed by IOTA and designed specifically for the IoT. Due to the lack of fees, malicious nodes can exploit this feature to generate an unbounded number of transactions and perform a denial of service attacks. We propose to mitigate these attacks through verifiable delay functions. These functions, which are non-parallelizable, hard to compute, and easy to verify, have been formulated only recently. In our work, we design a denial of service prevention mechanism which addresses network heterogeneity, limited node computational capabilities, and hardware-specific implementation optimizations. Verifiable delay functions have mostly been studied from a theoretical point of view, but little has been done in tangible applications. Hence, this paper can be considered as a pioneer work in the field, since it builds a bridge between this theoretical mathematical framework and a real-world problem

DNA-based client puzzle for WLAN association protocol against connection request flooding

In recent past, Wireless Local Area Network (WLAN) has become more popular because of its flexibility. However, WLANs are subjected to different types of vulnerabilities. To strengthen WLAN security, many high security protocols have been developed. But those solutions are found to be ineffective in preventing Denial of Service (DoS) attacks. A ‘Connection Request Flooding’ DoS (CRF-DoS) attack is launched when an access point (AP) encounters a sudden explosion of connection requests. Among other existing anti CRF-DoS methods, a client puzzle protocol has been noted as a promising and secure potential solution. Nonetheless, so far none of the proposed puzzles satisfy the security requirement of resource-limited and highly heterogeneous WLANs. The CPU disparity, imposing unbearable loads on legitimate users, inefficient puzzle generation and verification algorithms; the susceptibility of puzzle to secondary attacks on legitimate users by embedding fake puzzle parameters; and a notable delay in modifying the puzzle difficulty – these are some drawbacks of currently existing puzzles. To deal with such problems, a secure model of puzzle based on DNA and queuing theory is proposed, which eliminates the above defects while satisfying the Chen puzzle security model. The proposed puzzle (OROD puzzle) is a multifaceted technology that incorporates five main components include DoS detector, queue manager, puzzle generation, puzzle verification, and puzzle solver. To test and evaluate the security and performance, OROD puzzle is developed and implemented in real-world environment. The experimental results showed that the solution verification time of OROD puzzle is up to 289, 160, 9, 3.2, and 2.3 times faster than the Karame-Capkun puzzle, the Rivest time-lock puzzle, the Rangasamy puzzle, the Kuppusamy DLPuz puzzle, and Chen's efficient hash-based puzzle respectively. The results also showed a substantial reduction in puzzle generation time, making the OROD puzzle from 3.7 to 24 times faster than the above puzzles. Moreover, by asking to solve an easy and cost-effective puzzle in OROD puzzle, legitimate users do not suffer from resource exhaustion during puzzle solving, even when under severe DoS attack (high puzzle difficulty)

Mitigating Botnet-based DDoS Attacks against Web Servers

Distributed denial-of-service (DDoS) attacks have become wide-spread on the Internet. They continuously target retail merchants, financial companies and government institutions, disrupting the availability of their online resources and causing millions of dollars of financial losses. Software vulnerabilities and proliferation of malware have helped create a class of application-level DDoS attacks using networks of compromised hosts (botnets). In a botnet-based DDoS attack, an attacker orders large numbers of bots to send seemingly regular HTTP and HTTPS requests to a web server, so as to deplete the server's CPU, disk, or memory capacity. Researchers have proposed client authentication mechanisms, such as CAPTCHA puzzles, to distinguish bot traffic from legitimate client activity and discard bot-originated packets. However, CAPTCHA authentication is vulnerable to denial-of-service and artificial intelligence attacks. This dissertation proposes that clients instead use hardware tokens to authenticate in a federated authentication environment. The federated authentication solution must resist both man-in-the-middle and denial-of-service attacks. The proposed system architecture uses the Kerberos protocol to satisfy both requirements. This work proposes novel extensions to Kerberos to make it more suitable for generic web authentication. A server could verify client credentials and blacklist repeated offenders. Traffic from blacklisted clients, however, still traverses the server's network stack and consumes server resources. This work proposes Sentinel, a dedicated front-end network device that intercepts server-bound traffic, verifies authentication credentials and filters blacklisted traffic before it reaches the server. Using a front-end device also allows transparently deploying hardware acceleration using network co-processors. Network co-processors can discard blacklisted traffic at the hardware level before it wastes front-end host resources. We implement the proposed system architecture by integrating existing software applications and libraries. We validate the system implementation by evaluating its performance under DDoS attacks consisting of floods of HTTP and HTTPS requests

Security in peer-to-peer communication systems

P2PSIP (Peer-to-Peer Session Initiation Protocol) is a protocol developed by the IETF (Internet Engineering Task Force) for the establishment, completion and modi¿cation of communication sessions that emerges as a complement to SIP (Session Initiation Protocol) in environments where the original SIP protocol may fail for technical, ¿nancial, security, or social reasons. In order to do so, P2PSIP systems replace all the architecture of servers of the original SIP systems used for the registration and location of users, by a structured P2P network that distributes these functions among all the user agents that are part of the system. This new architecture, as with any emerging system, presents a completely new security problematic which analysis, subject of this thesis, is of crucial importance for its secure development and future standardization. Starting with a study of the state of the art in network security and continuing with more speci¿c systems such as SIP and P2P, we identify the most important security services within the architecture of a P2PSIP communication system: access control, bootstrap, routing, storage and communication. Once the security services have been identi¿ed, we conduct an analysis of the attacks that can a¿ect each of them, as well as a study of the existing countermeasures that can be used to prevent or mitigate these attacks. Based on the presented attacks and the weaknesses found in the existing measures to prevent them, we design speci¿c solutions to improve the security of P2PSIP communication systems. To this end, we focus on the service that stands as the cornerstone of P2PSIP communication systems¿ security: access control. Among the new designed solutions stand out: a certi¿cation model based on the segregation of the identity of users and nodes, a model for secure access control for on-the-¿y P2PSIP systems and an authorization framework for P2PSIP systems built on the recently published Internet Attribute Certi¿cate Pro¿le for Authorization. Finally, based on the existing measures and the new solutions designed, we de¿ne a set of security recommendations that should be considered for the design, implementation and maintenance of P2PSIP communication systems.Postprint (published version