2 research outputs found

    New DoS Defense Method Based on Strong Designated Verifier Signatures

    We present a novel technique for source authentication of a packet stream in a network, which is intended to guarantee that a specific network flow really comes from its claimed origin. This mechanism, named packet level authentication (PLA), can be an essential tool for addressing Denial of Service (DoS) attacks. Based on designated verifier signature schemes, our proposal is an appropriate and unprecedented solution applying digital signatures to DoS prevention. Our scheme does not rely on an expensive public-key infrastructure and makes use of lightweight cryptographic machinery that is suitable in the context of the Internet of Things (IoT). We analyze our proposed scheme as a defense measure considering known DoS attacks and present a formal proof of its resilience against potential adversaries. Furthermore, we compare our solution to existing strategies, highlighting its advantages and drawbacks.

    Saturation analysis of IoT devices acting as reflectors on amplified reflection distributed denial of service attacks

    Dissertation (master's), Universidade de Brasília, Faculdade de Tecnologia, Departamento de Engenharia Elétrica, Mestrado Profissional em Engenharia Elétrica, 2020. In the context of distributed denial of service (DDoS) attacks, those which use amplified reflection (AR-DDoS) represent a trend that has been intensifying over the past few years, with increasing volumes of traffic. This happens, in part, due to the increasing use of Internet of Things (IoT) devices in those attacks, mainly because of the extensive attack surface that IoT devices provide. With this motivation, several AR-DDoS attacks were carried out with three typical IoT devices (ADSL gateway, IP camera and Raspberry Pi) acting as reflectors, in a controlled environment, abusing three protocols commonly found on IoT devices (SSDP, SNMP and CoAP, the last being a recent trend), over IPv4 and IPv6 (when possible), in order to assess their saturation behavior and the maximum amplification rates of the ongoing attacks. The results achieved are consistent with previous studies involving conventional equipment and characterize reflector saturation at low probe injection rates.