Security researchers develop DoS attack filter

October 6, 2009 – 5:47 AM

Researchers have come up with host-based security software that blocks distributed denial-of-service attacks (DDoS) without swamping the memory and CPU of the host machines.

The filtering, called identity-based privacy-protected access control (IPCAF), can also prevent session hijacking, dictionary attacks and man-in-the-middle attacks, say researchers at Auburn University in their paper, “Modeling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPCAF) capability to resist massive denial of service attacks.”

This new method is suggested as a replacement for IP-address filtering, which is sometimes used to block DDoS attacks but is problematic because IP addresses can be spoofed, says Chwan-Hwa “John” Wu, a professor of electrical and computer engineering at Auburn and lead author of the paper.

The method also greatly reduces the resources attacked machines have to expend in order to figure out whether requests are legitimate, he says.

Under IPCAF authorised users and the servers they try to reach receive a one-time user ID and password to authenticate to each other. After that they cooperate to generate pseudo IDs and packet-field values for each successive packet so packets get authenticated one at a time.


You must be logged in to post a comment.