Wednesday, October 7, 2009

DDoS Blocking?

From Network World:
October 5, Network World - (International) Prototype security software blocks DDoS attacks. Researchers have come up with host-based security software that blocks distributed denial-of-service attacks without swamping the memory and CPU of the host machines.The filtering, called identity-based privacy-protected access control (IPCAF), can also prevent session hijacking, dictionary attacks and man-in-the-middle attacks, say researchers at Auburn University in their paper, “Modeling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPCAF) capability to resist massive denial of service attacks.” This new method is suggested as a replacement for IP-address filtering, which is sometimes used to block DDoS attacks but is problematic because IP addresses can be spoofed, says a professor of electrical and computer engineering at Auburn and lead author of the paper. The method also greatly reduces the resources attacked machines have to expend in order to figure out whether requests are legitimate, he says. Under IPCAF authorized users and the servers they try to reach receive a one-time user ID and password to authenticate to each other. After that they cooperate to generate pseudo IDs and packet-field values for each successive packet so packets get authenticated one at a time. The receiving machines simply check the field value in each packet in order to decide whether to reject it. Only after the filter value checks out are more memory and CPU resources allocated to further process the packets, the professor says. IPCAF runs on servers and client machines and does its work with negligible impact on performance of the machines involved, he says. For instance, the CPU on a machine running IPCAF and processing legitimate requests during testing was 10.21 percent. That rose to 11.78 percent when the same machine was under attack, the professor says. Source: http://www.computerworld.com/s/article/9138982/Prototype_security_software_blocks _DDoS_attacks

No comments:

Blog Archive