Abstract
Networked and distributed systems have introduced a significant new threat to the availability of data and services: network denial of service attacks. A well-known example is TCP SYN flooding. In general, any stateful handshake protocol is vulnerable to similar attacks, because the responder commits memory or computation before the initiator has proven anything about itself. This paper examines network denial of service in detail, and surveys and compares different approaches to preventing such attacks. In conclusion, a number of protocol design principles essential to designing network denial of service resistant protocols are identified, and examples are provided of applying the principles.
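The abstract's claim that every stateful handshake is open to SYN-flood-style attacks can be made concrete with a small simulation. The following is an added example, not code from the paper: a server that allocates a table entry on the first handshake message (the TCP SYN situation) is compared with one that defers allocation until the client echoes a keyed cookie, in the style of SYN cookies. The stateless variant illustrates the general principle of not committing resources before the client has demonstrated reachability; it is not the paper's own protocol. The address strings, the capacity of 64 entries and the message shapes are constructed for illustration.

```python
"""Toy model of a two-message handshake under a flood of half-open requests.

Constructed example (not from the paper): a 'stateful' server that stores
state on the first message versus a 'stateless' server that stores nothing
until the client returns an HMAC cookie. Addresses, capacity and message
formats are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class StatefulServer:
    """Allocates per-peer state as soon as the first handshake message arrives."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.half_open: Dict[str, bytes] = {}  # src -> server nonce awaiting ack

    def on_hello(self, src: str) -> Optional[bytes]:
        # Nothing about the sender has been verified, but a table slot is spent.
        # (Real stacks time entries out; a flood only has to outpace the timeout.)
        if len(self.half_open) >= self.capacity:
            return None  # table full: this hello is dropped
        nonce = secrets.token_bytes(8)
        self.half_open[src] = nonce
        return nonce

    def on_ack(self, src: str, nonce: bytes) -> bool:
        expected = self.half_open.pop(src, None)
        return expected is not None and hmac.compare_digest(expected, nonce)


class StatelessServer:
    """Keeps no per-peer state until the client proves it received the reply."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.key = secrets.token_bytes(32)  # server secret; rotated periodically in practice
        self.established: Set[str] = set()

    def _cookie(self, src: str, client_nonce: bytes) -> bytes:
        # Recomputable from the second message alone, so nothing is stored.
        # Binding to src stops a cookie obtained at one address being used from another.
        msg = src.encode() + b"|" + client_nonce
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:16]

    def on_hello(self, src: str, client_nonce: bytes) -> bytes:
        return self._cookie(src, client_nonce)  # constant cost, no allocation

    def on_ack(self, src: str, client_nonce: bytes, cookie: bytes) -> bool:
        if not hmac.compare_digest(cookie, self._cookie(src, client_nonce)):
            return False  # forged, or echoed from a different address
        if len(self.established) >= self.capacity:
            return False  # state is only spent on peers that proved reachability
        self.established.add(src)
        return True


LEGIT = "192.0.2.7"  # constructed client address (TEST-NET-1)


def flood_then_connect(server_kind: str, flood: int, capacity: int) -> bool:
    """Send `flood` spoofed hellos that are never acknowledged, then try a real handshake.

    Returns True if the legitimate client still obtains a connection.
    """
    if server_kind == "stateful":
        srv = StatefulServer(capacity)
        for i in range(flood):
            srv.on_hello(f"spoofed-{i}")  # attacker never sees the reply, never acks
        nonce = srv.on_hello(LEGIT)
        return nonce is not None and srv.on_ack(LEGIT, nonce)
    stateless = StatelessServer(capacity)
    for i in range(flood):
        stateless.on_hello(f"spoofed-{i}", secrets.token_bytes(8))
    client_nonce = secrets.token_bytes(8)
    cookie = stateless.on_hello(LEGIT, client_nonce)
    return stateless.on_ack(LEGIT, client_nonce, cookie)


def forged_cookie_rejected() -> bool:
    """An attacker without the server key cannot manufacture an acceptable cookie."""
    srv = StatelessServer(capacity=64)
    return not srv.on_ack("spoofed-0", b"\x00" * 8, secrets.token_bytes(16))


if __name__ == "__main__":
    print("stateful survives flood:", flood_then_connect("stateful", 100, 64))
    print("stateless survives flood:", flood_then_connect("stateless", 100, 64))
    print("forged cookie rejected:", forged_cookie_rejected())
```

With 100 spoofed hellos against a 64-entry table the stateful server refuses the legitimate client, while the stateless server answers every hello at constant cost and only spends a table slot on a peer that echoed a valid cookie. The price of statelessness is visible in the model too: the stateless server cannot retransmit its reply or notice duplicate hellos, and the cookie must be keyed and bound to the client's address, otherwise an attacker can precompute or replay acceptable second messages.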
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35515-3_53
Keywords
- Information Security
- Protocol Message
- Resource Allocation Model
- Information Warfare
- Client Authentication
Copyright information
© 2000 IFIP International Federation for Information Processing
About this paper
Cite this paper
Leiwo, J., Aura, T., Nikander, P. (2000). Towards Network Denial of Service Resistant Protocols. In: Qing, S., Eloff, J.H.P. (eds) Information Security for Global Information Infrastructures. SEC 2000. IFIP — The International Federation for Information Processing, vol 47. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35515-3_31
DOI: https://doi.org/10.1007/978-0-387-35515-3_31
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5479-7
Online ISBN: 978-0-387-35515-3
eBook Packages: Springer Book Archive