Secure TLS: Preventing DoS Attacks with Lower Layer Authentication

Völker, Lars; Schöller, Marcus

doi:10.1007/978-3-540-69962-0_20

Lars Völker⁵ &
Marcus Schöller⁶

Part of the book series: Informatik aktuell ((INFORMAT))

697 Accesses
2 Citations

Abstract

SSL/TLS has been designed to protect authenticity, integrity, and confidentiality. However, considering the possibility of TCP data injection, as described in [Wa04], it becomes obvious that this protocol is vulnerable to DoS attacks just because it is layered upon TCP. In this paper, we analyze DoS-attacks on SSL/TLS and describe a simple, yet effective way to provide protection for SSL/TLS by protecting the underlying TCP connection. We focus on a simple, feasible, and efficient solution, trying to balance security and usability issues by using the built-in key exchange of SSL/TLS to initialize TCP’s MD5 option.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 69.99; Price excludes VAT (USA)

Softcover Book: USD 89.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

[AAL⁺05]_Arends, R., Austein, R., Larson, M., Massey, D., und Rose, S. DNS Security Introduction and Requirements. RFC 4033. March 2005.
Google Scholar
Cox, A., Miller, D. S., und Schwartz, D. RFC2385 (MD5 signature in TCP packets) support. Linux Kernel Mailinglist. Mar 2002.
Google Scholar
Dierks, T. und Rescorla, E. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346. April 2006. Updated by RFCs 4366, 4680, 4681.
Google Scholar
Eastlake 3rd, D. und Jones, P. US Secure Hash Algorithm 1 (SHA1). RFC 3174. September 2001.
Google Scholar
Freier, A. O., Freier, A. O., und Kocher, P. C. The SSL Protocol Version 3.0. Draft. Nov 1998. http://wp.netscape.com/eng/ssl3/.
Google Scholar
[FGM⁺99]_Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., und Berners-Lee, T. Hypertext Transfer Protocol — HTTP/1.1. RFC 2616. June 1999. Updated by RFC 2817.
Google Scholar
Frankel, S. und Herbert, H. The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec. RFC 3566. September 2003.
Google Scholar
Heffernan, A. Protection of BGP Sessions via the TCP MD5 Signature Option. RFC 2385. August 1998.
Google Scholar
Jacobson, V., Braden, R., und Borman, D. TCP Extensions for High Performance. RFC 1323. May 1992.
Google Scholar
Kaufman, C. Internet Key Exchange (IKEv2) Protocol. RFC 4306. December 2005.
Google Scholar
Krawczyk, H., Bellare, M., und Canetti, R. HMAC: Keyed-Hashing for Message Authentication. RFC 2104. February 1997.
Google Scholar
Kent, S. IP Authentication Header. RFC 4302. December 2005.
Google Scholar
Kent, S. und Seo, K. Security Architecture for the Internet Protocol. RFC 4301. December 2005.
Google Scholar
Madson, C. und Glenn, R. The Use of HMAC-MD5-96 within ESP and AH. RFC 2403 (Proposed Standard). November 1998.
Google Scholar
Madson, C. und Glenn, R. The Use of HMAC-SHA-1-96 within ESP and AH. RFC 2404. November 1998.
Google Scholar
Mathis, M., Mahdavi, J., Floyd, S., und Romanow, A. TCP Selective Acknowledgement Options. RFC 2018. October 1996.
Google Scholar
McDonald, D., Metz, C, und Phan, B. PF_KEY Key Management API, Version 2. RFC 2367. July 1998.
Google Scholar
Metzger, P. und Simpson, W. IP Authentication using Keyed MD5. RFC 1828. August 1995.
Google Scholar
Netfilter-Group. The netfuter/iptables project homepage. Website. http://www.netfilter.org/.
Google Scholar
Postel, J. Transmission Control Protocol. RFC 793. September 1981. Updated by RFC 3168.
Google Scholar
Rivest, R. The MD5 Message-Digest Algorithm. RFC 1321 (Informational). April 1992.
Google Scholar
Rescorla, E. und Modadugu, N. Datagram Transport Layer Security. RFC 4347. April 2006.
Google Scholar
Richardson, M. und Redelmeier, D. Opportunistic Encryption using the Internet Key Exchange (IKE). RFC 4322. December 2005.
Google Scholar
Stewart, R. und Stewart, R. Improving TCP’s Robustness to Blind In-Window Attacks. Draft v5. Jun 2006.
Google Scholar
Watson, P. A.: Slipping in the Windows: TCP reset attacks. In: Cansecwest. 2004.
Google Scholar
Wang, X. und Yu, H.: How to break md5 and other hash functions. In: Advances in Cryptology-Eurocrypt. 2005.
Google Scholar
Zalewski, M. Strange Attractors and TCP/IP Sequence Number Analysis. Whitepaper. Apr 2001. http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm.
Google Scholar

Download references

Author information

Authors and Affiliations

Institute of Telematics, Universität Karlsruhe (TH), Karlsruhe
Lars Völker
Computing Department, Lancaster University, Lancaster
Marcus Schöller

Authors

Lars Völker
View author publications
You can also search for this author in PubMed Google Scholar
Marcus Schöller
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Institut für Informatik u. Angewandte Mathematik, Universität Bern, Neubrückstr. 10, CH-3012, Bern
Torsten Braun
Wilhelm-Schickard-Institut für Informatik, Universität Tübingen, Sand 13, D-72076, Tübingen
Georg Carle
Institut für Informatik, Universität Zürich, Binzmühlestr. 14, CH-8050, Zürich
Burkhard Stiller

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Völker, L., Schöller, M. (2007). Secure TLS: Preventing DoS Attacks with Lower Layer Authentication. In: Braun, T., Carle, G., Stiller, B. (eds) Kommunikation in Verteilten Systemen (KiVS). Informatik aktuell. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69962-0_20

Download citation

DOI: https://doi.org/10.1007/978-3-540-69962-0_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69961-3
Online ISBN: 978-3-540-69962-0
eBook Packages: Computer Science and Engineering (German Language)

Publish with us

Policies and ethics