Showing papers on "Denial-of-service attack published in 1997"


Proceedings ArticleDOI
04 May 1997
TL;DR: A new solution approach is introduced that offers protection against SYN flooding for all hosts connected to the same local area network, independent of their operating system or networking stack implementation, and requires neither special hardware, nor modifications in routers or protected end systems.
Abstract: The paper analyzes a network based denial of service attack for IP (Internet Protocol) based networks. It is popularly called SYN flooding. It works by an attacker sending many TCP (Transmission Control Protocol) connection requests with spoofed source addresses to a victim's machine. Each request causes the targeted host to instantiate data structures out of a limited pool of resources. Once the target host's resources are exhausted, no more incoming TCP connections can be established, thus denying further legitimate access. The paper contributes a detailed analysis of the SYN flooding attack and a discussion of existing and proposed countermeasures. Furthermore, we introduce a new solution approach, explain its design, and evaluate its performance. Our approach offers protection against SYN flooding for all hosts connected to the same local area network, independent of their operating system or networking stack implementation. It is highly portable, configurable, extensible, and requires neither special hardware, nor modifications in routers or protected end systems.

604 citations


Journal ArticleDOI
TL;DR: The authors analyze the TCP code via a "reverse engineering" technique called "program slicing" to identify several of these vulnerabilities, especially those that are related to the TCP state-transition diagram.
Abstract: The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is widely employed to interconnect computing facilities in today's network environments. However, there exist several security vulnerabilities in the TCP specification and additional weaknesses in a number of its implementations. These vulnerabilities may allow an intruder to "attack" TCP-based systems, enabling him/her to "hijack" a TCP connection or cause denial of service to legitimate users. The authors analyze the TCP code via a "reverse engineering" technique called "program slicing" to identify several of these vulnerabilities, especially those that are related to the TCP state-transition diagram. They discuss many of the flaws present in the TCP implementation of many widely used operating systems, such as SUNOS 4.1.3, SVR4, and ULTRIX 4.3. The corresponding TCP attack "signatures" (including the well-known 1994 Christmas Day Mitnick Attack) are described, and recommendations are provided to improve the security state of a TCP-based system (e.g., incorporation of a "timer escape route" from every TCP state). Also, it is anticipated that wide dissemination of this article's results may not only lead to vendor patches to TCP code to plug security holes, but also raise awareness of how program slicing may be used to analyze other networking software and how future designs of TCP and other software can be improved.

58 citations


Book ChapterDOI
07 Jul 1997
TL;DR: A method will be presented to specify and enforce a resource allocation policy to prevent denial of service attacks.
Abstract: A denial of service attack is an attempt by any authorized or unauthorized entity to allocate resources excessively in order to prevent normal operation of the system. A method will be presented to specify and enforce a resource allocation policy to prevent denial of service attacks. The resource allocation policy can be formally derived from a waiting time policy in which maximum acceptable response times for different processes are specified.

29 citations


Proceedings ArticleDOI
05 May 1997
TL;DR: This work identifies the μ-kernel related resources which are subject to denial of service attacks and defines μ-kernel mechanisms to defend against such attacks and demonstrates that system resource utilization can be managed by trusted user level servers to prevent denial of service attacks on such resources.
Abstract: A goal of World Wide Web operating systems (WebOSes) is to enable clients to download executable content from servers connected to the World Wide Web (WWW). This will make applications more easily available to clients, but some of these applications may be malicious. Thus, a WebOS must be able to control the downloaded content's behavior. We examine a specific type of malicious activity: denial of service attacks using legal system operations. A denial of service attack occurs when an attacker prevents other users from performing their authorized operations, even when the attacker may not be able to perform such operations. Current systems either do little to prevent denial of service attacks or have a limited scope of prevention of such attacks. For a WebOS, however, the ability to prevent denial of service should be an integral part of the system. We are developing a WebOS using the L4 μ-kernel as its substrate. We evaluate L4 as a basis of a system that can prevent denial of service attacks. In particular, we identify the μ-kernel related resources which are subject to denial of service attacks and define μ-kernel mechanisms to defend against such attacks. Our analysis demonstrates that system resource utilization can be managed by trusted user level servers to prevent denial of service attacks on such resources.

28 citations


01 Jan 1997
TL;DR: This paper identifies the μ-kernel-related resources which are subject to denial-of-service attacks and defines μ-kernel mechanisms to defend against such attacks and demonstrates that system resource utilisation can be managed by trusted, user-level servers to prevent denial-of-service attacks on such resources.
Abstract: A goal of World-wide Web operating systems (WebOSes) is to enable clients to download executable content from servers connected to the World-wide Web (WWW). This will make applications more easily available to clients, but some of these applications may be malicious. Thus, a WebOS must be able to control the downloaded content's behavior. In this paper, we examine a specific type of malicious activity: denial-of-service attacks using legal system operations. A denial-of-service attack occurs when an attacker prevents other users from performing their authorized operations even when the attacker may not be able to perform such operations. Current systems either do little to prevent denial-of-service attacks or have a limited scope of prevention of such attacks. For a WebOS, however, the ability to prevent denial-of-service should be an integral part of the system. We are developing a WebOS using the L4 μ-kernel as its substrate. In this paper, we evaluate L4 as a basis of a system that can prevent denial-of-service attacks. In particular, we identify the μ-kernel-related resources which are subject to denial-of-service attacks and define μ-kernel mechanisms to defend against such attacks. Our analysis demonstrates that system resource utilisation can be managed by trusted, user-level servers to prevent denial-of-service attacks on such resources.

15 citations


01 Aug 1997
TL;DR: This paper describes and solves analytic models of two 1-bit schemes recently proposed by Clark and Crowcroft and obtains expressions for performance measures that characterize the service provided to tagged packets, the service provided to non-tagged packets, and the prevalence of denial of service.
Abstract: Schemes using a single-bit priority field in IP packets have recently been proposed as a low-cost (both in terms of implementation and architectural changes from the current Internet architecture) way to augment the single-class best-effort service model of the current Internet to include some kind of service discrimination. Such schemes appear attractive; however, it is not yet clear what kind of service model they would provide to applications. We examine this in the paper. Specifically, we describe and solve analytic models of two 1-bit schemes recently proposed by Clark and Crowcroft; we obtain expressions for performance measures that characterize the service provided to tagged packets, the service provided to non-tagged packets, and the prevalence of denial of service (i.e. the percentage of tagged packets that do not get the better service). We use these expressions, as well as simulations and experiments from actual implementations on a testbed at INRIA, to illustrate the benefits and shortcomings of the schemes. We also discuss implications of our results, such as how these schemes can be used to transmit layered data and how they would interact with tariffing schemes.

11 citations


Journal Article
TL;DR: The SYN Denial of Service: What SYN really is, why it's needed in TCP/IP, why the denial of service attack works and how to prevent it.
Abstract: The SYN Denial of Service: What SYN really is, why it's needed in TCP/IP, why the denial of service attack works and how to prevent it

1 citation