
DoS attacks prevention

Avital Yachin, under supervision of Gal Badishi. SoftLab – June 2006.



  1. DoS attacks prevention. Avital Yachin, under supervision of Gal Badishi. SoftLab – June 2006

  2. What is DoS (diagram labels: server, client, attacker)

  3. What is DDoS (diagram labels: server, multiple zombies)

  4. Possible solutions
     • Firewall (specific ports)?
     • Heuristic (identifying and blocking the attacker)?
     • Client authentication?
     • At what level?

  5. Selected solution
     • Both sides authenticate the other side at the packet level.
     • Current implementation filters packets at the transport layer (UDP).
     • Can be generalized to the IP layer.

  6. How it works: Outgoing Packets (diagram labels: IP Header, IP Data, UDP Header, UDP Data, Key)

  7. How it works: Incoming Packets (diagram labels: IP Header, IP Data, UDP Header, UDP Data, Key; check: Key ?= Key)

  8. How it works (diagram labels: User mode, Kernel mode; Application, TCP/IP Driver, NDIS Driver, Network Card; NDIS Hook Driver; Encapsulator)

  9. Authentication Method
     • Hashing (SHA-1) of current time and a secret code.
     • Authentication token changes periodically (not for every packet → much cheaper).
     • Clock synchronization.
     • Client's secret code is known to server.

  10. Conclusions
     • There's no simple solution to wire flood.
     • Packets can be filtered at lower levels, thus preventing abuse of system resources.
     • Solution is "cheaper" than IPsec (but doesn't handle encryption).

  11. Future Enhancements
     • Filtering packets at the IP layer (solution for TCP and others).
     • Auto time synchronization.
     • Full kernel mode implementation (performance / flexibility tradeoff).

  12. Demo
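
The token scheme from slide 9 and the attach/compare steps from slides 6 and 7, sketched in user-space Python as an added example (not the presentation's driver code). The 30-second window, the trailer layout, the byte order and the ±1 window skew tolerance are assumptions; the slides specify none of them.

```python
import hashlib
import hmac
import struct

TOKEN_LEN = 20   # SHA-1 digest size in bytes
WINDOW = 30      # assumed token lifetime in seconds (not given in the slides)


def token(secret: bytes, now: float, offset: int = 0) -> bytes:
    """SHA-1 over the current time window and the shared secret (slide 9)."""
    window = int(now) // WINDOW + offset
    return hashlib.sha1(struct.pack(">Q", window) + secret).digest()


def encapsulate(payload: bytes, secret: bytes, now: float) -> bytes:
    """Outgoing path (slide 6): attach the current key to the UDP data.
    Appending it as a trailer is an assumed layout."""
    return payload + token(secret, now)


def decapsulate(data: bytes, secret: bytes, now: float, skew: int = 1):
    """Incoming path (slide 7): return the payload, or None to drop the packet."""
    if len(data) < TOKEN_LEN:
        return None
    payload, received = data[:-TOKEN_LEN], data[-TOKEN_LEN:]
    # Accept neighbouring windows so small clock drift does not drop valid traffic.
    for offset in range(-skew, skew + 1):
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(received, token(secret, now, offset)):
            return payload
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 1_150_000_000.0                   # constructed timestamp
    pkt = encapsulate(b"hello", secret, t0)
    print(decapsulate(pkt, secret, t0))                      # same window
    print(decapsulate(pkt, secret, t0 + 10 * WINDOW))        # stale token
    print(decapsulate(b"hello" + b"\x00" * 20, secret, t0))  # wrong key
```

Because the token depends only on the time window and the secret, it stays valid for every packet in that window and does not cover the payload, which is the cost of not recomputing it per packet.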
