Auburn University in Alabama has developed a new way of filtering out denial of service attacks on computer networks, including cloud computing systems, which it says could significantly improve security on government, commercial, and educational systems.
Commonly, Denial of Service (DoS) and distributed Denial of Service (DDoS) attacks involve simply saturating the target machine with external internet requests.
There are ways of configuring a network to filter out known DoS attack software and recognize some of the associated traffic patterns. However, current filters usually rely on the computer being attacked to check whether or not incoming information requests are legitimate or not. This consumes its resources and in the case of a massive DDoS can compound the problem.
The new filter circumvents this problem through a new passive protocol at each end of the connection: user and resource.
The protocol - Identity-Based Privacy-Protected Access Control Filter (IPACF) - blocks threats to the Authentication Servers, while allowing legitimate users with valid passwords to access private resources.
The user's computer has to present a one-off filter value for the server to do a quick check, along with a pseudo ID which is also one-time use. Attackers cannot forge either of these values correctly, says the researchers, and so attack packets are filtered out.
One potential drawback of the added layer of information transfer required for checking user requests is that it could add to the resources needed by the server.
However, the researchers have tested IPACF by simulating massive DDoS attacks on a network consisting of 1,000 nodes with 10Gbps bandwidth.
They found that the server suffers little degradation, negligible latency and minimal extra processor usage, even when the 10Gbps pipe to the authentication server is filled with DoS packets. Indeed, the IPACF takes just six nanoseconds to reject a non-legitimate information packet.
Details appear in the International Journal of Information and Computer Security.