Fess Parker's Doubletree, Santa Barbara, CA, USA
Nov. 12, 2006 to Nov. 12, 2006
Joseph Touch , Senior Member, IEEE, USC's Information Sciences Institute, Marina del Rey, CA, 90292 USA, 310-448-9151; e-mail: firstname.lastname@example.org
Yi-hua Yang , USC's Information Sciences Institute, Marina del Rey, CA, 90292 USA, 310-448-9151; e-mail: email@example.com
IP security is designed to protect hosts from attack, but can itself provide a way to overwhelm the resources of a host. One such denial of service (DoS) attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources to reject unwanted traffic. This paper examines the impact of such attacks, and provides a preliminary exploration of ways to reduce their impact. Measurements of the impact of DoS attack traffic on x86-based hosts in FreeBSD indicate that a single DoS attacker can reduce throughput by half. This impact can be reduced to approximately 20% by layering low-effort nonce validation on IPsec's more CPU-intensive cryptographic algorithms, but the choice of algorithm does not have as large an effect. This work suggests that effective DoS resistance requires an hierarchical defense using both nonces and strong cryptography at the endpoints.
Joseph Touch, Yi-hua Yang, "Reducing the Impact of DoS Attacks on Endpoint IP Security", NPSEC, 2006, IEEE Workshop on Secure Network Protocols, IEEE Workshop on Secure Network Protocols 2006, pp. 6-11, doi:10.1109/npsec.2006.320340