Stealth DoS Attacks on Secure Channels
نویسندگان
چکیده
We initiate study of the use of ‘secure tunnel’ protocols, specifically IPsec, and its availability and performance guarantees to higher-layer protocols, in particular TCP, against Denial/Degradation of Service (DoS) attacks. IPsec is designed to provide privacy and authentication against MITM attackers, and employs an anti-replay mechanism to ensure performance. For our analysis, we define a new family of adversaries, the stealth denial and degradation of service (DoS) adversaries. These adversaries are weaker than the classical MITM adversary, and may be of interest in other works. We analyse their ability to launch (DoS) attacks on secure channels, and show realistic amplification attacks, disrupting TCP communication over secure VPNs using IPsec. In particular, we show that antireplay mechanism is critical for performance by launching a DoS attack on communication over IPsec without antireplay window. We present attacks exploiting insufficient IPsec anti-replay window size, and show how to calculate correct window size. Finally we present attacks on IPsec with correctly adjusted anti-replay window size thus showing that even large anti-replay window does not ensure performance to TCP flows. We then suggest a fix to TCP in IPsec gateway designed to prevent the above attacks, and to provide secure channel immune to degradation and other DoS attacks. Our solution involves changes (only) to the sending gateway machines running IPsec. In addition to their practical importance, our results also raise the challenge of formally defining secure channels immune to DoS and degradation attacks, and providing provably-secure implementations. ∗[email protected] †[email protected]
منابع مشابه
Stealth-MITM DoS Attacks on Secure Channels
We de ne stealth Man-in-the-Middle adversaries, and analyse their ability to launch denial and degradation of service (DoS) attacks on secure channels. We show realistic attacks, disrupting TCP communication over secure VPNs using IPsec. We present: 1. First amplifying DoS attack on IPsec, when deployed without anti-replay window. 2. First amplifying attack on IPsec, when deployed with a `small...
متن کاملIntrusion Tolerance of Stealth DoS Attacks to Web Services
This paper focuses on one of the most harmful categories of Denial of Service attacks, commonly known in the literature as “stealth” attacks. They are performed avoiding to send significant volumes of data, by injecting into the network a low-rate flow of packets in order to evade rate-controlling detection mechanisms. This work presents an intrusion tolerance solution, which aims at providing ...
متن کاملDoS-Resistant Attribute-Based Encryption in Mobile Cloud Computing with Revocation
Security and privacy are very important challenges for outsourced private data over cloud storages. By taking Attribute-Based Encryption (ABE) for Access Control (AC) purpose we use fine-grained AC over cloud storage. In this paper, we extend previous Ciphertext Policy ABE (CP-ABE) schemes especially for mobile and resource-constrained devices in a cloud computing environment in two aspects, a ...
متن کاملHMAC-Based Authentication Protocol: Attacks and Improvements
As a response to a growing interest in RFID systems such as Internet of Things technology along with satisfying the security of these networks, proposing secure authentication protocols are indispensable part of the system design. Hence, authentication protocols to increase security and privacy in RFID applications have gained much attention in the literature. In this study, security and privac...
متن کاملHexPADS: A Platform to Detect "Stealth" Attacks
Current systems are under constant attack from many different sources. Both local and remote attackers try to escalate their privileges to exfiltrate data or to gain arbitrary code execution. While inline defense mechanisms like DEP, ASLR, or stack canaries are important, they have a local, program centric view and miss some attacks. Intrusion Detection Systems (IDS) use runtime monitors to mea...
متن کامل