Foreign-language conference: Simulation Multiconference

Using Identity-Based Privacy-Protected Access Control Filter (IPACF) To Against Denial of Service Attacks and Protect User Privacy

Abstract

Denial of service (DoS)/Distributed DoS (DDoS) attack is an eminent threat to an authentication server, which is used to guard access to firewalls, virtual private networks and wired/wireless networks. The major problem is that an authentication server needs to verify whether a request is from a legitimate user, and if intensive computation and/or memory resources are needed to verify a request, then a DoS/DDoS attack is feasible. In this paper, a new protocol called Identity-Based Privacy-Protected Access Control Filter (IPACF) is proposed to counter DoS/DDoS attacks. This protocol is an improvement of IDF (Identity-Based Dynamic Access Control Filter). The proposed protocol is stateless because it does not create a state for an authentication request unless the request is from a legitimate user. Moreover, the IPACF is stateless for both user and authentication server since a user and responder authenticate each other. A filter value, which is generated by pre-shared secrets, is sent in a frame and checked to see if the request is legitimate. Note that checking the filter value is not computationally intensive. The filter value is tabulated in a table with the user identity, so that a filter value represents a user's identity and only the legitimate user and authentication server can figure out the identity. When a filter value is from a legitimate source, a new filter value will be generated for the next frame. Consequently, the filter value is changed for every frame. Thus the privacy of both user and server is protected. The IPACF is implemented for both user and authentication server. The performance of the implementation is reported in this paper. In order to counter more DoS/DDoS attacks that issue fake requests, a parallel processing technique is used to implement the authentication server, which is divided into server 1 and server 2. Server 1 only checks the validity of the request filter value against the filter value table. If the request is legitimate, the request will be passed to server 2 for generating a new filter value; otherwise, the fake request is rejected by server 1. The performance comparison of dual server and single server is also reported.
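The table-lookup filtering and per-frame rotation described in the abstract, as an added sketch that is not the paper's code or its actual construction: the HMAC-SHA256 derivation over a frame counter, the 16-byte truncation and all names (`next_filter`, `FilterTable`, `Client`) are assumptions made for illustration.

```python
import hashlib
import hmac


def next_filter(secret: bytes, counter: int) -> bytes:
    # Assumed derivation (not from the paper): HMAC over a frame counter.
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:16]


class FilterTable:
    """Maps each user's currently expected filter value to their identity."""

    def __init__(self):
        self._by_filter = {}  # filter value -> (user_id, secret, counter)
        self.rejected = 0

    def enroll(self, user_id: str, secret: bytes) -> None:
        self._by_filter[next_filter(secret, 0)] = (user_id, secret, 0)

    def check(self, value: bytes):
        # "Server 1" role: a single table lookup, no cryptography and no
        # state created for a request that does not match.
        entry = self._by_filter.get(value)
        if entry is None:
            self.rejected += 1
        return entry

    def rotate(self, value: bytes, entry) -> str:
        # "Server 2" role: reached only for legitimate requests; replaces
        # the used value so every frame carries a different one.
        user_id, secret, counter = entry
        del self._by_filter[value]
        new_value = next_filter(secret, counter + 1)
        self._by_filter[new_value] = (user_id, secret, counter + 1)
        return user_id

    def handle(self, value: bytes):
        entry = self.check(value)
        return None if entry is None else self.rotate(value, entry)


class Client:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def frame(self) -> bytes:
        value = next_filter(self.secret, self.counter)
        self.counter += 1
        return value
```

A lost frame desynchronises this counter-based sketch; how IPACF itself handles that case is not stated in the abstract.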