• Corpus ID: 5961

EIP - Preventing DDoS with Ephemeral IP Identifiers Cryptographically Generated

Ricardo Martins, José Legatheaux Martins, Henrique João L. Domingos

Nowadays, denial of service (DoS) attacks represent a significant fraction of all attacks that take place in the Internet and their intensity is always growing. The main DoS attack methods consist of flooding their victims with bogus packets, queries or replies, so as to prevent them from fulfilling their roles. Preventing DoS attacks at network level would be simpler if end-to-end strong authentication in any packet exchange was mandatory. However, it is also likely that its mandatory adoption… 
1 Citation

Lisp Mapping System as DoS Amplification Vector
This letter explores how control messages can be an amplification vector for DoS attacks, and evaluates the possible amplification factor based on a real deployment, showing that the amplification factor exists.


A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks
The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Booters — An analysis of DDoS-as-a-service attacks
The characteristics of 14 distinct Booters are analysed based on more than 250 GB of network data from real attacks to show that Booters pose a real threat that should not be underestimated, especially since the analysis suggests that they can easily increase their firepower based on their current infrastructure.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
A simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point is discussed.
Preventing DDoS attacks by identifier/locator separation
It is argued that identifier/location separation can also help prevent distributed denial-of-service (DDoS) attacks and numerical results are presented to demonstrate that, even if many zombies attack a victim, identifier/locator separation helps detect DDoS attacks.
Host Identity Protocol (HIP): Connectivity, Mobility, Multi-Homing, Security, and Privacy over IPv4 and IPv6 Networks
An in-depth look at HIP is provided, discussing its architecture, design, benefits, potential drawbacks, and ongoing work.
AmpPot: Monitoring and Defending Against Amplification DDoS Attacks
It is found that the vast majority of attacks are short-lived and most victims are attacked only once, which is confirmed by the detailed analysis of four popular Linux-based DDoS botnets.
Is it congestion or a DDoS attack?
The inability of representative defense schemes such as adaptive queue management and aggregate congestion control to detect the quiet attack is demonstrated and it is shown that short-lived TCP flows can be intentionally misused.
TLS Client Puzzles Extension
Client puzzles allow a TLS server to defend itself against asymmetric DDoS attacks and allow servers to employ a layered defense that represents an improvement over pure rate-limiting strategies.
Designing a Deployable Future Internet: the Locator/Identifier Separation Protocol (LISP) case
This work uses LISP as a reference to describe the different design choices necessary to achieve deployability, which is the ultimate goal of any new Future Internet architecture.
Rate-limiting State
By design, the Internet core is dumb, and the edge is smart, which has enabled the Internet’s wildcat growth, since without complexity the core can grow at the speed of demand.