Denial of service attacks can be defended against using different defense mechanisms at various locations in the network (Abliz, 2011). These mechanisms aim to prevent an attack from causing damage to the network. The most common ones are filtering of spoofed packets, self-certifying addresses and secure overlays.
Filtering spoofed packets
Studies have shown that DoS attackers use IP address spoofing to hide the origin of an attack; the amplification and reflection techniques they rely on depend on it. Filtering defense mechanisms have therefore been designed to prevent DoS attack traffic with spoofed source addresses from reaching the target by dropping packets with false IP addresses (AsosheH, & Ramezani, 2008). Spoofed-packet filtering uses various techniques such as Martian address filtering and source address validation, ingress/egress filtering, route-based filtering, the source address validity enforcement protocol, hop-count filtering, IPv4 source guard and Passport.
Martian Address Filtering and Source Address Validation: This technique works by specifying that a router should not permit the passage of any Martian packet, that is, a packet whose source or destination is an IP address designated as reserved by the Internet Assigned Numbers Authority (IANA). The source address validation technique requires the router to filter traffic based on a comparison of the forwarding table and the source address of a packet (Kulkarni, & Bush, 2006). When this filtering is enabled, the router silently drops a packet if the interface on which it was received is not the interface on which a packet would be forwarded to reach the address contained in its source field. Martian address filtering, on the other hand, prevents spoofing only for a small set of addresses. The combination of Martian address filtering and source address validation ensures that source address spoofing is completely eliminated on the network.
Ingress/egress filtering: Ingress/egress filtering permits traffic to enter or leave the network only if its source address is within the expected range of IP addresses. Ingress filtering is the filtering of traffic entering the network, while egress filtering is the filtering of traffic exiting it (Abliz, 2011). Both rely on knowing which addresses are expected at a particular port.
Route-Based Filtering: Route-based distributed packet filtering (DPF) was proposed by Park and Lee with the objective of filtering out spoofed packet flows. DPF relies on routing information to examine whether a packet arriving at a router, such as the border router of an AS, is consistent with its inscribed source and destination addresses, given the reachability restrictions imposed by routing and the network topology. DPF has several limitations, however (Abliz, 2011). For example, if multiple routes are allowed for packets from a source, it becomes easier for attackers to use spoofed source IP addresses that circumvent route-based filtering. In addition, DPF sometimes drops legitimate packets when there has recently been a route change.
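The three filtering checks above (Martian address filtering, strict source address validation against the forwarding table, and ingress filtering by expected prefix at a port) combined into one packet-filter decision. This is an added example, not code from the page or from any of the cited works; the forwarding table, the port-to-prefix map and the bogon list are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed list of IANA special-purpose ("Martian"/bogon) prefixes (a subset).
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]

# Constructed forwarding table: prefix -> egress interface (longest-prefix match).
FIB = {ipaddress.ip_network(p): i for p, i in (
    ("203.0.113.0/24", "eth1"),    # customer network behind eth1
    ("198.51.100.0/24", "eth2"),   # customer network behind eth2
    ("0.0.0.0/0", "eth0"))}        # default route towards the upstream

# Constructed ingress policy: source prefixes expected at a customer-facing port.
EXPECTED = {"eth1": [ipaddress.ip_network("203.0.113.0/24")]}

def is_martian(addr):
    return any(addr in net for net in MARTIANS)

def fib_lookup(addr):
    # Longest-prefix match; the default route guarantees a result.
    best = max((net for net in FIB if addr in net), key=lambda n: n.prefixlen)
    return FIB[best]

def rpf_check(src, in_iface):
    # Strict source address validation: the packet must arrive on the interface
    # the router itself would use to reach the source. (Strict mode rejects
    # legitimate traffic under asymmetric routing; loose mode only checks that
    # some route to the source exists.)
    return fib_lookup(src) == in_iface

def ingress_check(src, in_iface, expected=EXPECTED):
    # Ingress filtering at a port with a known address range; ports without an
    # entry in the policy are not checked here.
    return in_iface not in expected or any(src in n for n in expected[in_iface])

def filter_packet(src_str, dst_str, in_iface):
    """Return the filtering decision for a packet received on in_iface."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    if is_martian(src) or is_martian(dst):
        return "drop: martian"
    if not ingress_check(src, in_iface):
        return "drop: ingress"
    if not rpf_check(src, in_iface):
        return "drop: rpf"
    return "forward"
```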
During the early stages of network design, accountability received very little attention and the accountability of IP addresses was overlooked. Self-certifying addresses were introduced to address this issue of IP address accountability in the network. Two specific methods are used to improve the accountability of IP addresses: the Host Identity Protocol and the Accountable Internet Protocol.
Host Identity Protocol: The designers of the Host Identity Protocol (HIP) proposed a new namespace, the Host Identity namespace, and a new protocol layer, the Host Identity Protocol, between the transport and internetworking layers. Each host may have more than one host identifier, but no two hosts can have the same host identifier (Abliz, 2011). The difference between a host identity and a host identifier is that the host identity is the abstract entity being identified, whereas the host identifier is the concrete bit pattern used in the identification process.
Accountable Internet Protocol (AIP): AIP was designed to eliminate the lack of a secure binding between a host and its IP address, and between an AS number and the IP prefixes owned by that AS. AIP uses self-certifying addresses to detect source address spoofing, and a shut-off mechanism implemented in the network interface that enables a receiver to send a signed shut-off message to a sender from which it does not want to receive traffic (AsosheH, & Ramezani, 2008). Because of AIP's effectiveness and simplicity in preventing DoS attacks, future-generation internet protocols are expected to rely on this technology.
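How a self-certifying address ties a message to a key, as an added example that is not from the page, HIP or AIP: the address is a hash of the public key, so a receiver can check that the key presented with a signed message (for instance an AIP shut-off) really belongs to the claimed address before checking the signature. To stay within the Python standard library, a Lamport one-time signature stands in for the public-key scheme a real deployment would use; the 160-bit address length and message format are constructed choices.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def pk_encode(pk) -> bytes:
    return b"".join(a + b for a, b in pk)

def self_certifying_address(pk) -> bytes:
    # The address is derived from the public key itself, so no registry is
    # needed to bind the two: whoever holds the key owns the address.
    return H(pk_encode(pk))[:20]

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per bit of the message hash. A Lamport key must be
    # used for a single message only.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

def accept(claimed_addr: bytes, pk, msg: bytes, sig) -> bool:
    # Receiver-side check for any signed message, e.g. a shut-off request:
    # 1) the presented key must hash to the claimed source address,
    # 2) the signature must verify under that key.
    return self_certifying_address(pk) == claimed_addr and verify(pk, msg, sig)
```

A sender that spoofs another host's address cannot pass step 1 without that host's key, and a host that does hold the key is accountable for what it signs.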
The objective of secure overlays is to prevent DoS attacks on the limited set of networks they protect by routing traffic destined to a protected network through an overlay network built on top of IP. Secure overlays ensure that only authorized users are allowed to access the network, providing DoS resistance and redundancy, which makes it impossible for attackers to mount a DoS attack against the secured networks or servers (Abliz, 2011). The secure overlay mechanism depends on the assumption that the overlay servers are the only way for hosts outside the trusted domain of the protected network to communicate with it. The secure overlay approach uses two methods to protect the network from DoS attacks: Secure Overlay Services (SOS) and secure-i3.

Secure Overlay Services (SOS): This technique selects a set of nodes distributed throughout a wide-area network and logically links them through secure tunnels. The purpose of the SOS architecture is to permit communication only between a protected site and a user who has been given prior permission to visit it (AsosheH, & Ramezani, 2008). SOS is very effective in preventing DoS attacks since, if an access point is attacked, it simply chooses an alternative one. In addition, a node that is attacked within the overlay is allowed to leave it.