11-04-2014, 12:06 PM
A Federated Overlay Network for Denial of Service defense in the Internet
Introduction
Denial of service attacks are one of the most difficult problems the Internet faces. Using a single machine, or the collective effort of a number of machines, an attacker can overwhelm even a very large server by sending repeated illegitimate requests. This makes the server inaccessible to legitimate users. The Internet is not very adept at handling this kind of attack.
High-level FONet architecture and operation
Image taken from the paper titled "FONet: A Federated Overlay Network for DoS Defense in the Internet (A Position Paper)" by Jinu Kurian and Kamil Sarac.
This paper, titled "FONet: A Federated Overlay Network for DoS Defense in the Internet (A Position Paper)" by Jinu Kurian and Kamil Sarac, provides a way to tackle such DoS attacks.
The paper proposes the use of a FONet node which authenticates whether a user is legitimate before relaying his/her request to the actual server. It is important that the server does not store any user information, i.e. it is a stateless node. We use certificates to achieve this. The FONet node will just verify an encrypted certificate against the user's ID, since both the certificate and the user ID are sent to the FONet by the user and neither is saved at the FONet. The FONet will forward all messages from legitimate users to the server.
Replay Attacks
It is possible that an interceptor might copy a message and send it back to the receiver to try to authenticate himself. To thwart this kind of attack we attach a nonce, i.e. a random number, and each time a reply is given to the message the number is incremented. The nonce is used only once, and we use some kind of timestamp function to generate it.
Key generation
There are 3 types of nodes in this implementation, and among them the server and the FONet node have their own public/private key pairs. We generate these key pairs using the RSA algorithm. We use the SHA algorithm to compute a hash of messages when using public/private key encryption.
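As an added example (not code from the paper or from this post), the replay and key-handling checks above modelled in Python with only the standard library: the FONet node verifies an RSA-signed, SHA-256-hashed certificate against the user ID and a timestamp-based nonce, refuses stale nonces and replays, and keeps no user records beyond a cache of nonces seen inside the freshness window. The toy Mersenne-prime RSA pair, the 30-second window, the nonce cache and the assumption that the certificate covers both the user ID and the nonce are all assumptions, since the text does not say who signs the certificate or exactly what it contains.

```python
import hashlib
import time

# Toy RSA parameters so the example runs with the standard library only.
# Two Mersenne primes: fine for illustration, far too small and structured
# to be secure. A real FONet node would load keys from a crypto library.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
E = 65537                              # public exponent (verification key)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (issuing key)
FRESHNESS_WINDOW = 30                  # seconds a nonce stays valid (assumed)


def digest(user_id: str, nonce: int) -> int:
    """SHA-256 over the fields the certificate covers, reduced mod N."""
    h = hashlib.sha256(f"{user_id}|{nonce}".encode()).digest()
    return int.from_bytes(h, "big") % N


def issue_certificate(user_id: str, nonce: int, d: int = D) -> int:
    """Issuer side: RSA-sign SHA-256(user_id|nonce) with the private key."""
    return pow(digest(user_id, nonce), d, N)


class FONetNode:
    """Checks a request before relaying it; stores no user records, only a
    bounded cache of (user, nonce) pairs seen inside the freshness window."""

    def __init__(self, issuer_pubkey: int = E):
        self.e = issuer_pubkey
        self.seen = {}                 # (user_id, nonce) -> time accepted

    def verify(self, user_id: str, nonce: int, cert: int, now=None) -> str:
        now = time.time() if now is None else now
        # Expire old entries so the cache never grows beyond one window.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t < FRESHNESS_WINDOW}
        # The nonce is timestamp-based (per the paper), so staleness is a
        # clock comparison: anything outside the window is refused outright.
        if abs(now - nonce) > FRESHNESS_WINDOW:
            return "reject: stale nonce"
        key = (user_id, nonce)
        if key in self.seen:
            return "reject: replay"
        if pow(cert, self.e, N) != digest(user_id, nonce):
            return "reject: bad certificate"
        self.seen[key] = now
        return "relay"
```

Binding the nonce into the signed data is what makes the replay check meaningful; a certificate over the user ID alone would still verify when presented with a new nonce.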