An experimental study on the applicability of SYN cookies to networked constrained devices
| Author: | Pablo Garaizar, Juan Jose Echevarria, Jon Legarda |
|---|---|
| Year of publication: | 2017 |
| Subject: | Engineering; Class (computer programming); 020208 electrical & electronic engineering; 020206 networking & telecommunications; Denial-of-service attack; 02 engineering and technology; SYN cookies; Computer security; Server; 0202 electrical engineering, electronic engineering, information engineering; The Internet; SYN flood; Queue; Protocol (object-oriented programming); Software; Computer network |
| Source: | Software: Practice and Experience. 48:740-749 |
| ISSN: | 0038-0644 |
| Description: | Summary: The Internet protocol suite is increasingly used on devices with constrained resources that operate as both clients and servers within the Internet of Things paradigm. However, these devices usually apply few—if any—security measures. Therefore, they are vulnerable to network attacks, particularly to denial of service attacks. The well-known SYN flood attack works by filling up the connection queue with fake SYN requests. When the queue is full, new connections cannot be opened until some entries are removed after a time-out. Class 2 constrained devices—according to RFC 7228—are highly vulnerable to this attack because of their limited available memory, even in low-rate attacks. This paper analyses and compares in a class 2 constrained device the performance of 2 commonly used defence mechanisms (i.e., recycle half-open connections and SYN cookies) during a low-rate SYN flood. We first review 2 SYN cookies implementations (i.e., Linux and FreeBSD) and compare them with a hybrid approach in a class 2 device. Finally, experimental results prove that the proposed SYN cookies implementation is more effective than recycling the oldest half-open connections. |
| Database: | OpenAIRE |