01001: Denial of Service/Protection Bases

By: Pat Adams
A model for denial-of-service attacks has been around since at least 1983, so why the current problems with SYN floods? Denial of service protection bases, as defined by the Yu-Gligor model, can be built into the operating system, where they handle the interrupts for the tasks that are to be protected from denial of service attacks. The protection base is part of the operating system and must be kept running continuously, or at least whenever there is a threat of a denial of service attack, which for most multi-user systems means continuously. Its job is to kill processes that attempt to hog system resources, or at least suspend them temporarily, so that every process it protects gets a chance to run. What this means from a hacker's standpoint is that denial of service protection bases have a vulnerability: they must choose which processes get more time, and the designer must set the upper limits of resource use. So while a denial of service attack would normally consist of a few large processes or many small ones, a mid-sized attack could be used to target a specific type of activity.

Say, for instance, a targeted user is running a large word processor while a friendly user is using a small editor or another program that uses few resources. By mounting a denial of service attack with mid-sized processes, the target would look like the hog of system resources, and the denial of service protection base would move resources away from him to keep the finite waiting time requirement satisfied. Assuming the protection base uses a conventional time-slicing algorithm that lengthens time slices when system use is low and shortens them during high activity, the large process would find the slices given to it insufficient to complete its system calls, so it would need more slices for each task, while the simpler editor would still accomplish its tasks within the shorter slices.

Just another reason Microsoft sucks.

The finite waiting time limit implemented in the denial of service protection base could also be used to speed up the Internet. By counting users as processes, the protection base could be applied in a few ways when system resources near their low limit. By ranking higher-level users above others (such as an on-site or named account over anonymous and remote logins), the higher-level users would receive their time shares first. As resources approach a certain point, new logins could be refused, keeping an emergency pool of system resources for current users.
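To make the two points above concrete (the mid-sized attack that makes a large process look like the hog, and the ranking of named accounts above anonymous logins), here is a toy scheduler simulation added to this article; it is not code from the Yu-Gligor or Millen papers, and the slice lengths, call costs, process names and the "peers of equal or higher priority" rule are constructed assumptions.

```python
# Toy model of a DoS protection base with load-sensitive time slicing.
# Constructed illustration; all numbers are assumptions, not from the article.
from dataclasses import dataclass

@dataclass
class Proc:
    name: str
    call_cost: int   # slice units one system call needs to finish
    calls_left: int  # remaining work, counted in system calls
    priority: int    # 1 = named/on-site account, 0 = anonymous/remote

BASE_SLICE = 16  # slice length (units) when only one process is runnable

def slice_for(p, runnable, ranked):
    """Slice shrinks as activity rises. With ranking, only processes of equal
    or higher priority count toward p's load, so lower-ranked processes
    cannot shorten its slice (the article's 'time shares first' idea)."""
    peers = [q for q in runnable if not ranked or q.priority >= p.priority]
    return max(1, BASE_SLICE // len(peers))

def simulate(attack, ranked, rounds=5):
    """Round-robin for `rounds` rounds; a system call completes only if the
    slice is at least call_cost long. Returns completed calls per process."""
    procs = [Proc("target_wp", 4, 3, 1),   # large word processor (the target)
             Proc("friend_ed", 1, 3, 1)]   # small editor (friendly user)
    if attack:                              # six mid-sized, never-finishing hogs
        procs += [Proc(f"hog{i}", 2, 10**6, 0) for i in range(6)]
    done = {p.name: 0 for p in procs}
    for _ in range(rounds):
        runnable = [p for p in procs if p.calls_left > 0]
        for p in runnable:
            if slice_for(p, runnable, ranked) >= p.call_cost:
                p.calls_left -= 1
                done[p.name] += 1
    return done

if __name__ == "__main__":
    for attack, ranked in [(False, False), (True, False), (True, True)]:
        d = simulate(attack, ranked)
        print(f"attack={attack} ranked={ranked}: "
              f"target={d['target_wp']} friend={d['friend_ed']}")
```

Under load the unranked base hands the large process slices too short for any of its calls, so it makes no progress while the small editor finishes; ranking the named accounts' load separately restores the target's progress.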

Denial of service protection bases of the Yu-Gligor model are set to randomly revoke resources from, or grant them to, one of two processes, instead of evaluating which one is owned by the more important program or user; this most likely saves processor power and time, not to mention keeping the operating system less complicated.

Denial of service protection bases deny service to processes they view as malicious, which is a kind of contradiction in terms. Some resources may be shared, and an efficient way of sharing resources would help protect against denial of service attacks.

[ Author's Note: This article was written after reading from the following source: Millen, Jonathan K. "A Resource Allocation Model For Denial of Service Protection". Journal of Computer Security. Vol. 2, Nos. 2,3: 1993. If you are interested in further exploring the topic, and many others, go to your local university library and read some of the journals. JoCS is rather abstract, but still interesting, if somewhat dry reading. -oc ]
