Benjamin Rothenberger, ETH Zurich
From 12.00 until 13.30
At CNB/F/110 (Lunch) + CNB/F/100.9 (Seminar), ETH Zurich
Universitätstrasse 6, 8092 Zurich
IP address spoofing allows large-scale Distributed Denial of Service (DDoS) reflection attacks. In these attacks, an adversary sends the initial packet of a communication protocol to a reflector, without performing a full handshake. An efficient first-packet authentication system can mitigate such attacks. This work presents the design, implementation, analysis, and experimental evaluation of PISKES, an efficient first-packet authentication system, that scales to Internet-wide deployment and is based on symmetric cryptography for authentication and verification. In PISKES, latency-critical operations are moved to the client side, whereas a victim server can efficiently verify source authenticity. We show the effectiveness and scalability of our system through a prototype implementation that is able to verify a packet within 85 ns.