• Title/Summary/Keyword: valid session (유효세션)


The automatic generation of MPTCP session keys using ECDH (MPTCP에서 ECDH를 이용한 세션 키 자동생성에 관한 연구)

  • Sun, Seol-hee; Kim, Eun-gi
    • Journal of the Korea Institute of Information and Communication Engineering / v.20 no.10 / pp.1912-1918 / 2016
  • MPTCP (Multipath Transmission Control Protocol) is able to compose many TCP paths when two hosts connect, and data can be transported through these paths simultaneously. When a new path is added, authentication between both hosts is necessary to check the validity of the host. So, MPTCP exchanges a key when initiating a connection and makes a token from this key for authentication. However, the original MPTCP is vulnerable to MITM (Man In The Middle) attacks because the key is transported in clear text. Therefore, we applied an ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm to the original MPTCP and replaced the original key with the ECDH public key. By generating the secret key after the public key exchange, only the two hosts are able to make the token, using the secret key, to add a new subflow. Also, we designed and implemented a method supporting encryption and decryption of data using a shared secret key to add confidentiality to the original MPTCP.

A Patching-Based VOD System supporting VCR Operations (VCR 동작을 지원하는 패칭 기반의 주문형 비디오 시스템)

  • 조창식; 마평수; 이기호; 강지훈
    • Journal of KIISE: Information Networking / v.30 no.1 / pp.9-16 / 2003
  • In this paper, we propose a method for supporting VCR operations in a patching-based multicast VOD system. Random access, pause and resume operations are supported in our system, and channel and session scheduling algorithms for the VCR operations are proposed. When it is necessary to join a sharable multicast channel in the admission control for the VCR operations, the patching technique, which shares an on-going regular channel and allocates a new patching channel for the missing data, is used. Therefore, unlike the previous approach that allocates an excessive number of I-channels, service latency is minimized and channel usage is optimized in our system. Moreover, buffered data, which is saved on disk during patching, is reused to prevent unnecessary patching channel allocation. For this, the patching management information is extended and a buffered data management scheme is proposed. In our system, First-Come-First-Served scheduling is used to inform clients of the service latency for the VCR operations immediately.

Implementation of High Performance TCP Proxy Logic against TCP Flooding Attack on Network Interface Card (TCP 플러딩 공격 방어를 위한 네트워크 인터페이스용 고성능 TCP 프락시 제어 로직 구현)

  • Kim, Byoung-Koo; Kim, Ik-Kyun; Kim, Dae-Won; Oh, Jin-Tae; Jang, Jong-Soo; Chung, Tai-Myoung
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.2 / pp.119-129 / 2011
  • TCP-related flooding attacks still dominate Distributed Denial of Service attacks. It is a great challenge to accurately detect TCP flood attacks in a high-speed network. In this paper, we propose the NIC_Cookie logic implementation, a kind of security offload engine against TCP-related DDoS attacks, on a network interface card. NIC_Cookie is itself robust against DDoS attacks and is independent of the server OS and the external network configuration. It supports a packet-level response method rather than an IP-based one, so it can handle attacks from NAT-based user groups. We evaluate that the latency of the NIC_Cookie logic is $7 \times 10^{-6}$ seconds and we show 2 Gbps wire-speed performance through a benchmark test.

An Adaptive Server Clustering for Terminal Service in a Thin-Client Environment (썬-클라이언트 환경에서의 터미널 서비스를 위한 적응적 서버 클러스터링)

  • Jung Yunjae; Kwak Hukeun; Chung Kyusik
    • Journal of KIISE: Information Networking / v.31 no.6 / pp.582-594 / 2004
  • In school PC labs or other educational PC labs with a few dozen PCs, computers are configured in a distributed architecture so that they are set up, maintained and upgraded separately. As an alternative to the distributed architecture, we can consider a thin-client computing environment. In a thin-client computing environment, client-side devices mainly provide I/O functions with a user-friendly GUI and multimedia processing support, whereas remote servers called terminal servers provide the computing power. In order to support many clients in this environment, a cluster of terminal servers can be configured. In this architecture, because of terminal session persistence and the differing computing usage patterns of users, the utilization of terminal server resources becomes low. To overcome this disadvantage, we propose an adaptive terminal cluster where terminal servers are partitioned into groups and a terminal server in a lightly loaded group can be dynamically reassigned to a heavily loaded group at run time. The proposed adaptive scheme is compared with a generic terminal service cluster and a group-based non-adaptive terminal server cluster. Experimental results show the effectiveness of the proposed scheme.

Implementation and Validation of the Web DDoS Shelter System(WDSS) (웹 DDoS 대피소 시스템(WDSS) 구현 및 성능검증)

  • Park, Jae-Hyung; Kim, Kang-Hyoun
    • KIPS Transactions on Computer and Communication Systems / v.4 no.4 / pp.135-140 / 2015
  • The WDSS improves defensive capacity against web application layer DDoS attacks by using a web cache server and an L7 switch, which are added to the DDoS shelter system. When a web DDoS attack occurs, security agents divert traffic from the backbone network to the sub-network of the WDSS, and then the DDoS protection device and the L7 switch block abnormal packets. In the meantime, the web cache server responds only to requests from normal clients and maintains stable web service. In this way, the WDSS can counteract web DDoS attacks that generate little traffic but deplete server-client session resources. Furthermore, the WDSS does not require IP tunneling because it is not necessary to retransfer the normal requests to the original web server. In this paper, we validate the operation of the WDSS and verify its defensive capability against web application layer DDoS attacks. In order to do this, we built the WDSS on the backbone network of an ISP, and we performed web DDoS tests using a testing system that consists of zombie PCs. The tests were performed with three types and various volumes of web DDoS attacks. Test results suggest that the WDSS can detect low-traffic web DDoS attacks that do not have a repeating flow, whereas the existing DDoS shelter system cannot.