
Control of virtual connections in the distributed CS

If the communication system between the remote objects of a distributed CS does not provide reliable algorithms for controlling connections, then, having eliminated one type of remote attack on connections, the system can still be subjected to another type of remote attack: denial of service.

Therefore, to ensure the reliable functioning and availability of each object of a distributed CS, it is first necessary to control the process of creating a connection.

The second task is obvious: since a network operating system cannot hold an infinite number of open virtual channels (VCs) at once, a VC that stays idle for a certain system timeout must be closed.

Next, consider a possible algorithm for controlling the creation of connections in a distributed CS.

The main problem to be solved here is to prevent one interacting subject from occupying all the virtual channels of the system.

Recall that when a VC is created, the system places the received connection request in a queue; when the request's turn comes, the system prepares a response and sends it back to the sender of the request. The task of controlling connection establishment is precisely to define the rules by which the system decides whether or not to place a request in the queue.

If every incoming request is automatically queued (and this is how all network operating systems that support TCP/IP are built), then under attack this leads to queue overflow and denial of service to all other legitimate requests.

This is because an attacker sends as many requests per second as the link will carry (thousands of requests per second), whereas an ordinary user with a legitimate connection request sends only a few requests per minute. Consequently, once the queue has overflowed, the probability of a legitimate connection being established in this situation is one in a million at best. It is therefore necessary to restrict the queuing of requests coming from one object.

However, if in a distributed CS any object can send a request on behalf of (with the address of) any other object, then, as noted earlier, the control problem cannot be solved.

For this reason Proposition 5 was introduced: every packet arriving at an object must carry the route it has traversed, which makes it possible to confirm the authenticity of the sender address with an accuracy of one subnet. Given this, which allows all packets with an invalid sender address to be discarded, the following condition for placing a request in the queue can be proposed: the system limits the number of requests processed per second from any one subnet.

This maximum number of requests queued per second is set directly by the operating system and depends on the following parameters of the network operating system: processing speed, virtual memory size, the number of simultaneously open virtual channels, the queue length, and so on.

The restriction prevents an attacker from overflowing the queue, since only the first few of the attacker's requests are queued for service and the rest are ignored.

The first request of a legitimate user from another subnet will likewise be queued immediately.

A drawback of this method of controlling connection creation is that, because the sender address can be authenticated only to the accuracy of a subnet, an attacker can send requests on behalf of any object in its own subnet. Consequently, during an attack, all other objects in the attacker's subnet will be unable to connect to the attacked object.

However, since, first, the route recorded in the packet identifies the attacker down to its subnet and, second, the target's operability is not disrupted, such an attack is unlikely to be worthwhile.
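As an added illustration (not code from the original article), the following Python simulation models the admission rule described above: a request is queued only if its sender address lies in the first subnet of the recorded route (Proposition 5) and only if that subnet has not yet used its per-second share; the queue length, the per-subnet limit, the addresses and the traffic are all constructed assumptions.

```python
from collections import deque, defaultdict
from ipaddress import ip_address, ip_network

QUEUE_LEN = 8   # assumed backlog length of the target's connection-request queue


class ConnectionQueue:
    """Admission control for connection requests: route check plus per-subnet rate limit."""

    def __init__(self, per_subnet_per_sec):
        self.limit = per_subnet_per_sec         # None = queue everything (plain TCP/IP behaviour)
        self.queue = deque()
        self.queued_in_sec = defaultdict(int)   # (subnet, second) -> requests already queued

    def admit(self, req):
        """Return True if the request is queued, False if it is dropped."""
        src = ip_address(req["src"])
        origin = ip_network(req["route"][0])    # first hop of the recorded route (Proposition 5)
        if src not in origin:                   # sender address inconsistent with its route: discard
            return False
        key = (origin, int(req["t"]))
        if self.limit is not None and self.queued_in_sec[key] >= self.limit:
            return False                        # this subnet has used its share for this second
        if len(self.queue) >= QUEUE_LEN:
            return False                        # queue overflow: the denial of service described above
        self.queue.append(req)
        self.queued_in_sec[key] += 1
        return True


def simulate(per_subnet_per_sec):
    """Constructed traffic: a flood from one subnet plus one legitimate user from another."""
    flood = [{"src": f"10.0.0.{1 + i % 200}", "route": ["10.0.0.0/24", "192.0.2.0/24"],
              "t": 0.0005 * i} for i in range(2000)]        # ~2000 requests within one second
    legit = {"src": "198.51.100.7", "route": ["198.51.100.0/24", "192.0.2.0/24"], "t": 0.5001}
    spoofed = {"src": "203.0.113.5", "route": ["10.0.0.0/24", "192.0.2.0/24"], "t": 0.7}
    cq = ConnectionQueue(per_subnet_per_sec)
    outcome = {}
    for req in sorted(flood + [legit, spoofed], key=lambda r: r["t"]):
        ok = cq.admit(req)
        if req is legit:
            outcome["legit_admitted"] = ok
        elif req is spoofed:
            outcome["spoofed_admitted"] = ok
    outcome["attacker_queued"] = sum(1 for r in cq.queue if r is not legit)
    return outcome
```

Running `simulate(None)` reproduces the overflow (the legitimate request is refused), while `simulate(2)` queues only two of the flood requests and admits the legitimate one; the packet whose address does not match its route is dropped in both cases.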

So, in conclusion of the set of requirements for secure communication systems in a distributed CS

Copyright © 2010 BRV ISTCOM S.R.L.