master's thesis
Gregor Robert Krmelj (Author), Mojca Ciglarič (Mentor), Matjaž Pančur (Co-mentor)

Abstract

Single Packet Authorization (SPA) is a method of gaining access to a network service by sending a single IP packet that carries all the data needed to authenticate and authorize a particular client. The result of the exchange is a temporary firewall rule that grants the client access to the requested service. OpenSPA is an open-source SPA implementation which we have re-implemented from the ground up, adding countermeasures against Denial of Service (DoS) attacks and replacing the binary encoding with a TLV variant. In our test environment with a 100 Gbit/s network we were able to defend against a 6.7 Mpps DoS attack using a single CPU core and a 106 Mpps attack using 16 CPU cores.
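The following is an added, constructed illustration of the SPA exchange the abstract describes (one TLV-encoded packet, verified by the server, producing a time-limited allow rule). It is not OpenSPA's code or wire format: the TLV type numbers, field layout, HMAC-SHA256 key scheme, 30-second freshness window and 60-second rule lifetime are assumptions made for this example only, the "firewall" is a dictionary rather than a real rule set, and nothing here uses eBPF/XDP. The server orders its checks so that cheap structural rejections happen before the single HMAC computation and before any state is touched, which is the general shape of a DoS-resistant verifier rather than the thesis's specific design.

```python
"""Constructed SPA example (not OpenSPA's protocol): a client builds one
TLV packet authenticated with HMAC-SHA256; the server validates it and
installs a temporary allow rule keyed by (source IP, port)."""
import hashlib
import hmac
import os
import struct
import time

# Assumed TLV type codes for this example only (not OpenSPA's).
T_CLIENT_ID, T_TIMESTAMP, T_NONCE, T_PORT, T_HMAC = 1, 2, 3, 4, 5


def tlv_encode(fields):
    """Serialize (type, value) pairs as 1-byte type, 2-byte big-endian length, value."""
    out = bytearray()
    for t, v in fields:
        out += struct.pack("!BH", t, len(v)) + v
    return bytes(out)


def tlv_decode(data):
    """Parse TLV records, rejecting truncated headers or values."""
    fields, i = [], 0
    while i < len(data):
        if i + 3 > len(data):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack("!BH", data[i:i + 3])
        i += 3
        if i + n > len(data):
            raise ValueError("truncated TLV value")
        fields.append((t, data[i:i + n]))
        i += n
    return fields


def build_request(key, client_id, port, now=None, nonce=None):
    """Client side: one packet carrying identity, time, nonce, requested port, HMAC."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = tlv_encode([
        (T_CLIENT_ID, client_id.encode()),
        (T_TIMESTAMP, struct.pack("!Q", now)),
        (T_NONCE, nonce),
        (T_PORT, struct.pack("!H", port)),
    ])
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + tlv_encode([(T_HMAC, mac)])


class SpaServer:
    WINDOW = 30     # assumed clock-skew tolerance in seconds
    RULE_TTL = 60   # assumed lifetime of the temporary allow rule

    def __init__(self, keys):
        self.keys = keys    # client_id -> shared key
        self.seen = set()   # (client_id, nonce) replay cache
        self.rules = {}     # (src_ip, port) -> expiry time (stand-in for a firewall)

    def handle(self, packet, src_ip, now=None):
        """Validate one SPA packet; returns (accepted, reason). Cheap structural
        checks run first, then exactly one HMAC, then freshness and replay
        checks, and only an accepted packet changes server state."""
        now = int(time.time()) if now is None else now
        try:
            fields = tlv_decode(packet)
        except ValueError as e:
            return False, f"malformed: {e}"
        if not fields or fields[-1][0] != T_HMAC or len(fields[-1][1]) != 32:
            return False, "missing or malformed hmac"
        mac = fields[-1][1]
        body = packet[:len(packet) - 3 - len(mac)]   # everything before the HMAC TLV
        f = dict(fields[:-1])
        if any(t not in f for t in (T_CLIENT_ID, T_TIMESTAMP, T_NONCE, T_PORT)):
            return False, "missing field"
        if len(f[T_TIMESTAMP]) != 8 or len(f[T_PORT]) != 2:
            return False, "bad field length"
        client_id = f[T_CLIENT_ID].decode(errors="replace")
        key = self.keys.get(client_id)
        if key is None:
            return False, "unknown client"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad hmac"
        ts = struct.unpack("!Q", f[T_TIMESTAMP])[0]
        if abs(now - ts) > self.WINDOW:
            return False, "stale timestamp"
        if (client_id, f[T_NONCE]) in self.seen:
            return False, "replay"
        self.seen.add((client_id, f[T_NONCE]))
        port = struct.unpack("!H", f[T_PORT])[0]
        self.rules[(src_ip, port)] = now + self.RULE_TTL
        return True, f"allow {src_ip}:{port} for {self.RULE_TTL}s"

    def is_allowed(self, src_ip, port, now=None):
        """Would the (simulated) firewall currently pass traffic to this port?"""
        now = int(time.time()) if now is None else now
        expiry = self.rules.get((src_ip, port))
        return expiry is not None and now < expiry
```

Replaying the same packet is refused even though its HMAC is valid, and a packet whose timestamp falls outside the window is refused without any state being stored, so an attacker flooding stale or forged packets cannot grow the replay cache.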

Keywords

SPA;firewall;network security;eBPF;XDP;network protocol design;hidden services;computer science;master's thesis;

Data

Language: English
Year of publishing:
Typology: 2.09 - Master's Thesis
Organization: UL FRI - Faculty of Computer and Information Science
Publisher: [G. R. Krmelj]
UDC: 004.7(043.2)
COBISS: 136683779

Other data

Secondary language: Slovenian
Secondary title: Skalabilnost protokola SPA v programsko določenem robu omrežja (Scalability of the SPA protocol at the software-defined network edge)
Secondary abstract: Single Packet Authorization (SPA) is a method by which access to a service is obtained solely on the basis of a single IP packet. That packet carries all the information the server needs to verify the authenticity of the request. If the client is entitled to the requested service, the server installs a temporary firewall rule that grants the client access. OpenSPA is one of the open-source implementations of the SPA principle. In this master's thesis we present our new implementation of the OpenSPA protocol. The protocol's new features are protection against Denial of Service (DoS) attacks and binary data encoding in the TLV format. Within a test environment with a 100 Gbit/s network we were able to withstand a 6.7 Mpps DoS attack using 1 core and a 106 Mpps DoS attack using 16 cores.
Secondary keywords: SPA;firewall;network security;eBPF;XDP;network protocols;hidden services;master's theses;Computer science;University and higher-education theses;
Type (COBISS): Master's thesis/paper
Study programme: 1000471
Embargo end date (OpenAIRE): 1970-01-01
Thesis comment: University of Ljubljana, Faculty of Computer and Information Science
Pages: XVI, 66 pp.
ID: 17332127