Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 21 (2013) 374 – 381

The 3rd International Conference on Current and Future Trends of Information and Communication Technologies in Healthcare (ICTH-2013)

Security Techniques for Counteracting Attacks in Mobile Healthcare Services

Udaya Tupakula*, Vijay Varadharajan

INSS Research, Department of Computing, Faculty of Science, Macquarie University, Sydney-2109, Australia

Abstract

Today mobile devices are increasingly being used to provide health related information to healthcare related services on the Internet. However, such devices have limited resources to enforce strong security measures and are easily vulnerable to attacks. In this paper we propose techniques for counteracting denial of service attacks on mobile devices that are providing the user’s health related information and for securing the communication between mobile nodes and healthcare service providers on the Internet.

© 2013 The Authors. Published by Elsevier B.V. Open access under CC BY-NC-ND license. Selection and peer-review under responsibility of Elhadi M. Shakshuki

Keywords: Mobile Healthcare; Security; Denial of Service; Traceback; IP Security.

1. Introduction

A denial of service (DoS) [1, 2] attack prevents legitimate users from accessing resources. In a Distributed Denial of Service (DDoS) attack, several hundreds of zombies or botnets (compromised machines) are involved in the generation of attack traffic. DDoS is one of the major threats in the current Internet. There are many challenges when it comes to dealing with attacks on mobile nodes due to their limited resources. We envisage that the growth of the wireless Internet and of mobile devices, and their use in carrying out sensitive transactions, is likely to make denial of service attacks an even greater concern in the near future. For example, there can be severe consequences if such attacks target a mobile device that is used for healthcare services. Hence there is a need to develop techniques to detect and prevent denial of service attacks on mobile devices. In this paper we propose techniques for counteracting denial of service attacks on mobile devices that are being used in the provision of mobile healthcare services. Our model makes use of the IPSec protocol [3] for traceback and prevention of attack traffic at the upstream nodes. The paper is organized as follows.

* Corresponding author. Tel.: +61-2-9850-9521; fax: +61-2-98509511. E-mail address: [email protected].

1877-0509 © 2013 The Authors. Published by Elsevier B.V. Open access under CC BY-NC-ND license. Selection and peer-review under responsibility of Elhadi M. Shakshuki doi:10.1016/j.procs.2013.09.049


Section 2 presents some of the related work and Section 3 presents the attacker model. In Section 4, we propose techniques for securing healthcare related communication and for dealing with denial of service attacks on the mobile nodes. In Section 5 we present a prototype implementation of our model and Section 6 concludes the paper.

2. Related Work

Distributed Denial of Service (DDoS) attacks are more common in wired networks and there is ongoing research [1, 2] to deal with the attacks. For example, filtering techniques such as [4-6] have been proposed to validate the source address of IP packets. The main idea is that if traffic with spoofed source addresses can be minimized in the Internet, then this can also minimize DDoS attacks with spoofed source addresses. This will only leave DDoS attacks with correct source addresses to consider. Some authors have suggested traceback techniques [7-10] to identify the approximate spoofed source of attack. The main idea of the traceback techniques is that if the approximate spoofed source of attack can be identified, then attack traffic can be filtered at a point that is nearest to the attacking source. This will result in saving bandwidth at the victim’s end and for all upstream routers between the victim and the attacking sources. Some traceback techniques [7-10] can be performed only during the time of attack and some traceback techniques [10] are capable of performing post-mortem analysis. Statistical based filtering techniques [11] maintain the normal traffic behavior for each server or network. During the time of attack, the incoming packets are scored by comparing them with the stored traffic pattern. Packets that do not match the stored patterns are considered to be malicious and dropped. Service specific access control techniques [12] have been proposed to permit only the traffic that is considered to be legitimate to access the services.

However, most of the techniques proposed to deal with attacks in wired networks are not readily suitable for dealing with attacks in wireless networks. For example, we need to take different factors into consideration, such as the limited resources of the mobile nodes, which make them easily vulnerable to such attacks, and also the lack of security techniques to deal with the attacks. There is some prior work related to DoS attacks in wireless networks. Khan et al. [13] consider different types of attacks that are possible in the WLAN, WiMax and WMAN technologies. The work specifically highlights the challenges of dealing with passive attacks and the categorization of attacks at different layers of the protocol stack. The analysis by He and Mitchell [14] identified DoS vulnerabilities in 802.11i and the work in [15, 16] presents a detailed discussion of how the attacks can be implemented in practice. Liu and Yu [17] analyzed the authentication request flooding and association request flooding attacks and proposed to use MAC address filtering and traffic pattern filtering, which enforces a limit on the maximum number of authentication or association requests from the mobile nodes. Furthermore, some techniques have been proposed to deal with rogue access points in wireless networks. Bahl et al. [18] suggested dense deployment of sensors for monitoring wireless networks for rogue access points. This technique makes use of unused desktop resources in wired networks and USB based wireless adapters to minimize the deployment cost of the security sensors. The technique proposed by Sheng et al. [19] detects rogue access points by monitoring the changes in the round trip time when communicating with the local servers. Zeng et al. [20] proposed a cookie based approach to deal with denial of service attacks on the authentication mechanism during the handover process.

Xu et al. [21] considered different types of jamming attacks and proposed dynamic changing of communication channels to deal with the attacks. Traynor et al. [22] used queue management techniques to deal with the saturation of the wireless links. Geng et al. [23] proposed policy based schemes such as usage based charging and capped usage to deal with DDoS attacks on the mobile nodes. However, the proposed technique cannot defend against an ongoing attack on the mobile node, and techniques such as usage based charging may not be effective since the owners of the hosts are not aware of the compromise of their nodes. Hence, currently there is a lack of comprehensive security techniques to deal with DDoS attacks in wireless networks.

3. Attacker Model

As shown in Figure 1, consider a generic architecture where mobile customers can be accessing voice and data services from their mobile network service provider. Furthermore, in this paper we envisage the mobile device to be used for receiving data from body sensor devices and sending it to Healthcare Service Providers (HSPs). In the current scenario, the information captured by different body sensors is forwarded to the user’s mobile device using wireless technologies such as Bluetooth, ZigBee, and WLAN. In some cases, the information from the body sensors is aggregated at the body sensor gateway before being forwarded to the mobile device. The mobile device is used for secure communication of the body sensor information to different HSPs using the mobile network or WLAN.

[Figure 1: Current Scenario. Labels: Attack 1 to Attack N, HSP 1 to HSP N, Other Applications, Mobile Network, Mobile; different body sensors reporting data to mobile.]

[Figure 2: Proposed Scenario. Labels: Attack 1 to Attack N, HSP 1 to HSP N, Other Applications, SEC, Mobile Network, Mobile; different body sensors reporting data to mobile.]

Legend for Figures 1 and 2: Attack Traffic, Secure Data Transfer, Insecure Data Transfer.

One of the main advantages of using the mobile device as the gateway is that the information from the body sensors can be accessed by the HSPs even when the user is mobile. However, since the body sensor information has to be communicated securely to several HSPs, this could incur high overhead on the mobile device for storing the keys required for secure communication, establishing secure channels and transferring the body sensor information. In addition to this usage, mobile devices are also used for different applications such as accessing the Internet and social networks and playing online games. Currently there is an increasing trend of attackers targeting mobile devices. Since mobile devices have limited resources, they are easily vulnerable to denial of service attacks. In case of successful attacks on the mobile devices, the HSPs will not have access to body sensor readings. Hence there is a need for techniques to minimize the overhead on the mobile device for secure communication of the body sensor information to different HSPs and a need for securing the mobile device from denial of service attacks.


Let us first consider the attacker model. The users can be accessing the service from their mobile network service provider or from foreign agent network service providers. Mobile IP [24] enables such seamless and uninterrupted access to the services for mobile users. Although mobile devices are used for voice and data communication, the main aim of our work is to deal with DDoS attacks on the data services of the mobile nodes. We consider flooding attacks such as ICMP flood and UDP flood, with correct or spoofed source addresses, on the victim mobile devices. The attack traffic can be originating from computing devices that are connected to wired networks or wireless networks. The owners of the devices from which the attack traffic is originating may not be aware that their devices are compromised and being used to generate attack traffic. As shown in Figure 1, there can be several attacking sources that are flooding the victim node with malicious traffic, resulting in the good traffic being dropped before it reaches the mobile node. Hence there is a need to prevent the attack traffic at upstream nodes.

4. Our Approach

In this section, we propose techniques for securing mobile healthcare services. We aim to deal with denial of service attacks on mobile nodes and minimize the overhead on the mobile device that is used for healthcare services. We assume that the mobile devices have been allocated public IP addresses. This is reasonable following the migration to IPv6. Figure 2 shows the proposed model for securing the mobile healthcare services. We consider that all the users’ traffic that needs to be protected from denial of service attacks passes through a Security Enforcement Component (SEC). The SEC can be implemented on existing routers or can be realized as an add-on module to existing routers. In our model, the attack can be prevented at the upstream nodes which co-operate with the SEC. The darkened nodes in Figure 3 represent the co-operating nodes.
The co-operating nodes can request similar service from the SEC to protect their customers. The SEC enables secure communication of body sensor information to different HSPs with minimal overhead and also deals with the attacks on the mobile device. There are two logical components in the SEC. The first component is a Trusted Health Service Gateway (THSG) which is trusted by the mobile users and the HSPs. In practice, the THSG can be implemented by a trusted third party. The mobile user updates the THSG with the information of the different HSPs that need to access the user’s body sensor information. The second logical entity is an Attack Prevention Gateway (APG) which deals with denial of service attacks on mobile devices. In practice, the APG can be implemented by a mobile network provider. In this paper, we consider both THSG and APG to be implemented on the same node.

4.1. Operation

The information from different body sensor devices is sent over a single secure link to the Trusted Health Service Gateway (THSG). The THSG analyses the received information, and forwards the relevant user information to different HSPs. For example, HSP1 may be interested in ECG sensor readings and HSP2 may be interested in obtaining blood and pulse related sensor readings. The THSG sends the information to different HSPs using secure communication channels such as IPSec tunnels or SSL connections. Since the secure communication channels are established by the THSG, this minimizes the overhead on the mobile device and eliminates the need to store the keys required for secure communication with different HSPs. Now let us consider how the APG component in the SEC (referred to as SEC-APG) deals with DoS attacks. Since all the traffic from the mobile device passes through the SEC, it develops a legitimate usage pattern for each mobile user. Default security settings are used for new mobile users.
For example, security tools such as snort have several generic attack patterns to detect and prevent denial of service attacks. The SEC-APG monitors the traffic destined to the mobile device and prevents any attack traffic from targeting the mobile device. If the attack traffic reaches a predefined threshold, the SEC-APG initiates techniques for prevention of attack traffic at the upstream co-operating nodes. The SEC-APG updates the co-operating nodes with the details of the victim that is experiencing the DDoS attacks. The co-operating nodes then filter the traffic that is destined to the victim node and securely forward it to the SEC-APG using IPSec ESP tunneling. The SEC-APG retrieves the victim’s traffic from the tunnel, drops the traffic that matches the attack pattern and forwards only legitimate traffic to the victim. The SEC-APG keeps track of the attack traffic originating from each tunnel. If the attack traffic from any of the tunnels exceeds a threshold, then it sends a request to prevent the attack traffic at the upstream co-operating node before performing IPSec ESP tunneling of the traffic. After the tunnel is established between the SEC-APG and the co-operating node, there is no need to perform traceback for prevention of attack traffic at the upstream nodes. The starting point of the tunnel is used as the trusted traceback point for prevention of the attack upstream. This is one of the important advantages of our model. Furthermore, since IPSec is already a standard and likely to be supported in the near future on most of the existing devices, our model can be easily implemented in practice.

As shown in Figure 3, M1G is the SEC for the (victim) mobile node; the darkened nodes are co-operating with the SEC-APG to prevent the attack upstream. Consider the scenario where the total traffic to the victim mobile node is originating from 1 to N channels and there are 1 to N-1 secure IPSec ESP channels and 1 insecure channel N. Hence the attack traffic can be prevented at the upstream 1 to N-1 secure channels.
The attack traffic from the single insecure channel N is prevented at the SEC-APG. We do not perform traceback for the traffic from the insecure channel.

When the attack traffic reaches a certain threshold, the SEC-APG sends requests to establish a secure tunnel with the upstream co-operating nodes (ER1, M2G and FA1). Note that the secure channel to HSP1 is established by the THSG for forwarding body sensor information. Now all the traffic destined to the mobile node will be forwarded through the secure tunnel between the co-operating node and the SEC-APG. The traffic will be tunneled at the first deployed router. Since the tunnels terminate at the SEC-APG, there is no need for the SEC-APG to perform traceback. The starting point of the tunnel is considered as the node from which the attack traffic is originating. Hence the traceback can be performed to the first co-operating node that is nearest to the attacking source. Also note that traceback and prevention of the attack at upstream nodes is possible even if there is no co-operation from the routers between the co-operating node and the SEC. For example, in Figure 3 traceback can be performed between SEC and ER1 even if there is no co-operation from IR1.

[Figure 3: Our Approach. Legend: Attacking Node; Benign Node; Deployed Device; Non-Deployed Device; Physical Link; IPSec ESP Tunnel. IR: Intermediary Router; ER: Edge Router; FA: Foreign Agent; UISPxG: Upstream ISP Gateway; WLG: WLAN Gateway; MxG: Mobile Network Gateway; GGSN: Gateway GPRS Support Node; GMSC: Gateway Mobile Switching Centre.]

4.2. SEC-APG Components

Let us now consider how the SEC-APG can be used to detect and prevent attacks on mobile nodes. The SEC-APG components transparently monitor mobile nodes’ traffic for denial of service attacks. Device Identification and Store (DIS), Hybrid Attack Detection (HAD), and Dynamic Attack Prevention (DAP) are the important sub-components of the SEC-APG. The DIS is used for identification of the mobile devices. It analyses the traffic and maintains the logs of mobile nodes’ traffic. Since we consider IP based communication, the devices can be identified from the source or destination address of the traffic. In our model, the logs are used to determine the statistical security policies for each mobile node. Note that most mobile service providers charge the users based on data downloads and/or uploads. Hence there is a need to log the mobile nodes’ traffic for the purpose of charging the customers. Our model makes use of these logs to determine the statistical behaviour of the mobile nodes’ traffic. The HAD is used for detection of known attacks and detection of suspicious behaviour by monitoring the mobile nodes’ traffic. It makes use of signature based and anomaly based techniques for detecting attacks on the mobile nodes. The evaluation process of the HAD works as follows: if the traffic does not match any attack signature and is found to be legitimate by the anomaly based detection module, then the traffic is forwarded to the destination. If the traffic matches a known attack signature or is found to be suspicious by the anomaly detection, then the traffic is dropped.
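The per-channel accounting of Section 4.1 and the HAD forwarding rule above, as an added example (not code from the paper or its prototype): a small Python model in which the tunnel's starting node, not the packet's source address, decides where filtering is pushed. The class and function names, the per-tunnel threshold of 20 and the traffic figures are assumptions; the anomaly stage is omitted because the paper does not describe its algorithm.

```python
from collections import Counter
from dataclasses import dataclass, field

VICTIM = "10.0.0.3"        # victim address used in the paper's prototype
ATTACK_THRESHOLD = 50      # attack packets per interval before tunnels are requested (paper's value)
TUNNEL_THRESHOLD = 20      # assumed per-tunnel limit; the paper leaves this value to the DAP
INSECURE = "insecure"      # channel N: traffic that did not arrive through an ESP tunnel


@dataclass(frozen=True)
class Packet:
    src: str       # claimed source address; may be spoofed, so it is never used for attribution
    proto: str     # "tcp", "udp" or "icmp"
    dport: int
    channel: str   # tunnel starting node the packet arrived through, or INSECURE
    dst: str = VICTIM


def had_is_attack(pkt: Packet) -> bool:
    """Signature stage only, mirroring the victim-traffic ACL: web traffic to the
    victim is permitted, everything else addressed to it counts as attack traffic."""
    return pkt.dst == VICTIM and not (pkt.proto == "tcp" and pkt.dport == 80)


@dataclass
class SecApg:
    cooperating: set                                      # upstream nodes that accept requests
    tunnels: set = field(default_factory=set)             # nodes tunnelling victim traffic to us
    upstream_filters: set = field(default_factory=set)    # nodes dropping attack traffic for us
    drops: Counter = field(default_factory=Counter)       # attack packets per channel, this interval
    actions: list = field(default_factory=list)           # requests sent upstream, in order

    def receive(self, pkt: Packet) -> bool:
        """Forward legitimate traffic (True); drop and account attack traffic (False)."""
        if had_is_attack(pkt):
            self.drops[pkt.channel] += 1
            return False
        return True

    def end_interval(self) -> None:
        """DAP decision, run once per measurement interval."""
        if sum(self.drops.values()) >= ATTACK_THRESHOLD:
            for node in sorted(self.cooperating - self.tunnels):
                self.tunnels.add(node)
                self.actions.append(("establish_tunnel", node))
        for channel, count in sorted(self.drops.items()):
            # The tunnel's starting point is the traceback result: no source address is consulted.
            if (channel != INSECURE and count >= TUNNEL_THRESHOLD
                    and channel not in self.upstream_filters):
                self.upstream_filters.add(channel)
                self.actions.append(("filter_upstream", channel))
        self.drops.clear()


def run_interval(apg: SecApg, flows) -> dict:
    """Push one interval of constructed flows (entry node, packets, proto, dport)
    through the upstream nodes and the SEC-APG; report where the packets ended up."""
    result = {"forwarded": 0, "dropped_at_sec": 0, "dropped_upstream": 0}
    for entry, packets, proto, dport in flows:
        channel = entry if entry in apg.tunnels else INSECURE
        for k in range(packets):
            pkt = Packet(f"198.51.100.{k % 254 + 1}", proto, dport, channel)  # spoofed source
            if entry in apg.upstream_filters and had_is_attack(pkt):
                result["dropped_upstream"] += 1       # stopped at the tunnel's starting point
            elif apg.receive(pkt):
                result["forwarded"] += 1
            else:
                result["dropped_at_sec"] += 1
    apg.end_interval()
    return result


# Constructed sample traffic: one flood enters through a co-operating router, one through
# a router that does not co-operate, and web traffic shares the co-operating path.
FLOWS = [("2800-2", 40, "udp", 53), ("2500", 20, "icmp", 0), ("2800-2", 10, "tcp", 80)]


def simulate(intervals: int = 3):
    apg = SecApg(cooperating={"2800-2"})
    return [run_interval(apg, FLOWS) for _ in range(intervals)], apg.actions


if __name__ == "__main__":
    timeline, actions = simulate()
    for second, counts in enumerate(timeline, start=1):
        print(second, counts)
    print(actions)
```

In the third interval the flood entering through the co-operating node is dropped at the tunnel's starting point, while the flood from the non-co-operating node is still dropped at the SEC-APG.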
We have created a database in the HAD of known attack signatures; the objective is that this database will be continually updated as and when new attack signatures are discovered. For example, we have used attack signatures in the detection engine from the snort IDS for services such as a Web server running on the mobile node, and for attacks such as distributed denial of service attacks on mobile nodes. If the traffic does not match any of the attack signatures then it is randomly validated against the statistical policies in the anomaly detection module. The anomaly detection module applies a machine learning technique to the mobile node logs to differentiate between legitimate and suspicious behaviour for each mobile node. We do not describe this algorithm in this paper due to space restrictions. Essentially this algorithm enables the anomaly detection module to capture the dynamic changes for each mobile node and identify the attacks. For example, from the logs we capture the statistical behaviour of a mobile node such as the legitimate TCP/IP protocols used by the applications on the node, average packet size and average packet rates. The DAP component analyses all the traffic dropped by the HAD and makes dynamic decisions to deal with the attacks on the mobile nodes. For example, it is used for dynamic prevention of attacks at the upstream co-operating nodes. It maintains the details of upstream co-operating nodes, stores the keys that are used for the established IPSec secure tunnels, determines the attack traffic originating from all channels (1 to N-1 secure channels and 1 insecure channel N), and determines the thresholds and attack patterns that have to be prevented at the upstream co-operating node (secure tunnel).

5. Implementation

In this section, we present the implementation of our model. We have implemented our model as shown in Figure 4 using Cisco 2800 and 2500 series routers with IOS version 12.3.
The management node is used for configuring the routers, maintaining the logs using a syslog server and for enforcing access control policies on the traffic destined to the victim mobile node. The victim mobile node is a Samsung Galaxy S2 mobile device which is used to access services on the Internet either via a mobile network or a WLAN. Since we do not have the resources to test the model for mobile networks, we have used the setup shown in Figure 4 for our experimentation. However, this setup is similar to the case in Figure 3 where all the data traffic from the victim mobile node passes through the SEC/M1G. In Figure 4, all the victim’s traffic passes through the Cisco 2800-1 router.

[Figure 4: Prototype. Devices: Cisco 2800-1, Cisco 2800-2, Cisco 2500, Catalyst 2950 switches, Aironet Access Point, web servers WS1 and WS2, packet generators AS1 and AS2, MN (10.0.0.2) and victim (10.0.0.3) on 10.0.0.0/8. Other addresses shown: 172.16.0.1/16, 172.16.0.2/16, 172.17.0.1/16, 172.17.0.2/16, 172.18.0.1/16, 172.18.0.2/16, 192.168.1.0/24, 192.168.2.0/24. Legend: WSx: Web Server; ASy: Packet Generator; MN: Management Node. The figure shows the following access list:]

    ip access-list extended victim-traffic
     deny udp any 10.0.0.3 0.0.0.0
     deny icmp any 10.0.0.3 0.0.0.0
     permit tcp any 10.0.0.3 0.0.0.0 eq www

In this setup the mobile is considered to be accessing different services from the web servers. The attacking sources can be flooding the victim node with ICMP and UDP floods with correct and spoofed source addresses. In default mode, such floods are prevented at the Cisco 2800-1 router. The access control is configured at the Cisco 2800-1 router to permit only web traffic to the victim node. During this stage, any ICMP or UDP flood traffic that is destined to the victim mobile node is filtered at the Cisco 2800-1 router. However, in this case we cannot differentiate between the attack traffic originating from different attacking domains since the source address is spoofed.

[Figure 5: Attack traffic dropped. Plot with series labelled 2800-1 and 2800-2.]

Figure 5 shows the attack traffic that is dropped at the routers. The attack starts during the 1 sec time interval. The attacking sources AS1 and AS2 in Figure 4 send ICMP and UDP floods of about 30 packets/sec with correct and spoofed source addresses. The attack traffic is initially dropped at the Cisco 2800-1 router until it reaches the threshold of 50 packets/sec. The packet drops are reported to the syslog server on the management node. After the attack reaches the threshold of 50 packets/sec, an IPsec ESP tunnel is established between the Cisco 2800-1 and Cisco 2800-2 routers. Notice that the attack traffic is still dropped at the Cisco 2800-1 router until the tunnel is established between the routers. After the tunnel is established, we can easily determine the attack traffic originating from the tunnel. Now access control is dynamically applied at the Cisco 2800-2 router to prevent the attack traffic and tunnel only the web traffic.
Hence at about 4 seconds, we can see that the attack packets are dropped at the upstream co-operating node (source of the tunnel). Notice that the attack traffic originating from the Cisco 2500 series router (non-co-operating node) is still dropped at the Cisco 2800-1 router.

6. Conclusion

We have proposed techniques for securing healthcare related information communication between mobile devices and health service providers on the Internet. In particular, we have discussed a model and implementation that is able to counteract denial of service attacks on mobile nodes. Our model makes use of the IPSec protocol for achieving secure traceback of the upstream nodes through which the attack traffic is passing as well as for preventing the attack at the upstream nodes. We have shown that our model can be implemented in practice using existing devices and discussed performance characteristics of our implementation.

References

[1] E. Alomari, B.B. Gupta, S. Karuppayah, “Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art”, International Journal of Computer Applications, 49(7), pp. 24-31, July 2012.
[2] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS defense mechanism”, ACM SIGCOMM Computer Communication Review, vol. 34, pp. 39-53, 2004.
[3] S. Kent, K. Seo, “Security Architecture for the Internet Protocol”, RFC 4301.
[4] P. Ferguson and D. Senie, “Network Ingress Filtering: defeating denial of service attacks which employ IP source address spoofing”, RFC 2267, January 1998.
[5] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, “SAVE: source address validity enforcement protocol”, Proceedings of IEEE INFOCOM, 2004.
[6] Z. Duan, X. Yuan, and J. Chandrasekar, “Constructing inter-domain packet filters to control IP Spoofing based on BGP updates”, Proceedings of IEEE INFOCOM, pp. 1-12, 2006.
[7] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Network support for IP traceback”, ACM/IEEE Transaction on Networking, vol. 9, no. 3, pp. 226-237, June 2001.
[8] Udaya Kiran Tupakula, Vijay Varadharajan, “A practical method to counteract denial of service attacks”, In proceedings of the twenty-fifth Australasian computer science conference ACSC2003, Australia, pp. 275-284, Feb 2003.
[9] R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, “Controlling high bandwidth aggregates in the network”, ACM CCR, vol. 32, no. 3, pp. 62-73, Jul. 2002.
[10] Robert Stone, “CenterTrack: An IP Overlay Network for Tracking DoS Floods”, Proceedings of 9th Usenix Security Symposium, August 2000.
[11] Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H.J. Chao, “PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks”, IEEE Transactions on Dependable and Secure Computing, Apr. 2006.
[12] U.K. Tupakula, V. Varadharajan, S.K. Vuppala, “SBAC: Service Based Access Control”, Proceedings of 14th IEEE ICECCS, June 2009.
[13] Khan et al, “DoS attacks and challenges in broadband wireless networks”, International Journal of computer science and network security, Vol 8, No. 7, July 2008.
[14] C. He and J.C. Mitchell, “Security Analysis and Improvements for IEEE 802.11i”, Proceedings of NDSS, San Diego, Feb 2005.
[15] R. H. Rahman, N. N. Nowsheen, M. A. Khan and V. H. Khan, “Wireless Lan Security: An In-Depth Study of the Threat and Vulnerabilities”, Asian Journal of Information Technology, vol. 6(4), pp. 441-446, 2007.
[16] Vishal Kumkar, Akhil Tiwari, Pawan Tiwari, Ashish Gupta, Prof. Seema Shrawne, “Vulnerabilities of Wireless Security Protocols”, International Journal of Advanced Research in Computer Engineering & Technology, 1(2), April 2012.
[17] Chibiao Liu and James Yu, “A Solution to WLAN Authentication and Association DoS Attacks”, IAENG International Journal of Computer Science, 34:1, IJCS_34_1_4, 2007.
[18] Paramvir Bahl, Ranveer Chandra, Jitendra Padhye, Lenin Ravindranath, Manpreet Singh, Alec Wolman, Brian Zill, “Enhancing the Security of Corporate Wi-Fi Networks Using DAIR”, Proceedings of ACM MobiSys 2006.
[19] Hao Han, Bo Sheng, Chiu C. Tan, Qun Li, Sanglu Lu, “A Timing-Based Scheme for Rogue AP Detection”, IEEE Transactions on parallel and distributed Systems, vol. 22, no. 11, pp. 1912-1925, November 2011.
[20] Rongfei Zeng, Chuang Lin, Hongkun Yang, Yuanzhuo Wang, Yang Wang, Peter Ungsunan, “A Novel Cookie-based DDoS Protection Scheme and its Performance Analysis”, Proc. of IEEE AINA, 2009.
[21] Wenyuan Xu, Timothy Wood, Wade Trappe, Yanyong Zhang, “Channel Surfing and Spatial Retreats: Defenses against Wireless Denial of Service”, Proceedings of ACM WiSe’04, Oct 2004.
[22] Patrick Traynor, William Enck, Patrick McDaniel, and Thomas La Porta, “Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks”, IEEE/ACM Transactions on Networking, vol. 17, no. 1, Feb. 2009.
[23] Xianjun Geng, Yun Huang and Andrew B. Whinston, “Defending Wireless Infrastructure against the challenge of DDoS Attacks”, Mobile Networks and Applications 7(3): 213-223, 2002.
[24] RFC 2002, “IP Mobility Support”, http://www.ietf.org/rfc/rfc2003.txt
