skip to content

Department of Computer Science and Technology

image of computer code

A researcher here was presented with an award today for work that he and colleagues conducted more than 20 years ago. 

But it is precisely because the research – into the then new phenomenon of denial-of-service attacks on web servers – is considered to have stood the test of time that it is receiving recognition now. 

Dr Markus Kuhn and his co-authors were honoured with the 'Test of Time Award' for their paper Analysis of a denial of service attack on TCP at the 2020 IEEE (Institute of Electrical and Electronics Engineers) Symposium on Security and Privacy.

The award, says the organisation, "recognizes past papers for their broad and lasting impact on both research and practice in computer security and privacy".

Markus (pictured right) co-authored the paper while he was a Fulbright Scholar finishing a Masters' degree at Purdue University, just before coming to this department for his PhD. The paper was one of the first to address the problem of denial-of-service attacks.

"There had just been a series of these attacks – several dozen – on well-known commercial websites," Markus says.

"The attackers sent out a small number of data packets, carefully chosen to maximize the resource consumption of a targeted web server, in order to overload and effectively disconnect it remotely from the internet in a way that is difficult to trace back to the location of the attacker. We wrote this paper in the immediate aftermath of the attacks."

"The award recognizes past papers for their broad and lasting impact on both research and practice in computer security and privacy."


The researchers – Christoph Schuba, Ivan Krsul, Markus, Gene Spafford, Aurobindo Sundaram and Diego Zamboni – analysed in detail the attack strategy that the websites (including that of the then-fledgling Amazon) had suffered: the 'SYN flooding' attack.

This exploited a weakness in the implementation of the initial handshake of the TCP protocol in major server operating systems. Their paper provided a quick fix in the form of a 'synkill' tool, which detects and neutralizes the attack by injecting TCP reset messages.

It also described several countermeasures that could be added to TCP implementations or network gateways, some of which soon became common practice and are still widely used today.

"Our 'synkill' solution essentially reset the connection to free the resources that were clogging up the server, so that was the main contribution. But our paper also pointed out many other potential solutions, many of which were later implemented in firewalls or in updates to operating systems," he says.

Twenty years on, Markus – now a Senior Lecturer here – is still working in the field of security. He teaches second- and third-year undergraduate courses in Security, Cryptography and Digital Signal Processing, among others, and runs a fourth-year Hardware Security practical module.

His students are sometimes treated to little demonstrations of how to pick bicycle locks or suitcase locks to show their vulnerabilities. "I do this to demonstrate similar vulnerabilities in software programmes," he says. "These are to do with what are called side channels, which release additional information about how the lock works."

In the case of a bicycle lock, this may be a difference in the way the numbered rings turn when they reach the right number when the lock is put under pressure. In the case of a website password, it can be to do with the length of time the website software takes to reveal whether the password that has been inputted is correct or incorrect.

And as a researcher, he is a member of the Security Group here. He focuses on the hardware and digital signal-processing aspects of computer security. "I look at techniques for eavesdropping on computers and on smartcards – such as bank payment cards. The aim of the research is to find out what is possible, what are the limits on what is possible, and therefore what protection standards are needed."

He is also interested in distance-bounding protocols that confirm, based on the speed of light, how near or far devices are from each other at most.

"If you have a card that operates doors or turnstiles in the building where you work, when you’re in the pub, someone could hold a fake door-reader device next to your wallet or handbag, and by forwarding the data, they could open these doors remotely to allow someone else into the building," he explains.

In the case of this week’s IEEE Symposium, however, no physical doors will need to be opened. Commonly known as 'the Oakland Conference', it is not taking place in San Francisco, as originally planned, but in cyberspace. And that brings one advantage.

"Because I am teaching, I would not have been able to travel to San Francisco for this event," he says. "But because it is virtual this year, I can be present for the awards ceremony."

Main image: Markus Spiske / Unsplash.





Published by Rachel Gardner on Monday 18th May 2020