PREVENTION OF OVERLOAD-BASED SERVICE FAILURE OF SECURITY AGGREGATION POINT

摘要

There are provided measures for enabling/realizing prevention of an overload-based service failure of a security aggregation point, such as for example prevention of a DDoS attack on an IKE aggregation point. Such measures exemplarily comprise detection of presence of an overload condition with respect to establishment of certificate-based security associations between one or more clients and a security aggregation point, dynamic population of a blacklist for unauthorized clients,i.e. clients which are unauthorized for establishment of a certificate-based security association (e.g. clients having no valid certificate),with at least source information identifying clients having undergone authentication failure, check of the blacklist for a match with source information in an initiation request from a client in response to the initiation request, and rejection of the initiation request from the client on the basis of a match between the source information in the initiation request and the source information in the blacklist.