Preventing denial of service attacks on quality of service

Capabilities are being added to IP networks to support quality of service (QoS) guarantees. These guarantees are needed for many applications, such as voice and video transmission and real-time control. Little attention has been paid to securing these capabilities; in their present form, they are vulnerable to attack. The ARQoS project is examining these vulnerabilities and ways to prevent denial-of-service attacks on QoS capabilities. In this paper, we describe two important parts of the project. The first part is the application of a pricing paradigm to resource allocation. User acquisition of network resources must be authorized, and the relative amount of resources that any user can request is carefully controlled. We present a distributed method of pricing that is highly flexible and responsive to changing conditions. Experimental results illustrate its effectiveness. The second part is the detection of TCP dropping attacks by compromised routers. The detection occurs at the end system and does not require any cooperation from the network. We have enhanced a method of statistically analyzing traffic patterns to detect dropping attacks. The method has been implemented and tested over the Internet, and results are presented.
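The following is an added worked example of the budget-capped pricing idea behind the first part; it is an illustration written for this page, not the ARQoS project's own pricing scheme. A single link of fixed capacity is priced by Walrasian tatonnement (the price is raised until total demand fits the capacity), and each requester can buy at most budget / price units, so a requester who asks for "everything" is bounded by its authorized budget rather than by the goodwill of the other users. The `Requester`, `demand`, `clearing_price` and `allocate` names, the capacity, the wants, the budgets and the price bounds are all constructed for the example.

```python
"""Budget-limited pricing as a denial-of-service control on QoS reservations.

Added illustration (not the ARQoS project's pricing scheme): one link of
fixed capacity is priced by Walrasian tatonnement, i.e. the price rises
until total demand fits the capacity. A requester can buy at most
budget / price units, so asking for "everything" buys no more than the
budget allows. Capacity, wants, budgets and price bounds are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requester:
    name: str
    want: float    # bandwidth requested (Mb/s); an attacker may ask for more than exists
    budget: float  # spend the requester is authorized to make per pricing interval


def demand(r: Requester, price: float) -> float:
    """Units r buys at this price: its request, capped by what its budget affords."""
    return min(r.want, r.budget / price)


def clearing_price(reqs, capacity, floor=0.01, ceiling=1e6, iters=100):
    """Smallest price (>= floor) at which total demand no longer exceeds capacity.

    Total demand is non-increasing in price, so bisection on the price converges.
    """
    if sum(demand(r, floor) for r in reqs) <= capacity:
        return floor
    lo, hi = floor, ceiling
    for _ in range(iters):
        mid = (lo + hi) / 2
        if sum(demand(r, mid) for r in reqs) > capacity:
            lo = mid
        else:
            hi = mid
    return hi


def allocate(reqs, capacity):
    """Run the price adjustment and return (price, {name: bandwidth bought})."""
    price = clearing_price(reqs, capacity)
    return price, {r.name: demand(r, price) for r in reqs}


CAPACITY = 100.0  # Mb/s on the contended link (constructed value)
ALICE = Requester("alice", want=30.0, budget=30.0)
BOB = Requester("bob", want=20.0, budget=20.0)
GREEDY = Requester("greedy", want=1000.0, budget=25.0)  # asks for 10x the link
RICH = Requester("rich", want=1000.0, budget=200.0)     # same request, bigger budget


def scenario(reqs):
    """Price one set of requesters and report the resulting allocation."""
    price, alloc = allocate(reqs, CAPACITY)
    return {"price": price, **alloc, "total": sum(alloc.values())}


if __name__ == "__main__":
    for reqs in ((ALICE, BOB, GREEDY), (ALICE, BOB), (ALICE, BOB, RICH)):
        print(scenario(reqs))
```

With `greedy` present the price settles at 0.5, alice and bob still receive their full 30 and 20 Mb/s, and greedy gets 50 Mb/s (its 25-unit budget divided by the price) instead of the 1000 it asked for; when greedy leaves, the price falls back to the floor and the link is uncongested. The `rich` case is the caveat: with a budget of 200 the same request drives the price to 2.5 and crowds alice and bob down to 12 and 8 Mb/s, so the protection is only as strong as the authorization that sets budgets, which is why the abstract ties pricing to authorized acquisition.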

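The following is an added example of an end-system statistical check for the second part, written for this page rather than taken from the ARQoS detector described above. It uses one signal that Paxson-style end-to-end loss measurements support: congestion losses cluster (a packet sent right after a lost one is much more likely to be lost too, because the queue that overflowed is still full), whereas a router that discards a flow's packets independently of queue state produces losses that do not cluster. The `loss_stats`, `loss_zscore` and `suspect_dropping` names, the baseline loss rate, the thresholds and the three packet traces are all constructed for the example.

```python
"""End-host detection of a packet-dropping router from a flow's own loss record.

Added illustration (not the ARQoS detector): a flow is flagged when its loss
rate is significantly above a baseline AND its losses do not cluster the way
congestion losses do. Baseline rate, thresholds and traces are constructed.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class LossStats:
    packets: int
    losses: int
    loss_rate: float
    p_loss_after_loss: float  # P(packet lost | previous packet lost)
    p_loss_after_ok: float    # P(packet lost | previous packet delivered)
    clustering: float         # p_loss_after_loss / loss_rate; about 1 for independent drops


def loss_stats(delivered):
    """delivered[i] is True if the i-th packet sent was acknowledged, False if lost."""
    n = len(delivered)
    losses = sum(1 for ok in delivered if not ok)
    after_loss = [delivered[i + 1] for i in range(n - 1) if not delivered[i]]
    after_ok = [delivered[i + 1] for i in range(n - 1) if delivered[i]]
    p_ll = after_loss.count(False) / len(after_loss) if after_loss else 0.0
    p_ol = after_ok.count(False) / len(after_ok) if after_ok else 0.0
    rate = losses / n if n else 0.0
    return LossStats(n, losses, rate, p_ll, p_ol, p_ll / rate if rate else 0.0)


def loss_zscore(stats, baseline_rate):
    """Normal approximation to the binomial: standard deviations by which the
    observed loss count exceeds what the baseline rate predicts."""
    expected = stats.packets * baseline_rate
    sd = sqrt(stats.packets * baseline_rate * (1.0 - baseline_rate))
    return (stats.losses - expected) / sd


def suspect_dropping(stats, baseline_rate=0.01, z_threshold=3.0, max_clustering=2.0):
    """Flag a flow whose losses are both too many and too evenly spread.

    Congestion losses are bursty (clustering well above 1); an on-path router
    dropping packets at random regardless of its queue yields clustering near 1.
    """
    if stats.losses < 3:  # too few losses to say anything about clustering
        return False
    return (loss_zscore(stats, baseline_rate) > z_threshold
            and stats.clustering < max_clustering)


def trace(n, lost):
    """Constructed delivery record for n packets with the given sequence numbers lost."""
    return [i not in lost for i in range(n)]


# Constructed traces: 9 losses in 100 packets in both non-clean cases, differing
# only in how the losses are spread.
CONGESTION_TRACE = trace(100, {20, 21, 22, 60, 61, 62, 63, 85, 86})  # three bursts
ATTACK_TRACE = trace(100, {5, 17, 29, 41, 53, 65, 77, 89, 97})       # evenly spread
CLEAN_TRACE = trace(100, set())


if __name__ == "__main__":
    for name, t in (("congestion", CONGESTION_TRACE), ("attack", ATTACK_TRACE),
                    ("clean", CLEAN_TRACE)):
        s = loss_stats(t)
        print(name, s, "flagged" if suspect_dropping(s) else "not flagged")
```

Both non-clean traces have the same 9% loss rate, so a rate threshold alone cannot tell them apart; the bursty trace has a conditional loss probability of 6/9 after a loss versus 3/90 after a delivery (clustering about 7.4) and is treated as congestion, while the evenly spread trace has no back-to-back losses and is flagged. This is one signal, not a verdict: an active queue manager such as RED deliberately spreads its drops, so a deployed detector needs the longer observation windows and the additional statistics the paper reports rather than a single 100-packet sample.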