DoS Protection for a Pragmatic Multiservice Network Based on Programmable Networks

We propose a multiservice network scenario based on pragmatic ideas from programmable networks, in which active routers process both active and legacy packets. This scenario is vulnerable to a Denial of Service attack that consists of injecting false legacy packets into active routers. We propose a mechanism for detecting such injection: neighboring active routers exchange accounting information about the traffic they forward to each other, so that the legacy traffic entering a router can be reconciled against what its neighbor actually sent. The exchange must be carried out securely, using secure active packets, so that an attacker cannot forge or alter the accounting data. The mechanism is sensitive to packet loss, since lost packets make the accounts of neighboring routers disagree even in the absence of an attack; we propose improvements to the mechanism to deal with this problem. A further issue is the procedure for discarding packets once an attack has been detected; we propose a simple and efficient mechanism that will be refined in future work.
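The reconciliation idea sketched in the abstract, written out as an added example that is not code from the paper. It assumes a single pair of neighboring active routers A (upstream) and B (downstream), per-interval counters of legacy packets, and models the paper's "secure active packets" as HMAC-SHA256-authenticated accounting reports under a pre-shared key; the traffic figures, the key, the `slack` parameter and the verdict labels are all constructed here for illustration. It also shows the loss sensitivity the abstract mentions: injected packets are only visible when they outnumber the packets lost on the same link in the same interval.

```python
import hashlib
import hmac
import json

# Assumption: neighboring active routers share a key for authenticating
# accounting reports (the paper's key distribution is not modelled here).
SHARED_KEY = b"constructed-key-shared-by-routers-A-and-B"


def make_report(key: bytes, router_id: str, interval: int, legacy_sent: int) -> bytes:
    """Upstream router A builds an authenticated accounting report stating how
    many legacy packets it forwarded to B during `interval`."""
    body = json.dumps(
        {"router": router_id, "interval": interval, "sent": legacy_sent},
        sort_keys=True,
    ).encode()
    # hex tag keeps the report free of the '|' separator used below
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_report(key: bytes, report: bytes) -> dict:
    """Downstream router B checks the MAC before trusting the counter;
    a forged or altered report is rejected rather than reconciled."""
    body, _, tag = report.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("forged or corrupted accounting report")
    return json.loads(body)


def classify(sent: int, received: int, slack: int = 0) -> str:
    """Compare A's reported count with B's observed count for one interval.
    received = sent - lost + injected, so:
      excess >  slack -> more legacy packets arrived than were sent: injection
      excess <  0     -> packets were lost (and may be masking injection)
      otherwise       -> accounts agree
    `slack` is an assumed allowance for packets straddling interval boundaries."""
    excess = received - sent
    if excess > slack:
        return "injection"
    if excess < 0:
        return "loss"
    return "consistent"


def simulate_interval(legit: int, lost: int, injected: int, slack: int = 0) -> dict:
    """One accounting interval on the A->B link with constructed traffic figures:
    A forwards `legit` legacy packets, `lost` of them never reach B, and an
    attacker inserts `injected` fake legacy packets on the link."""
    received_by_b = legit - lost + injected
    report = make_report(SHARED_KEY, "A", interval=1, legacy_sent=legit)
    info = verify_report(SHARED_KEY, report)
    return {
        "sent": info["sent"],
        "received": received_by_b,
        "verdict": classify(info["sent"], received_by_b, slack),
    }


def tamper_report(report: bytes, new_sent: int) -> bytes:
    """Attacker rewrites the 'sent' field to cover injected traffic but cannot
    recompute the MAC; verify_report() must reject the result."""
    body, _, tag = report.rpartition(b"|")
    info = json.loads(body)
    info["sent"] = new_sent
    return json.dumps(info, sort_keys=True).encode() + b"|" + tag


if __name__ == "__main__":
    for args in [(1000, 0, 0), (1000, 0, 50), (1000, 30, 0), (1000, 60, 50)]:
        print(args, simulate_interval(*args))
    forged = tamper_report(make_report(SHARED_KEY, "A", 1, 1000), 1050)
    try:
        verify_report(SHARED_KEY, forged)
    except ValueError as e:
        print("tampered report:", e)
```

The fourth simulated interval (60 lost, 50 injected) is the failure mode the abstract refers to: B sees fewer legacy packets than A reports, so the interval is classified as loss and the injection goes unnoticed until the attacker's volume exceeds the link's loss.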
