"Protection of Network Quality of Service
Against Denial of Service Attacks"
As quality of service (QoS) capabilities are added to the Internet, they
may become targets of attack by hackers. They may also be exploited in undesired
ways by normal users. The mechanisms which provide QoS must be properly safeguarded
against attack. There must also be a simple, flexible way for network administrators
to define and enforce a variety of QoS policies.
The ARQoS project addresses these needs. The institutions collaborating
on this project are N.C. State University, the University of California at
Davis, and MCNC. The project has several components:
- Quality of Service is dependent upon proper allocation of network resources.
When resource demand exceeds supply, a means of deciding among competing
demands is needed. We advocate an approach based on pricing theory. This
approach is flexible, scalable, efficient, and adapts quickly to changing
network loads. We are applying this theory to many resource granularities
and timescales. The scope of attacks is limited by this technique.
- Requests by users and responses from the network must be properly authorized
and authenticated to prevent interference or forgery. We are working on
authentication and authorization techniques that are robust, general, and
effective. Attacks are prevented by this technique.
- Attacks cannot always be limited or prevented. We are investigating scalable
methods for monitoring and analyzing QoS performance. Attacks are detected
by this technique.
- Security mechanisms are installed and configured by administrators to
accomplish security objectives, or policies. We are defining a policy specification
language, and creating a method for determining whether a set of security mechanisms
is consistent with (accomplishes) a policy specification.
This work is funded by a grant from the Defense Advanced Research Projects
Agency, administered by the Air Force Rome Labs under contract F30602-99-1-0540.
An abstract of the original proposal is also available.
last updated 02-feb-2002