"Preventing Denial of Service Attacks on Quality of Service"

Errin Fulp, Zhi Fu, Douglas S. Reeves, S. Felix Wu, and Xiaobing Zhang

Abstract

Capabilities are being added to packet-switched networks to support 
Quality of Service (QoS) guarantees.  These guarantees are needed for 
many applications such as voice and video transmission, real-time 
control, etc.  Little attention has been paid to making these 
capabilities secure; in their present form they are vulnerable to attack.

The ARQOS project is examining these vulnerabilities and ways to prevent 
denial of service attacks on Quality of Service capabilities.  Protection 
of the control flow and the data flow is being addressed.  In this paper, 
we describe two important parts of the project.

The first part is the application of a pricing paradigm to resource allocation.  
User acquisition of network resources must be authorized, and the relative 
amount of resources that can be requested is carefully controlled.  We 
present a distributed method of pricing which is highly flexible and 
responsive to changing conditions.  Experimental results illustrate its 
effectiveness.

The second part is the detection of TCP dropping attacks by compromised 
routers.  The detection occurs at the end system and does not require any 
cooperation from the network.  We have enhanced a method of statistically 
analyzing traffic patterns to detect the signs of a dropping attack.  The 
method has been implemented and tested over the Internet, and results are 
presented.