NC STATE UNIVERSITY / MCNC
Protecting Network Quality of Service Against Denial of Service Attacks
Douglas S. Reeves, S. Felix Wu, Fengmin Gong
Talk: “00-17 reeves”
CACC Research Review Meeting
October 25, 2000

New Capabilities...
• Discriminating between users; a good thing!
  – Bandwidth, quality, response time, …
• Based on trust, need, importance, credit, urgency, ...: Policies!

...New Vulnerabilities
• Steps
  – provisioning
  – user signaling
  – admission control
  – network signaling
  – traffic policing
• Each step is vulnerable!

Attack 1: Excessive User Demands
• Everyone asks for...
  – ...maximum resource amount
  – ...premium service

Our Solution: Resource Pricing
• (An example: Telephone Network)

Resource Prices Based on Demand
• Predicted-load (static) pricing
• Auction-based (semi-static) pricing
• Congestion-based (dynamic) pricing
• Combined approaches

Policy Specification / Enforcement
• What determines the price?
• How much can each user pay?

Provable Fairness
• Fairness is a policy
• Achievable...
  – Pareto optimal
  – Weighted max-min fair
  – Proportional fair
  – Equal QoS
  – Maximal aggregate utility
  – Maximum revenue

Comparison With Other Approaches
• First-come, first-served
  – “grab resources early and often”
• Fixed (absolute) priority
  – starvation problems
• Non-weighted fairness (TCP)
  – everyone is equal?
• Other resource pricing work
  – static / centralized, restricted fairness

Future Work: Implementation
• Fall 2000 (management tools: Summer 2001)

Future Work: 3rd Party Authorization
• Spring 2001

Future Work: Service Class Provisioning
• Given predicted demand for each service class...
  – how much of each service class should the network owner provision?
  – what price to charge for each class?
• Goals: maximum profit, maximum utility, ...?

Future Work: Protecting the Pricing Mechanism
• Vulnerability to attack
• Protecting…
  – RSVP
  – COPS
  – SIP
  – Policy server and databases
  – Authorization server, user database, billing database
• Spring 2002

Impact of This Work
• Disincentives for "bad" user behavior
• Ability to flexibly specify and enforce policies
• Efficient (optimal) allocation
• Economic incentives for deployment of new services

Attack 3: TCP Packet Dropping
• Congestion causes "normal" packet dropping
• Can malicious packet dropping (not due to normal congestion) be detected?
  – due to corrupted routers
  – due to "unfriendly" users

Attack 4: Compromised DiffServ Routers

Attack Types
• Dropping one data flow to benefit others
• Injecting (spoofing, flooding, ...) packets to a high priority flow
• Remarking packets in a data flow
• Delaying packets in a data flow
• Compromised ingress, core, or egress routers