Protecting Network Quality of Service Against Denial of Service Attacks. Douglas S. Reeves, S. Felix Wu, Fengmin Gong. Talk: “00-17 reeves”, CACC Research Review Meeting, October 25, 2000.
NC STATE UNIVERSITY / MCNC
Protecting Network Quality of Service Against Denial of Service Attacks
Douglas S. Reeves, S. Felix Wu, Fengmin Gong
Talk: “00-17 reeves”
CACC Research Review Meeting
October 25, 2000

New Capabilities...
• Discriminating between users; a good thing!
  – Bandwidth, quality, response time, …
• Based on trust, need, importance, credit, urgency, ...: Policies!

...New Vulnerabilities
• Steps
  – provisioning
  – user signaling
  – Admission control
  – network signaling
  – Traffic policing
• Each step is vulnerable!

Attack 1: Excessive User Demands
• Everyone asks for...
  – ...maximum resource amount
  – ...premium service

Our Solution: Resource Pricing
• (An example: Telephone Network)

Resource Prices Based on Demand
• Predicted-load (static) pricing
• Auction-based (semi-static) pricing
• Congestion-based (dynamic) pricing
• Combined approaches

Policy Specification / Enforcement
• What determines the price?
• How much can each user pay?

Provable Fairness
• Fairness is a policy
• Achievable...
  – Pareto optimal
  – Weighted max-min fair
  – Proportional fair
  – Equal QoS
  – Maximal aggregate utility
  – Maximum revenue

Comparison With Other Approaches
• First-come, first-served
  – “grab resources early and often”
• Fixed (absolute) priority
  – starvation problems
• Non-weighted fairness (TCP)
  – everyone is equal?
• Other resource pricing work
  – static / centralized, restricted fairness
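
An added example, not part of the original slides: one congested link allocated with and without a congestion price, showing why the inflated request from "Attack 1" stops paying off once bandwidth is bought from a budget. The pricing rule (each user buys budget/price units, with the price set so the link is just full), the user names and all numbers are assumptions made for illustration.

```python
# Added illustration; the pricing model and all names are assumptions, not from the slides.
# Each user is (budget per unit time, requested bandwidth). Values are constructed.
USERS = {
    "alice":   (10.0, 30.0),
    "bob":     (30.0, 80.0),
    "mallory": (10.0, 1000.0),   # asks for far more than it is willing to pay for
}

def unpriced_allocation(users, capacity):
    """Baseline with no pricing: scale every request by the same factor."""
    total = sum(d for _, d in users.values())
    scale = min(1.0, capacity / total)
    return {name: d * scale for name, (_, d) in users.items()}

def clearing_price(users, capacity, tol=1e-9):
    """Lowest price at which total affordable demand fits the link (bisection)."""
    def load(p):
        return sum(min(d, b / p) for b, d in users.values())
    if sum(d for _, d in users.values()) <= capacity:
        return 0.0                       # no congestion, no congestion charge
    lo = tol
    hi = sum(b for b, _ in users.values()) / capacity   # load(hi) <= capacity
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if load(mid) > capacity:
            lo = mid                     # still overloaded: price must rise
        else:
            hi = mid                     # fits: try a lower price
    return hi

def priced_allocation(users, capacity):
    """Each user gets what its budget buys at the clearing price, capped by its request."""
    p = clearing_price(users, capacity)
    if p == 0.0:
        return {name: d for name, (_, d) in users.items()}
    return {name: min(d, b / p) for name, (b, d) in users.items()}

if __name__ == "__main__":
    print("unpriced:", unpriced_allocation(USERS, 100.0))
    print("price:   ", clearing_price(USERS, 100.0))
    print("priced:  ", priced_allocation(USERS, 100.0))
```

Without a price the largest request takes most of the link; with one, mallory receives the same share as alice, who has the same budget, however large the request.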

Future Work: Implementation
• Fall 2000 (management tools: Summer 2001)

Future Work: 3rd Party Authorization
• Spring 2001

Future Work: Service Class Provisioning
• Given predicted demand for each service class...
  – how much of each service class should the network owner provision?
  – what price to charge for each class?
• Goals: maximum profit, maximum utility, ...?

Future Work: Protecting the Pricing Mechanism
• Vulnerability to attack
• Protecting…
  – RSVP
  – COPS
  – SIP
  – Policy server and databases
  – Authorization server, user database, billing database
• Spring 2002

Impact of This Work
• Disincentives for "bad" user behavior
• Ability to flexibly specify and enforce policies
• Efficient (optimal) allocation
• Economic incentives for deployment of new services

Attack 3: TCP Packet Dropping
• Congestion causes "normal" packet dropping
• Can malicious packet dropping (not due to normal congestion) be detected?
  – due to corrupted routers
  – due to "unfriendly" users

Attack 4: Compromised DiffServ Routers

Attack Types
• Dropping one data flow to benefit others
• Injecting (spoofing, flooding, ...) packets into a high priority flow
• Remarking packets in a data flow
• Delaying packets in a data flow
• Compromised ingress, core, or egress routers