Design of secure Diffserv ingress edge routers

Classical Differentiated Service (DiffServ) routers have not considered the security problem in their designs, generally, they have no ability to countering Denial of Service (DoS ) attacks because of their simple system structures. DoS attacks against DiffServ clients are more targeted and require less attack bandwidth than current attacks for classical DiffServ routers due to the per-client and per-class bandwidth limitations, since they must be imposed to ensure QoS guarantees. To solve the problem, in this paper, we present the design of new ingress DiffServ edge router(IDER) for defeating DoS attacks on DiffServ clients. The classifier and access control model of ingress DiffServ edge routers(IDERs) secure the Quality of Service (QoS) by policing traffics and limiting the data rate and access number of traffics, and distinguish the traffics with higher priorities from malicious traffics. The algorithms of secure TCP AQM and UDP AQM are derived from two fluid models. The network behaviors of proposed secure IDERs have been simulated by several to two fluid models with the traffic policing.