• DocumentCode
    2784398
  • Title

    In-network server-directed client authentication and packet classification

  • Author

    Jamshed, Muhammad ; Brustoloni, Jose

  • Author_Institution
    Electr. Eng. Dept., KAIST, Daejeon, South Korea
  • fYear
    2010
  • fDate
    10-14 Oct. 2010
  • Firstpage
    328
  • Lastpage
    331
  • Abstract
    Defenses against Distributed Denial-of-Service (DDoS) attacks are commercially available and deployed by Internet Service Providers (ISPs) at the network and transport layers. However, attackers increasingly target vulnerabilities at the application layer. Launched from bots, these attacks seek to exhaust server resources, such as CPU and disk bandwidth. Because these attacks use normal-looking requests, ISP defenses can't distinguish them. We describe Forward Sentinel (FS), a novel device that enables ISPs to protect servers against such attacks. When load on a server reaches a level suggestive of attack, FS intercepts traffic and requires the server's clients to authenticate. Moreover, protected servers can signal to FS the desired class of service for a client's packets (e.g., after client authentication by the server). FS can be configured to mark packets for different classes of service or drop them according to the results of client authentication, number of packets forwarded, and server signaling. Experiments demonstrate that FS can effectively protect servers against DDoS attacks at the network, transport, and application layers.
  • Keywords
    Internet; network servers; telecommunication security; DDoS; ISP; Internet service providers; client authentication; disk bandwidth; distributed denial-of-service attacks; forward sentinel; in-network server-directed client authentication; normal-looking requests; packet classification; server resources; server signaling; Authentication; Computer crime; IP networks; Quality of service; Time factors; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Local Computer Networks (LCN), 2010 IEEE 35th Conference on
  • Conference_Location
    Denver, CO
  • ISSN
    0742-1303
  • Print_ISBN
    978-1-4244-8387-7
  • Type

    conf

  • DOI
    10.1109/LCN.2010.5735734
  • Filename
    5735734