Title :
Towards emergency networks security with per-flow queue rate management
Author :
Casoni, Maurizio ; Grazia, Carlo Augusto ; Klapez, Martin ; Patriciello, Natale
Author_Institution :
Dept. of Eng. Enzo Ferrari, Univ. of Modena & Reggio Emilia, Modena, Italy
Abstract :
When statistical multiplexing is used to provide connectivity to a number of client hosts through a high-delay link, the original TCP as well as TCP variants born to improve performance on those links often provide poor performance and sub-optimal QoS properties. To guarantee intra-protocol fairness, inter-protocol friendliness, low queue utilization and optimal throughput in mission-critical scenarios, Congestion Control Middleware Layer (C2ML) has been proposed as a tool for centralized and collaborative resource management. However, C2ML offers only very limited security guarantees. Because emergencies may be natural or man-provoked, in the latter case there may be interest in cutting legitimate users off from the communication networks that support disaster recovery operations. In this paper we present Queue Rate Management (QRM), an Active Queue Management scheme able to provide protection from Resource Exhaustion Attacks in scenarios where access to the shared link is controlled by C2ML; the proposed algorithm checks whether a node is exceeding its allowed rate, and consequently decides whether to keep or drop packets coming from that node. We mathematically prove that with QRM the gateway queue size can never exceed the Bandwidth-Delay Product of the channel. Furthermore, we use the ns-3 simulator to compare QRM with CoDel and RED, showing how QRM provides better performance in terms of both throughput and QoS guarantees when employed with C2ML.
Keywords :
business continuity; computer network management; computer network performance evaluation; computer network security; queueing theory; statistical multiplexing; telecommunication congestion control; transport protocols; C2ML; CoDel; QRM; RED; active queue management scheme; bandwidth-delay product; centralized resource management; collaborative resource management; congestion control middleware layer; disaster recovery operations; emergency network security; high-delay link; interprotocol friendliness; intraprotocol fairness; mission-critical scenarios; ns-3 simulator; per-flow queue rate management; queue rate management; resource exhaustion attacks; statistical multiplexing; suboptimal QoS properties; Bandwidth; Delays; Emergency services; IP networks; Logic gates; Queueing analysis; Throughput; AQM; Congestion control; Emergency Networks; Middleware; Queueing Delay; Satellite;
Conference_Title :
Pervasive Computing and Communication Workshops (PerCom Workshops), 2015 IEEE International Conference on
Conference_Location :
St. Louis, MO
DOI :
10.1109/PERCOMW.2015.7134087