Title :
Transport-aware IP routers: a built-in protection mechanism to counter DDoS attacks
Author :
Wang, Haining ; Shin, Kang G.
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci., Michigan Univ., Ann Arbor, MI, USA
Abstract :
The lack of service differentiation and resource isolation in current IP routers exposes them to Distributed Denial of Service (DDoS) attacks (Garber, 2000), posing a serious threat to the availability of Internet services. Based on the concept of layer-4 service differentiation and resource isolation, where the transport-layer information is inferred from the IP headers and used for packet classification and resource management, we present a transport-aware IP (tIP) router architecture that provides fine-grained service differentiation and resource isolation among different classes of traffic aggregates. The tIP router architecture consists of a fine-grained Quality-of-Service (QoS) classifier and an adaptive weight-based resource manager. A two-stage packet-classification mechanism is devised to decouple the fine-grained QoS lookup from the usual routing lookup at core routers. The fine-grained service differentiation and resource isolation provided inside the tIP router is a powerful built-in protection mechanism to counter DDoS attacks, reducing the vulnerability of the Internet to such attacks. Moreover, the tIP architecture is stateless and compatible with the Differentiated Services (DiffServ) infrastructure. Thanks to its scalable QoS support for TCP control segments, the tIP router supports bidirectional differentiated services for TCP sessions.
Keywords :
Internet; quality of service; security of data; telecommunication network routing; telecommunication security; transport protocols; DDoS attacks; DiffServ; Distributed Denial of Service; IP headers; IP routers; Internet service availability; TCP; adaptive weight-based resource manager; fine-grained QoS lookup; fine-grained Quality-of-Service; packet classification; resource isolation; resource management; service differentiation; tIP router; transport-aware IP router; two-stage packet-classification; Aggregates; Availability; Computer crime; Counting circuits; Protection; Quality management; Quality of service; Resource management; Routing; Web and internet services
Journal_Title :
Parallel and Distributed Systems, IEEE Transactions on
DOI :
10.1109/TPDS.2003.1233710