
Minority First Gateway for Protecting QoS of Legitimate Traffic from Intentional Network Congestion  

Ann Gae-Il (Network Security Research Department, Electronics and Telecommunications Research Institute)
Abstract
A Denial of Service (DoS) attack attempts to prevent legitimate users of a service from being adequately served by monopolizing network resources, eventually resulting in network or system congestion. This paper proposes a Minority First (MF) gateway, which is capable of guaranteeing the Quality of Service (QoS) of legitimate service traffic under DoS conditions. An MF gateway can rapidly determine whether an aggregate flow is a congestion inducer. It protects the QoS of legitimate traffic by giving high-priority service to aggregate flows regarded as legitimate, and localizes network congestion to attack traffic alone by giving low priority to aggregate flows regarded as congestion inducers. We verify through simulation that the suggested mechanism guarantees the QoS of legitimate traffic not only under a regular DoS attack, but also under a Distributed DoS (DDoS) attack, which brings about multiple concurrent occurrences of network congestion.
Keywords
Network Congestion; DDoS Attack; QoS; Protection of Legitimate Traffic
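The abstract's two-level scheme, as an added toy model that is not the paper's own code: aggregates judged to be congestion inducers are pushed to a strict low-priority queue while the remaining aggregates are served first, and the result is compared with a single FIFO queue. The classification rule (an aggregate is an inducer when the link is overloaded and that aggregate alone offers more than INDUCER_SHARE of capacity), the rate values and the aggregate names are assumptions made for this example; the paper's own criterion is not given on this page.

```python
# Toy model of the Minority First (MF) gateway described in the abstract.
# Added illustration, not the paper's code. The classification rule below
# (an aggregate is a congestion inducer when the link is overloaded and that
# aggregate alone offers more than INDUCER_SHARE of capacity) is an assumption
# made for this example; the paper's own criterion is not given on this page.

INDUCER_SHARE = 0.5  # assumption: share of capacity marking an aggregate as an inducer


def classify(offered, capacity):
    """Return names of aggregates regarded as congestion inducers.

    offered maps aggregate name -> offered load (Mbit/s). Classification only
    happens when total offered load exceeds capacity, i.e. the link is congested.
    """
    if sum(offered.values()) <= capacity:
        return set()
    return {n for n, r in offered.items() if r > INDUCER_SHARE * capacity}


def fifo_share(offered, capacity):
    """Baseline: one FIFO queue, so loss hits every aggregate in proportion to its load."""
    scale = min(1.0, capacity / sum(offered.values()))
    return {n: r * scale for n, r in offered.items()}


def minority_first(offered, capacity):
    """MF gateway: legitimate aggregates are served first; inducers get what is left."""
    inducers = classify(offered, capacity)
    high = {n: r for n, r in offered.items() if n not in inducers}
    low = {n: r for n, r in offered.items() if n in inducers}
    out, remaining = {}, capacity
    for group in (high, low):  # strict priority: high-priority queue drained first
        demand = sum(group.values())
        served = min(demand, remaining)
        if demand:
            out.update({n: r * served / demand for n, r in group.items()})
        remaining -= served
    return out


# Constructed sample: two modest legitimate aggregates and one flood on a 100 Mbit/s link.
SAMPLE = {"web": 20.0, "mail": 10.0, "flood": 170.0}
CAPACITY = 100.0

if __name__ == "__main__":
    print("FIFO:", fifo_share(SAMPLE, CAPACITY))     # legitimate aggregates lose half their traffic
    print("MF:  ", minority_first(SAMPLE, CAPACITY))  # legitimate aggregates keep full throughput
```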