Layer-4 Service Differentiation and Resource Isolation

  • Authors: Haining Wang; Kang G. Shin

  • Venue: RTAS '02 Proceedings of the Eighth IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'02)
  • Year: 2002

Abstract

While the Differentiated Services (DiffServ) infrastructure is scalable and robust in providing network Quality of Service (QoS), there are serious drawbacks with the services provided by DiffServ: (1) the services are coarse-grained and one-way only; (2) no service differentiation and resource isolation are provided to meta-data packets such as TCP SYN and ACK packets. Moreover, the coarse-grained service differentiation and the lack of resource isolation at IP routers expose its vulnerability to Distributed Denial of Service (DDoS) attacks [10]. Based on the concept of layer-4 service differentiation and resource isolation, where the transport-layer information is inferred from the IP headers and used for packet classification and resource management, we present a scalable fine-grained DiffServ (sf-DiffServ) architecture that provides fine-grained service differentiation and resource isolation among thinner Behavior Aggregates (BAs). The sf-DiffServ architecture consists of a fine-grained QoS classifier and an adaptive weight-based resource manager at IP routers. A two-stage packet classification mechanism is devised to decouple the fine-grained QoS lookup from the routing lookup at core routers. Due to its scalable QoS support for TCP control segments, sf-DiffServ supports bi-directional differentiated services for TCP sessions. Most importantly, the fine-grained resource isolation provided inside the sf-DiffServ is a powerful built-in protection mechanism to counter DDoS attacks, reducing the vulnerability of the Internet to DDoS attacks.