Detecting DoS Attacks and Service Violations in QoS-enabled Networks

From NMSL

Denial of Service (DoS) attacks pose a serious threat to the Internet. A DoS attack consumes memory, CPU, or network resources and degrades or shuts down the resource under attack (the victim). As an example of the severity of the problem, the San Diego Supercomputer Center reported 12,805 DoS attacks over a three-week period in February 2001. The motivations behind these attacks span a wide spectrum, from political conflicts and economic gain for competitors to the mere curiosity of hobbyists. Cyber terrorism cannot be excluded as a future motivation either.

In addition to DoS attacks, quality of service (QoS)-enabled networks are vulnerable to a second type of attack, the QoS attack. A QoS-enabled network, such as a differentiated services (DiffServ) network, offers different classes of service at different prices. The difference in charging rates may entice some users to steal bandwidth or other network resources. We define an attacker in this environment as a user who tries to obtain more resources, i.e., a better service class, than what he has signed (paid) for. Because the differentiated services framework aggregates flows into service classes, legitimate customer traffic may experience degraded QoS as a result of the illegally injected traffic. Taken to an extreme, that excess traffic amounts to a denial of service attack. This creates a need for an effective defense mechanism that automates both the detection of and the reaction to attacks on QoS-enabled networks.
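The service-violation check described above, at the ingress edge of a DiffServ domain, as an added example (this is not code from the page or from the NMSL project). The customer SLAs, the prefix-to-customer mapping, the class ranking and the packet trace are all constructed for illustration. A customer is flagged when it marks packets with a class better than the one it pays for, or when it sends more bytes in its contracted class than the contracted rate allows within the measurement window.

```python
"""Service-violation check at the ingress edge router of a DiffServ domain.

Added example (not code from the page or the NMSL project). The customer
SLAs, the prefix-to-customer mapping and the packet trace are constructed.
A customer violates its SLA when it (a) marks packets with a class better
than the one it pays for, or (b) sends more bytes in its contracted class
than the contracted rate allows within the measurement window.
"""
import ipaddress
from collections import defaultdict

# Service classes ordered from worst to best; the DSCP values are the standard
# code points (BE = 0, AF11/AF12/AF13 = 10/12/14, EF = 46).
CLASS_RANK = {"BE": 0, "AF1": 1, "EF": 2}
DSCP_TO_CLASS = {0: "BE", 10: "AF1", 12: "AF1", 14: "AF1", 46: "EF"}

# Constructed SLAs: customer prefix -> (contracted class, contracted rate in bytes/s).
SLAS = {
    "10.1.0.0/16": ("EF", 200_000),
    "10.2.0.0/16": ("AF1", 500_000),
    "10.3.0.0/16": ("BE", 1_000_000),
}
_NETS = [(ipaddress.ip_network(prefix), prefix) for prefix in SLAS]


def customer_of(src_ip):
    """Map a source address to its customer prefix, or None if it is not a customer."""
    addr = ipaddress.ip_address(src_ip)
    for net, prefix in _NETS:
        if addr in net:
            return prefix
    return None


def check_window(packets, window_s=1.0):
    """packets: iterable of (timestamp, src_ip, dscp, length) seen in one window.

    Returns a sorted list of (customer, kind, class, bytes) violations, where
    kind is "class" (paid-for class exceeded) or "rate" (contracted rate exceeded).
    """
    bytes_by = defaultdict(int)  # (customer, class) -> bytes seen in the window
    for _ts, src, dscp, length in packets:
        cust = customer_of(src)
        if cust is None:          # not our customer: policing it is someone else's job
            continue
        cls = DSCP_TO_CLASS.get(dscp, "BE")  # unknown code points count as best effort
        bytes_by[(cust, cls)] += length

    violations = []
    for (cust, cls), nbytes in sorted(bytes_by.items()):
        paid_cls, rate = SLAS[cust]
        if CLASS_RANK[cls] > CLASS_RANK[paid_cls]:
            violations.append((cust, "class", cls, nbytes))
        elif cls == paid_cls and nbytes > rate * window_s:
            violations.append((cust, "rate", cls, nbytes))
        # traffic in a class below the contracted one is allowed and not policed here
    return violations


def build_trace():
    """Constructed one-second trace of (timestamp, src_ip, dscp, length) tuples."""
    pkts = []
    pkts += [(i / 100, "10.1.5.5", 46, 1000) for i in range(100)]  # EF customer, 100 kB: fine
    pkts += [(i / 100, "10.2.7.7", 10, 1500) for i in range(100)]  # AF1 customer, 150 kB: fine
    pkts += [(i / 50, "10.2.7.7", 46, 1500) for i in range(50)]    # AF1 customer marking EF
    pkts += [(i / 800, "10.3.9.9", 0, 1500) for i in range(800)]   # BE customer, 1.2 MB > 1 MB/s
    pkts += [(i / 5, "10.3.9.9", 12, 1500) for i in range(5)]      # BE customer marking AF12
    pkts += [(0.5, "192.0.2.1", 46, 1500)]                         # not a customer: ignored
    return pkts


if __name__ == "__main__":
    for v in check_window(build_trace()):
        print("violation:", v)
```

Two details matter in practice: the rate check is per window, so a customer that bursts just under the contracted rate in every window is not caught by this check alone (a token bucket at the edge handles that), and packets carrying a code point the domain does not define are deliberately demoted to best effort rather than trusted.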

In this project, we study denial of service attacks and the threat they pose to the Internet. We classify the solutions proposed in the literature for thwarting DoS attacks and conduct a comparative evaluation of them. From the comparison we draw conclusions that guide the selection of one or more defense approaches suitable for a given environment. In addition, we propose network monitoring techniques to detect service violations and to infer DoS attacks. We believe that network monitoring has the potential to detect DoS attacks at an early stage, before they severely harm the victim. Our conjecture is that a DoS attack injects a huge amount of traffic into the network, which alters the network's internal characteristics (e.g., delay and loss ratio). Monitoring watches for these changes and identifies the congested links, which helps in locating the attacker and alerting the victim.
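The monitoring idea in the paragraph above, as an added example (not the NMSL project's code or the algorithm from the cited papers): edge-to-edge measurements of loss ratio and delay are compared against an attack-free baseline, degraded paths are identified, and the congested links and the edges involved are inferred. The topology, the baseline and the current measurements are constructed. The localization rule is a deliberately simple one of my own choosing: a link is a suspect only if every monitored path traversing it is degraded, so a single healthy path through a link exonerates it.

```python
"""Edge-to-edge monitoring: detect deviations in loss ratio and delay, then
infer the congested link(s) and the edges involved.

Added example (not the NMSL project's code). The topology, the attack-free
baseline and the current measurements are constructed. The localization
rule is deliberately simple: a link is a suspect only if every monitored
path traversing it is degraded, so one healthy path through a link
exonerates it.
"""

# Constructed topology: edge-to-edge path -> ordered list of links it traverses.
PATHS = {
    "e1->e3": ["e1-c1", "c1-c2", "c2-e3"],
    "e1->e4": ["e1-c1", "c1-c3", "c3-e4"],
    "e2->e3": ["e2-c1", "c1-c2", "c2-e3"],
    "e2->e4": ["e2-c1", "c1-c3", "c3-e4"],
}

# Constructed attack-free baseline per path: (loss ratio, one-way delay in ms).
BASELINE = {
    "e1->e3": (0.001, 12.0),
    "e1->e4": (0.002, 15.0),
    "e2->e3": (0.001, 11.0),
    "e2->e4": (0.001, 14.0),
}

# Constructed current measurements while traffic floods toward edge e3.
CURRENT = {
    "e1->e3": (0.080, 41.0),
    "e1->e4": (0.002, 16.0),
    "e2->e3": (0.060, 38.0),
    "e2->e4": (0.001, 14.5),
}


def degraded_paths(current, baseline, loss_tol=0.01, delay_factor=2.0):
    """Paths whose loss ratio rose by more than loss_tol (absolute) or whose
    delay exceeds delay_factor times the baseline."""
    bad = set()
    for path, (loss, delay) in current.items():
        base_loss, base_delay = baseline[path]
        if loss > base_loss + loss_tol or delay > delay_factor * base_delay:
            bad.add(path)
    return bad


def suspect_links(bad):
    """Links that lie only on degraded paths, in sorted order."""
    all_links = {link for links in PATHS.values() for link in links}
    suspects = []
    for link in sorted(all_links):
        owners = [p for p, links in PATHS.items() if link in links]
        if owners and all(p in bad for p in owners):
            suspects.append(link)
    return suspects


def locate(current, baseline):
    """Run detection and localization; returns a report dict."""
    bad = degraded_paths(current, baseline)
    if not bad:
        return {"alert": False}
    return {
        "alert": True,
        "degraded": sorted(bad),
        "links": suspect_links(bad),
        # ingress edges of degraded paths: where the attack traffic enters the domain
        "ingress": sorted({p.split("->")[0] for p in bad}),
        # egress edges shared by degraded paths: the likely victim's side
        "egress": sorted({p.split("->")[1] for p in bad}),
    }


if __name__ == "__main__":
    print(locate(CURRENT, BASELINE))
```

The report names two suspect links, c1-c2 and c2-e3, because every monitored path traverses them together; the probe paths have to be chosen so that no two links are always measured as a pair if the monitor is to single out one link. The baseline must also be taken from a period with no attack in progress: a baseline learned while a flood is already under way raises the tolerances and blinds the detector to it.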


People


Publications

  • M. Hefeeda and A. Habib, Detecting DoS Attacks and Service Violations in QoS-enabled Networks, Book Chapter in Handbook on Security and Networks, World Scientific Publishing Co., In Press. (Invited)
  • A. Habib, M. Hefeeda, and B. Bhargava, Detecting Service Violations and DoS Attacks, In Proc. of Network and Distributed Systems Security Symposium (NDSS'03), pages 177--189, San Diego, CA, February 2003. (Acceptance: 21%)


References and Links

  • A. Bremler-Barr, H. Levy, and U. Ben-Porat, Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks, In Proc. of IEEE INFOCOM 2008.
  • J. Mirkovic and P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM Computer Communication Review, 34(2):39--53, April 2004.
  • M. T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking, 16(1):15--24, February 2008.