A method for mitigating denial of service attacks on differentiated services networks

Abstract

This thesis presents a method for countering Denial of Service (DoS) attacks in networks that provide Quality of Service (QoS) guarantees using Differentiated Service (DiffServ). This approach uses feedback from the DiffServ provider to initiate packet signing at the source. The signature allows the DiffServ provider to distinguish valid packets from malicious packets. This mechanism can also be used to provide key management for other digital signature methods, such as the Internet Protocol Authentication Header (IP AH). However, unlike other methods, our solution requires no encryption or cryptographic processing on a per-packet basis. Instead, it utilizes the sender's ability to alter its packet signatures faster than the attacker can duplicate the changes. This method also avoids the fragmentation and decreased throughput associated with increased packet size of IP AH through use of existing fields in the IP header. This method results in a significant reduction in valid packets that are dropped during a DoS attack. Thus, a DiffServ provider would be able to maintain QoS guarantees during an attack without incurring the overhead associated with cryptographic signatures. A C++ implementation of this DoS countermeasure for the ns2 network simulator and the experimental simulation scripts are included as appendices.