A Feedback Mechanism for Mitigating Denial of Service Attacks against Differentiated Services Clients

Abstract

Differentiated Service (DiffServ) networks provide Quality of Service (QoS) guarantees by policing traffic into a fixed number of pre-existing classes. DoS¹

attacks against DiffServ clients will be more targeted and require less attack bandwidth than current attacks due to the per-client and per-class bandwidth limitations which must be imposed to ensure QoS guarantees. In this paper, we present a technique for defeating a DoS attack on a DiffServ client through dynamic modification of packet headers. This technique allows the DiffServ network to distinguish valid traffic from malicious traffic, but does not require cryptographic processing on a per-packet basis and does not increase packet size. We also examine the sensitivity of our system to the traffic policerâ s token bucket size.