Quality of service provisioning for composable routing elements

Han, Seung Chul; Zaroo, Puneet; Yau, David K. Y.; Dong, Yuhan; Gopalan, Prem; Lui, John C. S.

doi:10.1016/j.comnet.2005.08.008

Cited by 1 publication

(1 citation statement)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We have an implementation of router throttling on the CROSS/Linux software-programmable router [9]. CROSS/Linux allows a pipeline of processing elements to be flexibly configured for flows of network packets.…”

Section: System Implementationmentioning

confidence: 99%

Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles

Yau

Lui

et al. 2005

IEEE/ACM Trans. Networking

195

View full text Add to dashboard Cite

Our work targets a network architecture and accompanying algorithms for countering distributed denial-of-service (DDoS) attacks directed at an Internet server. The basic mechanism is for a server under stress to install a router throttle at selected upstream routers. The throttle can be the leaky-bucket rate at which a router can forward packets destined for the server. Hence, before aggressive packets can converge to overwhelm the server, participating routers proactively regulate the contributing packet rates to more moderate levels, thus forestalling an impending attack. In allocating the server capacity among the routers, we propose a notion of level-max-min fairness. We first present a control-theoretic model to evaluate algorithm convergence under a varitey of system parameters. In addition, we present packet network simulation results using a realistic global network topology, and various models of good user and attacker distributions and behavior. Using a generator model of web requests parameterized by empirical data, we also evaluate the impact of throttling in protecting user access to a web server. First, for aggressive attackers, the throttle mechanism is highly effective in preferentially dropping attacker traffic over good user traffic. In particular, level-max-min fairness gives better good-user protection than recursive pushback of max-min fair rate limits proposed in the literature. Second, throttling can regulate the experienced server load to below its design limit -in the presence of user dynamics -so that the server can remain operational during a DDoS attack. Lastly, we present implementation results of our prototype on a Pentium III/866 MHz machine. The results show that router throttling has low deployment overhead in time and memory.Index Terms-Congestion control, distributed denial of service, network security, router throttling.

show abstract

Section: System Implementationmentioning

confidence: 99%