Title :
Preventing denial of service attacks on quality of service
Author :
Fulp, Errin ; Fu, Zhi ; Reeves, Douglas S. ; Wu, S. Felix ; Zhang, Xiaobing
Author_Institution :
Dept. of Comput. Sci., Wake Forest Univ., Winston-Salem, NC, USA
Abstract :
Capabilities are being added to IP networks to support quality of service (QoS) guarantees. These guarantees are needed for many applications, such as voice and video transmission, real-time control, etc. Little attention has been paid to making these capabilities secure; in their present form, they are vulnerable to attack. The ARQoS project is examining these vulnerabilities, and ways to prevent denial-of-service attacks on QoS capabilities. In this paper, we describe two important parts of the project. The first part is the application of a pricing paradigm to resource allocation. User acquisition of network resources must be authorized, and the relative amount of resources that can be requested is carefully controlled. We present a distributed method of pricing which is highly flexible and responsive to changing conditions. Experimental results illustrate its effectiveness. The second part is the detection of TCP dropping attacks by compromised routers. The detection occurs at the end system and does not require any cooperation from the network. We have enhanced a method of statistically analyzing traffic patterns to detect dropping attacks. The method has been implemented and tested over the Internet, and results are presented.
Keywords :
Internet; quality of service; resource allocation; tariffs; telecommunication network routing; telecommunication security; telecommunication traffic; transport protocols; ARQoS project; IP networks; Internet; TCP dropping attack detection; attack vulnerability; changing conditions; compromised routers; distributed method; network resource acquisition authorization; pricing paradigm; resource allocation; resource request control; security; service denial attacks; service quality; statistical analysis; traffic patterns; Access protocols; Bandwidth; Computer crime; Computer networks; Computer science; IP networks; Pricing; Quality of service; Resource management; Upper bound;
Conference_Title :
DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings
Conference_Location :
Anaheim, CA
Print_ISBN :
0-7695-1212-7
DOI :
10.1109/DISCEX.2001.932169