Transport-Aware IP Routers: A Built-In Protection Mechanism to Counter DDoS Attacks
September 2003 (vol. 14 no. 9)
pp. 873-884

Abstract—The lack of service differentiation and resource isolation in current IP routers exposes them to Distributed Denial of Service (DDoS) attacks, posing a serious threat to the availability of Internet services. Based on the concept of layer-4 service differentiation and resource isolation, where transport-layer information is inferred from the IP headers and used for packet classification and resource management, we present a transport-aware IP (tIP) router architecture that provides fine-grained service differentiation and resource isolation among different classes of traffic aggregates. The tIP router architecture consists of a fine-grained Quality-of-Service (QoS) classifier and an adaptive weight-based resource manager. A two-stage packet-classification mechanism is devised to decouple the fine-grained QoS lookup from the usual routing lookup at core routers. The fine-grained service differentiation and resource isolation provided inside the tIP router is a powerful built-in protection mechanism to counter DDoS attacks, reducing the vulnerability of the Internet to DDoS attacks. Moreover, the tIP architecture is stateless and compatible with the Differentiated Service (DiffServ) infrastructure. Thanks to its scalable QoS support for TCP control segments, the tIP router supports bidirectional differentiated services for TCP sessions.
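The following is an added illustration of the idea the abstract describes, not code from the paper: stage 1 is the ordinary routing lookup, stage 2 derives a traffic class from transport-layer fields without keeping per-flow state, and a per-class weight caps how much of the link any one class may consume, so a flood in one class cannot starve the others. The class names, weights, the "pure ACK" size heuristic, and the sample flood are assumptions constructed for the example; the paper's adaptive weight adjustment is not modelled.

```python
import ipaddress
from dataclasses import dataclass

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10

@dataclass
class Packet:
    dst: str          # destination IP address
    proto: int        # IP protocol number
    length: int       # total packet length in bytes
    tcp_flags: int = 0  # only meaningful when proto == PROTO_TCP

# Stage 1: usual longest-prefix-match routing lookup (constructed routing table).
ROUTES = {"10.0.0.0/8": "eth1", "10.1.0.0/16": "eth2", "0.0.0.0/0": "eth0"}

def route_lookup(dst: str) -> str:
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]

# Stage 2: stateless fine-grained class from transport-layer information.
# Assumed heuristic: an ACK-only segment of at most 60 bytes is treated as a pure ACK.
def qos_class(pkt: Packet) -> str:
    if pkt.proto == PROTO_TCP:
        if pkt.tcp_flags & TCP_SYN:
            return "tcp-ctrl"                     # connection-setup control segments
        if pkt.tcp_flags & TCP_ACK and pkt.length <= 60:
            return "tcp-ack"                      # pure acknowledgments
        return "tcp-data"
    return "udp" if pkt.proto == PROTO_UDP else "other"

# Assumed static share of link capacity per class (the paper adapts these weights).
WEIGHTS = {"tcp-ctrl": 0.10, "tcp-ack": 0.20, "tcp-data": 0.40, "udp": 0.25, "other": 0.05}

def schedule(packets, link_bytes: int):
    """Forward packets within each class's byte budget; return per-class forwarded counts and drops."""
    budget = {c: w * link_bytes for c, w in WEIGHTS.items()}
    forwarded = {c: 0 for c in WEIGHTS}
    dropped = 0
    for pkt in packets:
        cls = qos_class(pkt)
        if budget[cls] >= pkt.length:
            budget[cls] -= pkt.length
            forwarded[cls] += 1
        else:
            dropped += 1                          # the flooding class exhausts only its own share
    return forwarded, dropped

# Constructed sample: a UDP flood arriving ahead of a few legitimate TCP segments.
FLOOD_SAMPLE = ([Packet("10.1.2.3", PROTO_UDP, 1000)] * 100
                + [Packet("10.1.2.3", PROTO_TCP, 40, TCP_SYN)] * 5
                + [Packet("10.1.2.3", PROTO_TCP, 1000, TCP_ACK)] * 3)
```

With a 20,000-byte budget the UDP class is capped at 5 packets while every TCP control and data segment is still forwarded.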


Index Terms:
Distributed Denial of Service (DDoS) attacks, layer-4 differentiation, resource isolation, packet classification.
Haining Wang, Kang G. Shin, "Transport-Aware IP Routers: A Built-In Protection Mechanism to Counter DDoS Attacks," IEEE Transactions on Parallel and Distributed Systems, vol. 14, no. 9, pp. 873-884, Sept. 2003, doi:10.1109/TPDS.2003.1233710