Protecting Network Quality of
Service against Denial of
Service Attacks
Douglas S. Reeves
S. Felix Wu
Chandru Sargor
N. C. State University / MCNC
October 6, 1999
Tolerant Networks Program
BAA99-10 Kickoff Meeting
1
Quality of Service - a New
Capability for Packet-Switching

New services
 Guaranteed minimum bandwidth
 Guaranteed maximum delay
 Guaranteed maximum loss rate

Guaranteeing QoS for a “flow” requires
providing adequate resources
2
IntServ / RSVP Operation
PATH messages
DST
SRC
RESV messages
Tspec = 5M
ADspec = 5M
That looks fine
to me…..
Tspec = 5M
ADspec = 4M
Reserve
3M
ADspec = 3M
Reserve
3M
3
DiffServ
DATA flow
SRC1
DST1
SRC2
DST2
Service Agreement
and Traffic Agreement
4
Quality of Service - A New
Vulnerability

Normal users will try to get maximum
QoS without regard to others

Malicious users will try to deny quality of
service for others
5
The ARQOS Project
Selective verification of reservation
signaling (SVR)
Congestion pricing of scarce resources
($$$)
Monitoring of data flows, and integration
with intrusion detection (IDS)
6
SVR: Attacking ADSpec
DST
SRC
ADSpec = 5M
That looks fine
to me…..
ADSpec = 200M
Reserve
5M
Reserve
200M
7
SVR: IETF RSVP Security
Current solution proposed by Fred Baker

All routers, even including those not on
the path, share the same “key table”

Hop-by-hop authentication of messages
– outsiders tampering with packets will be
detected, but corrupted insiders will not be
detected
8
SVR: IETF RSVP Security
(cont.)
Sharing a secret key
A
ADSpec
B
A & B trust each other;
If A is compromised and sends a faulty ADSpec,
there is no way for B to know about it
9
SVR: Our Approach
DST
SRC
ADSpec = 5M
ADSpec = 200M
Correlation and Verification of the Correctness Properties
10
SVR: Verification of Reservations

No need to introduce new features to
RSVP, other existing protocols

Do not need to install verification agents
in every router

Capable of detecting insider attacks
12
SVR: Status

Identified types of possible attacks on
RSVP signals

Solutions for detecting the most
important types of attacks

Now implementing attacks and solutions
14
$$$: Competing for Services
"You can have
5M, 2M, or
1M, at no cost;
what do you
want, and for
how long?”
Service Provider:
Network Resources
5M
5M
5M
5M
5M
5M
Users:
“We all want 5M, from now on!”
15
$$$: Influencing Behavior

Disincentives for bad behavior -- users
incur costs for resource usage

Incentives for good behavior -- profits
for service providers
17
$$$: Competition (cont.)
“5M costs $3/min,
2M costs $2/min,
1M costs $1/min.”
Service Provider:
Network Resources
5M
@$3
2M
@$2
5M
@$3
1M
@$1
5M
@$3
1M
@$1
Users:
18
$$$: Pricing of Resources

Price is right when demand = supply

Flexibility
– combinations of resources and services
– User endowments for non-monetary goals

How are prices set, by whom, and how
are they distributed?
19
$$$: Goals and Assumptions

Fairness vs. “maximum aggregate utility”

The time and data scales for which this
is useful

Real money, or play money?

Charging senders, or receivers

The overhead of billing and accounting
21
$$$: Status

Pricing method

Integration with RSVP

Integration with DiffServ

Infrastructure
22
IDS: Attacks on the Data Flow

From a malicious host (external to
network)
– spoof high priority data flow packets
– send large amounts of data to ingress
router to overload it

From a compromised ingress router
– admit/discard traffic in violation of service
agreement
– inappropriate marking of admitted traffic
23
IDS: Possible Attacks (cont.)
– delay/drop packets from selected flows
– generate additional traffic to degrade
overall network QoS

From a compromised core router
– randomly re-mark flows
– delay/drop packets from selected flows
– generate additional traffic to degrade
overall network QoS
24
IDS: Intrusion Detection System
Security
Management
Entity
SNMPv3
Profile-Based
Analyzer
IDS MIB
Rule-Based
Analyzer
Decision Module
Filtering Engine
Network
25
IDS: Detecting Re-marked
Packets

Downstream IDS will detect anomalous
change in IP header
– raise alarm via SNMP

Security management entity will receive
alarms from IDS entities and correlate
them

Security management entity will query
other routers on the path to isolate
compromised router
26
IDS: Status

Enhance JiNao implementation to make
it protocol independent
– originally targeted for OSPF attack
detection
– now can be used to detect attacks against
any protocol

Identification of data flow attacks

Preliminary design of IDS system
27
Conclusions

Started August ‘99

Implementing RSVP / DiffServ testbed

Exploring collaborations with vendors
28