Minority First Gateway for Protecting QoS of Legitimate Traffic from Intentional Network Congestion

A Minority-First Gateway for Protecting the Quality of Service of Legitimate Traffic from Artificial Network Congestion

  • Gaeil An (Network Security Research Division, Electronics and Telecommunications Research Institute)
  • Published : 2005.07.01

Abstract

A Denial of Service (DoS) attack attempts to prevent legitimate users of a service from being adequately served by monopolizing network resources, eventually resulting in network or system congestion. This paper proposes a Minority First (MF) gateway, which is capable of guaranteeing the Quality of Service (QoS) of legitimate service traffic under DoS conditions. An MF gateway can rapidly determine whether an aggregate flow is a congestion-inducer. It protects the QoS of legitimate traffic by giving high-priority service to aggregate flows judged legitimate, and confines network congestion to the attack traffic by giving low-priority service to aggregate flows regarded as congestion-inducers. We verify through simulation that the proposed mechanism guarantees the QoS of legitimate traffic not only under a single DoS attack, but also under a Distributed DoS (DDoS) attack, which causes multiple concurrent occurrences of network congestion.

A denial-of-service attack monopolizes network resources to create artificial congestion on server systems and networks, with the aim of preventing ordinary users from receiving normal service. This paper proposes a Minority First gateway that can guarantee the quality of service of legitimate traffic even under artificial network congestion. The Minority First gateway provides a method for rapidly deciding whether an aggregate flow is congestion-inducing traffic. It gives aggregate flows judged to be legitimate a high-priority service to protect their quality, and gives aggregate flows judged to be congestion-inducing a low-priority service so that network congestion affects only the congestion-inducing traffic. Simulation confirms that the proposed Minority First gateway guarantees the quality of service of legitimate traffic not only under a denial-of-service attack but also under a distributed denial-of-service attack that causes congestion at multiple nodes simultaneously.
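The abstract describes the gateway only in outline: aggregate flows are classified as congestion-inducers or not, and the two classes are served at different priorities so that congestion hits only the inducers. The following added toy model (not the paper's code; the paper does not give its classification rule) assumes a simple rule in its place: when offered load exceeds link capacity, any aggregate demanding more than an equal share of the link is marked a congestion-inducer. The non-inducer "minority" aggregates are served first, and the result is compared with a plain FIFO link, where every aggregate loses the same fraction of its traffic. Aggregate names and rates are constructed sample input.

```python
def classify_aggregates(demand, capacity):
    """Assumed classification rule (not the paper's): only under overload,
    an aggregate asking for more than an equal share of capacity is a
    congestion-inducer. Returns {aggregate: is_inducer}."""
    total = sum(demand.values())
    if total <= capacity:                      # no congestion, nothing to blame
        return {a: False for a in demand}
    fair_share = capacity / len(demand)
    return {a: rate > fair_share for a, rate in demand.items()}


def schedule(demand, capacity, inducer):
    """Two-class strict-priority service: non-inducer aggregates are served
    first, inducer aggregates receive whatever capacity is left. Within a
    class the available capacity is split in proportion to demand."""
    served, remaining = {}, capacity
    for is_inducer in (False, True):           # minority (legitimate) first
        members = {a: r for a, r in demand.items() if inducer[a] == is_inducer}
        need = sum(members.values())
        if need == 0:
            continue
        grant = min(need, remaining)
        for a, rate in members.items():
            served[a] = rate * grant / need
        remaining -= grant
    return served


def mf_gateway(demand, capacity):
    """Minority First gateway: classify, then serve by priority class."""
    inducer = classify_aggregates(demand, capacity)
    return inducer, schedule(demand, capacity, inducer)


def fifo_gateway(demand, capacity):
    """Baseline drop-tail link: every aggregate is scaled by the same factor,
    so legitimate traffic suffers the congestion the attack created."""
    scale = min(1.0, capacity / sum(demand.values()))
    return {a: rate * scale for a, rate in demand.items()}


# Constructed sample: a 100 Mb/s link carrying two small legitimate
# aggregates and one flooding aggregate (rates in Mb/s).
SAMPLE_DEMAND = {"web": 20.0, "dns": 5.0, "flood": 300.0}
LINK_CAPACITY = 100.0

if __name__ == "__main__":
    flagged, mf = mf_gateway(SAMPLE_DEMAND, LINK_CAPACITY)
    fifo = fifo_gateway(SAMPLE_DEMAND, LINK_CAPACITY)
    for a in SAMPLE_DEMAND:
        print(f"{a:6} inducer={flagged[a]!s:5} MF={mf[a]:6.1f} FIFO={fifo[a]:6.1f}")
```

Under the MF gateway the web and DNS aggregates keep their full 20 and 5 Mb/s while the flood is cut to the 75 Mb/s left over; under FIFO all three are scaled to about 31% of demand, so the legitimate aggregates lose most of their throughput.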
