Programming routers to improve network security

Denial of Service (DoS ) attacks represent, in today’s Internet, one of the most complex issues to address. In this paper we present a novel approach to deal with Distributed DoS (DDoS ) attacks in the Internet. We propose a model for an Active Security System, comprising a number of components that actively cooperate in order to effectively react to a wide range of attacks. Functional to our approach is a network signaling protocol, named Active Security Protocol , which allows a set of active routers to interact in order to isolate the sources of a DDoS attack even in the case of address spoofing. Deployment and tuning of the Active Security System are ideally suited to a Programmable Network environment. 1 Denial of Service: attacks and protection Denial of Service attacks aim at compromising a distributed system’s availability by consuming its resources as much as possible [1]. Several attack techniques have been conceived and exploited over the Internet in the past few years. Among them, Distributed DoS (DDoS) attacks represent the most complex case to deal with. Two are the key actions that must be performed when recognizing and reacting to DoS attacks: Intrusion Detection and Traceback. An Intrusion Detection System (IDS) [2] is an entity devoted to the detection of both non-authorized uses and misuses of a system. Recently, lots of efforts have been devoted to the definition and introduction of IDS components inside network routers, even within the IETF community. IP Traceback is concerned with detecting the source(s) of a DoS attack. The most complex issue it has to face is related to the fact that the attackers often use spoofed IP addresses, thus preventing effective detection via a simple analysis of the IP header of the received packets. As a countermeasure to this attack strategy, packet marking techniques are often employed.