Assuring Network Service with Bandwidth and Integrity Based Fairness

During an Internet distributed denial-of-service (DDoS) attack, attackers pose as a superpower overloading bandwidth and services that otherwise would have been lightly used by genuine users. These legitimate users send few packets and occasionally back-off and fail while competing for resources. The Internet architecture provides only modest support for verifying the true origin of a packet or intention of a sender. This makes identification and filtering of attack traffic difficult. DDoS attacks could be limited greatly if there were a way to fairly distribute the resources among the parties despite limited origin integrity. In our work, we propose two methods for achieving fairness despite no or partial implementation for integrity verification. Adaptive Selective Verification (ASV) provides legitimate clients service despite large but bounded attack rates without any integrity infrastructure. ASV can be implemented, without the cooperation of the core routers, by slight modification of the client and server applications. The other system is Integrity Based Queuing (IBQ). In this work, we expect that integrity will not be perfect, but observe that even an imperfect implementation can improve the effectiveness of queuing when parities with better a integrity level are incentivized. ASV and IBQ together create a mechanism for incentives, infrastructure and independence for network service assurance. ASV is shown to be efficient in terms of bandwidth consumption using network simulations. It differs from previously-investigated adaptive mechanisms for bandwidth based payment by requiring very limited state on server. Our study of IBQ includes proof of direct relationship of integrity to service, a network simulation for comparative study, simulation with real attack traffic and security analysis. Our network assurance architecture provides a synergistic approach for defending against DDoS attacks. With moderate infrastructure support, IBQ can be an architecture to provide graded source validation on the Internet. Clients that do not have the support from the ISP, use their spare bandwidth with ASV for service.