From: Ioannis Giotis (giotis@cs.washington.edu)
Date: Tue Nov 30 2004 - 16:50:27 PST
Another aspect of security in the internet is protecting the network
from attacks that affect its operation. Nowadays, it is becoming more
common to witness attacks where the attacker uses congestion as the way
to make a host or a link unreachable. In other cases, it is also observed
that an unusually high demand for a service from a group can have the same
effect.
The authors propose a scheme to deal with these phenomena. Instead of
trying to identify the cause and "fix" the problem at its root, they try
to limit the consequences. Their scheme consists of two main parts: a
local mechanism that manages flows at a router, can detect attacks and
tries to limit the bandwidth allocated to these flows, and a pushback
mechanism, which is an extension that pushes the limiting points further
back, closer to the origins of the attack. The scheme is intuitive and
seems to deal with the problem in simulations. It is also easy to
implement and doesn't require all routers to upgrade in order to provide
additional security.
It is very positive that the authors take the side effects of their
scheme into account when providing their solution. On the other hand,
these side effects, such as the limiting of legitimate flows, are still
there and could lead to severe issues. Also, policy decisions play a
significant role in their detection and limiting algorithms, which could
be a major weakness in the system, as attackers could easily reconfigure
their attacks so as to go undetected when bad policy decisions are used.
Finally, despite the advantage of dealing with the attack immediately,
not solving the problem at its root leaves a lot of room for attackers to
find new weaknesses in this scheme.
Overall, this scheme is certainly worth looking at, mainly because there
are no alternatives today dealing with these types of attacks. However,
I feel that by the time such a scheme could be implemented, new
attacking techniques will emerge that will render this scheme useless.
This archive was generated by hypermail 2.1.6 : Tue Nov 30 2004 - 16:50:28 PST
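The two-part scheme the review summarizes (a local limiter at a congested router plus pushback of that limit to upstream neighbours) can be seen in miniature in the following toy simulation. This is an added illustration written for this page; it is not the paper's algorithm nor code from the reviewer. The topology (R1 and R2 feeding R0), the link capacities, the 50% "share" detection threshold, the proportional split of the limit among upstream contributors, and the packet counts are all assumptions of the example, and the "policy decisions" the review worries about show up here as the bare `share` parameter.

```python
"""Toy model of aggregate rate limiting with pushback (added example).

Time is sliced into intervals; each router sees the packets offered to
its outgoing link in one interval. A router that is congested looks for
one destination prefix (the "aggregate") responsible for most of the
load, rate-limits it so the remaining traffic fits, and asks the
upstream neighbours that delivered that aggregate to enforce their share
of the limit before the packets reach the congested link.
All names, thresholds and traffic volumes below are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_prefix: str   # key used to aggregate traffic, e.g. "10.0.0.0/24"
    src_router: str   # upstream neighbour this packet arrived from


class Router:
    """One router running the local limiter plus pushback (illustrative)."""

    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity      # packets per interval the outgoing link carries
        self.limits = {}              # dst_prefix -> packets per interval allowed
        self.upstream = {}            # neighbour name -> Router object
        self.pushback_sent = []       # (neighbour, prefix, limit) requests issued

    def detect_aggregate(self, packets, share=0.5):
        """Local detection: only when the link is overloaded, the single prefix
        carrying more than `share` of the offered load is treated as the attack
        aggregate. `share` is the policy knob; a lower value is more aggressive."""
        if len(packets) <= self.capacity:
            return None
        prefix, count = Counter(p.dst_prefix for p in packets).most_common(1)[0]
        return prefix if count > share * len(packets) else None

    def install_limit(self, packets, prefix):
        """Limit the aggregate to whatever capacity is left after all other traffic."""
        other = sum(1 for p in packets if p.dst_prefix != prefix)
        self.limits[prefix] = max(0, self.capacity - other)

    def pushback(self, packets, prefix):
        """Hand each upstream contributor a share of the limit proportional to
        how much of the aggregate it delivered (assumed split, not the paper's)."""
        contrib = Counter(p.src_router for p in packets if p.dst_prefix == prefix)
        total = sum(contrib.values())
        for neighbour, n in contrib.items():
            quota = self.limits[prefix] * n // total
            self.pushback_sent.append((neighbour, prefix, quota))
            up = self.upstream.get(neighbour)
            if up is not None:          # neighbour supports pushback: it enforces the quota
                up.limits[prefix] = min(up.limits.get(prefix, quota), quota)

    def forward(self, packets):
        """Apply installed limits; returns (forwarded, dropped) packet lists."""
        sent, forwarded, dropped = Counter(), [], []
        for p in packets:
            cap = self.limits.get(p.dst_prefix)
            if cap is not None and sent[p.dst_prefix] >= cap:
                dropped.append(p)
            else:
                sent[p.dst_prefix] += 1
                forwarded.append(p)
        return forwarded, dropped

    def interval(self, packets):
        """One measurement interval: detect, limit, push back, then forward."""
        prefix = self.detect_aggregate(packets)
        if prefix is not None:
            self.install_limit(packets, prefix)
            self.pushback(packets, prefix)
        return self.forward(packets)


def run_scenario():
    """Constructed topology: R1 and R2 both feed R0, whose outgoing link to
    the victim side carries 100 packets per interval. R1 offers 150 attack
    packets to the victim prefix plus 20 unrelated packets; R2 offers 50
    attack packets plus 30 unrelated ones."""
    r0, r1, r2 = Router("R0", capacity=100), Router("R1", capacity=1000), Router("R2", capacity=1000)
    r0.upstream = {"R1": r1, "R2": r2}
    victim = "10.0.0.0/24"
    from_r1 = [Packet(victim, "R1")] * 150 + [Packet("10.1.0.0/24", "R1")] * 20
    from_r2 = [Packet(victim, "R2")] * 50 + [Packet("10.2.0.0/24", "R2")] * 30

    # Interval 1: R0 is congested, detects the aggregate, limits it and pushes back.
    fwd1, drop1 = r0.interval(from_r1 + from_r2)

    # Interval 2: same offered load, but R1 and R2 now enforce their quotas
    # upstream, so the drops no longer happen on R0's congested link.
    up1, _ = r1.interval(from_r1)
    up2, _ = r2.interval(from_r2)
    fwd2, drop2 = r0.interval(up1 + up2)
    return {
        "limit_at_r0": r0.limits[victim],
        "pushback": r0.pushback_sent,
        "interval1": (len(fwd1), len(drop1)),
        "upstream_limits": (r1.limits[victim], r2.limits[victim]),
        "interval2": (len(fwd2), len(drop2)),
        "legit_dropped_interval2": sum(1 for p in drop2 if p.dst_prefix != victim),
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the first interval R0 forwards 100 packets and drops 150, all of them from the victim aggregate; after pushback R1 and R2 hold the aggregate to 37 and 12 packets respectively, so in the second interval R0 sees 99 packets and drops nothing. The model also makes the reviewer's side-effect concern visible: every packet to the victim prefix is limited, so legitimate traffic to that same prefix would be cut along with the attack.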