Re: resistance to swamping attacks.
> Bill Sommerfeld wrote:
> > Here's a more specific goal:
> > If a system has a normal communications bandwidth of X, and receives
> > an incoming storm from forged source addresses with a bandwidth of Y
> > (less than X), it should be able to continue to use at least half of
> > the remaining bandwidth (X-Y) constructively to communicate with
> > arbitrary legitimate peers, including peers which had never before
> > communicated with it.
>
> One issue here is probably that if a real packet storm occurs, the links to
> the attacked host become saturated, and no communication whatsoever can
> occur. Or at least: The bandwidth for legitimate users sinks drastically
> towards 0. No protocol can fix this, if the routers do not help you.
>
> Assuming that only the end system is saturated, and the link would be able
> to carry more data, then perhaps two goals should be formulated:
>
> a) An endsystem which is flooded by a storm of connection establishment
> requests should try to distinguish 'real' connection requests (well, you
> could build a list of 'preferred hosts', e.g. hosts you had a connection
> (or SA) lately, and handle these with a preferred ratio. If this is not
> possible or practical, at least all requests should have the same chance
> to succeed. And no, this would not be a very nice perspective. (X-Y)/2
> would not work here, as you do not a priori know who is legitimate, and
> who not.
> b) Existing connections (or SAs) should be given priority of use for CPU
> power and available bandwidth. They should not suffer at all from somebody
> trying to establish (or forge the establishment) of a new connection. [Is
> this wise?]
These are what we came up with here. A more concise description
we came up with is:
a) All resources are FIRST allocated to existing
connections.
b) Remaining resources are allocated 'fairly' on
a per-connection-attempt basis.
c) Connections not fully established have a finite
resource limit, BOTH individually and as an
aggregate class.
I think these are necessary and sufficient.
Joe
----------------------------------------------------------------------
Joe Touch - touch@isi.edu http://www.isi.edu/~touch/
ISI / Project Leader, ATOMIC-2, LSAM http://www.isi.edu/atomic2/
USC / Research Assistant Prof. http://www.isi.edu/lsam/
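
The three rules (a)-(c) in the message above, sketched as a per-interval allocator. This is an added example, not code from the thread or its authors. It assumes abstract integer "resource units" (CPU, bandwidth or state slots), reads 'fairly' as max-min fairness, and all names and limits are hypothetical.

```python
from typing import Dict, Tuple

def max_min_share(demands: Dict[str, int], budget: int) -> Dict[str, int]:
    """Max-min fair (water-filling) split of an integer budget."""
    grant = {k: 0 for k in demands}
    active = [k for k in demands if demands[k] > 0]
    while budget > 0 and active:
        share = max(budget // len(active), 1)
        for k in sorted(active):  # sorted only to make the result deterministic
            give = min(share, demands[k] - grant[k], budget)
            grant[k] += give
            budget -= give
        active = [k for k in active if grant[k] < demands[k]]
    return grant

def allocate(capacity: int,
             established: Dict[str, int],
             half_open: Dict[str, int],
             per_attempt_limit: int,
             aggregate_limit: int) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (grants to established connections, grants to connection attempts)."""
    # (a) Existing connections are served before anything else.
    est = max_min_share(established, capacity)
    remaining = capacity - sum(est.values())
    # (c) Not-yet-established connections are bounded individually...
    capped = {k: min(d, per_attempt_limit) for k, d in half_open.items()}
    # ...and as an aggregate class, whatever is left over.
    pool = min(remaining, aggregate_limit)
    # (b) The pool is split per attempt; the claimed source address plays no
    # part, so forging many sources buys each attempt only one equal share.
    return est, max_min_share(capped, pool)

def demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    # Constructed input: two SAs, nine forged requests and one real new peer.
    attempts = {f"forged{i}": 50 for i in range(9)}
    attempts["legit"] = 50
    return allocate(100, {"sa1": 30, "sa2": 20}, attempts,
                    per_attempt_limit=8, aggregate_limit=40)

if __name__ == "__main__":
    est, emb = demo()
    print("established:", est)
    print("attempts:   ", emb)
```

In the constructed run the established connections receive their full demand, the attempts together never exceed the aggregate limit, and the one real peer gets the same share as each forged request.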