Defending against Denial of Service in a Self-Aware Network: A practical approach

In recent years, Denial of Service attacks have evolved into a predominant network security threat. Motivated by an impressive variety of reasons and directed against an equally impressive variety of targets, DoS attacks are not as difficult to launch as one would expect. Protection against them is, however, disproportionately difficult. Recognising the fact that the networks of the near future will feature self-awareness and online monitoring, we present a comprehensive system for DoS defence that is specifically designed for such self-aware networks. The incoming traffic at each node is monitored with a detection mechanism that is based on maximum likelihood estimation. In response to high probability of attack, the traffic is then prioritised and rate-limited according to the measured probability. Since in a Self-Aware Network, packet routing is dynamic and depends on current network metrics, both detection and response must run individually on each network node, since the nodes through which the attack traffic will pass, may change continuously. We present the experimental results that we obtained using this DoS defence system applied on a real networking testbed that runs the Self-Aware CPN routing protocol.