Layer-4 Service Differentiation and Resource Isolation

While the Differentiated Services (DiffServ) infrastructure is scalable and robust in providing network Quality of Service (QoS), there are serious drawbacks with the services provided by DiffServ: (1) the services are coarse-grained and oneway only; (2) no service differentiation and resource isolation are provided to meta-data packets such as TCP SYN and ACK packets. Moreover, the coarse-grained service differentiation and the lack of resource isolation at IP routers exposes its vulnerability to Distributed Denial of Service (DDoS) attacks [10]. Based on the concept of layer-4 service differentiation and resource isolation, where the transport-layer information is inferred from the IP headers and used for packet classification and resource management, we present a scalable fine-grained DiffServ (sf-DiffServ) architecture that provides fine-grained service differentiation and resource isolation among thinner Behavior Aggregates (BAs). The sfDiffServ architecture consists of a fine-grained QoS classifier and an adaptive weight-based resource manager at IP routers. A two-stage packet classification mechanism is devised to decouple the fine-grained QoS lookup from the routing lookup at core routers. Due to its scalable QoS support for TCP control segments, sf-DiffServ supports bi-directional differentiated services for TCP sessions. Most importantly, the fine-grained resource isolation provided inside the sf-DiffServ is a powerful built-in protection mechanism to counter DDoS attacks, reducing the vulnerability of Internet to DDoS at-