As network functions migrate to the cloud, services previously performed in a monolithic processor are separated and distributed among multiple entities/devices. This is advantageous since it not only allows more complex chaining of separate services but also allows the execution of a service on the best-suited entity in the cloud. For example, the services provided by session border controllers (SBCs) are being virtualized and distributed into entities/devices in the cloud. This allows for the offloading of some of the packet-processing functionality of the (virtual) SBC into the hardware of the underlying (hardware-enabled) network, such as a software defined network (SDN), in which the system that makes decisions about where traffic is sent (the control plane) is decoupled from the underlying systems that forward traffic to the selected destination (the data plane). While there are certain advantages to disaggregation of packet-processing functionality, it can also result in the introduction of vulnerabilities, such as denial-of-service (DoS) vectors, which significantly weaken the overall SBC service.
One area of particular concern is the support of secure streams when the packet processing is carried out in a distributed manner. Such processing is both compute-intensive and network Input/Output (I/O) intensive. It is highly desirable to distribute this processing among multiple processors. In particular, it is desirable to move the packet policing to the underlying network hardware, e.g., SDN hardware, and reserve the SBC, e.g., a virtual SBC, for the authentication and confidentiality functions on the secure streams. However, as an example of the problems associated with such disaggregation, consider an implementation where the SBC manages the setup of the secure stream and installs a metered flow entry in the SDN with the expected steady-state rate and burst limits. The SDN then polices the stream to the specified limits and forwards the allowed packets to the SBC, which decrypts the stream and handles the rest of the processing. This approach, however, introduces vulnerabilities to some relatively straightforward and easy-to-implement attacks. For example, if an attacker can capture a single packet in a secure stream to the SBC, that attacker can then repeatedly resend the same packet. These attack packets use up the policing credits in the SDN flow meter, eventually squeezing out packets from the valid stream. The fact that the bogus packets introduced by the attacker are not acceptable for the secure stream is irrelevant, because the policing happens before the validation. Furthermore, this attack is permanently effective, i.e., the entire rest of the secure stream is impaired for as long as the attacker keeps resending the packet.
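The following simulation is an added illustration of the failure mode described above; it is not code from this document or from any SBC or SDN product. It models the SDN flow meter as a token bucket with a steady-state rate and burst limit, and the SBC-side validation as an SRTP-style sliding anti-replay window over packet sequence numbers (both are modelling assumptions). The traffic is constructed: a valid 50 packet/s stream of 100 packets, plus 300 copies of the already-seen packet with sequence number 5 injected at 200 packet/s from t = 0.5 s. Running the meter before validation (the arrangement the text criticizes) lets the duplicates burn meter credits and drop valid packets; running a replay check ahead of the meter (a hypothetical mitigation, not this document's proposal) leaves the valid stream intact.

```python
"""Constructed simulation: token-bucket policing before vs. after replay validation."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Flow meter as installed in the SDN: steady-state rate plus burst capacity."""
    rate: float            # tokens (packets) refilled per second
    burst: float           # bucket capacity, i.e. the burst limit
    tokens: float = field(init=False)
    last: float = 0.0      # time of the previous refill

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        """Refill according to elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ReplayWindow:
    """Sliding anti-replay window over sequence numbers (SRTP-style, assumed model)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = -1
        self.seen: set[int] = set()

    def accept(self, seq: int) -> bool:
        if seq > self.highest:                      # newest packet: slide the window
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            return False                            # too old, or a replay
        self.seen.add(seq)                          # late but legitimate
        return True


def make_traffic() -> list[tuple[float, int, str]]:
    """Constructed arrivals: (time, sequence number, kind), sorted by time."""
    valid = [(i * 0.02, i, "valid") for i in range(100)]            # 50 pkt/s
    replay = [(0.5 + k * 0.005, 5, "replay") for k in range(300)]   # 200 pkt/s
    return sorted(valid + replay, key=lambda p: (p[0], p[2] != "valid"))


def simulate(validate_first: bool) -> dict[str, int]:
    """Return how many packets of each kind reach the SBC's decrypt stage.

    validate_first=False: meter (SDN) then replay check (SBC), as in the text.
    validate_first=True : replay check ahead of the meter (hypothetical mitigation).
    """
    bucket = TokenBucket(rate=50.0, burst=10.0)   # matches the valid stream's rate
    window = ReplayWindow()
    delivered = {"valid": 0, "replay": 0, "replay_credits_burned": 0}
    for now, seq, kind in make_traffic():
        if validate_first:
            ok = window.accept(seq) and bucket.allow(now)
        else:
            metered = bucket.allow(now)
            if metered and kind == "replay":
                delivered["replay_credits_burned"] += 1
            ok = metered and window.accept(seq)
        if ok:
            delivered[kind] += 1
    return delivered


if __name__ == "__main__":
    print("meter before validation:", simulate(validate_first=False))
    print("validation before meter:", simulate(validate_first=True))
```

In the meter-first run the replayed packets never reach decryption (the replay window rejects every one), yet each copy that passes the meter consumes a credit that a valid packet then lacks, so fewer than the 100 valid packets are delivered. With the replay check ahead of the meter, duplicates are dropped before they touch the bucket and all 100 valid packets pass, while the attacker's packets deliver nothing in either arrangement.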
From the above discussion, it should be appreciated that there is a need for improved communications methods, systems and apparatus for improving the protection and resilience of secure communications systems against attacks such as DoS attacks. Furthermore, there is a need for communications methods, systems and apparatus that mitigate the effects of blind DoS attacks and static DoS attacks.