As computers have become faster, cheaper, they have become ubiquitous in academic, corporate, and government organizations. At the same time, the widespread use of computers has given rise to enormous management complexity and security hazards, and the total cost of owning and maintaining them is becoming unmanageable. The fact that computers are increasingly networked complicates the management problem.
One difficult problem is to maintain services in the presence of network denial of service (DoS) attacks. DoS attackers deny use of the service to other users by exhausting computing resources. For example, an attacker can try to cause a web server to perform excessive computation, or exhaust all available bandwidth to and from the server. In link congestion attacks, the attackers identify pinch-points in the communications substrate and render them inoperable by flooding them with large volumes of traffic. Apart from being costly and annoying, DoS attacks are particularly damaging for time- or life-critical services (e.g., tracking the spread of an real-world epidemic).
Although several mechanisms to suppress or counter DoS attacks have been proposed, these mechanisms are dependent on elements of the network infrastructure. However, providing infrastructure support for this problem may violate the end-to-end (e2e) principle, one of the fundamental tenets of Internet design, which states that functionalities should be placed as close to the network edges as possible in order to keep the network core focused on the task of routing packets. Therefore, it is desirable to provide a solution to the DoS problem without requiring Internet infrastructure changes.