Computer-based communication systems, and in particular the Internet, are vulnerable to various types of security attacks. Included in such attacks are denial-of-service attacks, in which one or more nodes in the system become congested because of excess traffic. In this regard, a denial-of-service attack involves blocking somebody's ability to use some service on a network. Denial-of-Service (DoS) attacks are common across the Internet, with many being launched daily at various targets. Many of the attacks involve specially constructed packets designed either to take advantage of flaws in software or to tie up resources within devices. These are known as packet flooding attacks.
For some packet flooding attacks, especially bandwidth exhaustion, the victim is powerless to mitigate the attack. The victim can implement mechanisms to prevent system crashes, but for example in the case of a bandwidth attack, cannot receive any legitimate traffic.
In any event, considerable effort has been and continues to be devoted to methods and systems for mitigating DoS attacks. In order to implement mitigation measures against an attack, the measures must be implemented upstream from the victim, at a point where the attack traffic makes up less than 100% of the incoming data. A typical method of reacting to an attack for a packet flood victim would be to contact the network provider out-of-band and, if possible, institute a blocking rule to drop the attacker's traffic.
For an in-band request to be sent to an upstream network provider, the victim must be able to prove the authenticity of this request to the provider. Otherwise a malicious user could cause denials of service simply by requesting a router to block certain addresses. Prior art solutions to the problem require a keyed messaging scheme, which may require a Public Key Infrastructure (PKI) to manage.
In a publication by Ratul Mahajan entitled “Controlling High Bandwidth Aggregates in the Network”, AT&T Center for Internet Research at ICSI (ACIRI) and AT&T Labs Research, Jul. 13, 2001, a solution is proposed wherein, if a host determines that it is under attack, a message is sent to an upstream router requesting that some mitigating policy be implemented. In this scheme, a congestion signature is generated and passed to the router for blocking purposes.
In such systems, where a victim must contact an upstream router to request a mitigation mechanism, the victim must be able to prove its identity to the router. Otherwise, as discussed above, a malicious user could request mitigation mechanisms against users operating normally and thereby produce a denial-of-service attack.
To combat this, prior art solutions require an authentication mechanism between users and their upstream routers. For ICMP traceback, a digital signature is used. For the number of users that are typically involved (too many for “shared secret” keying), a commonly proposed solution is an implementation of a Public Key Infrastructure. PKIs are not simple to implement and require significant resource overhead.
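As an added illustration (not text or code from the original, nor the method of the cited publication), the following shows the check an upstream router must perform on an in-band blocking request using the simplest keyed messaging scheme, a per-victim pre-shared HMAC key. The addresses and keys are constructed; the text above notes that shared-secret keying does not scale to the number of users typically involved, so this stands in for whatever keying (PKI or otherwise) is actually deployed, and the point demonstrated is the binding of each request to the address it claims to protect.

```python
import hashlib
import hmac
import json

# Constructed example values (assumption, not from the original text): a
# per-victim pre-shared key table held by the upstream router. Each key is
# known only to the router and the one host whose address it protects.
ROUTER_KEYS = {
    "198.51.100.10": b"constructed-key-for-198.51.100.10",
    "198.51.100.20": b"constructed-key-for-198.51.100.20",
}
REPLAY_WINDOW = 30  # seconds a signed request stays valid


def _canonical(body):
    # Deterministic serialisation so victim and router MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_request(victim, block_src, key, now):
    """Victim side: ask the router to drop traffic from block_src that is
    destined to victim. The HMAC tag binds every field, including the
    timestamp, to the victim's key."""
    body = {"victim": victim, "block_src": block_src, "ts": now}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_request(request, keys, now, window=REPLAY_WINDOW):
    """Router side. Returns (accepted, reason). A request is honoured only if
    it is signed with the key of the very address it claims to protect: a
    party without any key cannot have anyone's traffic dropped, and a key
    holder cannot have traffic towards some other address dropped."""
    body = request.get("body", {})
    key = keys.get(body.get("victim"))
    if key is None:
        return False, "unknown-victim"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(request.get("tag", ""))):
        return False, "bad-signature"
    if abs(now - body.get("ts", 0)) > window:
        return False, "stale"  # replayed or delayed request
    return True, "accepted"


if __name__ == "__main__":
    now = 1_700_000_000
    good = build_request("198.51.100.10", "203.0.113.7",
                         ROUTER_KEYS["198.51.100.10"], now)
    print(verify_request(good, ROUTER_KEYS, now))  # (True, 'accepted')
    # A captured request re-aimed at another host's traffic fails the MAC.
    forged = {"body": dict(good["body"], victim="198.51.100.20"), "tag": good["tag"]}
    print(verify_request(forged, ROUTER_KEYS, now))  # (False, 'bad-signature')
```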