The Internet has made a variety of information and services easily accessible to masses of users. Along with the traditional packet-switched networks which constitute the Internet, customer networks (also known as stub-ASs) are increasingly considering site multi-homing for redundancy, load balancing, and operational policies and costs. In particular, Internet businesses such as e-trade, e-commerce, content providers, and web hosting services greatly benefit from multi-homing due to its load balancing and redundancy properties. Moreover, servers equipped with multiple network interfaces can connect independently to each of the multi-homed links to improve availability. Failure of a few access links in this case does not severely affect the availability of the server. These advantages are not limited to large businesses. In fact, home offices and home-based businesses also have a need for high availability. One way for a home business owner to achieve this is to buy network access from multiple Internet providers (for example, different cable providers, DSL, satellite, etc.) and to equip the server with multiple network interfaces. Mobile devices such as laptops and PDAs are already equipped with multiple (wired and) wireless interfaces. The home business market can easily extend to these mobile environments, leveraging the multiple access options provided by such devices. These factors are influencing network operators (ISPs) to consider multipath options for the Internet.
Although multipath networks may improve availability, they do not guarantee uninterrupted operation under deliberate network attacks. For example, a large-scale Distributed Denial of Service (DDoS) attack may bring down an entire site, regardless of its connectivity.
A DDoS attack is a computer security problem in which a malicious entity, i.e. an attacker, uses several networked hosts distributed across the Internet to send a large volume of unwanted traffic that consumes all the available network resources (such as bandwidth) at or near a server. Due to the large volume of traffic from the attacker, a legitimate client may not be able to reach the server, causing a denial of service to the legitimate client.
DDoS attacks are the network equivalent of Denial-of-Service (DoS) attacks, in which the attacker disrupts the services provided by a system, typically by exploiting known software vulnerabilities or protocol weaknesses. However, unlike DoS attacks, which can be mitigated by improving the software on a system, DDoS attacks are challenging to mitigate: in the Internet, any source can freely send traffic to any destination, and thus a targeted destination can be flooded with data or requests.
DDoS attacks severely affect the availability of a server, which in turn impacts the services offered by that server. For example, an e-banking site under a heavy DDoS attack can no longer serve its customers, resulting in monetary losses and permanent damage to its reputation.
One technique for enhancing the resilience of the Internet against malicious attacks is based on filtering. In filtering, the traffic responsible for the attack is monitored and filtered by routers upstream of the destination. The idea is to identify attack traffic at routers (typically the traffic causing severe congestion) and to request upstream routers to start dropping or rate limiting this traffic. However, filtering has several shortcomings. First, the number of false positives is high, because routers make imprecise decisions on what traffic is good or bad. Often, the routers simply lack sufficient knowledge to conclude what part of the data traffic to filter out. Second, to prevent trivial attacks that abuse filtering requests, the node making the decisions needs to authenticate itself to the node responsible for filtering. During large-scale attacks, the number of filtering routers could be in the order of thousands, which leads to scalability issues for the authentication component of the system. Finally, installing filters requires cooperation among different Internet Service Providers (ISPs), which is often difficult in the Internet, because these ISPs may not have a direct contractual or business relationship.
Another, more recent technique against DDoS attacks is based on network capabilities. The network capability technique advocates fundamental changes to the Internet. Senders, or generally data sources, must obtain explicit authorization by means of a cryptographic capability token from a receiver before they are allowed to send any significant amount of traffic to the destination. Basically, a sender wishing to communicate with a destination sends an initial "request" packet to the receiver. Routers on the forwarding path insert cryptographic tokens called "pre-capabilities" into the request. Upon receiving the request, the receiver synthesizes a cryptographic token called a "host-capability" from the pre-capabilities and returns it to the sender. Capabilities use cryptographic techniques so that routers can verify their validity and reject invalid tokens. Subsequent data packets from the sender must carry capabilities; otherwise, routers will drop the packets as unauthorized. Hence, the receiver can reject senders simply by not returning capabilities in response to their requests. Moreover, the sender's IP address needs to be valid: a fake IP address in the request packet means that the sender never receives a capability, and thus larger-scale communication to the destination from one source may be inhibited. However, generating and verifying the various cryptographic tokens results in relatively high complexity and resource consumption.
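The following is an added simulation of the request / pre-capability / host-capability exchange described above; it is not code from the original text or from any deployed capability system. The token format (a truncated HMAC-SHA256 over source, destination and an expiry time), the per-router secrets, the two-router path and the `demo` helper are all assumptions made for this example.

```python
import hmac
import hashlib

# Added illustration of the capability exchange described above. The token
# format (truncated HMAC-SHA256 over source, destination and expiry) and the
# router secrets are assumptions for this example, not a deployed scheme.

class Router:
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def pre_capability(self, src, dst, expiry):
        # Pre-capability: a token only this router can produce, bound to sender,
        # receiver and an expiry so it cannot be reused for another flow.
        msg = f"{src}|{dst}|{expiry}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def verify(self, pkt, index, now):
        # A data packet must carry an unexpired host-capability whose token for
        # this router matches a fresh recomputation; otherwise it is dropped.
        cap = pkt.get("cap")
        if cap is None or cap["expiry"] <= now or index >= len(cap["tokens"]):
            return False
        expected = self.pre_capability(pkt["src"], pkt["dst"], cap["expiry"])
        return hmac.compare_digest(expected, cap["tokens"][index])

def send_request(src, dst, path, expiry):
    # The request packet traverses the path; each router appends a pre-capability.
    return {"src": src, "dst": dst, "expiry": expiry,
            "pre": [r.pre_capability(src, dst, expiry) for r in path]}

def receiver_grant(request, allow):
    # The receiver synthesizes the host-capability (here: the ordered list of
    # pre-capabilities plus expiry) and returns it only to senders it accepts.
    if not allow:
        return None
    return {"expiry": request["expiry"], "tokens": request["pre"]}

def forward_data(pkt, path, now):
    # Every router on the path checks its own slot; any failure drops the packet.
    return all(r.verify(pkt, i, now) for i, r in enumerate(path))

PATH = [Router("r1", b"secret-r1"), Router("r2", b"secret-r2")]

def demo(src, dst, allow, data_src=None, now=100):
    # Constructed exchange: request with expiry 200, data packet sent at `now`.
    # data_src != src models a third host trying to reuse the capability.
    cap = receiver_grant(send_request(src, dst, PATH, 200), allow)
    pkt = {"src": data_src or src, "dst": dst, "cap": cap}
    return forward_data(pkt, PATH, now)
```

Because each token is bound to the source address, a capability returned to a spoofed address is useless to the host that sent the request, which is the property the paragraph relies on for source validity.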
In the Internet, each data packet between a source and a destination may be routed through different nodes and thus over differing paths. A multipath network makes use of several communication interfaces at the source and the destination. Hence, packets of one data stream (e.g. a file download) are sent over two or more different communication interfaces and received at the destination over various communication interfaces. The distribution of packets onto the different streams, and the corresponding multiplexing of the packets back into a single data stream, is handled by corresponding layers of the protocol stacks at the source and destination. The aforementioned network capability based techniques are not well suited for use in multipath networks, and it appears that their adaptation to multipath networks would result in even greater complexity.