UD ELEG 867 - Steps Towards a DoS resistant Internet Architecture


Steps Towards a DoS-resistant Internet Architecture

Mark Handley, Adam Greenhalgh
University College London
{M.Handley, A.Greenhalgh}@cs.ucl.ac.uk

ABSTRACT

Defending against DoS attacks is extremely difficult; effective solutions probably require significant changes to the Internet architecture. We present a series of architectural changes aimed at preventing most flooding DoS attacks, and making the remaining attacks easier to defend against. The goal is to stimulate a debate on trade-offs between the flexibility needed for future Internet evolution and the need to be robust to attack.

Categories and Subject Descriptors
C.2.0 [COMPUTER-COMMUNICATION NETWORKS]: General - Security and Protection

General Terms
Design, Security

Keywords
Internet, Denial-of-Service, Security, Network Architecture

1. INTRODUCTION

Denial-of-Service (DoS) attacks are one of the most significant problems currently facing the Internet and its users. For many users these attacks are merely an irritation - even if they understand the reason for the poor performance they occasionally observe. However, for the Internet to achieve its full potential, it has to be able to offer highly reliable service, even in the face of hostility.

We will examine some significant changes to the Internet architecture aimed at making the Internet more robust. Such changes should not be made lightly - any widespread change has real costs associated with it. In writing this paper we are only too aware that the problem of DoS attacks cannot be completely solved by the architecture we propose. The problem needs to be tackled on many fronts simultaneously. However, we do believe that architectural changes are necessary. The only question is what form those changes must take. In this paper we will take a fairly radical position, with the aim of stimulating this debate.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
SIGCOMM’04 Workshops, Aug. 30+Sept. 3, 2004, Portland, Oregon, USA.
Copyright 2004 ACM 1-58113-942-X/04/0008 ...$5.00.

2. THE NATURE OF THE PROBLEM

The first step in considering a security problem is to consider the nature of the threat. In [9], the Internet Architecture Board provides a detailed discussion of the nature of DoS attacks on Internet systems, and we strongly recommend this document. Basically all systems are vulnerable to some form of attack, be they clients, servers, firewalls, routers or links. Attacks can attempt to exhaust processing power, memory, bandwidth, quotas, disk-space, and pretty much any other “consumable” that a system requires to perform its job.

One modern PC connected to a high-speed network can source around 1Gb/s of traffic, which is enough to saturate many network links and, if the traffic is carefully crafted, enough to overload many large servers. However, traffic from a single machine is relatively easily filtered. Although automated mechanisms to push back such filters towards the source are not widely deployed, there are few technical problems in doing so [13][10].

Unfortunately source-address spoofing makes it harder to push back filters without causing collateral damage. Further, many DoS attacks are reflection attacks [16], where the attacker sends traffic to a third party, spoofing the source address of the victim. The third party then replies to the victim, overwhelming them. The attacker can then use many third parties to spread his attack, so now the traffic is “originating” from all over the Internet. In addition, some reflection attacks manage to amplify the original attack because the responses sent by the third party are larger or more numerous [6][9] than the original messages sent by the attacker.

The biggest DoS problem is caused by distributed denial of service (DDoS) attacks, where the attacker compromises a large number of systems and then uses these “zombie” systems to attack the victim. DDoS attacks of sufficient scale provide the firepower needed to overwhelm almost all victims. They can also be combined with spoofing or reflection to make the attack even more difficult to defend against. Currently most DDoS attacks do not bother to spoof the source addresses because, as no automatic push-back mechanism is widely deployed, it takes so long to shut down each zombie that there is no need to hide their identity.

DDoS is principally an issue due to widespread exploitation of software vulnerabilities, which permit the control of large numbers of compromised systems. To gain sufficient scale, such exploitation is typically automated using worms, viruses, or automated scanning from already-compromised hosts (so called “bots”). Fast-spreading worms are extremely hard to combat in the current Internet Architecture, so these are a particular concern [14]. Although viruses and bots are a serious issue, their spread rate is slower, which permits a wider range of defense options.

3. DEFENSE

It is important to begin by recognizing that it is not possible to completely protect all servers against all DDoS attacks. If a sufficiently subtle attacker with sufficiently many compromised hosts at his disposal can mimic legitimate traffic well enough that the victim cannot tell good from bad, there is little that can be done beyond load-shedding, adding server resources, and minimizing collateral damage. However, our ultimate goal is that this is the only way to persistently DoS-attack a server, and that routers and client systems are invulnerable to DoS attacks.

Viewing the problem from a high level, there are many tracks we can take to make a network architecture that is more resilient to DoS than the current Internet:

• Significant improvements in end-system software security will reduce the ease with which systems are compromised, and hence make the construction of zombie-armies more difficult. However, we do not expect this to be sufficient by itself.

• Reducing the ability of worms and viruses to spread quickly will reduce the threat of very large scale DoS attacks. Fast spreading worms are a particular threat, because they outpace the speed of any possible human mediated response.

• Preventing source-address spoofing will aid the shutdown of attacks that do occur using
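The preview above names two defensive mechanisms without showing them: dropping packets whose source address could not legitimately have come from the interface they arrived on (which removes the spoofing that reflection attacks and push-back evasion depend on), and noticing when a service is being abused as an amplifying reflector. The Python below is an added illustration, not code from the paper or its authors. The interface-to-prefix table, the packets, the flow records and the 10x / 100 KB reflection thresholds are all constructed for the example and are not values from the paper.

```python
"""Added example: edge ingress (anti-spoofing) filtering and a simple
reflection/amplification monitor, run over constructed records."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # customer-facing interface the packet arrived on
    src: str
    dst: str
    size: int


# Constructed topology (assumption): the source prefixes legitimately located
# behind each customer-facing interface. A packet from any other source on
# that interface has a spoofed address and is dropped at the edge.
INTERFACE_PREFIXES = {
    "cust-A": [ip_network("192.0.2.0/24")],
    "cust-B": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/25")],
}


def source_allowed(pkt: Packet, table=INTERFACE_PREFIXES) -> bool:
    """True if the source address belongs to a prefix assigned to the
    interface the packet arrived on; anything else is treated as spoofed."""
    src = ip_address(pkt.src)
    return any(src in prefix for prefix in table.get(pkt.ingress_if, []))


def ingress_filter(packets, table=INTERFACE_PREFIXES):
    """Apply the anti-spoofing check. Returns (forwarded, dropped) where
    dropped maps interface -> number of spoofed packets, the per-customer
    counter an operator would alarm on and use to locate a compromised host."""
    forwarded = []
    dropped = defaultdict(int)
    for pkt in packets:
        if source_allowed(pkt, table):
            forwarded.append(pkt)
        else:
            dropped[pkt.ingress_if] += 1
    return forwarded, dict(dropped)


@dataclass(frozen=True)
class Flow:
    client: str      # address the server answered; on a reflector this is the victim
    bytes_in: int    # request bytes received from that address
    bytes_out: int   # response bytes sent back to it


def amplification_factor(flow: Flow) -> float:
    """Response bytes per request byte for one client address."""
    return flow.bytes_out / flow.bytes_in if flow.bytes_in else float("inf")


def suspected_reflection(flows, min_factor=10.0, min_out_bytes=100_000):
    """Client addresses that received far more than they sent, in enough
    volume to matter. Both thresholds are arbitrary assumptions; a small
    high-ratio flow (a single large answer) is deliberately not flagged."""
    return sorted(
        f.client for f in flows
        if f.bytes_out >= min_out_bytes and amplification_factor(f) >= min_factor
    )


# Constructed sample input (documentation-range addresses).
SAMPLE_PACKETS = [
    Packet("cust-A", "192.0.2.10", "203.0.113.5", 1200),    # legitimate
    Packet("cust-A", "203.0.113.77", "198.51.100.9", 60),   # spoofed: not behind cust-A
    Packet("cust-B", "198.51.100.200", "192.0.2.1", 500),   # legitimate (second /25)
    Packet("cust-B", "192.0.2.10", "203.0.113.5", 60),      # spoofed: cust-A's address on cust-B
]

SAMPLE_FLOWS = [
    Flow("203.0.113.5", bytes_in=4_000, bytes_out=6_000),       # ordinary exchange
    Flow("203.0.113.9", bytes_in=2_000, bytes_out=1_200_000),   # 600x: this address is being reflected onto
    Flow("203.0.113.20", bytes_in=50, bytes_out=40_000),        # 800x but too little volume to flag
]

if __name__ == "__main__":
    fwd, drops = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped per interface={drops}")
    print("suspected reflection victims:", suspected_reflection(SAMPLE_FLOWS))
```

The ingress check is the same idea as ingress filtering at an access router: it needs only the local assignment table, so it can run without any cooperation from the victim, and its drop counters point straight at the customer interface hosting the spoofing machine. The flow monitor is the reflector-side view: an address that receives an order of magnitude more bytes than it sent is, on a reflected attack, the victim, and that list is what a service operator would rate-limit or notify on.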