05-03-2013, 03:11 PM
Defending Wireless Infrastructure Against the Challenge of DDoS Attacks
Abstract
This paper addresses possible Distributed Denial-of-Service (DDoS) attacks toward the wireless Internet including the Wireless
Extended Internet, the Wireless Portal Network, and the Wireless Ad Hoc network. We propose a conceptual model for defending against
DDoS attacks on the wireless Internet, which incorporates both cooperative technological solutions and economic incentive mechanisms built
on usage-based fees. Cost-effectiveness is also addressed through an illustrative implementation scheme using Policy Based Networking
(PBN). By investigating both technological and economic difficulties in defense of DDoS attacks which have plagued the wired Internet, our
aim here is to foster further development of wireless Internet infrastructure as a more secure and efficient platform for mobile commerce.
Introduction
The wireless Internet has become an exciting realm for
m-commerce at an amazing speed. The estimated number
of wireless subscribers was 109 million in December 2000
in the US alone, according to a semi-annual wireless industry
survey conducted by Cellular Telecommunications Industry
Association [4]. It represented an increase of 27.2% from a
year earlier, adding nearly 23.43 million new users. According
to a new study released by Strategy Analytics, the global
cellular market will grow at an annual rate of 17% over the
next five years, reaching $700 billion with 1.4 billion global
wireless subscribers by 2005 [22].
M-commerce is not a simple duplication of e-commerce
upon wireless devices. As pointed out by market research institutions
including Goldman Sachs [10] and Bear Stearns [1],
“m-commerce is about information and transactions that are
timely” [1, pp. 140].
Is wireless infrastructure ready for time-sensitive m-commerce?
From a technological perspective, it is ready for
anytime, anywhere access. 3G wireless technology also enables
high-speed access. However from a security perspective,
time-sensitive m-commerce is vulnerable to network delays
or even network denial caused by a dangerous type of
security problem – the Distributed Denial-of-Service (DDoS)
attack – that has been much publicized but seldom understood
completely [9,16].
Mechanism of DDoS attacks
The DDoS attack is the most advanced form of Denial-of-
Service (DoS) attacks. As the name suggests, the DDoS attack
is distinguished from other DoS attacks by its ability to
deploy its weapons in a “distributed” way over the Internet
and to aggregate these forces to create lethal traffic. What
drives hackers to move DoS attack tools to the distributed
level is the ever-increasing security in potential victims’ systems
in this cat-and-mouse game. Figure 1 outlines the evolution
of both attacks and defenses. For a detailed explanation
see [9,16].
Wireless Extended Internet
In the Wireless Extended Internet, wireless technology is used
only for the last mile. Wireless access providers, or wireless
ISPs, connect mobile devices to fixed networks via radio
frequency (RF) channels. The traditional Client/Server architecture,
as well as existing transport layer protocols (usually
TCP), is also used for the Wireless Extended Internet. Therefore,
DDoS attacks seen in the wired Internet are still feasible
in the Wireless Extended Internet.
Wireless Ad Hoc Network
A Wireless Ad Hoc Network (also called multihop network
or Peer-to-peer wireless network) is formed temporarily by a
group of mobile devices, which have a common mission or
interest. Adhering to a strict admission policy and communication
rules, all these devices form a special community of
equals to share information. There is no designated client
or server. All members communicate over wireless channels
directly without any fixed networking infrastructure or
centralized administration. In this structure, all mobile hosts
communicate with each other in a wireless multi-hop routing
style. Each mobile node maintains all the links within the
defined radius (called zone) and acts as a router in the network.
If a member is out of its destination member’s zone or
it is not in a line-of-sight, all messages between them must
pass through one or more routers. All members are free to
move around and join and leave a network at will without any
technical difficulties, subject to admission control. The routing
scheme is adjusted dynamically according to the changing
network topology.
Defending against DDoS attacks on the wireless
Internet
In the event of a typical DDoS attack, the victim alone cannot
effectively defend herself/himself. Cooperation among all
involved parties is indispensable. Figure 4 presents our conceptual
model for defending against a DDoS attack, which
illustrates a two-layer coordinated defense problem and an
implementation problem.
In the two-layer coordinated defense problem, the first
layer focuses on effective coordinated technological solutions.
The second layer deals with the incentive mechanism
that, from an economic perspective, makes the people involved in
a DDoS attack feel that cooperating with each other is the
best strategy. In past practice, unfortunately, little attention
has been paid to this second layer problem compared with the
public focus on technologies. Ironically, this incentive problem
causes the most headaches in practice [9]. As a solution,
we propose to use usage-based fees as the foundation of the
incentive mechanism.
Coordinated technological solutions
There are four types of coordinated technological solutions,
as shown in figure 5 [9].
Two comments are necessary for figure 5. First, different
solutions can coexist to achieve a better defense. For example,
user-level traffic control and coordinated filters can be
implemented simultaneously to be more effective. Second, as
in the wired Internet example, coordination is often required
to be global, whereas in the wireless Internet case local coordination
may suffice. For example, to avoid an attack on radio
frequencies in a certain geographical area, it is sufficient to require
coordination only among involved wireless devices and
base stations in that area. Below we analyze the characteristics
of these four coordinated technological solutions.
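To make the first two solution types concrete, here is an added example (not from the paper) modelling a single base station that applies a coordinated source-address filter and user-level traffic control to its subscribers' packets before they enter the fixed network. The address prefix, subscriber identities, packet fields and sample traffic are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Packet:
    src: str         # source address the packet claims
    subscriber: str  # device identity the base station learns from the radio link (assumed)
    size: int        # bytes
    t: float         # arrival time in seconds

class TokenBucket:
    # Per-subscriber budget: `rate` bytes/s refilled, at most `burst` bytes stored.
    def __init__(self, rate: float, burst: float, now: float):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, now
    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < size:
            return False
        self.tokens -= size
        return True

class BaseStation:
    def __init__(self, prefix: str, rate: float, burst: float):
        self.prefix = ip_network(prefix)  # address block assigned to this station
        self.rate, self.burst, self.buckets = rate, burst, {}

    def admit(self, pkt: Packet) -> str:
        # Coordinated filter: a claimed source outside this station's prefix is
        # spoofed, so the packet is dropped before it reaches the fixed network.
        if ip_address(pkt.src) not in self.prefix:
            return "drop:spoofed"
        # User-level traffic control: one token bucket per subscriber.
        bucket = self.buckets.setdefault(pkt.subscriber, TokenBucket(self.rate, self.burst, pkt.t))
        return "forward" if bucket.allow(pkt.size, pkt.t) else "drop:rate"

# Constructed sample traffic (addresses are made up; 192.0.2.0/24 is a documentation range).
SAMPLE = [
    Packet("10.1.0.5", "dev-A", 500, 0.0),
    Packet("192.0.2.9", "dev-B", 1500, 0.0),  # spoofed source
    Packet("10.1.0.7", "dev-C", 1500, 0.1),
    Packet("10.1.0.7", "dev-C", 1500, 0.2),   # dev-C has only 600 bytes of budget left
    Packet("10.1.0.7", "dev-C", 1500, 2.0),   # bucket has refilled
    Packet("10.1.0.5", "dev-A", 500, 2.0),
]

def run_sample() -> Counter:
    station = BaseStation("10.1.0.0/24", rate=1000.0, burst=2000.0)
    return Counter(station.admit(p) for p in SAMPLE)
```

Running `run_sample()` on the constructed traffic forwards four packets, drops one as spoofed and one for exceeding its subscriber's budget; in a real deployment every base station in the area would apply the same filter against its own prefix, which is the local coordination the text describes.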
A consistent incentive structure
According to the Yankee Group, a Boston consulting firm, the
DDoS attack in February 2000 cost approximately $1.2 billion,
not to mention the damage to consumer confidence
in e-commerce [18]. Effective coordinated solutions to
DDoS attacks are critical for the future of e-commerce and
m-commerce. However, a fervent advocacy of coordinated
solutions does not necessarily result in actual implementation.
Sample research by icsa.net, for example, shows that
less than 15 percent of all corporate users are filtering source
IP addresses. An even smaller percentage of Internet service
providers – less than 8 percent – are doing this type of filtering
[15].
Cost-effectiveness
The history of the Internet shows that the de facto criteria for
success in any proposal are whether that solution is proactive
and consistent with mainstream and commercial Internet
technologies. Because of the anonymous and “best effort” usage
of the Internet, it is arduous and costly to regulate the infrastructure
against DDoS attacks. Several advanced network
management technologies have been proposed to address the
traffic control problem. Employing these existing technologies
will significantly reduce the costs and risks in designing the
future wireless Internet.
Concluding remarks
The DDoS attack threatens all time-sensitive m-commerce
services. Fortunately the wireless Internet currently has a
distinctive advantage over the wired Internet in defending
against the DDoS attack: the timing. When DDoS attacks
came to the wired Internet, the infrastructure of the wired
Internet had been stable for decades, albeit lacking reliable
mechanisms for QoS control and incentive structures for traffic
control. As a result, it was repeatedly targeted by DDoS
attacks. In comparison, the wireless Internet industry has a
chance to address DDoS attacks before it fully matures.