A solution for DDoS packet flooding attacks

This article summarizes a proposed solution to thwart DDoS packet flooding attacks on the internet. It is based on PEIP (Path Enhanced IP), an extension to the IP protocol, and on Fair Service, a way of allocating a target's capacity that PEIP makes possible.

On Friday, October 21, 2016, a major DDoS attack crippled access to major Web sites, including Amazon and Netflix.

PEIP and Fair Service are proposals by Don Cohen and K. Narayanaswamy that might have mitigated this attack. PEIP extends the IP protocol (the Internet Protocol, the basis of the internet) so that a packet carries information from which the router-to-router path it took across the internet can be determined. Currently, when a router receives an IP packet, nothing in the packet records the sequence of routers it traversed on the way to its destination (the DDoS target). This is what lets attackers install zombie programs on a multitude of hosts and have them flood a target IP address with packets whose source addresses are forged. Because the packets arriving at the target carry no record of the routers they actually passed through, and because the source address is forged, it is very difficult to tell which packets are genuine and which are part of the attack.

PEIP and Fair Service could be a game changer if adopted by enough ISPs and router manufacturers. With PEIP, the target of an attack can determine, for each arriving packet, which path of routers delivered it. DDoS attacks can then be thwarted not by trying to deny attack packets but by giving each incoming router path ONLY its "fair share" of the service the target can provide. That is, rather than attempting to figure out which packets are attack packets, which is not possible when source addresses are forged, the target lets the forged packets in but gives the path they arrive on ONLY A SMALL SHARE OF THE TRAFFIC THE TARGET ACCEPTS. Packets arriving via paths that are not carrying the attack still receive service. A path carrying the attack still receives service too, but no more than any other path, so a flood concentrated on a few paths cannot crowd out the rest, which renders the attack ineffective in most cases. The share each path receives shrinks as the number of active paths grows, so the defense is strongest when the attack enters over few paths relative to the legitimate traffic. Hence the term Fair Service for this approach to DDoS mitigation.
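To make the difference concrete, the following simulation (an added example, not code from the page or from Cohen and Narayanaswamy's papers) compares two round-robin schedulers over the same traffic: one that allocates a target's capacity per source IP address, which a flood with forged sources defeats, and one that allocates it per ingress router path, as Fair Service proposes. It assumes each packet already carries a PEIP-style path field filled in by the routers, so the attacker can forge the source address but not the path; the router names, addresses and packet counts are constructed for the example, and the simple round-robin scheduler is a stand-in for whatever allocation the real proposal uses.

```python
"""Per-source vs per-path fair service under a source-forging flood (constructed example)."""
from collections import OrderedDict, deque
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Tuple

# Hypothetical router path used by the flood. In a PEIP-style network the path is
# recorded hop by hop by the routers, so the attacker cannot choose or forge it.
ATTACK_PATH: Tuple[str, ...] = ("r9", "r7", "r3", "r1")


@dataclass(frozen=True)
class Packet:
    src_ip: str             # chosen by the sender, trivially forged
    path: Tuple[str, ...]   # router-to-router path (assumed PEIP-style field)


def fair_service(packets: List[Packet],
                 key_fn: Callable[[Packet], Hashable],
                 capacity: int) -> List[Packet]:
    """Round-robin scheduler: one queue per distinct key_fn(packet), one packet per
    queue per round, until `capacity` packets are admitted or every queue is empty."""
    queues: "OrderedDict[Hashable, deque]" = OrderedDict()
    for p in packets:                       # queues form in order of first arrival
        queues.setdefault(key_fn(p), deque()).append(p)
    admitted: List[Packet] = []
    while queues and len(admitted) < capacity:
        for key in list(queues):            # list() so drained queues can be deleted
            if len(admitted) >= capacity:
                break
            admitted.append(queues[key].popleft())
            if not queues[key]:
                del queues[key]
    return admitted


def build_traffic() -> List[Packet]:
    """Constructed sample: a flood of 1000 packets with 1000 distinct forged source
    addresses, all entering over one path, then 3 legitimate clients sending
    20 packets each over their own paths. The flood starts before the clients."""
    flood = [Packet(f"198.18.{i // 256}.{i % 256}", ATTACK_PATH) for i in range(1000)]
    clients = [
        ("198.51.100.10", ("r4", "r2", "r1")),
        ("198.51.100.20", ("r5", "r2", "r1")),
        ("192.0.2.30",    ("r6", "r3", "r1")),  # shares r3 with the flood, still a distinct path
    ]
    legit = [Packet(ip, path) for ip, path in clients for _ in range(20)]
    return flood + legit


def tally(admitted: List[Packet]) -> Dict[str, int]:
    """Simulation-only accounting. The target itself cannot classify packets this
    way; that is exactly why it schedules by path instead of by source."""
    counts = {"legitimate": 0, "attack": 0}
    for p in admitted:
        counts["attack" if p.path == ATTACK_PATH else "legitimate"] += 1
    return counts


def simulate(capacity: int = 100) -> Dict[str, Dict[str, int]]:
    """Admit `capacity` packets per interval under each policy and tally who got through."""
    packets = build_traffic()
    return {
        "per_source": tally(fair_service(packets, lambda p: p.src_ip, capacity)),
        "per_path":   tally(fair_service(packets, lambda p: p.path, capacity)),
    }


if __name__ == "__main__":
    for policy, counts in simulate().items():
        print(f"{policy:10s} admitted legitimate={counts['legitimate']:3d} attack={counts['attack']:3d}")
```

With 100 packets of capacity, per-source scheduling admits 100 attack packets and none from the legitimate clients: every forged address looks like a new client, so the flood owns a thousand queues and the real clients three. Per-path scheduling sees four paths, serves the three legitimate paths completely (all 60 packets) and leaves the flood with the remaining 40, however many addresses it forges. Note the caveat visible in the numbers: the flood's share is one path's share, so an attack spread over many distinct ingress paths gets proportionally more, and the defense depends on the number of attack paths staying small relative to the number of legitimate ones.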

Fair Service and PEIP have been implemented in test networks and are described in detail in "A Fair Service Approach to Defending Against Packet Flooding Attacks" and "Changing IP to Eliminate Source Forgery" (the proposals date back to 2001).

I know Don Cohen and K. Narayanaswamy personally and vouch for the veracity of what is claimed and documented in this paper. DDoS is a sufficiently important problem that an infrastructure-wide solution such as PEIP and Fair Service should be considered by Cisco and other router manufacturers and ISPs as a way to greatly lessen the threat of DDoS. Don and Swamy contacted Cisco (and some ISPs) over ten years ago to make them aware of this solution to the DDoS problem but, among other things, Cisco did not want to modify its routers, which would be necessary to properly implement PEIP. The recent DDoS attack of October 21, 2016 is a reminder that we still need to improve the infrastructure (if not via PEIP then in some other way) in order to properly deal with DDoS. Don Cohen would still be happy to hear from Cisco, other router manufacturers and major ISPs to answer any questions they have as to why PEIP and Fair Service are a viable approach to mitigating DDoS attacks. Contacts: Don Cohen <don@isis.cs3-inc.com> and K. Narayanaswamy <swamy@cs3-inc.com>.

Dennis G. Allard
Santa Monica
October 22, 2016