This article summarizes a proposed solution to thwart DDOS attacks on the internet based on PEIP (Path Enhanced IP), an extension to the IP protocol.
On Friday, October 21, 2016, a major DDOS attack crippled access to major Web sites, including Amazon and Netflix.
PEIP and Fair Service are proposals by Don Cohen that may have been able to mitigate this attack. PEIP extends the IP protocol (the Internet Protocol, the basis of the internet) to provide information that allows determining the router-to-router path of packets sent over the internet. Currently, when an IP packet is received by a router, there is no information stored with the packet to indicate the sequence of routers the packet traversed on its way to the destination (DDOS target). This enables hackers to get away with setting up zombie processes on a multitude of hosts that send packets to attack a destination IP address by forging the source address and simply flooding the destination with those packets. Since the IP packets that arrive at the target host do not contain information about the actual sequence of routers that the packet traversed on its way to the targeted host and since the source IP address is forged, it is very difficult to determine which packets are real and which ones are part of the attack.
PEIP and Fair Service could be a game changer if adopted by enough ISPs and router manufacturers. Using PEIP, it becomes possible to determine, for each packet arriving at a target host being attacked, what path of routers was used to deliver the packet. It then becomes possible to thwart DDOS attacks not by denying packets but, rather, by ONLY allowing each incoming path of routers to receive their “fair share” of service. I.e., rather than attempting to figure out which packets are attack packets, which is not possible due to forged source IP addresses, instead, the solution is to allow in the forged packets but ONLY GIVE THEM A SMALL PERCENTAGE OF THE ALLOWED TRAFFIC ARRIVING AT THE TARGETED HOST. The idea is that packets arriving via routing paths that are not compromised by the attack will receive service. The attacking path still receives service but only a small fraction and no more than all of the uncompromised paths, rendering the DDOS attack ineffective in most cases. Hence the term Fair Service to describe this approach to DDOS mitigation.
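As an added illustration (not code from the paper or from Cohen and Narayanaswamy), the following models Fair Service as a max-min fair split of a flooded host's capacity keyed by the PEIP router path, beside the proportional service a host without path information effectively gives; the router ids, traffic counts and capacity are constructed.

```python
"""Fair Service sketch: allocate a flooded host's capacity per router path
(max-min fair) instead of per packet.  All inputs below are constructed."""
from collections import Counter

# Each packet records the router path it traversed (PEIP-style) and the
# source address it claims.  The attacker forges sources, so only the
# path is a trustworthy key for allocation.
LEGIT_PATHS = [("r1", "r4", "r9"), ("r2", "r4", "r9"), ("r3", "r5", "r9")]
ATTACK_PATH = ("r7", "r8", "r9")


def build_traffic(legit_per_path=10, attack=10_000):
    """Constructed sample: a few packets per honest path, one flooding path."""
    pkts = [{"path": p, "src": f"10.0.{i}.1"}
            for p in LEGIT_PATHS for i in range(legit_per_path)]
    # forged sources: one path delivers packets claiming thousands of addresses
    pkts += [{"path": ATTACK_PATH, "src": f"198.51.{i % 256}.{i // 256}"}
             for i in range(attack)]
    return pkts


def demand_by_path(pkts):
    """Queued packets per path; the attack path dominates by count only."""
    return Counter(p["path"] for p in pkts)


def no_path_service(demand, capacity):
    """Without path info a flooded host serves packets roughly in proportion
    to arrival, so the forged flood takes almost all of the capacity."""
    total = sum(demand.values())
    return {p: capacity * d // total for p, d in demand.items()}


def fair_share(demand, capacity):
    """Max-min fair split of `capacity` over paths: every path gets an equal
    share, and a path that needs less hands the rest back to the others."""
    alloc = {p: 0 for p in demand}
    unsat = set(demand)
    left = capacity
    while unsat and left >= len(unsat):
        share = left // len(unsat)
        for p in list(unsat):
            give = min(share, demand[p] - alloc[p])
            alloc[p] += give
            left -= give
            if alloc[p] == demand[p]:
                unsat.discard(p)
    for p in list(unsat)[:left]:  # fewer units than paths: one each, in turn
        alloc[p] += 1
    return alloc
```

With the sample traffic and a capacity of 100 packets, the three honest paths are served in full and the flooding path is capped at the remainder, whereas proportional service gives the honest paths nothing.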
Fair Service and PEIP have been implemented in test networks and are described in detail in A Fair Service Approach to Defending Against Packet Flooding Attacks and Changing IP to Eliminate Source Forgery (the proposals date back to 2001).
I know Don Cohen and K. Narayanswamy personally and vouch for the veracity of what is claimed and documented in this paper. DDOS is a sufficiently important problem that an infrastructure-wide solution such as PEIP and Fair Service should be considered by Cisco and other router manufacturers and ISPs as a way to greatly lessen the threat of DDOS. Don and Swamy contacted Cisco (and some ISPs) over ten years ago to make them aware of this solution to the DDOS problem but, among other things, Cisco did not want to modify its routers, which would be necessary to properly implement PEIP. The recent DDOS attack of October 21, 2016 is a reminder that we still need to improve the infrastructure (if not via PEIP then in some way) in order to properly deal with DDOS. Don Cohen would still be happy to hear from Cisco, other router manufacturers and major ISPs to answer any questions they have as to why PEIP and Fair Service is a viable approach to mitigating DDOS attacks. Contacts: Don Cohen <don@isis.cs3-inc.com> and K. Narayanaswamy <swamy@cs3-inc.com>.
Dennis G. Allard
Santa Monica
October 22, 2016
How would PEIP and Fair Service stop a DDOS coming from thousands of compromised systems? By identifying each rogue connection and giving it a small percentage of the bandwidth by fair share, thousands of connections would still overwhelm most systems by the combination of (% bandwidth * sheer number of connections).
PEIP and Fair Service are not overwhelmed by the “sheer number of connections” because what matters is the set of router paths leading to each host. Think of the host being targeted. Now consider the spanning tree of the graph of routers that are involved in routing packets to that host. If every router in that spanning tree has implemented Fair Service, then most paths will be providing unhindered service. Even the most prolific attack can only compromise a tiny set of the router paths, and even then, if Fair Service is implemented all the way back to each source host, even the initial packets from each zombie source client will only receive Fair Service.
I have asked Don Cohen to reply here in more detail. Let’s see what he has to say.
Obviously this all depends on all kinds of things like how many packets fit in which pipes and how fast the server can process them.
Ultimately, if every machine on the internet except one victim is attacking, then that victim will get a mighty small share, but the all-but-one already have many other ways to attack the single victim. When you talk about #connections, I think you’re describing a particular type of attack that involves using storage on the server – the attackers are not just sending packets but actually trying to make legitimate connections. Or maybe there really are a huge number of legitimate users out there.
Servers can also use PEIP to fairly allocate connections. If the server does this, and, just for example, the server is able to serve 1000 connections/sec, and there are 100000 machines (actually I should say paths – different locations) requesting service, then the victim would get his fair share of one connection / 100 sec – pretty bad, but a lot different from zero.
If you’re instead just talking about packet flooding, things are a lot better.
Don, thank you for replying. This cleared up some things for me!