Results 1 - 10 of 154
SOS: Secure overlay services
- In Proceedings of ACM SIGCOMM, 2002
Cited by 180 (14 self)
Denial of service (DoS) attacks continue to threaten the reliability of networking systems. Previous approaches for protecting networks from DoS attacks are reactive in that they wait for an attack to be launched before taking appropriate measures to protect the network. This leaves the door open for other attacks that use more sophisticated methods to mask their traffic. We propose an architecture called Secure Overlay Services (SOS) that proactively prevents DoS attacks, geared toward supporting Emergency Services or similar types of communication. The architecture is constructed using a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by (i) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic, and (ii) introducing randomness and anonymity into the architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels.
Congestion-Dependent Pricing of Network Services
- IEEE/ACM Transactions on Networking, 1998
Cited by 100 (0 self)
We consider a service provider (SP) who provides access to a communication network or some other form of on-line services. Users access the network and initiate calls that belong to a set of diverse service classes, differing in resource requirements, demand pattern, and call duration.
Distributed Admission Control
Cited by 84 (7 self)
This paper describes a framework for admission control for a packet-based network where the decisions are taken by edge devices or end-systems, rather than resources within the network. The decisions are based on the results of probe packets that the end-systems send through the network, and require only that resources apply a mark to packets in a way that is load dependent. One application example is the Internet, where marking information is fed back via an ECN bit, and we show how this approach allows a rich QoS framework for flows or streams. Our approach allows networks to be explicitly analysed, and consequently engineered.
Effects of Wavelength Routing and Selection Algorithms on Wavelength Conversion Gain in WDM Optical Networks
- IEEE/ACM Transactions on Networking, 1998
Cited by 73 (2 self)
Wavelength division multiplexing technology is emerging as the transmission and switching mechanism for future optical mesh networks. In these networks, it is desired that a wavelength can be routed without electrical conversions. Two technologies are possible for this purpose: Wavelength Selective Cross-Connects (WSXC), and Wavelength Interchanging Cross-Connects (WIXC) which involve wavelength conversion. It is believed that wavelength converters may improve the blocking performance, but there is a mix of results in the literature on the amount of this performance enhancement. In this paper, we use two metrics to quantify the wavelength conversion gain: the reduction in blocking probability and the increase in maximum utilization, compared to a network without converters. We study effects of wavelength routing and selection algorithms on these measures for mesh networks. We use the Overflow Model to analyze the blocking probability for wavelength selective mesh networks using the Fir...
ATM Network Design And Optimization: A Multirate Loss Network Framework
- IEEE/ACM Transactions on Networking, 1996
Cited by 56 (6 self)
ATM network design and optimization at the call-level may be formulated in the framework of multirate, circuit-switched, loss networks with effective bandwidth encapsulating cell-level behavior. Each service supported on the ATM network is characterized by a rate or bandwidth requirement. Future networks will be characterized by links with very large capacities in circuits and by many rates. Various asymptotic results are given to reduce the attendant complexity of numerical calculations. A central element is a uniform asymptotic approximation (UAA) for link analyses. Moreover, a unified hybrid approach is given which allows asymptotic and nonasymptotic methods of calculations to be used cooperatively. Network loss probabilities are obtained by solving fixed point equations. A canonical problem of route and logical network design is considered. An optimization procedure is proposed, which is guided by gradients obtained by solving a system of equations for implied costs. A novel applic...
Distributing Layered Encoded Video through Caches
- 2001
Cited by 53 (3 self)
The efficient distribution of stored information has become a major concern in the Internet which has increasingly become a vehicle for the transport of stored video. Because of the highly heterogeneous access to the Internet, researchers and engineers have argued for layered encoded video. In this paper we investigate delivering layered encoded video using caches. Based on the stochastic knapsack theory we develop a model for the layered video caching problem. We propose heuristics to determine which videos and which layers in the videos should be cached in order to maximize the revenue from the streaming service. We evaluate the performance of our heuristics through extensive numerical experiments. We find that for typical scenarios, the revenue increases nearly logarithmically with the cache size and linearly with the link bandwidth that connects the cache to the origin servers. We also consider service models with request queuing and negotiations about the delivered stream quality and find that both extensions provide only small revenue increases.
Resource Sharing for Book-Ahead and Instantaneous-Request Calls
- IEEE/ACM Transactions on Networking, 1999
Cited by 53 (8 self)
In order to provide an adequate quality of service to large-bandwidth calls, such as video conference calls, service providers of integrated services networks may want to allow some customers to book their calls ahead, i.e., make advance reservations. We propose a scheme for sharing resources among book-ahead (BA) calls (that announce their call holding times as well as their call initiation times upon arrival) and non-BA calls (that do not announce their holding times). It is possible to share resources without allowing any calls in progress to be interrupted, but in order to achieve a more efficient use of resources, we think that it may be desirable to occasionally allow a call in progress to be interrupted. (In practice, it may be possible to substitute service degradation, such as bit dropping or coarser encoding of video, for interruption.) Thus, we propose an admission control algorithm in which a call is admitted if an approximate interrupt probability (computed in real time) i...
Adaptive Proportional Routing: A Localized QoS Routing Approach
- 2002
Cited by 44 (4 self)
Most of the QoS routing schemes proposed so far require periodic exchange of QoS state information among routers, imposing both communication overhead on the network and processing overhead on core routers. Furthermore, stale QoS state information causes the performance of these QoS routing schemes to degrade drastically. In order to circumvent these problems, we focus on localized QoS routing schemes where the edge routers make routing decisions using only local information and thus reducing the overhead at core routers. We first describe virtual capacity based routing (vcr), a theoretical scheme based on the notion of virtual capacity of a route. We then propose proportional sticky routing, an easily realizable approximation of vcr and analyze its performance. We demonstrate through extensive simulations that adaptive proportional routing is indeed a viable alternative to the global QoS routing approach.
SOS: An Architecture For Mitigating DDoS Attacks
- IEEE Journal on Selected Areas of Communications (JSAC), 2004
Cited by 36 (4 self)
We propose an architecture called secure overlay services (SOS) that proactively prevents denial of service (DoS) attacks, geared toward supporting emergency services, or similar types of communication. The architecture uses a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by: 1) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic and 2) introducing randomness and anonymity into the forwarding architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels. Our performance measurements using a prototype implementation indicate an increase in end-to-end latency by a factor of two for the general case, and an average heal time of less than 10 s. Index Terms—Access control, denial of service (DoS) attacks, overlay networks, packet filtering, peer-to-peer (P2P) networks.
Improving Service by Informing Customers about Anticipated Delays
- Management Science, 1999
Cited by 34 (9 self)
This paper studies alternative ways to manage a multi-server system such as a telephone call center. Three alternatives can be described succinctly by: (i) blocking, (ii) reneging and (iii) balking. The first alternative – blocking – is to have no provision for waiting. The second alternative is to allow waiting, but neither inform customers about anticipated delays nor provide state information to allow arriving customers to predict delays. The second alternative tends to yield higher server utilizations. The first alternative tends to reduce to the second, without the first-come first-served service discipline, when customers can easily retry, as with automatic redialers in telephone access. The third alternative is to both allow waiting and inform customers about anticipated delays. The third alternative tends to cause balking when all servers are busy (abandonment upon arrival) instead of reneging (abandonment after waiting). Birth-and-death process models are proposed to describe the performance with each alternative. Algorithms are developed to compute the conditional distributions of the time to receive service and the time to renege given each outcome. Algorithms are also developed to help the service provider predict customer waiting times before beginning service, given estimated service-time distributions and the elapsed service times of the customers in service. Better predictions may be obtained by classifying customers and thereby obtaining better estimates of their service-time distributions.

