DoS attack countermeasures in NGN using private security policy

2010 
This paper proposes countermeasures against denial of service (DoS) attacks on the Next Generation Network (NGN). A private security policy is applied to IP packets flowing from the Internet into the NGN: the packets are checked, and abnormal packets associated with DoS attacks are detected at the edge routers on the NGN exit side. A DoS attack notification is sent back from these edge routers to the entrance-side edge routers, which mark matching IP packets and send them around a loop added to their route. The distinguishing feature of our method is that attack packets are delayed rather than simply discarded, which avoids losing normal packets misrecognized as attack packets by letting the end user decide whether they are normal. This is acceptable because DoS attack packets are usually meaningless rather than dangerous. Our method eliminates attack-induced congestion and restores service provision. Its effectiveness was verified by network simulations.