NetFence attempts to prevent DoS attacks by making the network slightly more intelligent. Bottleneck routers stamp authenticated congestion feedback into the packets that pass through them, and the access routers near the senders use that feedback to police each sender's rate. Some of the inspection and policing that a pure end-to-end design leaves to the victim is therefore done inside the network, in an effort to minimize the effect of DoS attacks. This is another violation of the end-to-end principle that seems to be beneficial. In fact, it raises the question of whether DoS is a direct consequence of the end-to-end principle.
A distributed DoS attack relies on a large number of hosts bombarding the target with constant requests. If the end-to-end principle is followed strictly, the responsibility for handling the attack rests entirely with the target. But the target's inbound link is the very resource being exhausted: by the time the flood arrives, the target can drop the packets, yet it cannot reclaim the bandwidth they already consumed. Since a defense has to inspect and make decisions about a very large volume of traffic, the right approach seems to be a distributed, parallelized one that makes those decisions upstream, close to the senders. The natural way to accomplish this is an approach like NetFence; we have to violate the end-to-end principle in order to handle this attack well. Again, end-to-end is a useful simplification, but sometimes a dangerous and obsolete one.
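To make the contrast concrete, here is a small simulation of the two designs discussed above: a victim that must absorb every flood packet itself, versus in-network policing in the NetFence style, where the bottleneck router emits congestion feedback and the senders' access routers rate-limit on it. This is an added example written for this post, not code from the NetFence paper; it assumes a single HMAC key shared by the bottleneck and access routers, an AIMD policing rule, a lossless and instantaneous feedback echo from the receiver, and a constructed scenario of nine attackers and one legitimate sender sharing a bottleneck of capacity 10.

```python
"""Toy model of NetFence-style congestion policing (constructed example, not the paper's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: one secret shared by the bottleneck router and the access routers.
ROUTER_KEY = b"shared-router-secret"


def make_feedback(sender: str, level: str) -> bytes:
    """Bottleneck router stamps a congestion-feedback token that senders cannot forge."""
    return hmac.new(ROUTER_KEY, f"{sender}|{level}".encode(), hashlib.sha256).digest()[:8]


def verify_feedback(sender: str, level: str, tag: bytes) -> bool:
    """Access router checks the token before trusting the feedback level it carries."""
    return hmac.compare_digest(make_feedback(sender, level), tag)


@dataclass
class AccessRouter:
    """Polices each sender with AIMD, driven only by authenticated feedback."""
    start_rate: float = 2.0
    floor: float = 0.1
    step: float = 0.1
    limits: dict = field(default_factory=dict)

    def admit(self, sender: str, requested: float, level: str, tag: bytes) -> float:
        """Return the rate the router lets this sender push into the network this round."""
        limit = self.limits.get(sender, self.start_rate)
        if not verify_feedback(sender, level, tag):
            level = "mon"  # forged or missing feedback is treated as 'congested'
        if level == "mon":
            limit = max(self.floor, limit / 2)  # multiplicative decrease on congestion
        else:
            limit += self.step  # additive increase while the path is uncongested
        self.limits[sender] = limit
        return min(requested, limit)


def simulate(demands: dict, capacity: float, rounds: int, policed: bool) -> dict:
    """Average delivered rate per sender over `rounds`, with or without access-router policing.

    Without policing the bottleneck simply drops proportionally when over capacity,
    which is the situation a purely end-to-end victim is left in.
    """
    access = AccessRouter()
    tokens = {s: ("nop", make_feedback(s, "nop")) for s in demands}
    delivered = {s: 0.0 for s in demands}
    for _ in range(rounds):
        if policed:
            sent = {s: access.admit(s, demands[s], *tokens[s]) for s in demands}
        else:
            sent = dict(demands)
        total = sum(sent.values())
        scale = min(1.0, capacity / total)  # proportional drop at the bottleneck
        level = "mon" if total > capacity else "nop"
        for s, rate in sent.items():
            delivered[s] += rate * scale
            # Bottleneck stamps feedback; receiver echoes it back to the sender (modeled as instant).
            tokens[s] = (level, make_feedback(s, level))
    return {s: delivered[s] / rounds for s in demands}


# Constructed scenario: nine attackers each demanding 10 units, one legitimate sender demanding 1.
DEMANDS = {f"attacker{i}": 10.0 for i in range(9)}
DEMANDS["legit"] = 1.0
CAPACITY = 10.0

if __name__ == "__main__":
    for policed in (False, True):
        result = simulate(DEMANDS, CAPACITY, rounds=200, policed=policed)
        print(f"policed={policed}: legit gets {result['legit']:.2f} of its 1.0 demand")
```

Without policing the legitimate sender receives roughly a tenth of its demand, since the bottleneck drops everyone proportionally and the attackers dominate the mix. With policing, every sender converges toward its fair share of the bottleneck, so the legitimate sender gets most of its demand while each attacker is held near the same share regardless of how much it tries to send. The feedback check matters: an attacker that forges a "no congestion" token is treated as congested and halved immediately, which is the property that makes the in-network decision safe to delegate.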