Title: System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks
Abstract: An approach provides a communication network that supports one or more network-based Virtual Private Networks (VPNs) to resist Denial of Service (DoS) attacks. A first boundary router is configured to provide a Virtual Private Network (VPN) that supports quality of service levels, and interfaces an access network via a Customer Premise Equipment (CPE) edge router and a physical access link. A second boundary router is coupled to a public network. The access network connects to the first boundary router, and wherein the first boundary router and the second boundary router are connected by a separate logical connection to prevent denial of service attacks on the physical access link originating from sources outside the VPN.
Publication number: US9009812(B2) Publication date: 2015.04.14
Application number: US201313925384 Filing date: 2013.06.24
Applicant: Verizon Patent and Licensing Inc. Inventor: McDysan David E.
Classification: H04L9/00;H04L29/06 Main classification: H04L9/00
Agency: Agent:
Independent claim: 1. A system comprising: a Differentiated Services (Diffserv)-enabled Internet Protocol (IP) Virtual Private Network (VPN) network, including at least a first boundary router; an IP public network, including at least a second boundary router; a plurality of Customer Local Area Networks (LANs), the LANs each including one or more hosts that function as a transmitter and/or receiver of packets communicated over one or both of the Diffserv-enabled VPN network and IP public network; a plurality of access networks, each access network coupled, via a Customer Premise Equipment (CPE) edge router and a physical access link, to a respective LAN; wherein the access network has a first logical connection to the at least first boundary router in the Diffserv-enabled VPN network and a separate, second logical connection to the at least second boundary router in the IP public network to prevent denial of service attacks on the physical access link originating from sources outside the VPN, the CPE edge router routing only packets with IP address prefixes belonging to the IP VPN via the Diffserv-enabled IP VPN network and routing all other traffic via the IP public network.
Address: Basking Ridge NJ US