In a network stack Denial-of-Service (DoS) attack, numerous network packets flood the packet queues on a computer system, rendering the processing software on that machine (the "network stack") incapable of handling normal traffic. (This is not the same as a network bandwidth attack, in which copious packets overwhelm the capacity of the data lines in and out of the computer.) We propose to extend the operating system (OS)-level protection of PitBull Foundation to defend against network stack attacks by assigning certain packets a Security Label (SL) that carries network priority. A packet with the specified SL would be guaranteed priority in the network stack, thereby allowing a remote administrator to access and recover a system even during a CPU DoS attack. Recovery during attack is key to survivability.

Anticipated Benefits/Commercial Applications: An administrator would be able to access a computer, either at the console or over a network, even during a network stack DoS attack. The administrator could then take actions to recover the system and keep it operational.
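The priority mechanism described above, as an added simulation that is not PitBull code: a model of a network-stack input path with a separate, strictly prioritised lane for packets carrying the privileged SL. The label name, lane sizes, arrival and service rates are constructed for the example, and the model assumes the OS has already validated the label before the packet reaches the queue.

```python
from collections import deque

# Hypothetical label name; the real SL namespace belongs to PitBull and is not shown here.
PRIORITY_SL = "net_priority"


class LabeledStack:
    """Model of a network-stack input path with two bounded lanes: one for
    packets carrying PRIORITY_SL, one for everything else. A full lane
    tail-drops new arrivals, as a real packet queue would under flood."""

    def __init__(self, capacity=32, priority_capacity=8):
        self.lanes = {True: deque(), False: deque()}      # keyed by "is labeled"
        self.caps = {True: priority_capacity, False: capacity}
        self.dropped = 0

    def enqueue(self, pkt):
        lane = pkt.get("label") == PRIORITY_SL
        if len(self.lanes[lane]) >= self.caps[lane]:
            self.dropped += 1
            return False
        self.lanes[lane].append(pkt)
        return True

    def dequeue(self):
        # Strict priority: the labeled lane is always served first.
        for lane in (True, False):
            if self.lanes[lane]:
                return self.lanes[lane].popleft()
        return None


def admin_latency(stack, flood_per_tick, service_per_tick, admin_label, max_ticks=200):
    """Flood the stack with unlabeled packets every tick, inject one admin
    packet at tick 5, and return the tick at which it is processed
    (None if the stack never gets to it within max_ticks)."""
    for tick in range(max_ticks):
        for _ in range(flood_per_tick):
            stack.enqueue({"src": "flood", "label": None})
        if tick == 5:
            stack.enqueue({"src": "admin", "label": admin_label})
        for _ in range(service_per_tick):
            pkt = stack.dequeue()
            if pkt is None:
                break
            if pkt["src"] == "admin":
                return tick
    return None
```

With a flood of 10 packets per tick against a service rate of 4, the unlabeled lane fills by tick 4, so an unlabeled administrator packet is dropped on arrival, while the same packet carrying PRIORITY_SL is processed in the tick it arrives.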
Keywords: network stack, TCP/IP, software security, denial of service, information assurance