8. Security Considerations
The document is about traffic security: how to identify and eject traffic that does not comply with non-queue-building behaviour required for a shared LL queue.
8.1. Resource Exhaustion Attacks
QProt is designed to fail gracefully when traffic attempts to exhaust processing or flow-state resources. Non-queue-building flows should remain less likely to be sanctioned than queue-building flows, but attacks can increase incorrect sanctioning.
To exhaust flow-state buckets, an attacker can keep many long-running attack flows active. With ATTEMPTS=2 and NBUCKETS=32, about 94 attack flows can raise the probability to 99% that an arriving flow has to share the dregs bucket. If coupled marking probability reaches 100%, each attack flow needs at least the aging rate, 4 Mb/s by default, so 100 flows imply more than 100 * 4 Mb/s = 400 Mb/s attack force.
Increasing NBUCKETS mitigates state exhaustion. Whole-flow redirection of persistent offenders could mitigate both state exhaustion and processing exhaustion, but it is outside the current DOCSIS QProt algorithm.
Discarding whole offending flows is not recommended because attackers might redirect discard toward innocent flows, amplifying reordering into deletion.