ABSTRACT
Denial of Service attacks are presenting an increasing threat to the global inter-networking infrastructure. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to attack by high-rate non-responsive flows. In this paper, we investigate a class of low-rate denial of service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulations, and Internet experiments, we show that maliciously chosen low-rate DoS traffic patterns that exploit TCP's retransmission time-out mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Moreover, as such attacks exploit protocol homogeneity, we study fundamental limits of the ability of a class of randomized time-out mechanisms to thwart such low-rate DoS attacks.
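The abstract's point that such traffic eludes rate-based detection suggests the check a defender would want instead: periodicity at the 1 s minimum RTO (RFC 2988) in an otherwise low-rate arrival series. The Python below is an added example, not code from the paper; the 1 s minRTO, the 50 ms bins, the 0.5 autocorrelation threshold and the packet trace are all assumptions constructed here.

```python
import math
import random
from typing import Dict, List, Tuple

MIN_RTO = 1.0   # seconds: RFC 2988's recommended minimum RTO, the time-scale the attack targets
BIN = 0.05      # seconds: histogram bin width for the arrival-count series (assumed)

def bin_counts(timestamps: List[float], duration: float, bin_width: float = BIN) -> List[int]:
    """Count packet arrivals per fixed-width time bin over [0, duration)."""
    counts = [0] * int(math.ceil(duration / bin_width))
    for t in timestamps:
        if 0 <= t < duration:
            counts[min(int(t / bin_width), len(counts) - 1)] += 1
    return counts

def autocorr(counts: List[int], lag: int) -> float:
    """Normalized autocorrelation of the count series at the given lag (in bins)."""
    n, mean = len(counts), sum(counts) / len(counts)
    var = sum((c - mean) ** 2 for c in counts)
    if var == 0:
        return 0.0
    return sum((counts[i] - mean) * (counts[i + lag] - mean) for i in range(n - lag)) / var

def dominant_period(counts: List[int], lo: float = 0.5, hi: float = 2.0) -> Tuple[float, float]:
    """Strongest period (seconds) and its autocorrelation among lags between lo and hi seconds."""
    best = (0.0, -1.0)
    for lag in range(int(lo / BIN), int(hi / BIN) + 1):
        r = autocorr(counts, lag)
        if r > best[1]:
            best = (lag * BIN, r)
    return best

def analyze(timestamps: List[float], duration: float, threshold: float = 0.5) -> Dict[str, float]:
    """Flag a trace whose arrivals are strongly periodic near minRTO even though its mean rate is low."""
    counts = bin_counts(timestamps, duration)
    period, r = dominant_period(counts)
    return {"mean_pps": sum(counts) / duration, "period": period, "autocorr": r,
            "flagged": bool(r >= threshold and abs(period - MIN_RTO) <= 2 * BIN)}

def constructed_trace(duration: float, burst_period: float = 0.0, burst_len: float = 0.1,
                      burst_pps: int = 400, bg_pps: float = 20.0, seed: int = 1) -> List[float]:
    """Constructed sample input: Poisson background, plus square-wave bursts if burst_period > 0."""
    rng, ts, t = random.Random(seed), [], 0.0
    while t < duration:                                 # background arrivals
        t += rng.expovariate(bg_pps)
        ts.append(t)
    start = 0.0
    while burst_period > 0 and start < duration:        # short bursts spaced burst_period apart
        ts.extend(start + k / burst_pps for k in range(int(burst_len * burst_pps)))
        start += burst_period
    return sorted(ts)

if __name__ == "__main__":
    print(analyze(constructed_trace(20.0), 20.0))                         # background only: not flagged
    print(analyze(constructed_trace(20.0, burst_period=MIN_RTO), 20.0))   # periodic at minRTO: flagged
```

The flagged trace averages about 60 packets per second, far below any rate threshold a router would apply, which is why the periodicity statistic rather than the rate is what exposes it.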