Proceedings of the 2nd ACM workshop on Quality of protection
In this paper we experimentally analyse various dynamic timeout adjustment strategies in server queues as potential counter-measures against degradation of service attacks. Previous theoretical work studied the relative performance of both coarse-grained threshold-based timeout and fine-grained adjustment strategies, where the timeout value is adjusted as the number of connections in the queue varies. In addition, two methods for removing timed-out connections were explored: the deterministic method, where the expiry time is determined at connection arrival depending on the timeout value at that moment, and the deferred method, where connections are continuously polled and flushed when the time-in-queue is larger than the current timeout value.

We report on experiments performed on a lab network where these strategies were tested against various configuration and attack parameters. The experimental results confirm the conclusions previously obtained from mathematical modelling and simulation, i.e. that (a) finer-grained dynamic adjustment performs better than coarse-grained or no adjustment, and (b) the deferred method performs better than the deterministic one. Furthermore, our implementation of these counter-measures is very efficient and transparent with respect to the servers and applications it tries to protect. It could therefore be easily integrated into existing OS and applications or implemented in separate network devices, either on dedicated machines or network appliances.
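The mechanical difference between the deterministic and deferred removal methods can be seen in a small queue simulation. This is an added example, not the authors' implementation: the queue capacity, the timeout bounds, the linear adjustment rule and the constructed flood trace are all assumptions chosen for illustration.

```python
# Added illustration. CAPACITY, T_MAX, T_MIN and the linear rule are
# assumptions, not values taken from the paper.
CAPACITY = 4   # slots in the half-open connection queue
T_MAX = 8      # timeout in ticks when the queue is empty
T_MIN = 2      # timeout in ticks when the queue is full


def timeout(n):
    """Fine-grained adjustment: the timeout shrinks linearly with occupancy n."""
    return T_MAX - (T_MAX - T_MIN) * n // CAPACITY


def simulate(arrivals, method, ticks):
    """Replay arrival ticks and return how many arrivals found the queue full."""
    if method not in ("deterministic", "deferred"):
        raise ValueError(f"unknown method: {method}")
    queue = []      # deterministic: expiry ticks; deferred: arrival ticks
    rejected = 0
    for t in range(ticks):
        if method == "deterministic":
            # Expiry was fixed at arrival, from the timeout in force back then.
            queue = [expiry for expiry in queue if expiry > t]
        else:
            # Poll every tick: compare time-in-queue with the current timeout.
            current = timeout(len(queue))
            queue = [arrived for arrived in queue if t - arrived < current]
        for _ in range(arrivals.count(t)):
            if len(queue) >= CAPACITY:
                rejected += 1
            elif method == "deterministic":
                queue.append(t + timeout(len(queue)))
            else:
                queue.append(t)
    return rejected


# Constructed trace: one connection per tick that never completes its handshake.
FLOOD = list(range(20))

if __name__ == "__main__":
    for m in ("deterministic", "deferred"):
        print(m, "rejected:", simulate(FLOOD, m, ticks=20))
```

On this trace the deterministic method keeps entries that were admitted with a long timeout while the queue was still empty, so the queue stays full for several ticks; the deferred method re-evaluates every entry against the shortened timeout as soon as the queue fills.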