HAWK: halting anomalies with weighted choking to rescue well-behaved TCP sessions from shrew DDoS attacks

Authors:
Yu-Kwong Kwok;Rohit Tripathi;Yu Chen;Kai Hwang
Affiliations:
University of Southern California, Los Angeles, CA;University of Southern California, Los Angeles, CA;University of Southern California, Los Angeles, CA;University of Southern California, Los Angeles, CA
Venue:
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Year:
2005

Citing 5
Cited 5

Random early detection gateways for congestion avoidance

IEEE/ACM Transactions on Networking (TON)
Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites

Proceedings of the 11th international conference on World Wide Web
End-to-end available bandwidth: measurement methodology, dynamics, and relation with TCP throughput

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Cyber defense technology networking and evaluation

Communications of the ACM - Homeland security

A router-based technique to mitigate reduction of quality (RoQ) attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking
Detecting pulsing denial-of-service attacks with nondeterministic attack intervals

EURASIP Journal on Advances in Signal Processing - Special issue on signal processing applications in network intrusion detection systems
A new mechanism for improving robustness of TCP against pulsing denial-of-service attacks

ACOS'06 Proceedings of the 5th WSEAS international conference on Applied computer science
Survey of low rate DoS attack detection mechanisms

Proceedings of the International Conference & Workshop on Emerging Trends in Technology
Chaos-based detection of LDoS attacks

Journal of Systems and Software

Quantified Score

Hi-index	0.00

Visualization

Abstract

High availability in network services is crucial for effective large-scale distributed computing. While distributed denial-of-service (DDoS) attacks through massive packet flooding have baffled researchers for years, a new type of even more detrimental attack—shrew attacks (periodic intensive packet bursts with low average rate)—has recently been identified. Shrew attacks can significantly degrade well-behaved TCP sessions, repel potential new connections, and are very difficult to detect, not to mention defend against, due to its low average rate. We propose a new stateful adaptive queue management technique called HAWK (Halting Anomaly with Weighted choKing) which works by judiciously identifying malicious shrew packet flows using a small flow table and dropping such packets decisively to halt the attack such that well-behaved TCP sessions can re-gain their bandwidth shares. Our NS-2 based extensive performance results indicate that HAWK is highly agile.