Flow level detection and filtering of low-rate DDoS

Authors:
Changwang Zhang;Zhiping Cai;Weifeng Chen;Xiapu Luo;Jianping Yin
Affiliations:
School of Computer Science, National University of Defense Technology, Changsha, China and Department of Computer Science, University College London, Gower Street, London WC1E 6BT, United Kingdom;School of Computer Science, National University of Defense Technology, Changsha, China;Department of Math & Computer Science, California University of Pennsylvania, USA;Computing Department, Hong Kong Polytechnic University, China;School of Computer Science, National University of Defense Technology, Changsha, China
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2012

Citing 35
Cited 0

Random early detection gateways for congestion avoidance

IEEE/ACM Transactions on Networking (TON)
Dynamics of random early detection

SIGCOMM '97 Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
Promoting the use of end-to-end congestion control in the Internet

IEEE/ACM Transactions on Networking (TON)
Modeling TCP Reno performance: a simple model and its empirical validation

IEEE/ACM Transactions on Networking (TON)
Modeling TCP behavior in a differentiated services network

IEEE/ACM Transactions on Networking (TON)
The BLUE active queue management algorithms

IEEE/ACM Transactions on Networking (TON)
Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Gigascope: a stream database for network applications

Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Controlling High-Bandwidth Flows at the Congested Router

ICNP '01 Proceedings of the Ninth International Conference on Network Protocols
An empirical evaluation of wide-area internet bottlenecks

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Estimating loss rates with TCP

ACM SIGMETRICS Performance Evaluation Review
DDoS attacks and defense mechanisms: classification and state-of-the-art

Computer Networks: The International Journal of Computer and Telecommunications Networking
An adaptive virtual queue (AVQ) algorithm for active queue management

IEEE/ACM Transactions on Networking (TON)
Data streaming algorithms for efficient and accurate estimation of flow size distribution

Proceedings of the joint international conference on Measurement and modeling of computer systems
Exploiting the Transients of Adaptation for RoQ Attacks on Internet Resources

ICNP '04 Proceedings of the 12th IEEE International Conference on Network Protocols
Defending Against Low-Rate TCP Attacks: Dynamic Detection and Protection

ICNP '04 Proceedings of the 12th IEEE International Conference on Network Protocols
Performance Analysis of TCP/AQM Under Denial-of-Service Attacks

MASCOTS '05 Proceedings of the 13th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems
Defending Against TCP SYN Flooding Attacks Under Different Types of IP Spoofing

ICNICONSMCL '06 Proceedings of the International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies
Survey of network-based defense mechanisms countering the DoS and DDoS problems

ACM Computing Surveys (CSUR)
Low-rate TCP-targeted denial of service attacks and counter strategies

IEEE/ACM Transactions on Networking (TON)
Evaluation of a low-rate DoS attack against iterative servers

Computer Networks: The International Journal of Computer and Telecommunications Networking
Collaborative detection and filtering of shrew DDoS attacks using spectral analysis

Journal of Parallel and Distributed Computing - Special issue: Security in grid and distributed systems
A router-based technique to mitigate reduction of quality (RoQ) attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking
On the state of IP spoofing defense

ACM Transactions on Internet Technology (TOIT)
On the detection of signaling DoS attacks on 3G/WiMax wireless networks

Computer Networks: The International Journal of Computer and Telecommunications Networking
Detecting pulsing denial-of-service attacks with nondeterministic attack intervals

EURASIP Journal on Advances in Signal Processing - Special issue on signal processing applications in network intrusion detection systems
Mathematical model for low-rate DoS attacks against application servers

IEEE Transactions on Information Forensics and Security
RRED: robust RED algorithm to counter low-rate denial-of-service attacks

IEEE Communications Letters
Protection Against Denial of Service Attacks

The Computer Journal
Defense techniques for low-rate DoS attacks against application servers

Computer Networks: The International Journal of Computer and Telecommunications Networking
A novel mechanism to defend against low-rate denial-of-service attacks

ISI'06 Proceedings of the 4th IEEE international conference on Intelligence and Security Informatics
The taming of the shrew: mitigating low-rate TCP-targeted attack

IEEE Transactions on Network and Service Management
Defending against flooding-based distributed denial-of-service attacks: a tutorial

IEEE Communications Magazine
Packet-level traffic measurements from the Sprint IP backbone

IEEE Network: The Magazine of Global Internetworking
Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics

IEEE Transactions on Information Forensics and Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The recently proposed TCP-targeted Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP's congestion control mechanism. They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric - Congestion Participation Rate (CPR) - and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-base approach is its ability to identify LDDoS flows. A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective compared to an existing Discrete Fourier Transform (DFT)-based approach - one of the most efficient approaches in detecting LDDoS attacks. We also provide experimental guidance to choose the CPR threshold in practice.