Distributed mechanism in detecting and defending against the low-rate TCP attack

Authors:
Haibin Sun;John C. S. Lui;David K. Y. Yau
Affiliations:
Department of Computer Science and Engineering, The Chinese University of Hong Kong, Shatin, NT, Hong Kong;Department of Computer Science and Engineering, The Chinese University of Hong Kong, Shatin, NT, Hong Kong;Department of Computer Science, Purdue University
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2006

Citing 14
Cited 9

On the self-similar nature of Ethernet traffic (extended version)

IEEE/ACM Transactions on Networking (TON)
Efficient fair queueing using deficit round-robin

IEEE/ACM Transactions on Networking (TON)
Simulation-based comparisons of Tahoe, Reno and SACK TCP

ACM SIGCOMM Computer Communication Review
Self-similarity in World Wide Web traffic: evidence and possible causes

IEEE/ACM Transactions on Networking (TON)
On estimating end-to-end network path properties

Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication
Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Hash-based IP traceback

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Congestion control for high bandwidth-delay product networks

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Controlling High-Bandwidth Flows at the Congested Router

ICNP '01 Proceedings of the Ninth International Conference on Network Protocols
Exploiting the Transients of Adaptation for RoQ Attacks on Internet Resources

ICNP '04 Proceedings of the 12th IEEE International Conference on Network Protocols
Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles

IEEE/ACM Transactions on Networking (TON)
Defense against low-rate TCP-targeted denial-of-service attacks

ISCC '04 Proceedings of the Ninth International Symposium on Computers and Communications 2004 Volume 2 (ISCC"04) - Volume 02
Exact indexing of dynamic time warping

VLDB '02 Proceedings of the 28th international conference on Very Large Data Bases

Evaluation of a low-rate DoS attack against iterative servers

Computer Networks: The International Journal of Computer and Telecommunications Networking
Power to the people: securing the internet one edge at a time

Proceedings of the 2007 workshop on Large scale attack defense
Secretly monopolizing the CPU without superuser privileges

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Detecting pulsing denial-of-service attacks with nondeterministic attack intervals

EURASIP Journal on Advances in Signal Processing - Special issue on signal processing applications in network intrusion detection systems
On remote exploitation of TCP sender for low-rate flooding denial-of-service attack

IEEE Communications Letters
LDoS attack in ad-hoc network

WONS'09 Proceedings of the Sixth international conference on Wireless On-Demand Network Systems and Services
Defense techniques for low-rate DoS attacks against application servers

Computer Networks: The International Journal of Computer and Telecommunications Networking
Analysis of traffic correlation attacks on router queues

Computer Networks: The International Journal of Computer and Telecommunications Networking
Identity attack and anonymity protection for P2P-VoD systems

Proceedings of the Nineteenth International Workshop on Quality of Service

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we consider a distributed mechanism to detect and to defend against the low-rate TCP attack. The low-rate TCP attack is a recently discovered attack. In essence, it is a periodic short burst that exploits the homogeneity of the minimum retransmission timeout (RTO) of TCP flows and forces all affected TCP flows to backoff and enter the retransmission timeout state. When these affected TCP flows timeout and retransmit their packets, the low-rate attack will again send a short burst to force these affected TCP flows to enter RTO again. Therefore these affected TCP flows may be entitled to zero or very low transmission bandwidth. This sort of attack is difficult to identify due to a large family of attack patterns. We propose a distributed detection mechanism to identify the low-rate attack. In particular, we use the dynamic time warping approach to robustly and accurately identify the existence of the low-rate attack. Once the attack is detected, we use a fair resource allocation mechanism to schedule all packets so that (1) the number of affected TCP flows is minimized and, (2) provide sufficient resource protection to those affected TCP flows. Experiments are carried out to quantify the robustness and accuracy of the proposed distributed detection mechanism. In particular, one can achieve a very low false positive/negative when compare to legitimate Internet traffic. Our experiments also illustrate the the efficiency of the defense mechanism across different attack patterns and network topologies.