On a Mathematical Model for Low-Rate Shrew DDoS

The shrew distributed denial of service (DDoS) attack is very detrimental to many applications, since it can throttle TCP flows to a small fraction of their ideal rate at very low attack cost. Earlier works mainly focused on empirical studies of defending against the shrew DDoS, and very few of them provided analytic results about the attack itself. In this paper, we propose a mathematical model for estimating the attack effect of this stealthy type of DDoS. By capturing, for the first time, the adjustment behavior of the victim TCP's congestion window, our model can comprehensively evaluate the combined impact of the attack pattern (i.e., how the attack is configured) and the network environment on the attack effect (existing models failed to consider the impact of the network environment). Hence, our model has higher accuracy over a wider range of network environments. The relative error of our model remains around 10% for most attack patterns and network environments, whereas the relative error of the benchmark model in previous works has a mean value of 69.57% and can exceed 180% in some cases. More importantly, our model reveals some novel properties of the shrew attack arising from the interaction between attack pattern and network environment, such as the minimum-cost formula for launching a successful attack and the maximum-effect formula of a shrew attack. With them, we are able to find out how to adaptively tune the attack parameters (e.g., the DoS burst length) to improve the attack effect in a given network environment, and how to reconfigure the network resources (e.g., the bottleneck buffer size) to mitigate the shrew DDoS for a given attack pattern. Finally, based on our theoretical results, we put forward a simple strategy to defend against the shrew attack. The simulation results indicate that this strategy can remarkably increase TCP throughput by nearly half of the bottleneck bandwidth (and can be higher) for general attack patterns.
