The DRR-based approach of defending against LDoS

The low-rate denial of service (LDoS) attack is known as a low-rate TCP attack consisting essentially of periodic short bursts. It exploits the homogeneity of the minimum retransmission timeout (RTO) of TCP flows and forces all affected TCP flows to back off and enter the retransmission timeout state. The LDoS attack is a new threat to the Internet and to ISP services. This paper adopts the deficit round robin (DRR) algorithm to defend against the LDoS attack. The DRR algorithm provides bandwidth allocation and protection between flows to improve the throughput of all TCP flows. Experiments with a single low-rate attack against a single TCP flow and against multiple TCP flows show that DRR has the expected effect in resisting the LDoS attack.
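The flow isolation the abstract attributes to DRR can be seen in a toy link model, given here as an added Python example that is not the paper's code or experimental setup. It runs the same periodic burst against a shared drop-tail FIFO and against DRR with per-flow queues. The traffic pattern, buffer sizes, quantum, tick-based link and the crude sender model (one RTO of silence after any loss) are all assumptions constructed for illustration.

```python
from collections import deque

class Scheduler:
    """DRR over per-flow queues; per_flow=False collapses it to one shared FIFO."""
    def __init__(self, quantum, limit, per_flow=True):
        self.q, self.deficit, self.active = {}, {}, deque()
        self.quantum, self.limit, self.per_flow = quantum, limit, per_flow
    def enqueue(self, flow, size):
        key = flow if self.per_flow else "shared"
        q = self.q.setdefault(key, deque())
        if len(q) >= self.limit:
            return False               # drop-tail on this queue only
        if not q:                      # queue becomes backlogged
            self.deficit[key] = self.quantum
            self.active.append(key)
        q.append((flow, size))
        return True
    def dequeue(self):
        while self.active:
            key = self.active[0]
            q = self.q[key]
            if q[0][1] <= self.deficit[key]:
                flow, size = q.popleft()
                self.deficit[key] -= size
                if not q:              # idle queues keep no credit
                    self.deficit[key] = 0
                    self.active.popleft()
                return flow, size
            self.deficit[key] += self.quantum
            self.active.rotate(-1)     # next backlogged queue's turn
        return None

def simulate(sched, ticks=100, cap=1500, period=10, burst_ticks=2, rto=10):
    """Constructed traffic: periodic bursts plus one 500 B TCP packet per tick."""
    delivered, credit, resume = {"tcp": 0, "attack": 0}, 0, 0
    for t in range(ticks):
        if t % period < burst_ticks:   # burst: 3 x 1500 B per tick, low on average
            for _ in range(3):
                sched.enqueue("attack", 1500)
        if t >= resume and not sched.enqueue("tcp", 500):
            resume = t + rto           # loss: sender stays silent for one RTO
        credit += cap                  # link carries `cap` bytes per tick
        while credit > 0 and (pkt := sched.dequeue()):
            delivered[pkt[0]] += 1
            credit -= pkt[1]
        credit = min(credit, 0)        # an idle link banks no capacity
    return delivered
```

With these constructed parameters, `simulate(Scheduler(1500, 4, per_flow=False))` delivers 1 TCP packet in 100 ticks because every retransmission lands in the next burst, while `simulate(Scheduler(1500, 2))` delivers all 100.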
