Mitigating congestion based DoS attacks with an enhanced AQM technique

Denial of Service (DoS) attacks are currently one of the biggest risks any organization connected to the Internet can face. Hence, the congestion handling techniques at the edge router(s), such as Active Queue Management (AQM) schemes, must take such attacks into account. Ideally, an AQM scheme should (a) ensure that each network flow gets its fair share of bandwidth, and (b) identify attack flows so that corrective actions (e.g. dropping flooding traffic) can be taken explicitly against them to further mitigate the DoS attack. This paper presents a proof-of-concept work on devising such an AQM scheme, which we name Deterministic Fair Sharing (DFS). Most existing AQM schemes do not achieve the above goals, or leave significant room for improvement. DFS uses the concept of weighted fair share (wfs), which allows it to dynamically self-adjust the router buffer usage based on the current level of congestion while helping to identify malicious flows. By using multiple data structures (a comprehensive repository and a cache) to keep state for legitimate and malicious flows, DFS is able to optimize its runtime performance (e.g. higher-bandwidth flows are handled by the cache). We demonstrate the performance advantage of DFS via extensive simulation, comparing it against other existing AQM techniques.
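The following Python sketch is an added illustration, not the paper's DFS code: it models the per-flow fair-share AQM idea the abstract describes, with a repository holding state for every flow, a small cache mirroring the heaviest flows, a share that adjusts with the number of active flows, and a suspect set for flows repeatedly dropped for exceeding their share. The buffer size, cache size, suspect threshold, the equal-weight share rule (standing in for the paper's wfs) and the traffic trace are all assumptions.

```python
from collections import defaultdict, deque
# Constructed parameters; the paper's own thresholds and wfs weights differ.
BUFFER_CAPACITY = 100   # packets the queue can hold
CACHE_SIZE = 2          # heaviest flows mirrored into the fast-path cache
SUSPECT_DROPS = 5       # share-violation drops before a flow is flagged

class FairShareQueue:
    def __init__(self):
        self.queue = deque()                 # FIFO of flow ids, one per packet
        self.repository = defaultdict(int)   # every flow -> packets queued
        self.cache = {}                      # heaviest flows -> packets queued
        self.drops = defaultdict(int)        # flow -> drops for exceeding share
        self.suspect = set()                 # flows flagged as likely attackers
    def fair_share(self, flow_id):
        # Equal-weight share of the buffer among active flows: it shrinks as
        # congestion pulls more flows into the buffer and widens as it eases.
        active = {f for f, n in self.repository.items() if n > 0} | {flow_id}
        return BUFFER_CAPACITY / len(active)
    def enqueue(self, flow_id):
        """Admit one packet of flow_id; returns False if it was dropped."""
        # Hot flows are looked up in the small cache, the rest in the repository.
        occupancy = self.cache.get(flow_id, self.repository[flow_id])
        if len(self.queue) >= BUFFER_CAPACITY or occupancy >= self.fair_share(flow_id):
            self.drops[flow_id] += 1
            if self.drops[flow_id] >= SUSPECT_DROPS:
                self.suspect.add(flow_id)    # repeat offender: candidate for filtering
            return False
        self.queue.append(flow_id)
        self.repository[flow_id] += 1
        self._refresh_cache()
        return True
    def dequeue(self):
        self.repository[self.queue.popleft()] -= 1
        self._refresh_cache()
    def _refresh_cache(self):
        top = sorted(self.repository.items(), key=lambda kv: kv[1], reverse=True)
        self.cache = {f: n for f, n in top[:CACHE_SIZE] if n > 0}

def simulate(arrivals, service_every=3):
    """Feed a trace through the queue, serving one packet per service_every arrivals."""
    q, accepted = FairShareQueue(), defaultdict(int)
    for i, flow in enumerate(arrivals):
        accepted[flow] += int(q.enqueue(flow))
        if i % service_every == 0 and q.queue:
            q.dequeue()
    return q, accepted

# Constructed trace: one flooding source sends ten packets per packet of three normal flows.
TRACE = (["flood"] * 10 + ["a", "b", "c"]) * 30
```

Running `simulate(TRACE)` caps the flooding source at its share of the buffer and places it in the suspect set, while the three well-behaved flows are never dropped.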
