Distributed mechanism in detecting and defending against the low-rate TCP attack

In this paper, we consider a distributed mechanism to detect and to defend against the low-rate TCP attack. The low-rate TCP attack is a recently discovered attack. In essence, it is a periodic short burst that exploits the homogeneity of the minimum retransmission timeout (RTO) of TCP flows and forces all affected TCP flows to backoff and enter the retransmission timeout state. When these affected TCP flows timeout and retransmit their packets, the low-rate attack will again send a short burst to force these affected TCP flows to enter RTO again. Therefore these affected TCP flows may be entitled to zero or very low transmission bandwidth. This sort of attack is difficult to identify due to a large family of attack patterns. We propose a distributed detection mechanism to identify the low-rate attack. In particular, we use the dynamic time warping approach to robustly and accurately identify the existence of the low-rate attack. Once the attack is detected, we use a fair resource allocation mechanism to schedule all packets so that (1) the number of affected TCP flows is minimized and, (2) provide sufficient resource protection to those affected TCP flows. Experiments are carried out to quantify the robustness and accuracy of the proposed distributed detection mechanism. In particular, one can achieve a very low false positive/negative when compare to legitimate Internet traffic. Our experiments also illustrate the the efficiency of the defense mechanism across different attack patterns and network topologies.

[1]  FloydSally,et al.  Simulation-based comparisons of Tahoe, Reno and SACK TCP , 1996 .

[2]  Walter Willinger,et al.  On the self-similar nature of Ethernet traffic , 1993, SIGCOMM '93.

[3]  David K. Y. Yau,et al.  Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles , 2002, IEEE 2002 Tenth IEEE International Workshop on Quality of Service (Cat. No.02EX564).

[4]  Jacek Ilow Parameter estimation in FARIMA processes with applications to network traffic modeling , 2000, Proceedings of the Tenth IEEE Workshop on Statistical Signal and Array Processing (Cat. No.00TH8496).

[5]  Mario Gerla,et al.  Defense against low-rate TCP-targeted denial-of-service attacks , 2004, Proceedings. ISCC 2004. Ninth International Symposium on Computers And Communications (IEEE Cat. No.04TH8769).

[6]  S. Jamaloddin Golestani,et al.  A self-clocked fair queueing scheme for broadband applications , 1994, Proceedings of INFOCOM '94 Conference on Computer Communications.

[7]  George Varghese,et al.  Efficient fair queueing using deficit round robin , 1995, SIGCOMM '95.

[8]  Eamonn Keogh Exact Indexing of Dynamic Time Warping , 2002, VLDB.

[9]  Ratul Mahajan,et al.  Controlling high-bandwidth flows at the congested router , 2001, Proceedings Ninth International Conference on Network Protocols. ICNP 2001.

[10]  Mina Guirguis,et al.  Exploiting the transients of adaptation for RoQ attacks on Internet resources , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[11]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[12]  S. Chiba,et al.  Dynamic programming algorithm optimization for spoken word recognition , 1978 .

[13]  Alex C. Snoeren,et al.  Hash-based IP traceback , 2001, SIGCOMM '01.

[14]  Paul E. McKenney,et al.  Stochastic fairness queueing , 1990, Proceedings. IEEE INFOCOM '90: Ninth Annual Joint Conference of the IEEE Computer and Communications Societies@m_The Multiple Facets of Integration.

[15]  Azer Bestavros,et al.  Self-similarity in World Wide Web traffic: evidence and possible causes , 1996, SIGMETRICS '96.

[16]  Fei Xue,et al.  Traffic modeling based on FARIMA models , 1999, Engineering Solutions for the Next Millennium. 1999 IEEE Canadian Conference on Electrical and Computer Engineering (Cat. No.99TH8411).

[17]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[18]  Sally Floyd,et al.  Simulation-based comparisons of Tahoe, Reno and SACK TCP , 1996, CCRV.

[19]  Mark Handley,et al.  Congestion control for high bandwidth-delay product networks , 2002, SIGCOMM '02.

[20]  Vern Paxson,et al.  On estimating end-to-end network path properties , 2001, SIGCOMM LA '01.