Performance analysis of TCP/AQM under denial-of-service attacks

The interaction between TCP and various active queue management (AQM) algorithms has been analyzed extensively over the last few years. However, the analysis usually assumes that neither the routers nor the TCP flows are under any network attack. In this paper, we investigate how the performance of TCP flows is affected by denial-of-service (DoS) attacks under drop tail and various AQM schemes. In particular, we consider two types of DoS attacks: the traditional flooding-based DoS (FDDoS) attacks and the recently proposed pulsing DoS (PDoS) attacks. Both analytical and simulation results show that the PDoS attacks are more effective than the FDDoS attacks at the same average attack rate. Moreover, drop tail surprisingly outperforms the RED-like AQMs when the router is under a PDoS attack, whereas the RED-like AQMs perform better under a severe FDDoS attack. On the other hand, the Adaptive Virtual Queue algorithm can retain a higher TCP throughput during PDoS attacks than the RED-like AQMs.
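The abstract's central claim, that a pulsing attack degrades TCP more than a flood of the same average rate, follows from how a TCP sender reacts to the loss pattern rather than to the loss volume: a flood causes a trickle of drops that only halve the window, while a burst can take out most of a window at once and force a retransmission timeout. The following toy model, added here as an illustration and not the paper's own analytical or simulation model, makes that mechanism visible for a single flow at a drop-tail bottleneck. The bottleneck capacity, buffer size, RTO length in rounds and the proportional drop sharing are all constructed assumptions; one simulation round stands for one RTT.

```python
"""Round-based toy model of one TCP flow sharing a drop-tail bottleneck with
attack traffic. Constructed for illustration; it is not the paper's model."""

# Assumed bottleneck parameters (constructed, not taken from the paper).
CAPACITY = 10      # packets served per round (one round = one RTT)
BUFFER = 20        # drop-tail queue limit beyond the packets served this round
RTO_ROUNDS = 3     # rounds the flow stays silent after a modelled timeout


def flooding(rate):
    """FDDoS: a constant `rate` attack packets every round."""
    return lambda t: rate


def pulsing(avg_rate, period):
    """PDoS: the same average rate, sent as one burst every `period` rounds."""
    burst = avg_rate * period
    return lambda t: burst if t % period == 0 else 0


def tcp_goodput(attack, rounds=200):
    """Average TCP packets accepted into the bottleneck per round.

    Each round the queue can absorb CAPACITY + BUFFER - backlog packets; any
    excess is dropped, shared between TCP and attack packets in proportion to
    their arrivals. The sender reacts like a simplified Reno flow:
    no loss -> cwnd += 1; loss of under half the window -> cwnd halved;
    loss of half the window or more -> treated as a timeout (cwnd = 1 and
    RTO_ROUNDS silent rounds).
    """
    cwnd, backlog, idle, accepted = 1, 0, 0, 0
    for t in range(rounds):
        tcp_sent = 0 if idle else cwnd
        atk = attack(t)
        arrivals = tcp_sent + atk
        space = CAPACITY + BUFFER - backlog
        dropped = max(0, arrivals - space)
        # proportional share of the drop-tail overflow hitting the TCP flow
        tcp_dropped = dropped * tcp_sent // arrivals if arrivals else 0
        accepted += tcp_sent - tcp_dropped
        backlog = max(0, backlog + arrivals - dropped - CAPACITY)
        if idle:
            idle -= 1                       # still waiting out the RTO
        elif tcp_dropped == 0:
            cwnd += 1                       # additive increase
        elif 2 * tcp_dropped >= tcp_sent:
            cwnd, idle = 1, RTO_ROUNDS      # modelled retransmission timeout
        else:
            cwnd = max(1, cwnd // 2)        # fast-recovery style halving
    return accepted / rounds


def compare(avg_rate=2, period=20, rounds=200):
    """Goodput with no attack, under a flood, and under a pulse of equal
    average rate, so the three can be read side by side."""
    return {
        "no_attack": tcp_goodput(flooding(0), rounds),
        "flooding": tcp_goodput(flooding(avg_rate), rounds),
        "pulsing": tcp_goodput(pulsing(avg_rate, period), rounds),
    }


if __name__ == "__main__":
    for name, goodput in compare().items():
        print(f"{name:>10}: {goodput:5.2f} packets/round")
```

With these parameters the flood costs the flow roughly its own share of the link (the queue stays near full and each overflow halves the window), whereas the burst empties most of a window every period and the flow spends the RTO plus a slow-start ramp at a fraction of the capacity, so the pulsing goodput comes out clearly below the flooding goodput despite the identical average attack rate. The model has no AQM, so it says nothing about the RED versus drop-tail comparison in the paper; it isolates only the timeout mechanism that makes the pulse pattern effective.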
