A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks

Although the existing robust random early detection (RRED) algorithm can preserve normal TCP throughput under various low-rate distributed denial-of-service (LDDoS) attacks, it fails to maintain fairness among TCP flows and cannot counter large-scale LDDoS attacks or address-spoofing LDDoS attacks. In contemporary networks, it is much easier to launch UDP-based LDDoS attacks, which achieve a more severe attack effect with much lower effort, than to launch TCP-based attacks. Based on this observation, this paper proposes the fair robust random early detection (FRRED) algorithm, a TCP-friendly AQM algorithm that improves performance in terms of both throughput and fairness. The key idea of FRRED is 'protocol-based hash partitioning', which segregates the records of UDP and TCP flows maintained in a space-efficient, well-designed counting Bloom filter. Theoretical analysis and simulation results show that FRRED can effectively preserve TCP throughput and significantly improve fairness among TCP flows, mitigating various LDDoS attacks.
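As an added illustration (not the paper's code, and simplified from the mechanism the abstract names), the following Python keeps one counting Bloom filter bucket array per transport protocol and shows, on constructed flow tuples, that a flood of spoofed UDP flows inflates the records of unrelated TCP flows when the buckets are shared but leaves them untouched when they are partitioned. The filter size, hash count and the use of plain per-flow counters are assumptions, not values from the paper.

```python
import hashlib

# Added illustration, not the paper's code: a counting Bloom filter whose bucket
# arrays are partitioned by transport protocol, so a flood of (possibly spoofed)
# UDP flows cannot collide with the records kept for TCP flows. Sizes are assumed.

def _indices(key: bytes, k: int, m: int):
    """k bucket indices in [0, m), one per salted SHA-256 digest of the flow key."""
    for salt in range(k):
        h = hashlib.sha256(bytes([salt]) + key).digest()
        yield int.from_bytes(h[:8], "big") % m


class CountingBloomFilter:
    """Per-flow records; partitioned=True keeps one bucket array per protocol."""

    def __init__(self, m: int = 1024, k: int = 3, partitioned: bool = True):
        self.m, self.k, self.partitioned = m, k, partitioned
        names = ("tcp", "udp") if partitioned else ("shared",)
        self.buckets = {n: [0] * m for n in names}

    def _array(self, proto: str):
        return self.buckets[proto if self.partitioned else "shared"]

    @staticmethod
    def _key(proto: str, flow: tuple) -> bytes:
        # flow = (src_ip, dst_ip, src_port, dst_port); the protocol is part of the key
        return (proto + "|" + "|".join(map(str, flow))).encode()

    def add(self, proto: str, flow: tuple) -> None:
        arr = self._array(proto)
        for i in _indices(self._key(proto, flow), self.k, self.m):
            arr[i] += 1

    def count(self, proto: str, flow: tuple) -> int:
        """Minimum bucket value: 0 means the flow definitely has no record."""
        arr = self._array(proto)
        return min(arr[i] for i in _indices(self._key(proto, flow), self.k, self.m))


def tcp_false_positives(partitioned: bool, udp_flows: int = 5000) -> int:
    """Constructed experiment: never-seen TCP flows that look present after a UDP flood."""
    cbf = CountingBloomFilter(partitioned=partitioned)
    # Constructed addresses: a few legitimate TCP flows, then many spoofed UDP sources.
    for port in range(50000, 50010):
        cbf.add("tcp", ("10.0.0.2", "10.0.0.1", port, 80))
    for n in range(udp_flows):
        cbf.add("udp", (f"198.51.100.{n % 256}", "10.0.0.1", 1024 + n, 53))
    probes = [("10.0.0.3", "10.0.0.1", port, 443) for port in range(60000, 60100)]
    return sum(1 for flow in probes if cbf.count("tcp", flow) > 0)
```

With shared buckets essentially all 100 probe TCP flows acquire phantom records from the UDP flood; with per-protocol partitioning the TCP array is untouched by UDP traffic, which is the isolation property the partitioning is meant to give the AQM's TCP-flow bookkeeping.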
