A new mechanism for improving robustness of TCP against pulsing denial-of-service attacks

In this paper, we propose a new mechanism to combat pulsing Denial-of-Service (DoS) attacks. Pulsing DoS attacks can seriously degrade the throughput of legitimate TCP flows in a stealthy manner. The attacker send periodic short bursts of traffic (i.e. pulses) to cause packet losses of TCP flows. For improving robustness of TCP against the attacks, we propose to use adaptive bandwidth estimation mechanism in TCP congestion control process. The performance of the proposed method is evaluated through simulations, and is compared with the other TCP variants. From the simulation results, we verified that the proposed method can effectively mitigate the effect of pulsing DoS attacks.

[1]  Aleksandar Kuzmanovic,et al.  Low-rate TCP-targeted denial of service attacks and counter strategies , 2003, IEEE/ACM Transactions on Networking.

[2]  Symeon Papavassiliou,et al.  Network intrusion and fault detection: a statistical anomaly approach , 2002, IEEE Commun. Mag..

[3]  Xiapu Luo,et al.  On a New Class of Pulsing Denial-of-Service Attacks and the Defense , 2005, NDSS.

[4]  Vern Paxson,et al.  On estimating end-to-end network path properties , 2001, SIGCOMM LA '01.

[5]  Vern Paxson,et al.  TCP Congestion Control , 1999, RFC.

[6]  Konstantinos Psounis,et al.  CHOKe - a stateless active queue management scheme for approximating fair bandwidth allocation , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[7]  David K. Y. Yau,et al.  Defending against low-rate TCP attacks: dynamic detection and protection , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[8]  Sally Floyd,et al.  TCP Selective Acknowledgement Options , 1996 .

[9]  Kai Hwang,et al.  HAWK: Halting Anomalies with Weighted Choking to Rescue Well-Behaved TCP Sessions from Shrew DDoS Attacks , 2005, ICCNMC.

[10]  Ren Wang,et al.  Efficiency/friendliness tradeoffs in TCP Westwood , 2002, Proceedings ISCC 2002 Seventh International Symposium on Computers and Communications.

[11]  Vern Paxson,et al.  On estimating end-to-end network path properties , 2001, SIGCOMM LA '01.

[12]  Ren Wang,et al.  TCP westwood: Bandwidth estimation for enhanced transport over wireless links , 2001, MobiCom '01.

[13]  Mario Gerla,et al.  Defense against low-rate TCP-targeted denial-of-service attacks , 2004, Proceedings. ISCC 2004. Ninth International Symposium on Computers And Communications (IEEE Cat. No.04TH8769).

[14]  Sally Floyd,et al.  Increasing TCP's Initial Window , 1998, RFC.

[15]  Rocky K. C. Chang,et al.  Defending against flooding-based distributed denial-of-service attacks: a tutorial , 2002, IEEE Commun. Mag..

[16]  Kai Hwang,et al.  Filtering of shrew DDoS attacks in frequency domain , 2005, The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05)l.

[17]  Ratul Mahajan,et al.  Controlling high-bandwidth flows at the congested router , 2001, Proceedings Ninth International Conference on Network Protocols. ICNP 2001.

[18]  Wenhao Huang,et al.  Proceedings of the 5th WSEAS international conference on Applied computer science , 2006 .

[19]  Andreas Terzis,et al.  On the effect of router buffer sizes on low-rate denial of service attacks , 2005, Proceedings. 14th International Conference on Computer Communications and Networks, 2005. ICCCN 2005..

[20]  Nirwan Ansari,et al.  Low rate TCP denial-of-service attack detection at edge routers , 2005, IEEE Communications Letters.