Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals

This paper addresses the important problem of detecting pulsing denial-of-service (PDoS) attacks, which send a sequence of attack pulses to reduce TCP throughput. Unlike previous works, which focused on a restricted form of attack, we consider a very broad class of attacks. In particular, our attack model admits any attack interval between two adjacent pulses, whether deterministic or not. It also includes the traditional flooding-based attacks as a limiting case (i.e., zero attack interval). Our main contribution is Vanguard, a new anomaly-based detection scheme for this class of PDoS attacks. Vanguard's detection is based on three traffic anomalies induced by the attacks, and it detects them using a CUSUM algorithm. We have prototyped Vanguard and evaluated it on a testbed. The experimental results show that Vanguard is more effective than previous methods that are based on other traffic anomalies (after a transformation using wavelet transform, Fourier transform, and autocorrelation) and other detection algorithms (e.g., dynamic time warping).
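As an added illustration (not Vanguard's code and not from the paper), the sketch below runs a one-sided CUSUM over a constructed per-interval anomaly metric to show why this kind of detector does not depend on the pulses being periodic, and why flooding falls out as the case where every interval carries a pulse. The abstract does not name the three anomalies, so the metric, the `drift` and `threshold` values, and all function names are assumptions.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed normal-traffic metric (assumption): cycles around a mean of 1.0.
BASELINE = [0.9, 1.1, 1.0, 1.2, 0.8]


def build_series(n: int, attack_start: int, gaps: Sequence[int],
                 pulse: float = 4.0) -> List[float]:
    """Constructed per-interval anomaly metric with pulses at the given gaps."""
    series = [BASELINE[i % len(BASELINE)] for i in range(n)]
    t, k = attack_start, 0
    while t < n:
        series[t] += pulse            # one attack pulse lands in interval t
        t += gaps[k % len(gaps)]      # next pulse after an arbitrary gap
        k += 1
    return series


def cusum(samples: Sequence[float], drift: float,
          threshold: float) -> Tuple[Optional[int], List[float]]:
    """One-sided CUSUM: y_n = max(0, y_{n-1} + x_n - drift); alarm if y_n > threshold."""
    y, stats, first_alarm = 0.0, [], None
    for i, x in enumerate(samples):
        # Normal samples sit below the drift, so y is pinned at zero;
        # only a sustained upward shift in the metric can accumulate.
        y = max(0.0, y + x - drift)
        stats.append(y)
        if first_alarm is None and y > threshold:
            first_alarm = i
    return first_alarm, stats


def run_demo() -> dict:
    drift, threshold = 1.5, 5.0       # assumed tuning, above the baseline mean
    cases = {
        "no attack": build_series(100, 100, [1]),
        "irregular pulses": build_series(100, 50, [3, 7, 2, 5, 4]),
        "flooding (pulse in every interval)": build_series(100, 50, [1]),
    }
    return {name: cusum(s, drift, threshold)[0] for name, s in cases.items()}


if __name__ == "__main__":
    for name, alarm in run_demo().items():
        print(f"{name}: first alarm at interval {alarm}")
```

The detector only accumulates the excess of the metric over the drift, so it needs no estimate of the attack period, which is what spectral and autocorrelation methods rely on.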