
Low-rate TCP-targeted denial of service attacks and counter strategies

Published: 01 August 2006

Abstract

Denial of Service attacks are presenting an increasing threat to the global inter-networking infrastructure. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to attack by high-rate non-responsive flows. In this paper, we investigate a class of low-rate denial of service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulations, and Internet experiments, we show that maliciously chosen low-rate DoS traffic patterns that exploit TCP's retransmission timeout mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Moreover, as such attacks exploit protocol homogeneity, we study fundamental limits of the ability of a class of randomized timeout mechanisms to thwart such low-rate DoS attacks.



Published In

IEEE/ACM Transactions on Networking, Volume 14, Issue 4
August 2006
251 pages

Publisher

IEEE Press


Author Tags

  1. TCP
  2. denial of service
  3. retransmission timeout

Qualifiers

  • Article


Article Metrics

  • Downloads (Last 12 months)3
  • Downloads (Last 6 weeks)1
Reflects downloads up to 09 Jan 2025


Cited By

  • (2022) Low-rate Denial of Service attack detection method based on time-frequency characteristics. Journal of Cloud Computing: Advances, Systems and Applications, 11:1. doi:10.1186/s13677-022-00308-3. Online publication date: 30-Aug-2022
  • (2022) Two Types of Novel DoS Attacks Against CDNs Based on HTTP/2 Flow Control Mechanism. Computer Security – ESORICS 2022, pp. 467-487. doi:10.1007/978-3-031-17140-6_23. Online publication date: 26-Sep-2022
  • (2022) A hybrid deep learning model based low-rate DoS attack detection method for software defined network. Transactions on Emerging Telecommunications Technologies, 33:5. doi:10.1002/ett.4443. Online publication date: 27-May-2022
  • (2021) Deterrence of Intelligent DDoS via Multi-Hop Traffic Divergence. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 923-939. doi:10.1145/3460120.3484737. Online publication date: 12-Nov-2021
  • (2021) Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3431-3446. doi:10.1145/3460120.3484585. Online publication date: 12-Nov-2021
  • (2021) Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) versus QUIC. Journal of Cryptology, 34:3. doi:10.1007/s00145-021-09389-w. Online publication date: 1-Jul-2021
  • (2020) Detection and classification of slow DoS attacks targeting network servers. Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1-7. doi:10.1145/3407023.3409198. Online publication date: 25-Aug-2020
  • (2019) The crosspath attack. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 19-36. doi:10.5555/3361338.3361341. Online publication date: 14-Aug-2019
  • (2019) Modeling of low-rate DDoS-attacks. Proceedings of the 12th International Conference on Security of Information and Networks, pp. 1-4. doi:10.1145/3357613.3357638. Online publication date: 12-Sep-2019
  • (2019) Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) vs. QUIC. Computer Security – ESORICS 2019, pp. 404-426. doi:10.1007/978-3-030-29959-0_20. Online publication date: 23-Sep-2019
