Abstract
Volume-based network denial-of-service (DoS) attacks refer to a class of cyber attacks where an adversary seeks to block user traffic from service by sending adversarial traffic that reduces the available user capacity. In this paper, we explore the fundamental limits of volume-based network DoS attacks by studying the minimum required rate of adversarial traffic and investigating optimal attack strategies. We start our analysis with single-hop networks where user traffic is routed to servers following the Join-the-Shortest-Queue (JSQ) rule. Given the service rates of servers and arrival rates of user traffic, we first characterize the feasibility region of the attack and show that the attack is feasible if and only if the rate of the adversarial traffic lies in the region. We then design an attack strategy that is (i) optimal: it guarantees the success of the attack whenever the adversarial traffic rate lies in the feasibility region, and (ii) oblivious: it does not rely on knowledge of service rates or user traffic rates. Finally, we extend our results on the feasibility region of the attack and the optimal attack strategy to multi-hop networks that employ Back-pressure (Max-Weight) routing. At a higher level, this paper addresses a class of dual problems of stochastic network stability, i.e., how to optimally de-stabilize a network.
Fundamental Limits of Volume-based Network DoS Attacks
SIGMETRICS '20: Abstracts of the 2020 SIGMETRICS/Performance Joint International Conference on Measurement and Modeling of Computer Systems