skip to main content
research-article
Open Access

Fundamental Limits of Volume-based Network DoS Attacks

Authors Info & Claims
Published:17 December 2019Publication History
Skip Abstract Section

Abstract

Volume-based network denial-of-service (DoS) attacks refer to a class of cyber attacks where an adversary seeks to block user traffic from service by sending adversarial traffic that reduces the available user capacity. In this paper, we explore the fundamental limits of volume-based network DoS attacks by studying the minimum required rate of adversarial traffic and investigating optimal attack strategies. We start our analysis with single-hop networks where user traffic is routed to servers following the Join-the-Shortest-Queue (JSQ) rule. Given the service rates of servers and arrival rates of user traffic, we first characterize the feasibility region of the attack and show that the attack is feasible if and only if the rate of the adversarial traffic lies in the region. We then design an attack strategy that is (i).optimal: it guarantees the success of the attack whenever the adversarial traffic rate lies in the feasibility region and (ii).oblivious: it does not rely on knowledge of service rates or user traffic rates. Finally, we extend our results on the feasibility region of the attack and the optimal attack strategy to multi-hop networks that employ Back-pressure (Max-Weight) routing. At a higher level, this paper addresses a class of dual problems of stochastic network stability, i.e., how to optimally de-stabilize a network.

References

  1. urlhttps://www.msspalert.com/cybersecurity-research/kaspersky-lab-study-average-cost-of-enterprise-ddos-attack-totals-2m/Google ScholarGoogle Scholar
  2. urlhttps://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/Google ScholarGoogle Scholar
  3. T. Zargar, J. Joshi and D. Tipper, “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks”, in IEEE communications surveys & tutorials, Vol. 15, No. 4, pp. 2046--2069, 2013Google ScholarGoogle Scholar
  4. . Kolias, G. Kambourakis, A. Stavrou and J. Voas, “DDoS in the IoT: Mirai and other botnets”, in Computer, Vol. 50, No. 7, pp. 80--84, 2017.Google ScholarGoogle ScholarCross RefCross Ref
  5. . Braga, E. de Souza Mota and A. Passito, “Lightweight DDoS flooding attack detection using NOX/OpenFlow”, in IEEE LCN, Vol. 10 pp. 408--415, 2010.Google ScholarGoogle Scholar
  6. . Compagno, M. Conti, P. Gasti and G. Tsudik, “Poseidon: Mitigating interest flooding DDoS attacks in named data networking”, in IEEE LCN, pp. 630--638, 2013.Google ScholarGoogle Scholar
  7. . Borodin, J. Kleinberg, P. Raghavan, M. Sudan and D. P. Williamson, “Adversarial queuing theory” in Journal of the ACM, Vol. 48, No. 1, pp. 13--38, 2001.Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. . Gamarnik, “Stability of adaptive and nonadaptive packet routing policies in adversarial queueing networks” in SIAM Journal on Computing, Vol. 32, No. 2, pp. 371--385, 2003.Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. . Goel, “Stability of networks and protocols in the adversarial queueing model for packet routing”, in Networks: An International Journal, Vol. 37, No. 4, pp.219--224, 2001.Google ScholarGoogle Scholar
  10. .J. Neely, “Stochastic network optimization with application to communication and queueing systems”, in Synthesis Lectures on Communication Networks, Vol. 3, No. 1, pp. 1--211, 2010.Google ScholarGoogle ScholarCross RefCross Ref
  11. . Gupta, M. H. Balter, K. Sigman and W. Whitt, “Analysis of join-the-shortest-queue routing for web server farms”, in Performance Evaluation, Vol. 64, No. 9--12, pp. 1062--1081, 2007.Google ScholarGoogle Scholar
  12. . Lu, Q. Xie, G. Kliot, A. Geller, J. R. Larus and A. Greenberg, “Join-Idle-Queue: A novel load balancing algorithm for dynamically scalable web services”, in Performance Evaluation, Vol. 68, no. 11, pp. 1056--1071, 2011.Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. . K. Wood, “Deterministic network interdiction. Mathematical and Computer Modelling”, Vol. 17, No. 2, pp. 1--18, 1993Google ScholarGoogle Scholar
  14. . A. Phillips, “The network inhibition problem”, in Proc. of ACM STOC, pp. 776--785, 1993.Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. . Fu and E. Modiano, “Network Interdiction Using Adversarial Traffic Flows”, in IEEE INFOCOM, pp. 1765--1773, 2019.Google ScholarGoogle Scholar
  16. . Wang and N. Shroff, “Security game with non-additive utilities and multiple attacker resources”, in Proc. of the ACM on Measurement and Analysis of Computing Systems, Vol. 1, No. 1, pp.13, 2017Google ScholarGoogle Scholar
  17. . H. Manshaei, Q. Zhu, T. Alpcan, T. Bacsar and J-P Hubaux, “Game theory meets network security and privacy”, in ACM Computing Surveys, Vol. 45, No. 3, pp. 25, 2013.Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. . Tassiulas and A. Ephremides, “Stability properties of constrained queueing systems and scheduling policies for maximum throughput in multihop radio networks”, in IEEE Conference on Decision and Control, pp. 2130--2132, 1990.Google ScholarGoogle Scholar
  19. . Liang and Modiano, “Network utility maximization in adversarial environments”, in IEEE INFOCOM, pp. 594--602, 2018.Google ScholarGoogle Scholar
  20. . Liang and E. Modiano, “Minimizing Queue Length Regret Under Adversarial Network Models”, in Proc. of the ACM on Measurement and Analysis of Computing Systems, Vol. 2, No. 1, pp.11, 2018.Google ScholarGoogle Scholar
  21. . S. Paschos and L. Tassiulas, “Sustainability of Service Provisioning Systems Under Stealth DoS Attacks”, in IEEE Trans. on Control of Network Systems, Vol. 4, No. 4, pp. 749--760, 2017.Google ScholarGoogle ScholarCross RefCross Ref
  22. Shah and D. Wischik, “Fluid models of congestion collapse in overloaded switched networks,” in Queueing Systems, vol. 69, no. 2, pp: 121, 2011.Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. . Shah and D. Wischik, “Switched networks with maximum weight policies: Fluid approximation and multiplicative state space collapse,” in The Annals of Applied Probability, Vol. 22, No. 1, pp. 70--127, 2012.Google ScholarGoogle ScholarCross RefCross Ref
  24. . Fayolle, V. A. Malyshev and M. V. Men'shikov, “Topics in the constructive theory of countable Markov chains,” Cambridge university press, 199Google ScholarGoogle Scholar
  25. . Avrahami and Y. Azar, “Minimizing total flow time and total completion time with immediate dispatching,” in Algorithmica, Vol. 47, No. 3, pp. 253--268, 2007.Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. . Grosof, Z. Scully and M. Harchol-Balter, “Load Balancing Guardrails: Keeping Your Heavy Traffic on the Road to Low Response Times,” in Proc. of the ACM on Measurement and Analysis of Computing Systems, Vol. 3, No. 2, pp. 42, 2019.Google ScholarGoogle Scholar
  27. . Berger, M. Karsten and J. Schmitt, “On the relevance of adversarial queueing theory in practice,” in ACM SIGMETRICS Performance Evaluation Review, Vol. 42, No. 1, pp. 343--354, 2014.Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. W. Tan, DM. Chiu, J. CS. Lui and D. KY. Yau, “A distributed throttling approach for handling high bandwidth aggregates,” in IEEE Trans. on Parallel and Distributed Systems, Vol. 18, No. 7, pp. 983--995, 2007.Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. . Georgiadis, L. Tassiulas, “Optimal overload response in sensor networks”, in IEEE Trans. on Information Theory, Vol. 52, No. 6, pp. 2684--2696, 2006.Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. . K. Ahuja, T. L. Magnanti and J. B. Orlin, “Network flows”, 1988.Google ScholarGoogle Scholar

Index Terms

  1. Fundamental Limits of Volume-based Network DoS Attacks

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!