Article

Free access

Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Authors:

Aleksandar Kuzmanovic and

Edward W. KnightlyAuthors Info & Claims

SIGCOMM '03: Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications

August 2003

Pages 75 - 86

https://doi.org/10.1145/863955.863966

Published: 25 August 2003 Publication History

Abstract

Denial of Service attacks are presenting an increasing threat to the global inter-networking infrastructure. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to attack by high-rate non-responsive flows. In this paper, we investigate a class of low-rate denial of service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulations, and Internet experiments, we show that maliciously chosen low-rate DoS traffic patterns that exploit TCP's retransmission time-out mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Moreover, as such attacks exploit protocol homogeneity, we study fundamental limits of the ability of a class of randomized time-out mechanisms to thwart such low-rate DoS attacks.

References

[1]

M. Allman and V. Paxson. On estimating end-to-end network path properties. In Proceedings of ACM SIGCOMM '99, Vancouver, British Columbia, September 1999.

Digital Library

[2]

F. Anjum and L. Tassiulas. Fair bandwidth sharing among adaptive and non-adaptive flows in the Internet. In Proceedings of IEEE INFOCOM '99, New York, NY, March 1999.

[3]

R. L. Carter and M. E. Crovella. Measuring bottleneck link speed in packet-switched networks. Performence Evaluation, 27(28):297--318, 1996.

Digital Library

[4]

C. Dovrolis, P. Ramanathan, and D. Moore. What do packet dispersion techniques measure? In Proceedings of IEEE INFOCOM '01, Anchorage, Alaska, April 2001.

[5]

F. Ertemalp, D. Chiriton, and A. Bechtolsheim. Using dynamic buffer limiting to protect against belligerent flows in high-speed networks. In Proceedings of IEEE ICNP '01, Riverside, CA, November 2001.

Digital Library

[6]

C. Estan and G. Varghese. New directions in traffic measurement and accounting. In Proceedings of ACM SIGCOMM '02, Pittsburgh, PA, Aug. 2002.

Digital Library

[7]

K. Fall and S. Floyd. Simulation-based comparison of Tahoe, Reno and SACK TCP. ACM Computer Comm. Review, 5(3):5--21, July 1996.

Digital Library

[8]

A. Feldmann, A. C. Gilbert, P. Huang, and W. Willinger. Dynamics of IP traffic: A study of the role of variability and the impact of control. In Proceedings of ACM SIGCOMM '99, Vancouver, British Columbia, September 1999.

Digital Library

[9]

W. Feng, D. Kandlur, D. Saha, and K. Shin. Stochastic fair BLUE: A queue management algorithm for enforcing fairness. In Proceedings of IEEE INFOCOM '01, Anchorage, Alaska, June 2001.

[10]

S. Floyd and V. Jacobson. On traffic phase effects in packet-switched gateways. Internetworking: Research and Experience, 3(3):115--156, September 1992.

[11]

S. Floyd and V. Jacobson. Random early detection gateways for congestion avoidance. IEEE/ACM Transactions on Networking, 1(4):397--413, 1993.

Digital Library

[12]

S. Floyd and E. Kohler. Internet research needs better models. In Proceedings of HOTNETS '02, Princeton, New Jersey, October 2002.

[13]

S. Floyd, J. Madhavi, M. Mathis, and M. Podolsky. An extension to the selective acknowledgement (SACK) option for TCP, July 2000. Internet RFC 2883.

Digital Library

[14]

J. Hoe. Improving the start-up behavior of a congestion control scheme for TCP. In Proceedings of ACM SIGCOMM '96, Stanford University, CA, August 1996.

Digital Library

[15]

V. Jacobson. Congestion avoidance and control. ACM Computer Comm. Review, 18(4):314--329, Aug. 1988.

Digital Library

[16]

V. Jacobson. Pathchar: A tool to infer characteristics of Internet paths. ftp://ftp.ee.lbl.gov/pathchar/, Apr. 1997.

[17]

M. Jain and C. Dovrolis. End-to-end available bandwidth: Measurement methodology, dynamics, and relation with TCP throughput. In Proceedings of ACM SIGCOMM '02, Pittsburgh, PA, Aug. 2002.

Digital Library

[18]

H. Jiang and C. Dovrolis. Passive estimation of TCP round-trip times. ACM Computer Comm. Review, 32(3):5--21, July 2002.

Digital Library

[19]

K. Lai and M. Baker. Measuring link bandwidths using a deterministic model of packet delay. In Proceedings of ACM SIGCOMM '00, Stockholm, Sweden, August 2000.

Digital Library

[20]

D. Lin and R. Morris. Dynamics of Random Early Detection. In Proceedings of ACM SIGCOMM '97, Cannes, France, September 1997.

Digital Library

[21]

J. Liu and M. Crovella. Using loss pairs to discover network properties. In Proceedings of IEEE/ACM SIGCOMM Internet Measurement Workshop, San Francisco, CA, Nov. 2001.

Digital Library

[22]

R. Mahajan, S. Floyd, and D. Wetherall. Controlling high-bandwidth flows at the congested router. In Proceedings of IEEE ICNP '01, Riverside, CA, November 2001.

Digital Library

[23]

T. J. Ott, T. V. Lakshman, and L. Wong. SRED: Stabilized RED. In Proceedings of IEEE INFOCOM '99, New York, NY, March 1999.

[24]

R. Pain, B. Prabhakar, and K. Psounis. CHOKe, a stateless active queue management scheme for approximating fair bandwidth allocation. In Proceedings of IEEE INFOCOM '00, Tel Aviv, Israel, March 2000.

[25]

A. Pasztor and D. Veitch. High precision active probing for Internet measurement. In Proceedings of INET '01, Stockholm, Sweden, 2001.

[26]

A. Pasztor and D. Veitch. The packet size dependence of packet pair like methods. In Proceedings of IWQoS '02, Miami, FL, May 2002.

[27]

V. Paxson. End-to-end Internet packet dynamics. IEEE/ACM Transactions on Networking, 7(3):277--292, June 1999.

Digital Library

[28]

V. Paxson and M. Allman. Computing TCP's retransmission timer, November 2000. Internet RFC 2988.

Digital Library

[29]

A. Rangarajan and A. Acharya. ERUF: Early regulation of unresponsive best-effort traffic. In Proceedings of IEEE ICNP '99, Toronto, CA, October 1999.

Digital Library

[30]

A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent, and W. T. Strayer. Hash-based IP traceback. In Proceedings of ACM SIGCOMM '01, San Diego, CA, August 2001.

Digital Library

[31]

L. Zhang, S. Shenker, and D. Clark. Observation on the dynamics of a congestion control algorithm: The effects of two-way traffic. In Proceedings of ACM SIGCOMM'91, Zurich, Switzerland, September 1991.

Digital Library

Cited By

Chen XLiu HHuang QZhang DZhou HWu CLiu X(2024)Toward Scalable and Low-Cost Traffic Testing for Evaluating DDoS Defense SolutionsIEEE/ACM Transactions on Networking10.1109/TNET.2023.328144932:1(191-206)Online publication date: Feb-2024
https://doi.org/10.1109/TNET.2023.3281449
Drinić DČiča Z(2024)Survey on Low-Rate DDoS Attacks, Detection and Defense2024 23rd International Symposium INFOTEH-JAHORINA (INFOTEH)10.1109/INFOTEH60418.2024.10496020(1-6)Online publication date: 20-Mar-2024
https://doi.org/10.1109/INFOTEH60418.2024.10496020
Bocu RIavich M(2024)Enhanced detection of low-rate DDoS attack patterns using machine learning modelsJournal of Network and Computer Applications10.1016/j.jnca.2024.103903227(103903)Online publication date: Jul-2024
https://doi.org/10.1016/j.jnca.2024.103903
Show More Cited By

Index Terms

Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants
1. Networks
  1. Network protocols

Recommendations

Low-rate TCP-targeted denial of service attacks and counter strategies

Denial of Service attacks are presenting an increasing threat to the global inter-networking infrastructure. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation ...
Read More
Defense against low-rate TCP-targeted denial-of-service attacks
ISCC '04: Proceedings of the Ninth International Symposium on Computers and Communications 2004 Volume 2 (ISCC"04) - Volume 02

Low-rate TCP-targeted denial-of-service (DoS) attacks aim at the fact that most operating systems in use today have a common base TCP retransmission timeout (RTO) of 1 sec. An attacker injects periodic bursts of packets to fill the bottleneck queue and ...
Read More
Mitigating denial of service attacks: a tutorial

This tutorial describes what Denial of Service (DOS) attacks are. how they can be carried out in IP networks, and how one can defend against them. Distributed DoS (DDoS) attacks are included here as a subset of DoS attacks. A DoS attack has two phases: ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SIGCOMM '03: Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications

August 2003

432 pages

ISBN:1581137354

DOI:10.1145/863955

General Chairs:
Anja Feldmann
TU Munich
,
Martina Zitterbart
University of Karlsruhe
,
Program Chairs:
Jon Crowcroft
University of Cambridge
,
David Wetherall
University of Washington

Copyright © 2003 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 August 2003

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SIGCOMM03

Sponsor:

SIGCOMM03: Applications, Technologies, Architectures, and Protocols for Computer Communications

August 25 - 29, 2003

Karlsruhe, Germany

Acceptance Rates

SIGCOMM '03 Paper Acceptance Rate 34 of 319 submissions, 11%;

Overall Acceptance Rate 554 of 3,547 submissions, 16%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

193
Total Citations
View Citations
3,613
Total Downloads

Downloads (Last 12 months)532
Downloads (Last 6 weeks)57

Other Metrics

View Author Metrics

Citations

Cited By

Chen XLiu HHuang QZhang DZhou HWu CLiu X(2024)Toward Scalable and Low-Cost Traffic Testing for Evaluating DDoS Defense SolutionsIEEE/ACM Transactions on Networking10.1109/TNET.2023.328144932:1(191-206)Online publication date: Feb-2024
https://doi.org/10.1109/TNET.2023.3281449
Drinić DČiča Z(2024)Survey on Low-Rate DDoS Attacks, Detection and Defense2024 23rd International Symposium INFOTEH-JAHORINA (INFOTEH)10.1109/INFOTEH60418.2024.10496020(1-6)Online publication date: 20-Mar-2024
https://doi.org/10.1109/INFOTEH60418.2024.10496020
Bocu RIavich M(2024)Enhanced detection of low-rate DDoS attack patterns using machine learning modelsJournal of Network and Computer Applications10.1016/j.jnca.2024.103903227(103903)Online publication date: Jul-2024
https://doi.org/10.1016/j.jnca.2024.103903
Guo RChen JWang YMu KLiu BLi XZhang CDuan HWu JCalandrino JTroncoso C(2023)Temporal CDN-convex lensProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620583(6185-6202)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620583
Afek YBremler-Barr AStajnrod SCalandrino JTroncoso C(2023)NRDelegationAttackProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620416(3187-3204)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620416
Liu YSun DZhang RLi W(2023)A Method for Detecting LDoS Attacks in SDWSN Based on Compressed Hilbert–Huang Transform and Convolutional Neural NetworksSensors10.3390/s2310474523:10(4745)Online publication date: 14-May-2023
https://doi.org/10.3390/s23104745
Liao LMa XZhao CLi ZChao H(2023)FEAROL: Aging Flow Entries Based on Local Staircase Randomized Response for Secure SDN Flow TablesApplied Sciences10.3390/app1305298513:5(2985)Online publication date: 25-Feb-2023
https://doi.org/10.3390/app13052985
Hisasue RKawauchiya AInamura HIshida S(2023)Experimental Evaluation of LDoS Attacks on QUIC2023 Fourteenth International Conference on Mobile Computing and Ubiquitous Network (ICMU)10.23919/ICMU58504.2023.10412213(1-4)Online publication date: 29-Nov-2023
https://doi.org/10.23919/ICMU58504.2023.10412213
Okada SAkashi KMiyamoto DSekiya YTakase HNakamura H(2023)Memory-saving LDoS Attacker Detection Algorithms in Zigbee NetworkJournal of Information Processing10.2197/ipsjjip.31.53731(537-549)Online publication date: 2023
https://doi.org/10.2197/ipsjjip.31.537
Wu ZWang YZhang AXiong JXie M(2023)QoS-Dependent Event-Triggered Control for UAVs on Cognitive Radio Networks Subject to Deception AttacksIEEE Transactions on Vehicular Technology10.1109/TVT.2023.327132672:9(11389-11400)Online publication date: Sep-2023
https://doi.org/10.1109/TVT.2023.3271326
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents