DOI: 10.1145/863955.863966

Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Published: 25 August 2003

    Abstract

    Denial of Service attacks are presenting an increasing threat to the global inter-networking infrastructure. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to attack by high-rate non-responsive flows. In this paper, we investigate a class of low-rate denial of service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulations, and Internet experiments, we show that maliciously chosen low-rate DoS traffic patterns that exploit TCP's retransmission time-out mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Moreover, as such attacks exploit protocol homogeneity, we study fundamental limits of the ability of a class of randomized time-out mechanisms to thwart such low-rate DoS attacks.



      Published In

      SIGCOMM '03: Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
      August 2003, 432 pages
      ISBN: 1581137354
      DOI: 10.1145/863955
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. TCP
      2. denial of service
      3. retransmission timeout


      Conference

      SIGCOMM03

      Acceptance Rates

      SIGCOMM '03 Paper Acceptance Rate 34 of 319 submissions, 11%;
      Overall Acceptance Rate 554 of 3,547 submissions, 16%

      Article Metrics

      • Downloads (last 12 months): 532
      • Downloads (last 6 weeks): 57

      Cited By

      • (2024) Toward Scalable and Low-Cost Traffic Testing for Evaluating DDoS Defense Solutions. IEEE/ACM Transactions on Networking, 32(1):191-206, Feb 2024. DOI: 10.1109/TNET.2023.3281449
      • (2024) Survey on Low-Rate DDoS Attacks, Detection and Defense. 2024 23rd International Symposium INFOTEH-JAHORINA (INFOTEH), pp. 1-6, 20 Mar 2024. DOI: 10.1109/INFOTEH60418.2024.10496020
      • (2024) Enhanced detection of low-rate DDoS attack patterns using machine learning models. Journal of Network and Computer Applications, 227:103903, Jul 2024. DOI: 10.1016/j.jnca.2024.103903
      • (2023) Temporal CDN-convex lens. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6185-6202, 9 Aug 2023. DOI: 10.5555/3620237.3620583
      • (2023) NRDelegationAttack. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 3187-3204, 9 Aug 2023. DOI: 10.5555/3620237.3620416
      • (2023) A Method for Detecting LDoS Attacks in SDWSN Based on Compressed Hilbert–Huang Transform and Convolutional Neural Networks. Sensors, 23(10):4745, 14 May 2023. DOI: 10.3390/s23104745
      • (2023) FEAROL: Aging Flow Entries Based on Local Staircase Randomized Response for Secure SDN Flow Tables. Applied Sciences, 13(5):2985, 25 Feb 2023. DOI: 10.3390/app13052985
      • (2023) Experimental Evaluation of LDoS Attacks on QUIC. 2023 Fourteenth International Conference on Mobile Computing and Ubiquitous Network (ICMU), pp. 1-4, 29 Nov 2023. DOI: 10.23919/ICMU58504.2023.10412213
      • (2023) Memory-saving LDoS Attacker Detection Algorithms in Zigbee Network. Journal of Information Processing, 31:537-549, 2023. DOI: 10.2197/ipsjjip.31.537
      • (2023) QoS-Dependent Event-Triggered Control for UAVs on Cognitive Radio Networks Subject to Deception Attacks. IEEE Transactions on Vehicular Technology, 72(9):11389-11400, Sep 2023. DOI: 10.1109/TVT.2023.3271326
