Defending Against Low-rate TCP Attack: Dynamic Detection and Protection

Date post: 26-Jan-2016

Transcript
Page 1

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection

Prof. John C.S. Lui, CSE Dept., CUHK

Page 2

Outline

- Introduction to Low-rate TCP Attack
- Formal Description of Low-rate TCP Attack
- Distributed Dynamic Detection
- Low-rate Attack Defense Mechanism
- Fluid Model of TCP Flows
- Defence Experiments
- Related Work & Conclusion

Page 3

Introduction to the Low-rate TCP Attack

Common DoS attack:
- Consumes resources (bandwidth, buffers, etc.)
- Keeps legitimate users away from the service
- A large number of machines or agents are involved
- Harmful, but relatively easy to detect

Low-rate DoS attack:
- Aims to deny bandwidth to legitimate TCP flows
- The attacker sends the attack stream at low volume
- Exploits the TCP congestion control feature
- The attacker sends a periodic short burst to the victim/router

Page 4

TCP Retransmission Mechanism

TCP congestion control. Under severe network congestion:
- Wait until the retransmission timeout (RTO)
- Reduce the congestion window
- Double the RTO
- Retransmit the packet
- If it succeeds, enter the slow start phase; else, exponentially back off again

Calculation of RTO, in RFC 2988:

RTO = max(minRTO, SRTT + max(G, 4×RTTVAR))

Usually RTO = minRTO during slow start.
minRTO = 1 second (recommended in RFC 2988)
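The RFC 2988 estimator the slide quotes, as an added Python example that is not part of the presentation: it shows why a flow on a short path sits at RTO = minRTO = 1 s and how each retransmission timeout doubles it. The gains α = 1/8, β = 1/4 and K = 4 are the RFC's; the clock granularity G and the RTT samples are assumptions.

```python
# RFC 2988 RTO computation (alpha = 1/8, beta = 1/4, K = 4, RTO = max(minRTO, SRTT +
# max(G, K*RTTVAR)), doubled on each timeout). Added example, not from the slides;
# the clock granularity G and the RTT samples are assumptions.

ALPHA = 1.0 / 8     # SRTT gain
BETA = 1.0 / 4      # RTTVAR gain
K = 4               # RTTVAR multiplier
MIN_RTO = 1.0       # seconds, the minRTO recommended in RFC 2988 (quoted on the slide)
G = 0.001           # clock granularity in seconds (assumed)


class RtoEstimator:
    def __init__(self):
        self.srtt = None
        self.rttvar = None
        self.backoff = 1

    def update(self, rtt_sample):
        """Feed one RTT measurement (seconds) and return the resulting RTO."""
        if self.srtt is None:
            # First measurement: SRTT = R, RTTVAR = R/2.
            self.srtt = rtt_sample
            self.rttvar = rtt_sample / 2.0
        else:
            # RTTVAR is updated first, with the previous SRTT.
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - rtt_sample)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * rtt_sample
        self.backoff = 1    # a fresh sample recomputes RTO from SRTT/RTTVAR
        return self.rto()

    def on_timeout(self):
        """Exponential back off: RTO = RTO * 2 on every retransmission timeout."""
        self.backoff *= 2
        return self.rto()

    def rto(self):
        return max(MIN_RTO, self.srtt + max(G, K * self.rttvar)) * self.backoff


def rto_after(rtt_samples):
    """RTO after feeding the given RTT samples in order."""
    est = RtoEstimator()
    rto = None
    for r in rtt_samples:
        rto = est.update(r)
    return rto


def rto_backoff_sequence(rtt_sample, timeouts):
    """RTO after one measurement, then after each successive timeout."""
    est = RtoEstimator()
    seq = [est.update(rtt_sample)]
    for _ in range(timeouts):
        seq.append(est.on_timeout())
    return seq


if __name__ == "__main__":
    # A 100 ms path never lifts SRTT + 4*RTTVAR above the 1 s floor, so its RTO is
    # minRTO; one timeout doubles it to 2 s, a second one to 4 s.
    print(rto_after([0.1] * 20), rto_backoff_sequence(0.1, 2))
```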

Page 5

Low-rate DoS Attack to TCP Flow

An example of a low-rate DoS attack:
- A sufficiently large attack burst causes packet loss at the congested router
- TCP waits until timeout and retransmits after RTO
- When the attack period equals the RTO of the TCP flow, TCP continually incurs loss and achieves zero or very low throughput

(Figure: attack bursts and the TCP flow over time.) Average bandwidth of the attack stream: Avg BW = l×R/T

Page 6

What is next? Formal Description of Low-rate TCP Attack

Page 7

Formal Description

Mathematical description (figure: a periodic burst train with the following parameters):
- T: attack period
- l: length of burst
- R: rate of burst
- N: background noise
- S: time shift

Page 8

Low-rate DoS Traffic Pattern

The periodic burst may have different patterns:
- Step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM 03)
- Simple square wave (Kuzmanovic & Knightly, SIGCOMM 03)
- General peaks with background noise

Page 9

Low-rate DoS Traffic Pattern

- Attack traffic does not easily stay the same as the original by the time it reaches the victim router.
- Attack traffic in different periods may not be the same, so T, l and R may vary.

We need a "ROBUST" method to identify all possible forms of the attack.

Page 10

Low-rate DoS Traffic Pattern

Multiple distributed attack sources:
- Long period combination
- Small burst combination

Page 11

What is next? Distributed Dynamic Detection

Page 12

Dynamic Detection

Overall idea of dynamic detection (figure).

Page 13

Dynamic Detection

Traffic signature detection:
- Small average throughput => a throughput-based IDS does not work (X)
- No signature in the packets => "per packet" approaches do not work (X)
- Extract the essential signature of the attack traffic instead (√)

Page 14

Algorithm of Detection

Detection pipeline (figure): sample the traffic -> filter the noise -> extract the signature -> pattern match.

- Sample the throughput of the link interface at a constant rate (the rate should be frequent enough but not overburden the system).
- Each detection consists of a sequence of sampled throughput values (the length of the sequence should also be properly adjusted).
- Normalization is necessary:

  Normalized_Throughput = Instantaneous_throughput / Maximum_link_bandwidth

- The background noise in the samples needs to be filtered. Background noise: UDP flows and other TCP flows that are less sensitive to the attack. For simplicity, a threshold filter can be used.
- Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input gives a special pattern in its autocorrelation. Autocorrelation also masks the difference in time shift S. Unbiased normalization, with M the length of the input sequence and m the index of the autocorrelation:

  A_x(m) = (1 / (M − m)) × ∑_{n=0}^{M−m−1} X_{n+m} X_n

- The similarity between the template and the input should be calculated. We use Dynamic Time Warping (DTW); the detailed DTW algorithm is provided in the paper:

  DTW(Template, Input) = min ∑_{k=1}^{K} w_k

  (w_k is the k-th element of a warping path of length K; the minimum is over all warping paths). The smaller the DTW value, the more similar they are.
- DTW values will be clustered; a threshold can be set to distinguish them.
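The detection pipeline above, as an added Python example that is not the authors' code: normalize, threshold-filter the noise, take the unbiased autocorrelation and compare it to a template with DTW. The link bandwidth, both thresholds, the choice of an ideal square burst's autocorrelation as the template, and the attack and legitimate traces are assumptions or constructed data.

```python
import math
import random

# Detection pipeline from the slide: sample -> normalize -> filter noise -> unbiased
# autocorrelation -> DTW against a template -> threshold on the DTW value.
# Added example, not the authors' code. The link bandwidth, both thresholds, the
# template choice and every trace below are assumptions / constructed data.

MAX_LINK_BANDWIDTH = 1000.0   # kb/s, assumed capacity of the sampled link interface
NOISE_THRESHOLD = 0.3         # normalized; samples below it count as background noise
DTW_THRESHOLD = 1.0           # assumed cluster boundary for these constructed traces


def normalize(samples):
    """Normalized_Throughput = Instantaneous_throughput / Maximum_link_bandwidth."""
    return [s / MAX_LINK_BANDWIDTH for s in samples]


def threshold_filter(samples, threshold=NOISE_THRESHOLD):
    """Simple threshold filter: background noise (UDP, insensitive TCP) is zeroed."""
    return [s if s >= threshold else 0.0 for s in samples]


def unbiased_autocorrelation(x):
    """A_x(m) = 1/(M-m) * sum_{n=0}^{M-m-1} X[n+m]*X[n]; the time shift S drops out."""
    M = len(x)
    return [sum(x[n + m] * x[n] for n in range(M - m)) / (M - m) for m in range(M)]


def dtw(template, inp):
    """Dynamic Time Warping: minimum over warping paths of the summed |a_i - b_j|."""
    K, L = len(template), len(inp)
    cost = [[math.inf] * (L + 1) for _ in range(K + 1)]
    cost[0][0] = 0.0
    for i in range(1, K + 1):
        for j in range(1, L + 1):
            w = abs(template[i - 1] - inp[j - 1])
            cost[i][j] = w + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[K][L]


def square_burst(period, length, rate, shift, noise, samples):
    """Constructed throughput trace: a burst of `length` samples at `rate` every
    `period` samples, shifted by `shift` samples, over constant background `noise`."""
    return [rate if (n - shift) % period < length else noise for n in range(samples)]


def attack_signature(period, length, samples):
    """Template (assumption): autocorrelation of an ideal full-rate square burst."""
    return unbiased_autocorrelation(square_burst(period, length, 1.0, 0, 0.0, samples))


def dtw_score(raw_samples, template):
    """Run the whole pipeline on raw throughput samples and return the DTW value."""
    signal = threshold_filter(normalize(raw_samples))
    return dtw(template, unbiased_autocorrelation(signal))


def is_low_rate_attack(raw_samples, template, threshold=DTW_THRESHOLD):
    """Smaller DTW value = more similar to the periodic signature."""
    return dtw_score(raw_samples, template) < threshold


# Constructed inputs: 60 samples; attack period T = 10 samples, burst length l = 2,
# burst rate R = full link rate, background noise N = 100 kb/s, time shift S = 3.
TEMPLATE = attack_signature(period=10, length=2, samples=60)
ATTACK_TRACE = square_burst(10, 2, MAX_LINK_BANDWIDTH, 3, 100.0, 60)
# Legitimate traffic per the slides' Gaussian model C + Gaussian(0, N), seeded so the
# trace is fixed: C = 500 kb/s, N = 50 kb/s.
_rng = random.Random(7)
LEGIT_TRACE = [500.0 + _rng.gauss(0.0, 50.0) for _ in range(60)]

if __name__ == "__main__":
    # The shifted, noisy attack trace has the template's autocorrelation exactly.
    print("attack trace DTW:", dtw_score(ATTACK_TRACE, TEMPLATE))   # 0.0
    print("legit  trace DTW:", dtw_score(LEGIT_TRACE, TEMPLATE))
```

The Gaussian trace never gets near the template's mostly-zero autocorrelation, so its DTW value lands far above the attack cluster, which is the separation the following slides measure.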

Page 15

Robustness of Detection

Attack traffic simulations: DTW values for low-rate attack (figure: DTW value, 0 to 40, over about 12000 simulations).

4 types of attack traffic:
- Strictly Periodic Square Burst (SPSB)
- Random Periodic Square Burst (RPSB)
- Strictly Periodic General Burst (SPGB)
- Random Periodic General Burst (RPGB)

T, l: uniformly distributed s.t. l/T <= 0.25; R: 1 (full bandwidth); N, S: uniformly distributed. Around 3000 simulations per type.

DTW value   SPSB    RPSB    SPGB    RPGB
Max         34.88   35.66   34.08   34.69
Min         0       0.80    0.84    1.20
Mean        10.68   9.63    10.89   10.48
Stdv        7.83    6.86    6.77    5.26

Page 16

Robustness of Detection

DTW values of legitimate traffic. Legitimate traffic composition: legitimate traffic is simulated using a Gaussian model, C + Gaussian(0, N). More than 8000 simulations were run.

DTW values for legitimate traffic (Gaussian):
Max    286.53
Min    113.50
Mean   236.95
Stdv   43.10

Page 17

Robustness of Detection

Probability distribution of DTW values (figure): attack flows vs. legitimate (Gaussian) flows. Expect a separation between them.

Page 18

Robustness of Detection

More accurate network traffic model (Ethernet traffic, WWW traffic): use the FARIMA model to generate self-similar traffic, Hurst parameter H: [0.75-0.85]. More than 10,000 simulations were run.

DTW values for legitimate traffic (self-similar):
Max    238.16
Min    28.01
Mean   130.73
Stdv   51.44

Page 19

Robustness of Detection

Probability distribution of DTW values (self-similar) (figure): attack flows vs. self-similar flows. Small overlap (around 30).

False self-similar: 141 of 11000 self-similar traces; false positive rate 1.28%
False attack: 378 of 11492 attack traces; false negative rate 3.54%

Page 20

What is next? Low-rate Attack Defense Mechanism

Page 21

Defense Mechanism

Router deployment (pushback detection):
- Push back to the outermost deployed router
- Distributed attack

Resource management:
- Deficit Round Robin (DRR)

Page 22

Defense Mechanism: Deficit Round Robin (DRR)

Classify packets according to the input port [i]. Initially deficit_counter[i] = 0. In each round, deficit_counter[i] += Quantum[i]; while the packet's size <= deficit_counter[i], serve the packet and set deficit_counter[i] -= packet's size. If there is no packet[i], deficit_counter[i] = 0.

Worked example (figure), with Quantum[i] = 1000 bytes and the head of each queue listed first:
- Queue A: 1500, 2000
- Queue B: 300, 500
- Queue C: 600, 600, 1000

1st round:
- A's counter: 1000 (the 1500-byte head packet exceeds the counter, so nothing is served)
- B's counter: 200 (served twice)
- C's counter: 400

2nd round:
- A's counter: 500 (served)
- B's counter: 0
- C's counter: 800 (served)

Page 23

Fairness Analysis of DRR Algorithm

Definitions in the DRR algorithm:
- Backlogged: A port i is backlogged during an interval (t1; t2) of a DRR execution if the queue for port i is never empty during the interval.
- Flow share: We assume there is some quantity f_i that expresses the ideal share obtained by port i: f_i = Quantum[i]/Quantum, where Quantum = Min(Quantum[i]).
- Sent packets: Let sent_i(t1; t2) be the total number of bytes sent on the output port i in the interval (t1; t2).
- Fairness measurement: Let FM(t1; t2) be the maximum of (sent_i(t1; t2)/f_i − sent_j(t1; t2)/f_j) over all ports i, j that are backlogged in the interval (t1; t2). Now we can define a service discipline to be fair if FM(t1; t2) is bounded by a small constant.

Page 24

Fairness Analysis of DRR Algorithm: Lemmas of DRR Fairness

Lemma 1: For any port i, during the execution of the DRR algorithm, deficit_counter[i] is within the range [0; Max) at the end of each round, where Max is the maximum size of all possible packets:

0 ≤ deficit_counter[i] < Max

Proof: Initially deficit_counter[i] = 0. After queue i is serviced in each round:
1) If there are packet(s) left in the queue for port i, then 0 ≤ deficit_counter[i] < Max (the head packet could not be served, so the counter is smaller than that packet's size, which is at most Max).
2) If no packets are left in the queue, deficit_counter[i] is reset to zero.

Page 25

Fairness Analysis of DRR Algorithm: Lemmas of DRR Fairness

Lemma 2: During any period in which port i is backlogged, the number of bytes sent on behalf of port i is roughly equal to m×Quantum[i], specifically bounded as follows:

m×Quantum[i] − Max ≤ sent_i(t1; t2) ≤ m×Quantum[i] + Max

where m is the number of round-robin service rounds received by port i during this interval.

Proof: Let deficit_counter[i][k] be the value of deficit_counter[i] at the end of k rounds of DRR execution. Let bytes_i(k) be the bytes sent by port i in round k, and let sent_i(k) be the bytes sent by port i from round 1 through k. Thus sent_i(k) = ∑ bytes_i(k), summed over rounds 1 through k.

Obviously: bytes_i(k) + deficit_counter[i][k] = Quantum[i] + deficit_counter[i][k−1], i.e.

bytes_i(k) = Quantum[i] + deficit_counter[i][k−1] − deficit_counter[i][k]

Summing this equation over m rounds of servicing of port i, we have:

sent_i(m) = m×Quantum[i] + deficit_counter[i][0] − deficit_counter[i][m]

Since deficit_counter[i] is always non-negative and upper bounded by Max (Lemma 1), the result follows.

Page 26

Fairness Analysis of DRR Algorithm: Theorem of DRR Fairness

Theorem 1: For an interval (t1; t2) in any execution of the DRR service discipline,

FM(t1; t2) ≤ 2×Max + Quantum, where Quantum = Min(Quantum[i]).

Proof: Let m be the number of DRR execution rounds given to port i in the interval (t1; t2), and let m' be the number of DRR execution rounds given to port j in the same interval. As each class is serviced in strict round-robin order, |m − m'| ≤ 1.

From Lemma 2: sent_i(t1; t2) ≤ m×Quantum[i] + Max. Since the ideal share is f_i = Quantum[i]/Quantum, the normalized service received by port i is

sent_i(t1; t2)/f_i ≤ m×Quantum + Max/f_i   (1)

Similarly for port j:

sent_j(t1; t2)/f_j ≥ m'×Quantum − Max/f_j   (2)

Thus:

FM(t1; t2) = sent_i(t1; t2)/f_i − sent_j(t1; t2)/f_j
          ≤ (m − m')×Quantum + Max/f_i + Max/f_j
          ≤ Quantum + 2×Max ■

(The last step uses m − m' ≤ 1 and f_i, f_j ≥ 1, since every Quantum[i] ≥ Quantum = Min(Quantum[i]).)
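The DRR slide's worked example and the Lemma 2 / Theorem 1 bounds, as an added Python example that is not the authors' code: a small DRR scheduler replays the slide's three queues, and a constructed two-port run (hypothetical "burst" and "tcp" ports) checks that each backlogged port's bytes stay within m×Quantum ± Max and that FM stays below 2×Max + Quantum.

```python
from collections import deque

# Deficit Round Robin as described on the DRR slide, plus a check of the Lemma 2
# service bound and the Theorem 1 fairness bound. Added example, not the authors'
# code; the queue contents follow the slide's figure, the two-port run (a port full
# of maximum-size packets next to a port of small packets) is a constructed scenario.


class DRRScheduler:
    def __init__(self, quantum):
        self.quantum = quantum      # Quantum[i]; the same quantum for every port here
        self.queues = {}            # port i -> deque of packet sizes (bytes), head first
        self.deficit = {}           # deficit_counter[i]

    def enqueue(self, port, size):
        """Classify the packet according to its input port [i]."""
        self.queues.setdefault(port, deque()).append(size)
        self.deficit.setdefault(port, 0)      # deficit_counter[i] = 0 initially

    def round(self):
        """One round-robin pass over the ports; returns (port, size) of each packet served."""
        served = []
        for port in sorted(self.queues):
            queue = self.queues[port]
            if not queue:
                # If no packet[i], deficit_counter[i] = 0: an idle port keeps no credit.
                # (The slide resets on the next visit, as here; the original DRR resets
                # as soon as the queue drains, which changes the counter shown, not the
                # bytes served.)
                self.deficit[port] = 0
                continue
            self.deficit[port] += self.quantum
            # Serve head-of-line packets while the counter covers the packet's size.
            while queue and queue[0] <= self.deficit[port]:
                size = queue.popleft()
                self.deficit[port] -= size
                served.append((port, size))
        return served


def slide_example():
    """The slide's figure: Quantum[i] = 1000 bytes, A = [1500, 2000], B = [300, 500],
    C = [600, 600, 1000]. Returns what was served and the counters after each round."""
    sched = DRRScheduler(quantum=1000)
    for port, sizes in {"A": [1500, 2000], "B": [300, 500], "C": [600, 600, 1000]}.items():
        for size in sizes:
            sched.enqueue(port, size)
    first = sched.round()
    after_first = dict(sched.deficit)
    second = sched.round()
    after_second = dict(sched.deficit)
    return first, after_first, second, after_second


def fairness_run(rounds=10, quantum=1000, max_packet=1500):
    """Constructed two-port run: a 'burst' port backlogged with maximum-size packets
    and a 'tcp' port backlogged with 500-byte packets. Returns bytes sent per port,
    whether both stayed within Lemma 2's m*Quantum +/- Max, FM(t1; t2), and whether
    FM satisfies Theorem 1's bound 2*Max + Quantum."""
    sched = DRRScheduler(quantum)
    for _ in range(20):
        sched.enqueue("burst", max_packet)
    for _ in range(30):
        sched.enqueue("tcp", 500)
    sent = {"burst": 0, "tcp": 0}
    for _ in range(rounds):
        for port, size in sched.round():
            sent[port] += size
    # Both ports are still backlogged afterwards, so m = rounds for each of them.
    within_lemma2 = all(
        rounds * quantum - max_packet <= sent[p] <= rounds * quantum + max_packet
        for p in sent
    )
    # Equal quanta => f_i = 1 for both ports, so FM is just the difference in bytes.
    fm = abs(sent["tcp"] - sent["burst"])
    return sent, within_lemma2, fm, fm <= 2 * max_packet + quantum


if __name__ == "__main__":
    print(slide_example())    # counters: A 1000, B 200, C 400; then A 500, B 0, C 800
    print(fairness_run())     # burst 9000 B vs tcp 10000 B after 10 rounds, FM = 1000
```

The large-packet port cannot pull ahead of the small-packet port by more than one maximum packet plus one quantum, which is what keeps a bursty queue from crowding out the TCP queues on a DRR router.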

Page 27

Analysis of DRR Algorithm: Analytical Results

- Fairness: Using Golestani's fairness definition, the difference in the normalized bytes sent between ports within a certain interval (t1; t2) is bounded by a small constant.
- Implementation cost: The DRR algorithm can be implemented with less work than other scheduling algorithms. In general, the processing cost of DRR is O(1) per packet.

As a result, DRR provides not only a fair scheduling method but also works at a low implementation cost.

Page 28

What is next? Fluid Model of TCP Flows

Page 29

Fluid Model of TCP Flows: Model of TCP on a Droptail Router

In a congested droptail router:
1. N TCP flows go through
2. Droptail queue at the output interface

Dropping function, with p the drop probability, x_i the length of queue i and Q_i the size of queue i:

p_i(x_i) = 0 if x_i ≤ Q_i, 1 if x_i > Q_i   (1)

Behavior of the queue length, with C the capacity of the link:

dx_i(t)/dt = ∑_{i=1}^{N} ρ_i(t) × [1 − p_i(x_i(t))] − C   (2)

Page 30

Fluid Model of TCP Flows: Model of TCP on a Droptail Router

Throughput of TCP flow i, with W_i(t) the window size and R_i(t) the round trip time:

ρ_i(t) = W_i(t) / R_i(t)   (3)

Round trip time, with a_i the propagation delay:

R_i(t) = a_i + x_i(t) / C   (4)

Page 31

Fluid Model of TCP Flows: Model of TCP on a Droptail Router

Slow start / congestion avoidance, with H_i the threshold:

H_i(t) = H_i(t − t') × [1 − p_i(x_i(t − t'))] + p_i(x_i(t − t')) × W_i(t)/2   (5)

Retransmission timeout T_i(t):

dT_i(t)/dt = [expression in T_i(t), p_i(x_i(t − t')), q(W_i(t)) and u(T_i(t)); its exact form could not be recovered from the transcript]   (6)

where u(n) is a unit step function:

u(n) = 0 if n < 0, 1 if n ≥ 0   (7)

and q(W) denotes the probability that a loss is caused by timeout:

q(W_i(t)) = Min(1, 3 / W_i(t))   (8)

Finally, the behavior of the TCP window size:

dW_i/dt = ( u(H_i − W_i) × W_i/R_i + u(W_i − H_i) × 1/R_i ) × [1 − u(T_i(t))]
          − [1 − q(W_i)] × (W_i/2) × (W_i(t − t')/R_i(t − t')) × p_i(x_i(t − t'))
          − q(W_i) × (W_i − 1) × (W_i(t − t')/R_i(t − t')) × p_i(x_i(t − t'))   (9)

Overview of TCP droptail scheduling: numerical result of differential equations (1-9) (figure).

Page 32

Fluid Model of TCP Flows: Model of TCP on a DRR Router

Modification based on the droptail model. A different queue management may cause:
1. A change in the behavior of the queue length
2. A change in the calculation of the round trip time

Behavior of the queue length in DRR, where τ_t is the time length of each round:

dx_i(t)/dt = ρ_i(t) × [1 − p_i(x_i(t))] − Min(Quantum_i, x_i(t)) / τ_t   (10)

τ_t = ∑_{i=1}^{N} Min(Quantum_i, x_i(t)) / C   (11)

Calculation of the round trip time:

R_i(t) = a_i + N × x_i(t) / C   (12)

Fluid model of TCP on a DRR router: replace the corresponding two equations of the droptail model, the queue length (2) and the round trip time (4), with (10)-(11) and (12).

Page 33

Fluid Model of TCP Flows: Simulation of TCP fluid model

Attack with a single TCP flow (droptail router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s; the attack starts 2 s later. (Figure: droptail queue, attack and TCP throughput over time.)

Page 34

Fluid Model of TCP Flows: Simulation of TCP fluid model

Attack with a single TCP flow (DRR router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, Quantum = 1 kb, buffer size = 10 kb; the attack starts 2 s later. (Figure: DRR queues, attack and TCP throughput over time.)

Page 35

Fluid Model of TCP Flows: Simulation of TCP fluid model

Attack with multiple TCP flows (droptail router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s; the attack starts 2 s later; propagation delays 0.1 s, 0.2 s, 0.4 s and 0.8 s for TCP1 to TCP4. (Figure: droptail queue, attack and TCP1-TCP4 throughput over time.)

Page 36

Fluid Model of TCP Flows: Simulation of TCP fluid model

Attack with multiple TCP flows (DRR router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, Quantum = 1 kb, buffer size = 10 kb; the attack starts 2 s later; propagation delays 0.1 s, 0.2 s, 0.4 s and 0.8 s for TCP1 to TCP4. (Figure: DRR queues, attack and TCP1-TCP4 throughput over time.)

Page 37

What is next? Defence Experiments

Page 38

Experiment of Defense Mechanism

Single TCP flow vs. single-source attacker; both go through the same router; link capacity 5 Mb/s. Throughput in Kbps (share of link capacity in parentheses):

          Drop Tail                            DRR
          TCP (Kbps)       Attack (Kbps)       TCP (Kbps)        Attack (Kbps)
Tahoe     224.37 (4.49%)   1016.52 (20.33%)    3402.07 (68.04%)  780.39 (15.61%)
Reno      26.30 (0.53%)    1022.55 (20.45%)    946.87 (18.94%)   1014.97 (20.30%)
NewReno   23.62 (0.47%)    1022.04 (20.44%)    3690.32 (73.81%)  913.39 (18.27%)

Page 39

Experiment of Defense Mechanism

Multiple TCP flows vs. single-source attacker: eight TCP flows and a single low-rate attacker go through the same router; link capacity 5 Mb/s.

          Drop Tail                              DRR
          Throughput (Kbps)  % of link capacity  Throughput (Kbps)  % of link capacity
Attack    928.76             18.58%              343.09             6.86%
TCP1      8.71               0.17%               965.91             19.32%
TCP2      210.77             4.22%               645.79             12.92%
TCP3      4.75               0.10%               629.15             12.58%
TCP4      11.09              0.22%               618.05             12.36%
TCP5      5.54               0.11%               468.3              9.37%
TCP6      267.82             5.36%               356.57             7.13%
TCP7      72.11              1.44%               293.97             5.88%
TCP8      3.17               0.06%               194.93             3.90%
TCP Sum   583.96             11.68%              4172.67            83.45%

Page 40

Experiment of Defense Mechanism

Network model of attack vs. multiple TCP flows: 4 TCP flows, a single attacker, a 7-router network in which R1, R2, R4 and R6 may run DRR; link capacity 5 Mb/s. Throughput ρ in Kbps:

            Drop Tail   DRR on R6   DRR on R6,R4   DRR on R6,R4,R2   DRR on R6,R4,R2,R1
Attack      640.00      561.00      453.00         419.00            404.00
TCP1        386.00      358.00      311.00         314.00            778.00
TCP2        264.00      329.00      282.00         874.00            763.00
TCP3        324.00      251.00      1245.00        924.00            788.00
TCP4        425.00      1719.00     1154.00        966.00            765.00
Total TCP   1399.00     2657.00     2992.00        3078.00           3094.00

Page 41

What is next? Related Work & Conclusion

Page 42

Related Work & Conclusion

Related work. Another solution to this attack:
- Randomizing RTO: 1. an intuitive solution; 2. requires widespread updates of end-user software; 3. may reduce the performance of TCP.
- Reduction of Quality (RoQ) attack: 1. a general class of attack exploiting the transients of adaptation; 2. a similar attack form.

Conclusions:
- Formal model to describe the low-rate TCP attack.
- Distributed detection mechanism using Dynamic Time Warping.
- The pushback mechanism.
- DRR approach for protection and isolation.

Page 43

Major References

HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Defending Against Low-rate TCP Attack: Dynamic Detection and Protection", IEEE International Conference on Network Protocols (ICNP), Berlin, Germany, October 2004.

HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Distributed Mechanism in Detecting and Defending Against Low-rate TCP Attack", Computer Networks Journal (Elsevier), July 2005.

Page 44

Thank you for your attention!

Q & A