Using transient behavior of TCP in mitigation of distributed denial of service attacks

Our work focuses on the problem of proactively detecting and mitigating stealthy distributed denial of service (DDoS) attacks that employ the TCP protocol. Such attacks are likely to consist of large numbers of short-duration flows using a large number of source IP addresses that are possibly spoofe...

Full description

Saved in:
Bibliographic Details
Published inProceedings of the 41st IEEE Conference on Decision and Control, 2002 Vol. 2; pp. 1422 - 1427 vol.2
Main Authors Kalantari, M., Gallicchio, K., Shayman, M.A.
Format Conference Proceeding
LanguageEnglish
Published IEEE 2002
Subjects
Aggregates
Communication system traffic control
Computer crime
Educational institutions
Filters
Monitoring
Protocols
TCPIP
Transient response
Web and internet services
Online AccessGet full text
ISBN0780375165
9780780375161
ISSN0191-2216
DOI10.1109/CDC.2002.1184718

Cover

More Information
Summary:Our work focuses on the problem of proactively detecting and mitigating stealthy distributed denial of service (DDoS) attacks that employ the TCP protocol. Such attacks are likely to consist of large numbers of short-duration flows using a large number of source IP addresses that are possibly spoofed. In our approach, each router maintains a partition (possibly dynamic) of active TCP flows into aggregates. Each aggregate is probed to estimate the proportion of attack traffic that it contains. Packets belonging to aggregates that contain significant amounts of attack traffic may be subject to aggressive drop policies to prevent denial of service at the intended victim(s). The probing technique exploits the presumption that attack sources do not conform to standard TCP congestion control. A router estimates the attack traffic for each aggregate by dropping a small number of packets from that aggregate and monitoring the transient response of the arrival rate of the aggregate. We derive a simple analytical formula for the expected response of an aggregate whose constituent flows all conform to TCP congestion control. By comparing the probed response to that predicted by the formula, a router can estimate the proportion of traffic in the aggregate that is nonconforming and hence presumed to belong to an attack. This approach may be implemented in a purely distributed manner at individual routers. Furthermore, since it does not depend on interactions between routers, incremental deployment is possible.
ISBN:0780375165
9780780375161
ISSN:0191-2216
DOI:10.1109/CDC.2002.1184718