
Using transient behavior of TCP in mitigation of distributed denial of service attacks


Authors (3):
Kalantari, M. (Dept. of Electr. & Comput. Eng., Maryland Univ., College Park, MD, USA); Gallicchio, K.; Shayman, M.A.

Our work focuses on the problem of proactively detecting and mitigating stealthy distributed denial of service (DDoS) attacks that employ the TCP protocol. Such attacks are likely to consist of large numbers of short-duration flows using a large number of source IP addresses that are possibly spoofed. In our approach, each router maintains a partition (possibly dynamic) of active TCP flows into aggregates. Each aggregate is probed to estimate the proportion of attack traffic that it contains. Packets belonging to aggregates that contain significant amounts of attack traffic may be subject to aggressive drop policies to prevent denial of service at the intended victim(s). The probing technique exploits the presumption that attack sources do not conform to standard TCP congestion control. A router estimates the attack traffic for each aggregate by dropping a small number of packets from that aggregate and monitoring the transient response of the arrival rate of the aggregate. We derive a simple analytical formula for the expected response of an aggregate whose constituent flows all conform to TCP congestion control. By comparing the probed response to that predicted by the formula, a router can estimate the proportion of traffic in the aggregate that is nonconforming and hence presumed to belong to an attack. This approach may be implemented in a purely distributed manner at individual routers. Furthermore, since it does not depend on interactions between routers, incremental deployment is possible.
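The probing idea in the abstract can be made concrete with a small simulation. The following is an added illustration, not the authors' model or code: it assumes a toy flow model in which a conforming (TCP) sender halves its per-RTT rate after a dropped packet and a nonconforming sender ignores loss, ignores additive increase over the single probe RTT, derives its own simple estimator from that model, and attaches a constructed drop policy. The aggregate sizes and rates are constructed sample values.

```python
"""Toy model of probing a TCP aggregate by dropping a few packets and reading the
transient response of its arrival rate.  Everything here (the flow model, the probe,
the estimator and the drop policy) is a constructed assumption for illustration, not
the formulas or code of Kalantari, Gallicchio and Shayman."""
from dataclasses import dataclass
import random


@dataclass
class Flow:
    conforming: bool        # True: TCP-like sender; False: ignores loss (presumed attack)
    rate: float             # packets sent per RTT (the congestion window for a TCP sender)
    lost: bool = False      # a probe packet of this flow was dropped in the current RTT

    def step(self) -> float:
        """Advance one RTT.  A conforming sender halves its rate after a loss, as TCP
        congestion control does; additive increase is ignored over this single RTT
        (simplifying assumption).  A nonconforming sender keeps its rate regardless."""
        if self.conforming and self.lost:
            self.rate = max(1.0, self.rate / 2.0)
        self.lost = False
        return self.rate


def make_aggregate(n_conforming: int, n_attack: int, rate: float) -> list:
    """Constructed aggregate: n_conforming TCP flows and n_attack nonconforming flows,
    all starting at the same per-RTT rate."""
    return [Flow(True, rate) for _ in range(n_conforming)] + \
           [Flow(False, rate) for _ in range(n_attack)]


def aggregate_rate(flows) -> float:
    return sum(f.rate for f in flows)


def probe(flows, n_probe: int, rng: random.Random):
    """Drop one packet from each of n_probe flows chosen at random from the aggregate,
    advance one RTT, and return (rate before, rate S of the probed flows before, rate after)."""
    before = aggregate_rate(flows)
    probed = rng.sample(flows, min(n_probe, len(flows)))
    probed_rate = sum(f.rate for f in probed)
    for f in probed:
        f.lost = True
    for f in flows:
        f.step()
    return before, probed_rate, aggregate_rate(flows)


def estimate_nonconforming(before: float, probed_rate: float, after: float) -> float:
    """Expected response if every probed flow conformed: the share S the probed flows
    contribute halves in the next RTT.  If a fraction q of S comes from nonconforming
    flows, the aggregate changes by  after - before = S/2 * (1 + q) - S,  so
        q = 1 + 2 * (after - before) / S.
    The result is clamped to [0, 1]; unprobed flows are assumed steady over the RTT."""
    if probed_rate <= 0:
        return 0.0
    q = 1.0 + 2.0 * (after - before) / probed_rate
    return min(1.0, max(0.0, q))


def drop_probability(q: float, threshold: float = 0.3, max_drop: float = 0.9) -> float:
    """Constructed policy: aggregates whose estimated attack share is below the
    threshold are left alone; above it the drop probability rises linearly to max_drop."""
    if q < threshold:
        return 0.0
    return max_drop * (q - threshold) / (1.0 - threshold)


def assess(flows, n_probe: int, seed: int = 1) -> dict:
    """Probe one aggregate once and return the estimate and the resulting drop policy."""
    before, s, after = probe(flows, n_probe, random.Random(seed))
    q = estimate_nonconforming(before, s, after)
    return {"before": before, "after": after, "attack_share": q,
            "drop_probability": drop_probability(q)}


if __name__ == "__main__":
    # Constructed sample: a benign aggregate and one that is mostly attack traffic.
    benign = make_aggregate(n_conforming=40, n_attack=0, rate=10.0)
    suspect = make_aggregate(n_conforming=10, n_attack=30, rate=10.0)
    for name, agg in (("benign", benign), ("suspect", suspect)):
        print(name, assess(agg, n_probe=len(agg)))
```

Probing every flow makes the estimate exact under the toy model; probing a random subset, as a router would to keep the probe cheap, turns it into a sampling estimate whose variance shrinks with the number of probed flows. Because the estimator needs only the aggregate's own rates before and after the probe, a single router can run it without coordinating with its neighbours, which is the property the abstract credits for incremental deployment.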

Published in:

Proceedings of the 41st IEEE Conference on Decision and Control, 2002 (Volume 2)

Date of Conference:

10-13 Dec. 2002