Skip to Main Content
We propose using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks. The approach can reduce false positives of attacker identification schemes and thus decrease the associated unnecessary slowdown or stoppage of legitimate traffic. For the spectral analysis, we use the number of packet arrivals of a flow in fixed-length time intervals as the signal. We then estimate the power spectral density of the signal, in which information of periodicity, or lack thereof, in the signal reveals itself. A normal TCP flow should exhibit strong periodicity around its round-trip time in both flow directions, whereas an attack flow usually does not. We validate the effectiveness of the approach with simulation and trace analysis. We argue that the approach complements existing DoS defense mechanisms that focus on identifying attack traffic.