Low rate TCP denial-of-service attack detection at edge routers

Amey Shevtekar; Karunakar Anantharam; Nirwan Ansari

doi:10.1109/LCOMM.2005.1413635

Low rate TCP denial-of-service attack detection at edge routers

Amey Shevtekar, Karunakar Anantharam, Nirwan Ansari

Electrical and Computer Engineering

Research output: Contribution to journal › Article › peer-review

91 Scopus citations

Abstract

Low rate TCP Denial-of-Service attacks are a new type of DoS attacks that are carefully orchestrated to exploit the fixed minimum TCP RTO property, and thereby deny services to legitimate users. This type of attacks is different from traditional flood-based attacks, and hence conventional solutions to detect these attacks are not applicable. We propose a novel approach to detect these attack flows at edge routers. A flow exhibiting a periodic pattern is marked malicious if its burst length is greater than or equal to RTTs of other connections with the same server, and its time period is equal to the fixed minimum RTO. A carefully designed light weight data structure is proposed to store the necessary flow history at edge routers. Simulation results show that such flows can be detected by our proposed approach, which does not require any modification to TCP congestion control algorithms like randomizing the fixed minimum RTO.

Original language	English (US)
Pages (from-to)	363-365
Number of pages	3
Journal	IEEE Communications Letters
Volume	9
Issue number	4
DOIs	https://doi.org/10.1109/LCOMM.2005.1413635
State	Published - Apr 2005

All Science Journal Classification (ASJC) codes

Modeling and Simulation
Computer Science Applications
Electrical and Electronic Engineering

Keywords

DoS
RTO
RTT
Router
TCP

Access to Document

10.1109/LCOMM.2005.1413635

Cite this

@article{a4956d166cde48db93089b7e7ec63cfe,

title = "Low rate TCP denial-of-service attack detection at edge routers",

abstract = "Low rate TCP Denial-of-Service attacks are a new type of DoS attacks that are carefully orchestrated to exploit the fixed minimum TCP RTO property, and thereby deny services to legitimate users. This type of attacks is different from traditional flood-based attacks, and hence conventional solutions to detect these attacks are not applicable. We propose a novel approach to detect these attack flows at edge routers. A flow exhibiting a periodic pattern is marked malicious if its burst length is greater than or equal to RTTs of other connections with the same server, and its time period is equal to the fixed minimum RTO. A carefully designed light weight data structure is proposed to store the necessary flow history at edge routers. Simulation results show that such flows can be detected by our proposed approach, which does not require any modification to TCP congestion control algorithms like randomizing the fixed minimum RTO.",

keywords = "DoS, RTO, RTT, Router, TCP",

author = "Amey Shevtekar and Karunakar Anantharam and Nirwan Ansari",

note = "Funding Information: Manuscript received August 16, 2004. The associate editor coordinating the review of this letter and approving it for publication was Dr. Chuan-Kun Wu. This work has been supported in part by the New Jersey Commission on Science and Technology via NJWINS. The authors are with the Advanced Networking Laboratory, ECE Dept., NJIT, Newark, NJ (e-mail: ansari@njit.edu). Digital Object Identifier 10.1109/LCOMM.2005.04008. Copyright: Copyright 2018 Elsevier B.V., All rights reserved.",

year = "2005",

month = apr,

doi = "10.1109/LCOMM.2005.1413635",

language = "English (US)",

volume = "9",

pages = "363--365",

journal = "IEEE Communications Letters",

issn = "1089-7798",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "4",

}

TY - JOUR

T1 - Low rate TCP denial-of-service attack detection at edge routers

AU - Shevtekar, Amey

AU - Anantharam, Karunakar

AU - Ansari, Nirwan

N1 - Funding Information: Manuscript received August 16, 2004. The associate editor coordinating the review of this letter and approving it for publication was Dr. Chuan-Kun Wu. This work has been supported in part by the New Jersey Commission on Science and Technology via NJWINS. The authors are with the Advanced Networking Laboratory, ECE Dept., NJIT, Newark, NJ (e-mail: ansari@njit.edu). Digital Object Identifier 10.1109/LCOMM.2005.04008. Copyright: Copyright 2018 Elsevier B.V., All rights reserved.

PY - 2005/4

Y1 - 2005/4

N2 - Low rate TCP Denial-of-Service attacks are a new type of DoS attacks that are carefully orchestrated to exploit the fixed minimum TCP RTO property, and thereby deny services to legitimate users. This type of attacks is different from traditional flood-based attacks, and hence conventional solutions to detect these attacks are not applicable. We propose a novel approach to detect these attack flows at edge routers. A flow exhibiting a periodic pattern is marked malicious if its burst length is greater than or equal to RTTs of other connections with the same server, and its time period is equal to the fixed minimum RTO. A carefully designed light weight data structure is proposed to store the necessary flow history at edge routers. Simulation results show that such flows can be detected by our proposed approach, which does not require any modification to TCP congestion control algorithms like randomizing the fixed minimum RTO.

AB - Low rate TCP Denial-of-Service attacks are a new type of DoS attacks that are carefully orchestrated to exploit the fixed minimum TCP RTO property, and thereby deny services to legitimate users. This type of attacks is different from traditional flood-based attacks, and hence conventional solutions to detect these attacks are not applicable. We propose a novel approach to detect these attack flows at edge routers. A flow exhibiting a periodic pattern is marked malicious if its burst length is greater than or equal to RTTs of other connections with the same server, and its time period is equal to the fixed minimum RTO. A carefully designed light weight data structure is proposed to store the necessary flow history at edge routers. Simulation results show that such flows can be detected by our proposed approach, which does not require any modification to TCP congestion control algorithms like randomizing the fixed minimum RTO.

KW - DoS

KW - RTO

KW - RTT

KW - Router

KW - TCP

UR - http://www.scopus.com/inward/record.url?scp=17744370129&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=17744370129&partnerID=8YFLogxK

U2 - 10.1109/LCOMM.2005.1413635

DO - 10.1109/LCOMM.2005.1413635

M3 - Article

AN - SCOPUS:17744370129

SN - 1089-7798

VL - 9

SP - 363

EP - 365

JO - IEEE Communications Letters

JF - IEEE Communications Letters

IS - 4

ER -

Low rate TCP denial-of-service attack detection at edge routers

Abstract

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this