TY - JOUR
T1 - Low rate TCP denial-of-service attack detection at edge routers
AU - Shevtekar, Amey
AU - Anantharam, Karunakar
AU - Ansari, Nirwan
N1 - Funding Information:
Manuscript received August 16, 2004. The associate editor coordinating the review of this letter and approving it for publication was Dr. Chuan-Kun Wu. This work has been supported in part by the New Jersey Commission on Science and Technology via NJWINS. The authors are with the Advanced Networking Laboratory, ECE Dept., NJIT, Newark, NJ (e-mail: [email protected]). Digital Object Identifier 10.1109/LCOMM.2005.04008.
Copyright:
Copyright 2018 Elsevier B.V., All rights reserved.
PY - 2005/4
Y1 - 2005/4
N2 - Low-rate TCP Denial-of-Service attacks are a new type of DoS attack that is carefully orchestrated to exploit the fixed minimum TCP RTO property, and thereby deny service to legitimate users. This type of attack is different from traditional flood-based attacks, and hence conventional solutions for detecting those attacks are not applicable. We propose a novel approach to detect these attack flows at edge routers. A flow exhibiting a periodic pattern is marked malicious if its burst length is greater than or equal to the RTTs of other connections with the same server, and its time period is equal to the fixed minimum RTO. A carefully designed lightweight data structure is proposed to store the necessary flow history at edge routers. Simulation results show that such flows can be detected by our proposed approach, which does not require any modification to TCP congestion control algorithms, such as randomizing the fixed minimum RTO.
AB - Low-rate TCP Denial-of-Service attacks are a new type of DoS attack that is carefully orchestrated to exploit the fixed minimum TCP RTO property, and thereby deny service to legitimate users. This type of attack is different from traditional flood-based attacks, and hence conventional solutions for detecting those attacks are not applicable. We propose a novel approach to detect these attack flows at edge routers. A flow exhibiting a periodic pattern is marked malicious if its burst length is greater than or equal to the RTTs of other connections with the same server, and its time period is equal to the fixed minimum RTO. A carefully designed lightweight data structure is proposed to store the necessary flow history at edge routers. Simulation results show that such flows can be detected by our proposed approach, which does not require any modification to TCP congestion control algorithms, such as randomizing the fixed minimum RTO.
KW - DoS
KW - RTO
KW - RTT
KW - Router
KW - TCP
UR - http://www.scopus.com/inward/record.url?scp=17744370129&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=17744370129&partnerID=8YFLogxK
U2 - 10.1109/LCOMM.2005.1413635
DO - 10.1109/LCOMM.2005.1413635
M3 - Article
AN - SCOPUS:17744370129
SN - 1089-7798
VL - 9
SP - 363
EP - 365
JO - IEEE Communications Letters
JF - IEEE Communications Letters
IS - 4
ER -