A comprehensive study of queue management as a DoS counter-measure

Cited by: 6
Authors
Boteanu, Daniel [1 ]
Fernandez, Jose M. [1 ]
Affiliation
[1] Ecole Polytech Montreal, Montreal, PQ H3C 3A7, Canada
Keywords
Network security; Denial of service; DDoS; Dynamic timeout adjustment; Queue management; SYN-flood; DEFENSE; NETWORK; FRAMEWORK; ATTACKS;
DOI
10.1007/s10207-013-0197-6
CLC (Chinese Library Classification) number
TP [Automation technology, computer technology];
Subject classification number
0812 ;
Abstract
The purpose of a denial of service (DoS) attack is to render a network service unavailable for legitimate users. We address the problem of DoS attacks on connection-oriented protocols where the attacker tries to deplete the server's connection queue by initiating communication with the server and then abandoning the communication. The most exploited attack in this category is the SYN-flood attack, but other attacks using the same approach in stateful communication protocols also fall into this category. Our goals are twofold: first, to develop a mathematical model allowing us to analyse the trade-off between the attacker and the defender resources and, second, to offer prevention mechanisms that can be used to defend against this category of attacks. We model the server queue of connections using Markov chains to establish a relationship between the server capacity, the attack rate and the impact on the service level. We analyse two methods of adjusting the timeout, threshold and linear, and we couple them with three policies of assigning the timeout to connections: the deterministic policy, the deferred policy and the utopian Poisson policy. First, theoretical modelling confirms that for any given strategy, there exists a linear trade-off between attack rate and targeted server queue size. However, the ratio that needs to be kept between them in order to maintain a similar level of quality of service differs between strategies; in that sense some are better than others. In particular, theoretical modelling also indicates that the linear deferred timeout strategy is very similar in performance to the linear Poisson timeout strategy, which in turn outperforms all the other dynamic timeout strategies. The dynamic timeout strategies always outperform the classical fixed timeout method. Our model is very general and can be used to capture the behaviour of the server queue during connection depletion attacks at various levels in the TCP protocol stack.
We confirm the theoretical findings using stochastic simulations and network experiments of SYN-flood attacks. We also show how the model can be used when analysing a TCP connection establishment flood or a ticket reservation flood. The protection strategies we suggest are robust to changes in the attack model and our implementation is very efficient and transparent with respect to the server and applications it tries to protect. The strategies could therefore be easily integrated into existing operating systems and applications, or implemented in separate network devices.
Pages: 347 / 382
Page count: 36