Defense against low-rate TCP-targeted denial-of-service attacks

Cited by: 0
Authors
Yang, G [1]
Gerla, M [1]
Sanadidi, MY [1]
Affiliations
[1] Univ Calif Los Angeles, Dept Comp Sci, Los Angeles, CA 90095 USA
Source
ISCC2004: NINTH INTERNATIONAL SYMPOSIUM ON COMPUTERS AND COMMUNICATIONS, VOLS 1 AND 2, PROCEEDINGS | 2004
Keywords
denial-of-service; TCP; retransmission time-out; randomization;
DOI
Not available
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
Low-rate TCP-targeted Denial-of-Service (DoS) attacks exploit the fact that most operating systems in use today share a common base TCP Retransmission Timeout (RTO) of 1 sec. An attacker injects periodic bursts of packets to fill the bottleneck queue and forces TCP connections to time out repeatedly, driving their throughput to near zero. This paper proposes randomization of the TCP RTO as a defense against such attacks. With RTO randomization, an attacker cannot predict the next TCP timeout and consequently cannot inject the burst at the exact instant. An analytic performance model of the throughput of randomized TCP is developed and validated. Simulation results show that randomization can effectively mitigate the impact of such DoS attacks while maintaining fairness and friendliness to other connections.
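The mechanism the abstract describes, as an added toy model (not the paper's analytic model or simulator): one TCP flow attempting to send while the bottleneck queue is filled by a burst once every second, comparing a fixed 1 s RTO with an RTO drawn at random. The RTT, burst length, randomization range (uniform in [1 s, 2 s)) and backoff cap are assumptions chosen for illustration.

```python
import random

MIN_RTO = 1.0      # the common base RTO of 1 s that the attack relies on
RTT = 0.1          # assumed round-trip time of the victim flow (s)
BURST_LEN = 0.15   # assumed duration per burst during which the queue is full (s)
MAX_BACKOFF = 64   # cap on the exponential backoff multiplier (assumed)


def burst_covers(t, period=MIN_RTO, burst_len=BURST_LEN):
    """True if instant t falls inside a periodic burst of the given period."""
    return (t % period) < burst_len


def fixed_rto(rng):
    """Conventional sender: the RTO is always the base value."""
    return MIN_RTO


def randomized_rto(rng):
    """Randomized sender (assumed scheme): RTO uniform in [MIN_RTO, 2*MIN_RTO)."""
    return MIN_RTO + rng.random() * MIN_RTO


def simulate(duration, rto_fn, seed=1):
    """Toy slotted model of one flow under bursts whose period equals MIN_RTO.
    An attempt at time t succeeds if no burst covers t (next attempt one RTT
    later); otherwise the packet is lost and the sender waits rto * backoff,
    doubling the backoff on each consecutive loss.
    Returns achieved throughput as a fraction of the attack-free ideal."""
    rng = random.Random(seed)
    t, backoff, successes = 0.0, 1, 0
    while t < duration:
        if burst_covers(t):
            t += rto_fn(rng) * backoff          # timeout expires inside the next burst?
            backoff = min(backoff * 2, MAX_BACKOFF)
        else:
            successes += 1
            backoff = 1                         # successful send resets backoff
            t += RTT
    return successes / (duration / RTT)


if __name__ == "__main__":
    print("fixed RTO      :", simulate(200.0, fixed_rto))
    print("randomized RTO :", simulate(200.0, randomized_rto))
```

With the fixed RTO every retransmission lands exactly in the next burst, so the flow never recovers; with the randomized RTO most retransmissions fall between bursts and the flow keeps a sizeable share of its throughput.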
Pages: 345 / 350
Page count: 6