A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks

Abstract

Although the existing robust random early detection RRED algorithm can preserve normal TCP throughput under various low-rate distributed denial-of-service LDDoS attacks, it fails to maintain the fairness among TCP flows and counter large-scale LDDoS attacks or address-spoofing LDDoS attacks. In contemporary network, it is much easier to launch UDP-based LDDoS attacks that achieve severer attack effect with much lower effort than to launch TCP-based attacks. Based on this observation, this paper proposes fair robust random early detection FRRED algorithm, a TCP-friendly AQM algorithm to improve the performance in terms of throughput and fairness. The key idea of FRRED algorithm is the 'protocol-based hash partitioning' that segregates the records of UDP and TCP flows maintained in a counting bloom filter which is space-efficient and well-designed. Theoretical analysis and simulation results show that FRRED algorithm can effectively preserve TCP throughput and significantly improve fairness among TCP flows to mitigate various LDDoS attacks.