Abstract

The recently proposed TCP-targeted Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP’s congestion control mechanism. They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric – Congestion Participation Rate (CPR) – and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-based approach is its ability to identify LDDoS flows. A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective than an existing Discrete Fourier Transform (DFT)-based approach – one of the most efficient approaches in detecting LDDoS attacks. We also provide experimental guidance to choose the CPR threshold in practice.

Highlights

  • Distributed Denial-of-Service (DDoS) attacks [1] have been identified as a major threat to today’s Internet services

  • As a new kind of DDoS attack, TCP-targeted Low-rate Distributed Denial-of-Service (LDDoS) [2] attacks are more efficient in terms of causing damage to legitimate flows and more difficult to detect when compared to traditional flooding-based DDoS attacks

  • Based on the definition and assumption above, we describe an LDDoS attack using four parameters (n, g, m, r), where n is the total number of flows in the attack, g is the number of attack flow groups, and m is the number of members in an LDDoS flow group


Summary

Introduction

Distributed Denial-of-Service (DDoS) attacks [1] have been identified as a major threat to today’s Internet services. In this paper we propose a novel metric “Congestion Participation Rate” (CPR) to identify. The CPR-based approach exploits the fact that LDDoS flows actively induce network congestion whereas normal TCP flows actively avoid network congestion. Our contributions are summarized as follows: We propose a novel metric – Congestion Participation Rate (CPR) – to identify LDDoS flows by measuring the intention of network flows to congest the network. As far as we know, the CPR-based approach is an original innovation that can effectively identify LDDoS on a per-flow basis in large-scale LDDoS attacks. It is worth noting that the CPR-based approach is designed to distinguish between normal TCP flows and LDDoS flows.

Modeling LDDoS attacks
Congestion participation rate
The detecting and filtering approach
Bounds of the congestion participation rates
Lower bound of the CPR for LDDoS flows
Minimum average CPR difference between TCP and LDDoS flows
Simulation experiments
RED on our approach
LDDoS attacks
HTTP traffic
Trade-off of detection rate and false positive rate
Real network and internet trace experiments
Discussion
IP address spoofing
UDP traffic
Integration of RED
Adversarial analysis
Findings
Related work
Conclusions