Mitigating congestion-based denial of service attacks with active queue management

Abstract

Denial of service (DoS) attacks are currently one of the biggest risks any organization connected to the Internet can face. Hence, the congestion handling techniques at its edge router(s), such as active queue management (AQM) schemes must consider possibilities of such attacks. Ideally, an AQM scheme should (a) ensure that each network flow gets its fair share of bandwidth, and (b) identify attack flows so that corrective actions (e.g. drop flooding traffic) can be explicitly taken against them to further mitigate the DoS attacks. This paper presents a proof-of-concept work on devising such an AQM scheme, which we name Deterministic Fair Sharing (DFS). Most of the existing AQM schemes do not achieve the above goals or have a significant room for improvement. DFS uses the concept of weighted fair share (wfs) which allows it to dynamically self-adjust the router buffer usage based on the current level of congestion, while assuring fairness among flows and aiding in identifying the malicious ones. We demonstrate the performance of DFS via extensive simulation and compare against other existing AQM techniques.