The full-buffer Shrew (FB-Shrew) denial of service (DoS) attack is a variant of the classic Shrew attack that exploits the congestion control mechanism of the Transmission Control Protocol (TCP). Here, an attacker sends a high-rate burst of attack packets only after the router buffer is filled with TCP packets, causing the router to drop legitimate packets and forcing the retransmission of TCP packets. As such, an FB-Shrew attack can cause maximum damage with minimum resources. In this paper, we challenge the assumption of constant round-trip time adopted in the original FB-Shrew model. As a result of this assumption, the original model fails to achieve its expected attack effect. In response, we analyze the TCP congestion window and queue behaviors to develop two low-high burst models for maximizing the potency of the FB-Shrew attack. Model 1 is designed to achieve the attack effect expected of the original model. Then, the attack potency of Model 1 is enhanced by simply adjusting the starting time of the attack burst to form Model 2. Model 1 only exploits the retransmission timeout (RTO) mechanism. Model 2 takes advantage of both the RTO mechanism and the fast retransmission mechanism. In this way, Model 2 further slows down the growth of the congestion window and extends the attack period. A combination of theoretical analyses and simulations is adopted to first validate the proper functioning and effectiveness of the two models for a standard network configuration, and then we assess their attack performances with variations in different network parameters. Our performance assessment demonstrates that one attack unit of Model 2 damages almost twice the number of TCP units as one attack unit of Model 1, which represents an increase in attack potency of nearly 200 percent. The present study provides an expanded basis to explore FB-Shrew attack patterns that may be utilized by attackers. Moreover, the damage that could be inflicted by such an attack and the extent to which defense strategies are capable of mitigating the attack's impact could be assessed more precisely by defenders.