Title: A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks

Authors: Jiarun Lin; Changwang Zhang; Zhiping Cai; Qiang Liu; Jianping Yin

Addresses: School of Computer, National University of Defense Technology, Changsha, Hunan, 410073, China; School of Computer, National University of Defense Technology, Changsha, Hunan, 410073, China; School of Computer, National University of Defense Technology, Changsha, Hunan, 410073, China; School of Computer, National University of Defense Technology, Changsha, Hunan, 410073, China; State Key Laboratory of High Performance Computing, National University of Defense Technology, Changsha, Hunan, 410073, China

Abstract: Although the existing robust random early detection (RRED) algorithm can preserve normal TCP throughput under various low-rate distributed denial-of-service (LDDoS) attacks, it fails to maintain fairness among TCP flows and to counter large-scale LDDoS attacks or address-spoofing LDDoS attacks. In contemporary networks, it is much easier to launch UDP-based LDDoS attacks that achieve a more severe attack effect with much lower effort than to launch TCP-based attacks. Based on this observation, this paper proposes the fair robust random early detection (FRRED) algorithm, a TCP-friendly AQM algorithm to improve performance in terms of throughput and fairness. The key idea of the FRRED algorithm is 'protocol-based hash partitioning', which segregates the records of UDP and TCP flows maintained in a counting bloom filter that is space-efficient and well-designed. Theoretical analysis and simulation results show that the FRRED algorithm can effectively preserve TCP throughput and significantly improve fairness among TCP flows to mitigate various LDDoS attacks.

Keywords: LDDoS attacks; low-rate DDoS; distributed DoS; denial of service; TCP flows; transmission control protocol; active queue management; AQM; robustness; fairness; throughput; performance evaluation; address spoofing; robust random early detection; RRED; hash partitioning; simulation; network security; user datagram protocol; UDP flows.

DOI: 10.1504/IJAACS.2016.075391

International Journal of Autonomous and Adaptive Communications Systems, 2016 Vol.9 No.1/2, pp.149 - 163

Received: 11 Sep 2013
Accepted: 11 Oct 2013

Published online: 19 Mar 2016