
HAWK: Halting Anomalies with Weighted Choking to Rescue Well-Behaved TCP Sessions from Shrew DDoS Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 3619)

Abstract

High availability in network services is crucial for effective large-scale distributed computing. While distributed denial-of-service (DDoS) attacks through massive packet flooding have baffled researchers for years, a new type of even more detrimental attack—shrew attacks (periodic intensive packet bursts with low average rate)—has recently been identified. Shrew attacks can significantly degrade well-behaved TCP sessions and repel potential new connections, and they are very difficult to detect, not to mention defend against, due to their low average rate.

We propose a new stateful adaptive queue management technique called HAWK (Halting Anomaly with Weighted choKing), which works by judiciously identifying malicious shrew packet flows using a small flow table and dropping such packets decisively to halt the attack so that well-behaved TCP sessions can regain their bandwidth shares. Our extensive NS-2 based performance results indicate that HAWK is highly agile.

Manuscript accepted for presentation at ICCNMC 2005 in August 2005. This research was supported by an NSF ITR Research Grant under contract number ACI-0325409. Corresponding Author: Kai Hwang, Email: kaihwang@usc.edu, Fax: 213-740-4418.




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kwok, YK., Tripathi, R., Chen, Y., Hwang, K. (2005). HAWK: Halting Anomalies with Weighted Choking to Rescue Well-Behaved TCP Sessions from Shrew DDoS Attacks. In: Lu, X., Zhao, W. (eds) Networking and Mobile Computing. ICCNMC 2005. Lecture Notes in Computer Science, vol 3619. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11534310_46


  • DOI: https://doi.org/10.1007/11534310_46

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28102-3

  • Online ISBN: 978-3-540-31868-2

  • eBook Packages: Computer Science, Computer Science (R0)
