Abstract
In this paper, we study the performance of timeout-based queue management practices in the context of flood denial-of-service (DoS) attacks on connection-oriented protocols, where server resources are depleted by uncompleted illegitimate requests generated by the attacker. This includes both crippling DoS attacks, where services become unavailable, and Quality of Service (QoS) degradation attacks. While these queue management strategies were not initially designed for DoS attack protection purposes, they do have the desirable side-effect of providing some protection against them, since illegitimate requests time out more often than legitimate ones. While this fact is intuitive and well-known, very few quantitative results have been published on the potential impact of various queue management strategies and their associated configuration parameters on DoS-attack resilience. We report on the relative performance of various queue strategies under a varying range of attack rates and parameter configurations. We hope that such results will provide usable configuration guidelines for end-server or network appliance queue hardening. The use of such optimisation techniques is complementary to the upstream deployment of other types of DoS-protection countermeasures, and will probably prove most useful in scenarios where some residual attack traffic still bypasses them.
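As an added illustration, not code from the paper, the following Monte-Carlo model captures the trade-off the abstract describes: a server with a fixed number of slots for half-open connections, legitimate requests that complete after a random handshake time, and flood requests that are never completed and so hold a slot until the timeout evicts them. All rates, capacities and timeout values are constructed assumptions chosen to make the effect visible.

```python
import random
from dataclasses import dataclass


@dataclass
class Pending:
    """One half-open request occupying a server slot (constructed model)."""
    arrived: float
    completes_at: float  # inf for attack requests, which never complete


def simulate(timeout, attack_rate, legit_rate=50.0, capacity=256,
             legit_rtt=0.1, duration=20.0, seed=7):
    """Fraction of legitimate requests that obtain a slot and complete
    before the timeout fires. Arrivals are Poisson; legitimate handshake
    times are exponential with mean legit_rtt; attack requests are never
    completed, so they hold their slot until the timeout evicts them."""
    rng = random.Random(seed)
    pending = []
    now, total_rate = 0.0, legit_rate + attack_rate
    legit_seen = legit_ok = 0
    while now < duration:
        now += rng.expovariate(total_rate)            # next arrival
        # reap finished handshakes and timed-out slots
        pending = [p for p in pending
                   if p.completes_at > now and now - p.arrived < timeout]
        is_legit = rng.random() < legit_rate / total_rate
        if is_legit:
            legit_seen += 1
        if len(pending) >= capacity:
            continue                                  # backlog full: dropped
        if is_legit:
            rtt = rng.expovariate(1.0 / legit_rtt)
            if rtt < timeout:                         # completes before eviction
                legit_ok += 1
            pending.append(Pending(now, now + rtt))
        else:
            pending.append(Pending(now, float("inf")))
    return legit_ok / legit_seen if legit_seen else 1.0


def sweep(timeouts, attack_rate):
    """Map each timeout value to the legitimate completion fraction."""
    return {t: simulate(t, attack_rate) for t in timeouts}


if __name__ == "__main__":
    for rate in (0.0, 500.0):
        print(f"attack rate {rate:.0f}/s")
        for t, frac in sweep((0.05, 0.2, 0.5, 2.0), rate).items():
            print(f"  timeout {t:4.2f}s  legit completed {frac:.2f}")
```

With no attack a long timeout costs nothing, whereas under a flood a timeout that is too long lets attack entries saturate the backlog and one that is too short evicts legitimate handshakes before they finish, so the best value lies in between and depends on the attack rate.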
© 2007 Springer-Verlag Berlin Heidelberg
Boteanu, D., Fernandez, J.M., McHugh, J., Mullins, J. (2007). Queue Management as a DoS Counter-Measure?. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds) Information Security. ISC 2007. Lecture Notes in Computer Science, vol 4779. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75496-1_18
DOI: https://doi.org/10.1007/978-3-540-75496-1_18
Print ISBN: 978-3-540-75495-4
Online ISBN: 978-3-540-75496-1