Title :
A novel scheme based on dropped-packet information to restrict pulsing denial-of-service attacks
Author :
Iwanari, Yuki ; Asaka, Takuya ; Takahashi, Tatsuro
Author_Institution :
Grad. Sch. of Inf., Kyoto Univ., Yoshida, Japan
Abstract :
Pulsing denial-of-service (PDoS) attacks pose a serious problem on the Internet. The attacker periodically sends high-rate traffic over a short period. The resulting packet drops from legitimate TCP flows force those flows to degrade their throughput. A problem with conventional methods is that bursty short-lived TCP flows may be mistaken for PDoS attacks and have their throughput decreased. This paper proposes a queue management scheme that restricts PDoS attacks while overcoming this problem. In the proposed method, malicious flows are first identified from dropped-packet information, and then the packet-in-buffer count of each malicious flow is limited. This lets legitimate TCP flows retain their throughput, and even a bursty TCP flow that is mistakenly identified still obtains some throughput. In addition, we evaluated the effect of the two thresholds in the proposed method, the dropped-packet threshold and the packet-in-buffer threshold, on throughput, and established a policy for setting these two thresholds.
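The two-stage mechanism the abstract describes (flag a flow once its dropped-packet count reaches a threshold, then cap how many packets a flagged flow may hold in the buffer) can be illustrated with a small discrete-time simulation. The code below is an added example written for this record, not the authors' implementation; the drop-tail FIFO, the slot-based arrival/service model, the flow names, and the threshold values 5 and 2 are all assumptions chosen to make the effect visible, and the paper's exact algorithm and parameters are not on this page.

```python
from collections import deque


class PdosQueue:
    """Drop-tail FIFO with a per-flow dropped-packet threshold and a
    per-flow packet-in-buffer threshold (hypothetical illustration of the
    scheme in the abstract, not the authors' code).

    Stage 1: every drop is charged to the flow that suffered it; a flow whose
             drop count reaches `drop_threshold` is treated as malicious.
    Stage 2: a malicious flow may hold at most `buffer_threshold` packets in
             the buffer, so it can no longer crowd out legitimate flows.
    With both thresholds set to None the queue is a plain drop-tail FIFO.
    """

    def __init__(self, capacity, drop_threshold=None, buffer_threshold=None):
        self.capacity = capacity
        self.drop_threshold = drop_threshold
        self.buffer_threshold = buffer_threshold
        self.buf = deque()          # packets in the buffer, identified by flow id
        self.in_buffer = {}         # flow id -> packets currently buffered
        self.dropped = {}           # flow id -> dropped-packet count
        self.admitted = {}          # flow id -> packets admitted so far

    def is_malicious(self, flow):
        return (self.drop_threshold is not None
                and self.dropped.get(flow, 0) >= self.drop_threshold)

    def _drop(self, flow):
        self.dropped[flow] = self.dropped.get(flow, 0) + 1
        return False

    def enqueue(self, flow):
        # Stage 2: cap the buffer share of a flow already flagged as malicious.
        if (self.is_malicious(flow)
                and self.in_buffer.get(flow, 0) >= self.buffer_threshold):
            return self._drop(flow)
        # Ordinary drop-tail; stage 1 is the per-flow drop count recorded here.
        if len(self.buf) >= self.capacity:
            return self._drop(flow)
        self.buf.append(flow)
        self.in_buffer[flow] = self.in_buffer.get(flow, 0) + 1
        self.admitted[flow] = self.admitted.get(flow, 0) + 1
        return True

    def dequeue(self):
        if not self.buf:
            return None
        flow = self.buf.popleft()
        self.in_buffer[flow] -= 1
        return flow


def simulate(drop_threshold=None, buffer_threshold=None, slots=40,
             capacity=10, service=5,
             legit=("web1", "web2", "web3", "web4"),
             attacker="pulser", pulse_period=8, pulse_width=2, pulse_size=20):
    """Constructed traffic: four legitimate flows send one packet per slot;
    the attacker sends `pulse_size` packets in the first `pulse_width` slots
    of every `pulse_period`. The link serves `service` packets per slot."""
    q = PdosQueue(capacity, drop_threshold, buffer_threshold)
    for t in range(slots):
        # The pulse arrives first in its slot: the worst case for legitimate flows.
        if t % pulse_period < pulse_width:
            for _ in range(pulse_size):
                q.enqueue(attacker)
        for flow in legit:
            q.enqueue(flow)
        for _ in range(service):
            q.dequeue()
    return q


def legit_admitted(q, legit=("web1", "web2", "web3", "web4")):
    return sum(q.admitted.get(f, 0) for f in legit)


if __name__ == "__main__":
    plain = simulate()
    guarded = simulate(drop_threshold=5, buffer_threshold=2)
    print("legitimate packets admitted, plain drop-tail:", legit_admitted(plain))
    print("legitimate packets admitted, with thresholds:", legit_admitted(guarded))
    print("attacker packets admitted, plain / guarded:",
          plain.admitted["pulser"], "/", guarded.admitted["pulser"])
    print("attacker flagged:", guarded.is_malicious("pulser"),
          "web1 flagged:", guarded.is_malicious("web1"))
```

With these constructed parameters the attacker's first pulse fills the buffer and is charged enough drops to cross the dropped-packet threshold; from then on it is held to two buffered packets per slot and the legitimate flows lose nothing further. The cap, rather than an outright block, is what lets a bursty flow that is wrongly flagged keep some throughput: the flagged flow here still gets `buffer_threshold` packets into the buffer each time it empties them, which is the behaviour the abstract claims for mistaken TCP flows. Raising the dropped-packet threshold delays identification and lets the attacker do more damage per pulse; raising the packet-in-buffer threshold gives a flagged flow more of the buffer back, which is the trade-off the two thresholds control.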
Keywords :
Internet; computer network management; computer network security; queueing theory; transport protocols; Internet; dropped-packet information; high-rate traffic; pulsing denial-of-service attacks; queue management; Bandwidth; Computer crime; Degradation; Informatics; Internet; Personal communication networks; Safety; Throughput; Traffic control; Web server;
Conference_Titel :
Information and Telecommunication Technologies (APSITT), 2010 8th Asia-Pacific Symposium on
Conference_Location :
Kuching
Print_ISBN :
978-1-4244-6413-5
Electronic_ISBN :
978-4-88552-244-4