Denial of Service attacks are presenting an increasing threat to the global internetworking infrastructure. Hosts with divergent or malicious interests can readily subvert the protocols and infrastructure that the Internet depends on. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to high-rate non-responsive flows. However, little is known about low-rate denial of service attacks. We have discovered that low-rate attacks can be as harmful as high-rate ones, and in one respect more dangerous: because their average rate is low, they are difficult for routers and counter-DoS mechanisms to detect.
In particular, the low-rate attack, which we call the shrew attack, consists of short bursts of packets of maliciously chosen duration that repeat with a fixed, maliciously chosen, slow-time-scale frequency. This traffic pattern is carefully designed to exploit TCP's deterministic retransmission timeout mechanism: each burst induces losses that force the flow into a timeout, and the burst period is chosen so that the retransmission attempt meets the next burst. When multiplexed with TCP cross-traffic, such a pattern can throttle TCP flows to a small fraction of their ideal rate while transmitting at an average rate low enough to elude detection. Moreover, we demonstrated the ubiquity of the attacks by launching limited-scale attacks in parts of the Internet.
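The timing interaction described above, as an added example that is not part of the original abstract or the paper's own code: a toy Python model of one TCP flow sharing a bottleneck with a square-wave attacker. The model's assumptions are ours, not the paper's measurements: every TCP packet sent during a burst is dropped, a loss forces a retransmission timeout, a lost timeout probe doubles the RTO (capped at 64 s), and a successful probe resets the RTO and lets the flow resume at full rate until the next burst, with no slow-start ramp. The 1 s floor on the RTO is the minimum recommended by RFC 2988/6298; the 10 Mb/s link figure is constructed.

```python
"""
Toy model of the shrew (low-rate TCP-targeted DoS) attack.

Added example, not code from the paper. Assumptions (ours):
  * an attacker burst at the bottleneck drops every TCP packet sent while the
    burst lasts (the burst fills the queue);
  * a loss forces a retransmission timeout; the sender waits RTO, then sends
    one probe packet; a lost probe doubles RTO (capped at MAX_RTO);
  * a successful probe resets RTO to MIN_RTO and the flow immediately resumes
    at full rate until the next burst (no slow-start ramp is modelled).
MIN_RTO = 1 s is the floor RFC 2988/6298 give for TCP's retransmission timer.
"""
import math

MIN_RTO = 1.0   # seconds; RFC 2988/6298 recommended minimum RTO
MAX_RTO = 64.0  # seconds; common cap on exponential backoff


def in_burst(t: float, period: float, burst_len: float) -> bool:
    """True if time t lies inside an attacker burst [k*period, k*period + burst_len)."""
    return (t % period) < burst_len


def simulate_tcp_throughput(period: float, burst_len: float,
                            duration: float = 100.0,
                            min_rto: float = MIN_RTO,
                            max_rto: float = MAX_RTO) -> float:
    """Normalized throughput (fraction of `duration` spent sending at full rate)
    of one TCP flow under a square-wave attack with the given burst period."""
    if not 0.0 < burst_len < period:
        raise ValueError("burst must be shorter than the attack period")
    t = 0.0
    rto = min_rto
    sending = 0.0
    while t < duration:
        if in_burst(t, period, burst_len):
            # The packet (or the timeout probe) meets a burst and is dropped:
            # back off and retry after the current RTO.
            t += rto
            rto = min(2.0 * rto, max_rto)
            continue
        # Probe got through: RTO resets and the flow sends until the next burst.
        rto = min_rto
        next_burst = (math.floor(t / period) + 1) * period
        end = min(next_burst, duration)
        sending += end - t
        t = end
    return sending / duration


def average_attack_rate(burst_rate: float, burst_len: float, period: float) -> float:
    """Attacker's long-term average rate: what a rate-based detector sees."""
    return burst_rate * burst_len / period


def throughput_vs_period(periods, burst_len: float = 0.1) -> dict:
    """Sweep the inter-burst period, mirroring the period-vs-throughput study."""
    return {p: simulate_tcp_throughput(p, burst_len) for p in periods}


if __name__ == "__main__":
    link = 10e6  # 10 Mb/s bottleneck (constructed figure)
    avg = average_attack_rate(link, 0.1, 1.0)
    print(f"attacker average rate at T=1 s, L=100 ms: {avg / 1e6:.1f} Mb/s")
    for p, thr in throughput_vs_period([0.5, 1.0, 1.5, 2.0, 3.0, 5.0]).items():
        print(f"period {p:4.1f} s -> TCP throughput {thr:5.2f} of ideal")
```

With a period equal to (or an integer fraction of) the 1 s minimum RTO, every retransmission probe lands in a burst and the modelled flow's throughput goes to zero, while the attacker's average rate is only a tenth of the link. Periods longer than the RTO floor let the flow recover between bursts, giving roughly (T - 1)/T of the ideal rate, which is the shape the paper's period-vs-throughput study exhibits.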