
Queue Management as a DoS Counter-Measure?

Conference paper. Information Security (ISC 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4779)

Abstract

In this paper, we study the performance of timeout-based queue management practices in the context of flood denial-of-service (DoS) attacks on connection-oriented protocols, where server resources are depleted by uncompleted illegitimate requests generated by the attacker. This includes both crippling DoS attacks where services become unavailable and Quality of Service (QoS) degradation attacks. While these queue management strategies were not initially designed for DoS attack protection purposes, they do have the desirable side-effect of providing some protection against them, since illegitimate requests time out more often than legitimate ones. While this fact is intuitive and well-known, very few quantitative results have been published on the potential impact on DoS-attack resilience of various queue management strategies and the associated configuration parameters. We report on the relative performance of various queue strategies under a varying range of attack rates and parameter configurations. We hope that such results will provide usable configuration guidelines for end-server or network appliance queue hardening. The use of such optimisation techniques is complementary to the upstream deployment of other types of DoS-protection countermeasures, and will probably prove most useful in scenarios where some residual attack traffic still bypasses them.
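The mechanism the abstract describes, a bounded pending-request table that an attacker fills with requests that never complete and that an idle timeout slowly drains, can be reproduced in a small discrete-event simulation. The block below is an added illustration, not the paper's model or code; its queue size, arrival rates, hold-time distribution, timeout values and seed are all constructed for the example. It sweeps the timeout from "none" to "very short" and reports the share of legitimate requests that were both admitted and allowed to complete, which shows both effects the abstract alludes to: a timeout recovers slots from uncompleted illegitimate requests, but a timeout shorter than the time slow legitimate clients need starts evicting those clients too.

```python
"""Toy discrete-event simulation of a bounded pending-request table (e.g. half-open
connections of a connection-oriented protocol) under a flood of requests that never
complete, comparing how an idle timeout on table entries affects the share of
legitimate requests served.  Added illustration: the paper's own model and parameters
are not on this page, and every rate, size and seed below is constructed."""
import heapq
import random


def simulate(capacity, timeout, legit_rate, attack_rate, legit_hold, duration, seed=1):
    """Return the fraction of legitimate requests that were admitted AND completed.

    capacity    -- number of slots in the pending-request table
    timeout     -- seconds an entry may stay pending before the server evicts it
                   (None = never evict, i.e. no timeout-based queue management)
    legit_rate  -- Poisson arrival rate (per second) of legitimate requests
    attack_rate -- Poisson arrival rate (per second) of requests that never complete
    legit_hold  -- mean time (seconds) a legitimate request needs to complete;
                   exponentially distributed, so a minority of slow clients exists
    duration    -- simulated seconds
    """
    rng = random.Random(seed)

    # Merge two independent Poisson arrival streams into one time-ordered list.
    arrivals = []
    for kind, rate in (("legit", legit_rate), ("attack", attack_rate)):
        if rate <= 0:
            continue
        t = 0.0
        while True:
            t += rng.expovariate(rate)
            if t > duration:
                break
            arrivals.append((t, kind))
    arrivals.sort()

    releases = []  # min-heap of the times at which occupied slots become free
    legit_total = legit_served = 0
    limit = float("inf") if timeout is None else timeout

    for now, kind in arrivals:
        # Evict entries whose completion or timeout has already passed.
        while releases and releases[0] <= now:
            heapq.heappop(releases)

        if kind == "legit":
            legit_total += 1

        if len(releases) >= capacity:
            continue  # table full: the request is dropped on arrival

        if kind == "legit":
            hold = rng.expovariate(1.0 / legit_hold)
            if hold <= limit:
                legit_served += 1                      # completes before the timeout fires
                heapq.heappush(releases, now + hold)
            else:
                heapq.heappush(releases, now + limit)  # slow client evicted: counted as lost
        else:
            # Never completes: the slot is only recovered by the timeout, if there is one.
            heapq.heappush(releases, now + limit)

    return legit_served / legit_total if legit_total else 1.0


def sweep(timeouts, **kwargs):
    """Map each timeout setting (None = no timeout) to the legitimate service ratio."""
    return {t: simulate(timeout=t, **kwargs) for t in timeouts}


if __name__ == "__main__":
    # Constructed scenario: 64 slots, 5 legitimate and 50 never-completing requests
    # per second, legitimate handshakes taking 0.2 s on average, 60 s simulated.
    base = dict(capacity=64, legit_rate=5.0, attack_rate=50.0, legit_hold=0.2, duration=60.0)
    for t, ratio in sweep([None, 5.0, 1.0, 0.1], **base).items():
        print(f"timeout={t!s:>5}: legitimate requests served = {ratio:.2%}")
```

With no timeout the table fills within a couple of seconds and almost every later legitimate request is dropped; a timeout long relative to the attack rate (5 s here) only partially helps because the attacker still keeps most slots occupied; a timeout of about 1 s keeps the attacker's steady-state occupancy below the table size and serves nearly all legitimate requests; and a timeout of 0.1 s, shorter than many legitimate handshakes, evicts legitimate clients itself. The useful operating point therefore depends on table size, attack rate and the legitimate completion-time distribution, which is the parameter study the abstract sets out to do.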




Editor information

Juan A. Garay, Arjen K. Lenstra, Masahiro Mambo, René Peralta


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg


Cite this paper

Boteanu, D., Fernandez, J.M., McHugh, J., Mullins, J. (2007). Queue Management as a DoS Counter-Measure?. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds) Information Security. ISC 2007. Lecture Notes in Computer Science, vol 4779. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75496-1_18


  • DOI: https://doi.org/10.1007/978-3-540-75496-1_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75495-4

  • Online ISBN: 978-3-540-75496-1

  • eBook Packages: Computer Science, Computer Science (R0)
