
Research On Defense Mechanism Of Low-rate Denial-of-Service Attacks

Posted on: 2009-05-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: K Dong
Full Text: PDF
GTID: 1118360242495811
Subject: Information security
Abstract/Summary:
With the development of computer networks and communication technology, network security problems have multiplied as well. An important class of these is the denial-of-service (DoS) attack. In a DoS attack, the attacker uses many kinds of methods to break network services or degrade their quality, inconveniencing the legitimate users of the network and sometimes even damaging the network infrastructure. DoS attacks threaten economies and have many negative effects on society. DoS attacks take many forms; a large part of them are high-traffic attacks, which are now easy to detect and defend against with intrusion detection systems (IDS) and active queue management (AQM) schemes. The low-rate denial-of-service (LrDoS) attack is a novel type of DoS attack that has appeared recently. Unlike the high-traffic DoS attacks, an LrDoS attack has a very low mean traffic rate, so it is hard to detect and defend against with IDS and AQMs. The appearance of the LrDoS attack therefore poses a much greater threat to network security, and researchers have turned their attention to defending against this type of attack.

An LrDoS attack exploits the constant lower bound on the retransmission timeout (RTO) in TCP congestion control. The attacker(s) spend little and gain much in reducing TCP throughput on the target links: the attack can keep the congestion window of the TCP sender at a very low level, and sometimes causes the TCP senders to time out continuously. Compared with high-traffic DoS attacks, an LrDoS attack persists for a shorter time and has a lower mean traffic rate. Using traffic-matching methods to detect the attack traffic may raise false alerts frequently, and the widely used AQMs such as RED, RED-PD and CHOKe cannot filter LrDoS attack traffic effectively. It is therefore a serious problem for TCP, the most widely used transport protocol.

This dissertation analyzes the principle of the LrDoS attack and the essential origin of its influence on network performance, and uses network simulation and practical experiments to analyze how several congestion control protocols, including TCP Reno, TCP NewReno and FAST TCP, perform when facing an LrDoS attack. The analysis and experiments show that the essential reason the LrDoS attack succeeds is the imbalance between the TCP and UDP protocols, together with the asymmetry between the time scale of the TCP retransmission timeout and the attacker's cost. From the features an AQM needs in order to beat the LrDoS attack, some ideas for defending against it are drawn.

Secondly, the dissertation analyzes the performance of the entire network when facing an LrDoS attack, and analyzes the variation of the TCP sender's congestion window when an LrDoS attack is on the link, using semi-Markov chain theory.

After that, in order to defend against the LrDoS attack, two dynamic adjusting strategies for the retransmission timeout timer, which require only a small change to the IP header of ACK packets, are designed to improve TCP's data transmission performance under LrDoS attack. Experiments show that the strategies greatly improve TCP's performance, and that they do not reduce network performance when there is no LrDoS attack.

Finally, a congestion control protocol is designed that adjusts the congestion window according to the congestion state of the network. It preserves the congestion window during the congestion caused by the high UDP traffic and resumes transmission after the LrDoS burst with the congestion window it preserved, so the TCP senders are not affected by the LrDoS attack. Simulation results show that it mitigates the influence of the LrDoS attack.
Keywords/Search Tags: Low-rate denial of service (LrDoS) attack, TCP, congestion control, retransmission timeout, Markov process, dynamic adjusting strategy