International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org
Volume 3, Issue 6, November-December 2014
Study of Low Rate Denial of Service (LDoS)
attacks on Random Early Detection (RED)
Prashant Viradiya1, Divyarajsinh Vaghela2 and Dharmesh Dhangar3
1
Lecturer, Computer Science & Engineering, Parul Institute of Engineering & Technology,Vadodara,India.
2
Assistant Professor, Computer Science & Engineering, Parul Institute of Engineering & Technology,Vadodara,India.
3
Assistant Professor, Computer Science & Engineering, Parul Institute of Engineering & Technology,Vadodara,India.
Abstract
RED Active Queue Management is designed to avoid
congestion by controlling the average queue size. However a
malicious flow cannot be identified. And it enables potential
network-layer attacks, e.g. the flooding Denial-of-Service
(DoS) attack and the low-rate DoS attack. LDoS attack is very
difficult to identify because the average rate of packet sending
will be very low. This is achieved by sending large amount of
packets for a very short duration and repeating this process in
regular intervals. This paper analyzes the effect of LDoS
attack on RED and compares the existing prevention
methods.
Keywords:- Random Early Detection Queue, Low Rate
Denial of Service Attack, TCP, Retransmission timeout
1.Introduction
In wired networks, if the packet transmission rate crosses
the capacity of links, congestion will arise. To tackle the
congestion packet loss, researchers have implemented
several Active Queue Management Schemes like RED,
Blue and SFQ. RED is very much sensitive to its
parameters like min_threshold and max_threshold. If the
average queue size is less than min_threshold, no drop
will occur. If it is greater than max_threshold, it will drop
all packets and if it is in between max and min thresholds,
packets will be probabilistically dropped. Another
advantage of RED is that it prevents TCP Global
Synchronization. TCP Global synchronization occurs
when all senders need to reduce their packet sending rate
concurrently during congestion. Since
2. SURVEY ON LOW RATE DENIAL OF
SERVICE ATTACK (LDOS)
LDoS attack is a variation of DoS attack in which high
rate of data is pushed to network for very short period of
time and this process repeats over intervals which
corresponds to the retransmission time out period of TCP.
Thus by properly exploiting TCP’s RTO, this attack
reduces the TCP throughput to near zero. The behavior of
LDoS attack can be compared to a square wave which
contains on off pulses. ON corresponds to the attacking
period and OFF corresponds to the period where attacker
remains silent. Thus if we track, average rate of packet
sending for detecting the attack, we cannot distinguish
between a legitimate user and LDoS attacker. If we
compare the rate of packet sending at a particular time
slot to identify an attacker, some normal senders which
send occasional burst packets are also being categorized as
Volume 3, Issue 6, November-December 2014
ISSN 2278-6856
attackers. Thus it is very difficult to identify an LDoS
attack. LDoS attack is also called Shrew attack [1] or
sledgehammer attack [2]. (Shrew is a small mouse like
mammal but has a long-snout and venom which is able to
kill larger animals). (Sledge hammer can exert more force
compared to other hammers and the force is distributed
over large area).
Fig.1:Ldos attack stream
As shown in Fig.1, represents the attack period,
represents the attack burst width, and represents the
attack burst rate. The LDoS attack exploits TCP’s slow-
time-scale dynamics of retransmission time-out (RTO)
mechanisms to reduce TCP throughput [r6]. Basically, an
attacker can cause a TCP flow to repeatedly enter a RTO
state by sending high-rate ( ), but short-duration bursts
( ), and repeating periodically at slower RTO time-
scales ( ). The TCP throughput at the attacked node will
be significantly reduced while the attacker will have low
average rate making it difficult to be detected.
3. IDEA BEHIND LDOS ATTACK
LDoS attacks are initiated at proper time gaps. This
interval is chosen such that it coincides with the
retransmission time out (RTO) period of TCP. According
to Karn’s Algorithm, initially as a part of its window
adjustment mechanism TCP send 1MSS packet by setting
its RTO as 1ms.If the packet is delivered within this RTO
period TCP doubles its packet size and halves its RTO
time and the process continues. But if the packet is not
delivered within that RTO, it doubles its RTO value and
try again to deliver the packet. In case of LDoS attack
what happens is that attacker will initiate an attack at 1ms
thus producing congestion; so TCP cannot deliver the
packets, it doubles its RTO value and sends the packet
again. Knowing this attacker will initiate the attack at
2ms. Again the TCP packets get dropped. Similarly
proceeding TCP goes on increasing its RTO value without
Page 33
 International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org
Volume 3, Issue 6, November-December 2014
being able to deliver a single packet. Thus the throughput
of TCP is reduced to near zero due to LDoS attack[3].
Problems Associated with LDoS Attack:
According to Aleksandar Kuzmanovic and Edward W.
Knightly[4] the main threats put forward by LDoS are as
follows:
• Low-rate DoS attacks degrade the performance of
both short and long lived TCP traffic.
• IF RTT of packets are low then effect of attack is
more.
• Low-rate periodic packets can be very harmful to
short-RTT TCP traffic.
• Both network-routers an end-point-based mechanism
can only reduce, but not eliminate the attack.
LDoS attack disrupts internet routing: Ying Zhang et
al. showed that LDoS attack can disrupt Internet routing
[5]. According to them low-rate TCP targeted DoS attacks
have a significant effect on the Border Gateway Protocol
(BGP). BGP is the critical infrastructure for
communication reachability information across the global
Internet. But if LDoS attack occurs, then BGP routing
sessions can be reset leading to delay in routing. This will
in turn effect routing stability and network reachability.
• LDoS Attacking Application Servers: GabrielMaci´a-
Fern´andez et al, studied how LDoS attack effects
Application Servers [6]. The LDoS attack tries to
consume the resources of the target server with only
low-rate traffic so that most of the server protection
mechanisms are bypassed.
• LDoS Attack on Monoprocess Servers: Vulnerability
in monoprocess or mono threaded servers due to
LDoS attack is studied in [7].Low rate feature makes
the attack less vulnerable to detection by current
Intrusion Detection Systems, which usually expect
high rate traffic. If intruder can get knowledge about
cycle time of server he can accurately build the attack.
This attack threatens the application level by making
the server engaged with serving intruder requests.
4. EXISTING METHODS TO PROTECT
RED FROM LDOS ATTACK
Researchers have proposed some methods to protect RED
from LDoS attack, among which some of them use partial
state flow analysis where as others use per flow analysis.
Per-flow scheduling mechanisms provide max-min
fairness but are more complex, keeping track of all flows
going through the router. Robust Red (RRED): RRED
introduced in [13] is considered as a variant of RED that
can effectively throttle LDoS attack. It adds a LDoS
packet detection and filtering mechanism before RED
block to filter out all attacking packets before they feed to
RED. An incoming packet from flow is suspected to be an
attacking packet if it arrives within a short-range after a
packet from f that is dropped by the detection and filter
block or after a packet from any flow that is dropped by
the RED block. Hence it uses per-flow analysis to detect
attack. Robust RED with Testing: Additional to the
detection and filtering mechanism of RRED a testing
phase [9] is added. In the testing phase, buffer space of the
Volume 3, Issue 6, November-December 2014
ISSN 2278-6856
incoming flow is considered. It has been proved that,
variation in buffer size has an impact on LDoS attacks [8].
Larger the buffer size gives out higher probability in
detecting the LDoS attacks. The proposed testing scheme
is that within a time out of the flow, the buffer size must
come back to size L, which is an optimum size considered
else it is suspected that the attacking packets are not
filtered out and again the detection process is carried out.
5. PREFERENTIAL DROPPING RED (RED-
PD)
RED-PD proposes partial flow-based mechanism that
combines simplicity and protection by keeping state for
just the high-bandwidth flows. RED-PD [10] uses the
packet drop history at the router to detect high-bandwidth
flows in times of congestion and preferentially drop
packets from these flows. Flows are identified when their
arrival rate is more than the target bandwidth T.
Probabilistically implementing dropping on these
monitored flows their bandwidth is kept below T at times
of congestion. RED-PD is successful in detecting Denial
of Service attacks, but cannot prevent LDoS attack.
CHOKe: CHOose and Keep for responsive flows and
CHOose and Kill for Unresponsive Flows aims to
approximate max-min fairness for the flows that pass
through the congested router. When a packet arrives at a
congested router, CHOKe draws a packet random from the
FIFO queue, and compares it within coming packet. If
they both belong to the same flow they both are dropped,
else the randomly chosen packet is kept intact and the
arriving packet is allowed in to the RED queue with a
probability depending on the level of congestion[11].
RED-FT: RED with Flow Trust (RED-FT) using
networks flow characteristics to ensure the legitimate
users’ communications and the fairness of the queue as
much as possible. In other words, It introduce the
networks flow trust as an important decision-making
factor of AQM and improve the robustness of previous
algorithms. A router monitors network flows and
calculates flows trust values, which are used for the
relevant queue management. Malicious flows would be
with lower trust values while legitimate flows would be
with higher ones[12].
RRED-PD: ROBUST PREFERENTIAL DROPPING
RED removes LDoS attack from initially identified high
bandwidth consuming flows. By using partial flow
analysis we are able to prevent the attack[s].It is
combination of Robust Red (RRED) and Preferential
Dropping RED (RED-PD).In this method to detect LDoS
attack only partial flow analysis is needed because by
using RED-PD, a max-min fairness of bandwidth is
obtained among different flows, and only the high
bandwidth consuming flows need to be monitored[14].
Page 34
 International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org
Volume 3, Issue 6, November-December 2014
6. CONCLUSION
This paper surveys and compares various Existing
Methods available to protect RED from LDoS attack. It
also highlights the issues present in currently available
LDoS detection mechanisms. Preferential Dropping RED
(RED-PD) was introduced in which the high bandwidth
consuming flows are identified and monitored. But it
failed to prevent LDoS attacks. Robust RED algorithm
and RED-FT to counter LDoS attacks but the drawback of
this methods are that it is following a per flow scheduling
mechanism which are more complex, maintaining state
for all flows going through the router.
REFERENCES
[1] Clark, David D.; Wroclawski, John (July 1997). “An
Approach to Service Allocation in the Internet”,
IETF, 2011.
[2] H. Sakoe and H. Chiba.“Dynamic programming
algorithmoptimization for spoken word recognition”,
IEEE Trans.AcousticsSpeech, and Signal Proc.,
26(1), Feb. 1978.
[3] C. Zhang, J. Yin, Z. Cai, et al., “RRED: robust RED
algorithm to counter low-rate denial-of-service
attacks,” IEEE Commun. Lett., vol. 14, no. 5, pp.
489–491, 2010.
[4] A. Kuzmanovic and E. W. Knightly, “Low-rate TCP-
targeted denial of service attacks and counter
strategies,” IEEE/ACM Trans. Netw., vol. 14,no. 4,
pp. 683–696, 2006.
[5] Ying Zhang, Z. Morley Mao, Jia Wang,” Low-Rate
TCP-Targeted DoS Attack Disrupts Internet
Routing”, National Science Foundation,2010.
[6] Gabriel Maci´a-Fern´andez, Jes´us E. D´ıaz-Verdejo,
Pedro Garc´ıa-Teodoro,and Francisco de Toro-Negro
,” LoRDAS: A Low-RateDoS Attack against
Application Servers”, Dpt. of Signal
Volume 3, Issue 6, November-December 2014
ISSN 2278-6856
Theory,Telematics and Communications - University
of Granada.
[7] Gabriel Maci´a-Fern´andez, Jes´us E. D´ıaz-Verdejo,
and Pedro Garc´ıa-Teodoro, “Low Rate DoS Attack to
Monoprocess Servers” Dpt. of Signal Theory,
Telematics and Communications -University of
Granada,2006.
[8] SandeepSarat and Andreas Terz, “On the Effect of
Router Buffer Sizes on Low-Rate Denial of Service
Attacks”, IEEE Computer Society (2005).
[9] KarthikVelayudhan.A and .A.Arunmozhi,”Disruption
of Low-rate DoS Attacks using Modified RED
algorithm”, International Conference on Computing
and Control Engineering (ICCCE 2012), 12 & 13
April, 2012.
[10] RatulMahajan and Sally Floyd AT&T Center for
Internet Research at ICSc I (ACIRI),” Controlling
High Bandwidth Flows at the Congested Router”, In
Proceedings of IEEE ICNP 2001, Riverside,CA, Nov.
2001.
[11] R. Pan, B. Prabhakar, and K. Psounis, “CHOKe — a
stateless active queue management scheme for
approximating fair bandwidth allocation,” in Proc.
INFOCOM’00, Mar. 2000, pp. 942–951.
[12] Xianliang Jiang, Jiangang Yang, Guang Jin, and
Wei Wei ”RED-FT: A Scalable Random Early
Detection Scheme with Flow Trust against DoS
Attacks” IEEE COMMUNICATIONS LETTERS,
VOL. 17, NO. 5, MAY 2013.
[13] Zhang C W, Yin J P, Cai Z P, et al. RRED: robust
RED algorithm to counter low-rate denial-of-service
attacks, IEEE Communications Letters. 2010,
14:489−491
[14] Lija Mohan, Bijesh M. G, Jyothish K. John,Survey of
Low rate Denial of Service (LDoS) attack on RED
And its Counter Strategies, 978-1-4673-1344-5/12
©2012 IEEE.
Page 35