RSFB: a Resilient Stochastic Fair Blue algorithm against spoofing DDoS attacks

Changwang Zhang*, Jianping Yin, and Zhiping Cai

School of Computer Science, National University of Defense Technology, Changsha, Hunan, China

* E-mail: [email protected]

Abstract— The existing Active Queue Management (AQM) algorithms, including the fairness-aimed ones, are notably vulnerable to spoofing DDoS attacks. We propose a Resilient Stochastic Fair Blue (RSFB) algorithm against spoofing DDoS attacks. The basic idea behind RSFB is to record the responsive normal TCP flows and rescue their dropped packets. Simulations and analysis show that the RSFB algorithm is highly robust and can fully preserve the TCP throughput in the presence of spoofing DDoS attacks.¹

I. INTRODUCTION

In order to combat congestion and improve network performance, quite a few Active Queue Management (AQM) algorithms, such as Random Early Detection (RED) [1] and its variants, have been proposed in the past decades. Many recently proposed AQM algorithms, such as Stochastic Fair Blue (SFB) [2] and RED with Preferential Dropping (RED-PD) [3], detect and rate-limit non-responsive flows to enforce fairness amongst different flows. However, our analysis and simulations demonstrate that the existing AQM algorithms, including the fairness-aimed ones, are rather vulnerable to spoofing Distributed Denial-of-Service (DDoS) attacks. Spoofing DDoS attacks are among the hardest DDoS attacks to detect and track, and DDoS attacks have been identified as a major threat to today’s Internet services.

The focus of this paper is on building a resilient AQM algorithm against spoofing DDoS attacks. We achieve this by proposing the Resilient SFB (RSFB) algorithm, which improves the SFB algorithm. Simulations and analysis demonstrate that the RSFB algorithm is highly robust and can fully preserve the TCP throughput in the presence of spoofing DDoS attacks.

The rest of this paper is organized as follows. Section II describes the RSFB algorithm in detail. Section III presents the performance evaluation, followed by conclusions in Section IV.

II. RESILIENT SFB (RSFB)

A. Overview of SFB

SFB is an AQM algorithm for enforcing fairness among a large number of flows, which detects and rate-limits non-responsive flows [2]. SFB keeps a marking probability pm for each incoming flow. At the same time, an updating algorithm was proposed for pm so that i) a non-responsive flow quickly drives its pm to 1, and ii) a responsive flow keeps its pm around 0. Thus, non-responsive flows are detected by their high pm, and SFB rate-limits them by dropping their packets. Additionally, SFB employs Bloom filters to record and update the state information of flows, which includes the pm of flows. This technique makes SFB a scalable means to enforce fairness amongst flows using an extremely small amount of state and buffer space. However, the Bloom filter technique also has innate drawbacks: the state information of responsive flows can be polluted by non-responsive flows in the Bloom filters. SFB would collapse under spoofing DDoS attacks, as demonstrated by our analysis and simulations. Thus, we propose the Resilient SFB (RSFB) algorithm against spoofing DDoS attacks.

¹ This work is supported in part by the National Natural Science Foundation of China (No.60603062 and No.60903040) and Natural Science Foundation of Hunan Province (06JJ3035).

B. RSFB

Fig. 1 depicts the basic architecture of RSFB. RSFB consists of a normal SFB block and an extra Benign Flow Queue (BFQ) block. The basic idea behind RSFB is to keep the responsive normal TCP flows in the BFQ and rescue their dropped packets.

Fig. 1. Architecture of Resilient SFB (RSFB)

ISCIT 2009

Fig. 2 shows the RSFB algorithm in detail, in which pkt denotes an incoming packet, f is pkt’s corresponding flow, and PQ represents the packet queue in the SFB algorithm. The RSFB algorithm is packet driven. When an incoming packet arrives at the router, it is first fed to the SFB block, and then two extra steps post-process the packet. In step 1, we update the Benign Flow Queue (BFQ). BFQ is a modified FIFO queue: its Delete operation can delete any element in the queue rather than only the head one, and its Insert operation can only insert an element at the tail of the queue. The flows whose pm equals 0 are considered benign flows and are inserted into the BFQ. In step 2, we rescue dropped packets from benign flows. After detecting a dropped packet pkt from a benign flow, we strive to insert it back into the packet queue (PQ). If PQ is not full, we simply insert pkt into PQ. If PQ is full, we try to drop a packet from non-benign flows and then insert pkt into PQ.
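The two post-processing steps described above, as an added Python sketch that is not code from the paper. The SFB block is reduced to its outputs (pm and the drop decision are passed in), the class and method names are hypothetical, and evicting the non-benign packet nearest the head of PQ is an assumption; the text does not say when a flow is deleted from the middle of the BFQ, so only head eviction is modeled.

```python
from collections import OrderedDict, deque

class RSFBPostProcessor:
    """The two RSFB steps that run after the SFB block has judged a packet."""

    def __init__(self, pq_limit=50, bfq_limit=50):
        self.pq = deque()          # PQ: (flow, packet) pairs, head at index 0
        self.pq_limit = pq_limit
        self.bfq = OrderedDict()   # BFQ: keys are flows, head is the oldest
        self.bfq_limit = bfq_limit

    def update_bfq(self, flow, pm):
        """Step 1: a flow enters the BFQ only when its pm equals 0."""
        if pm == 0 and flow not in self.bfq:
            if len(self.bfq) >= self.bfq_limit:
                self.bfq.popitem(last=False)   # BFQ full: delete the head flow
            self.bfq[flow] = True              # insert at the tail

    def rescue(self, flow, pkt):
        """Step 2: re-queue a dropped packet of a benign flow if possible."""
        if flow not in self.bfq:
            return False
        if len(self.pq) >= self.pq_limit:
            # Assumption: evict the non-benign packet closest to the head.
            idx = next((i for i, (f, _) in enumerate(self.pq)
                        if f not in self.bfq), None)
            if idx is None:
                return False                   # nothing to evict, drop stands
            del self.pq[idx]
        self.pq.append((flow, pkt))
        return True

    def on_packet(self, flow, pkt, pm, sfb_dropped):
        """Returns True if the packet ends up in PQ."""
        self.update_bfq(flow, pm)
        if not sfb_dropped:
            self.pq.append((flow, pkt))        # SFB itself queued the packet
            return True
        return self.rescue(flow, pkt)

def demo():
    """Constructed scenario: one TCP flow seen before a spoofed flood."""
    r = RSFBPostProcessor(pq_limit=4, bfq_limit=2)
    r.on_packet("tcp-1", "t0", pm=0.0, sfb_dropped=False)   # recorded as benign
    for i in range(3):                                       # flood fills PQ
        r.on_packet(f"spoof-{i}", f"u{i}", pm=0.3, sfb_dropped=False)
    rescued = r.on_packet("tcp-1", "t1", pm=0.3, sfb_dropped=True)
    flood = r.on_packet("spoof-9", "u9", pm=0.3, sfb_dropped=True)
    return rescued, flood, list(r.bfq), [f for f, _ in r.pq]
```

In the constructed scenario the TCP flow is recorded while its pm is still 0, so its later dropped packet displaces a spoofed packet from the full PQ, while the spoofed flows never reach pm = 0 and are never recorded.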

[Figure 2: flow diagram of the per-packet processing. After the SFB block, Step 1 updates the BFQ and Step 2 rescues dropped packets from benign flows.]

Fig. 2. Flow diagram of Resilient SFB (RSFB)

The observation which drives RSFB is that spoofing DDoS attacks quickly drive pm to a high value (bigger than 0) for all the flows that SFB maintains in Bloom filters. Recall that we only insert those flows whose pm equals 0 into the BFQ. When a spoofing DDoS attack is under way, there is hardly any new flow whose pm equals 0 and which can therefore be inserted into the BFQ. These facts help us to isolate the BFQ from spoofing DDoS attack flows. Thus our algorithm is effective in rescuing benign flows and can significantly improve the performance of TCP when the router is under a spoofing DDoS attack.

III. PERFORMANCE EVALUATION

In this section, we use the NS-2 simulator [4] to conduct a set of simulations to evaluate the performance of the proposed RSFB algorithm in the presence of spoofing DDoS attacks. Several other AQM algorithms, including RED [1], RED-PD [3], SFB [2] (with code provided by [5]), and DropTail, are used in the comparison. Fig. 3 shows the experimental topology. The queue size of the bottleneck link is 50 packets. AQM algorithms are used on the bottleneck queue, and other queues use DropTail. A TCP (Newreno) based FTP flow with a packet size of 1000 bytes is generated from each user (User 1 to User 30). Spoofing DDoS traffic is generated from Attacker 1 to Attacker 20 by sending UDP packets with a packet size of 50 bytes and spoofed source addresses. The size of the BFQ in RSFB is empirically set to 50 flows, and the other parameters of the AQM algorithms are all NS-2 default values. Let Ra denote the attack traffic rate of each attacker. We vary Ra from 0 Mbps to 0.5 Mbps to perform a set of experiments.

Fig. 3. Experimental topology

The experimental results are shown in Fig. 4. The results show that the RSFB algorithm is highly robust and can fully preserve the TCP throughput in the presence of spoofing DDoS attacks. The results also confirm that the existing AQM algorithms, including the fairness-aimed ones (SFB and RED-PD), are notably vulnerable to spoofing DDoS attacks. In particular, the RED-PD algorithm failed to finish the simulations when Ra > 0.25, because it cannot handle so many flows generated by spoofing DDoS attacks.

[Figure 4: plot of TCP throughput under attack (Mbps) versus Ra, the spoofing DDoS traffic rate (Mbps, 0 to 0.5), with curves for DropTail, RED, RED-PD, SFB and RSFB.]

Fig. 4. TCP throughput under spoofing DDoS attacks

IV. CONCLUSIONS

We have proposed a Resilient SFB (RSFB) against spoofing DDoS attacks in this paper. Simulations and analysis show that the RSFB algorithm (i) is highly robust, and (ii) can fully preserve the TCP throughput under spoofing DDoS attacks.

REFERENCES

[1] S. Floyd and V. Jacobson, Random early detection gateways for congestion avoidance, IEEE/ACM Transactions on Networking, vol. 1, pp. 397-413, 1993.
[2] F. Wu-Chang, D. D. Kandlur, D. Saha, and K. G. Shin, Stochastic fair blue: a queue management algorithm for enforcing fairness, in Proceedings of IEEE INFOCOM, 2001.
[3] R. Mahajan, S. Floyd, and D. Wetherall, Controlling high-bandwidth flows at the congested router, in Proceedings of IEEE International Conference on Network Protocols (ICNP), 2001.
[4] S. McCanne and S. Floyd, The Network Simulator - ns-2, in http://www.isi.edu/nsnam/ns/, 2008.
[5] Contributed Code Nsnam, in http://nsnam.isi.edu/nsnam/index.php/Contributed_Code, 2009.
