A Novel Mechanism to Defend Against Low-Rate Denial-of-Service Attacks

  • Wei Wei
  • Yabo Dong
  • Dongming Lu
  • Guang Jin
  • Honglan Lao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3975)


Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.


Round Trip Time Power Spectrum Density Traffic Class Edge Router Burst Length 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Kuzmanovic, A., Knightly, E.: Low-rate TCP-targeted denial of service attacks (the shrew vs. the mice and elephants). In: Proceedings of ACM SIGCOMM 2003 (August 2003)Google Scholar
  2. 2.
    Postel, J.: Transmission control protocol. Internet RFC 793 (September 1981)Google Scholar
  3. 3.
    Jacobson, V.: Congestion avoidance and control. Computer Communication Review 18(4), 314–329 (1988)CrossRefGoogle Scholar
  4. 4.
    Allman, M., Paxson, V.: On estimating end-to-end network path properties. Computer Communication Review 29(4), 263–274 (1999)CrossRefGoogle Scholar
  5. 5.
    Sarat, S., Terzis, A.: On the effect of router buffer sizes on low-rate denial of service attacks. In: Proceedings of 14th International Conference on Computer Communications and Networks (ICCCN 2005), pp. 281–286 (October 2005)Google Scholar
  6. 6.
    Tsao, J., Efstathopoulos, P.: Low-rate TCP-targeted denial of service attack defense. Advanced Computer Networks (2003)Google Scholar
  7. 7.
    Yang, G., Gerla, M., Sanadidi, M.P.: Defense against low-rate TCP targeted denial-of-service attacks. In: Proceedings of 9th International Symposium on Computers and Communications (ISCC 2004), vol. 1, pp. 345–350 (2004)Google Scholar
  8. 8.
    Shevtekar, A., Karunakar, A., Ansari, N.: Low rate TCP denial-of-service attack detection at edge routers. IEEE Communications Letters 9(4), 363–365 (2005)Google Scholar
  9. 9.
    Luo, X., Chang, R.K.C.: On a new class of pulsing denial-of-service attacks and the defense. In: Proceedings of Network and Distributed System Security Symposium, NDSS 2005 (February 2005)Google Scholar
  10. 10.
    Chen, Y., Kwok, Y.K., Hwang, K.: Filtering shrew DDoS attacks using a new frequency-domain approach. In: Proceedings of 1st IEEE LCN Workshop on Network Security, WoNS 2005 (June 2005)Google Scholar
  11. 11.
    Sun, H., Lui, J.C.S., Yau, D.K.Y.: Defending against low-rate TCP attacks: dynamic detection and protection. In: Proceedings of 12th IEEE International Conference on Network Protocols (ICNP 2004), pp. 196–205 (2004)Google Scholar
  12. 12.
    Hussain, A., Heidemann, J., Papadopoulos, C.: Distinguishing between single and multi-source attacks using signal processing. Computer Networks 46(4), 479–503 (2004)CrossRefGoogle Scholar
  13. 13.
    Cheng, C.M., Tan, K.S., Kung, H.T.: Use of spectral analysis in defense against DoS attacks. In: Proceedings of IEEE Global Telecommunications Conference (Globecom 2002), vol. 3, pp. 2143–2148 (2002)Google Scholar
  14. 14.
    Jin, G., Yang, J.: Deterministic Packet Marking based on Redundant Decomposition for IP Traceback. IEEE Communications Letters 10(3), 204–206 (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Wei Wei
    • 1
  • Yabo Dong
    • 1
  • Dongming Lu
    • 1
  • Guang Jin
    • 1
    • 2
  • Honglan Lao
    • 3
  1. 1.College of Computer Science and TechnologyZhejiang UniversityHangzhouP.R. China
  2. 2.College of Information Science and EngineeringNingbo UniversityNingboP.R. China
  3. 3.Department of Electrical EngineeringUniversity of Southern CaliforniaLos AngelesUSA

Personalised recommendations