Detecting LDoS attack bursts based on queue distribution

摘要

Low-rate denial of service (LDoS) attacks exploit the congestion control mechanism to degrade the network quality of service. As a classic active queue management algorithm, random early detection (RED) algorithm is widely used to avoid network congestion. However, RED is vulnerable to LDoS attacks. LDoS attacks with well-configured attack parameters force RED queue to fluctuate severely, thereby throttling transmission control protocol (TCP) senders' sending rate. A feedback control model is proposed to describe the process of the congestion control, by which the congestion window and queue behaviours are analysed combined. After that, a two-dimensional queue distribution model composed of the instantaneous queue and the average queue is designed to extract the attack feature. Moreover then, a combination of a simple distance-based approach and an adaptive threshold algorithm is proposed to detect every LDoS attack burst. Test results of network simulator (NS)-2 simulation and test-bed experiments indicate that the proposed detection strategy can almost completely detect LDoS attack bursts and is especially robust to legitimate short bursts.