A dynamic quarantine scheme for controlling unresponsive TCP sessions

Sungwon Yi, Xidong Deng, George Kesidis, Chitaranjan Das

Research output: Contribution to journal › Article

11 Citations (Scopus)

Abstract

In addition to unresponsive UDP traffic, aggressive TCP flows pose a serious challenge to congestion control and stability of the future Internet. This paper considers the problem of dealing with such unresponsive TCP sessions that can be considered to collectively constitute a Denial-of-Service (DoS) attack on conforming TCP sessions. The proposed policing scheme, called HaDQ (HaTCh-based Dynamic Quarantine), is based on a recently proposed HaTCh mechanism, which accurately estimates the number of active flows without maintenance of per-flow states in a router. We augment HaTCh with a small Content Addressable Memory (CAM), called quarantine memory, to dynamically quarantine and penalize the unresponsive TCP flows. We exploit the advantage of the smaller, first-level cache of HaTCh for isolating and detecting the aggressive flows. The aggressive flows from the smaller cache are then moved to the quarantine memory and are precisely monitored for taking appropriate punitive action. While the proposed HaDQ technique is quite generic in that it can work with or without any AQM scheme, in this paper we have integrated HaDQ and an AQM scheme to compare it against some of the existing techniques. For this, we extend the HaTCh scheme to develop a complete AQM mechanism, called HRED. Simulation-based performance analysis indicates that by using a proper configuration of the monitoring period and the detection threshold, the proposed HaDQ scheme can achieve a low false drop rate (false positives) of less than 0.1%. Comparison with two AQM schemes (CHOKe and FRED), which were proposed for handling unresponsive UDP flows, shows that HaDQ is more effective in penalizing the bandwidth attackers and enforcing fairness between conforming and aggressive TCP flows.
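The two-stage idea the abstract describes, a cheap first-level cache that flags heavy senders without keeping per-flow state and a small exact-count quarantine table that polices only the flagged flows, can be illustrated with a toy simulation. The Python block below is an added example and not code from the paper: the hashed slot counters, the promotion threshold, the fair-share multiple and the release rule are assumptions chosen for illustration, not the published HaTCh/HaDQ rules, and the workload (30 conforming flows sending one packet per round plus one flow sending ten) is constructed.

```python
import hashlib
import random


class QuarantinePolicer:
    """Toy two-stage policer (illustration only, not the paper's HaTCh/HaDQ).
    Stage 1: a small array of hashed slot counters, no per-flow state.
    Stage 2: a small quarantine table with exact per-flow counts."""

    def __init__(self, cache_slots=64, quarantine_size=8, period=400,
                 threshold=30, fair_factor=2.0):
        self.cache_slots = cache_slots
        self.quarantine_size = quarantine_size
        self.period = period            # arrivals per monitoring period
        self.threshold = threshold      # slot hits in one period that trigger quarantine
        self.fair_factor = fair_factor  # tolerated multiple of the per-flow fair share
        self.cache = [0] * cache_slots  # first-level cache: one counter per slot
        self.quarantine = {}            # flow_id -> exact arrivals this period
        self.arrivals = 0               # arrivals seen in the current period
        self.active_estimate = 1        # active-flow estimate, refreshed each period
        self.stats = {}                 # flow_id -> [forwarded, dropped]

    def _slot(self, flow_id):
        digest = hashlib.blake2b(flow_id.encode(), digest_size=4).digest()
        return int.from_bytes(digest, "big") % self.cache_slots

    def _limit(self):
        # packets one flow may send per period before it is penalised
        return self.fair_factor * self.period / self.active_estimate

    def _end_period(self):
        # assumed estimator: occupied slots plus quarantined flows
        occupied = sum(1 for c in self.cache if c)
        self.active_estimate = max(1, occupied + len(self.quarantine))
        limit = self._limit()
        # flows that stayed within the limit return to the cheap cache;
        # the others stay quarantined with their counters reset
        self.quarantine = {f: 0 for f, n in self.quarantine.items() if n > limit}
        self.cache = [0] * self.cache_slots
        self.arrivals = 0

    def packet(self, flow_id):
        """Process one arrival; returns True if forwarded, False if dropped."""
        self.arrivals += 1
        forward = True
        if flow_id in self.quarantine:
            # precise monitoring: only quarantined flows are ever dropped
            self.quarantine[flow_id] += 1
            forward = self.quarantine[flow_id] <= self._limit()
        else:
            s = self._slot(flow_id)
            self.cache[s] += 1
            if (self.cache[s] > self.threshold
                    and len(self.quarantine) < self.quarantine_size):
                self.quarantine[flow_id] = 0
                self.cache[s] = 0  # flows sharing the slot do not inherit the count
        rec = self.stats.setdefault(flow_id, [0, 0])
        rec[0 if forward else 1] += 1
        if self.arrivals >= self.period:
            self._end_period()
        return forward


def simulate(conforming=30, attacker_rate=10, rounds=200, seed=1):
    """Constructed workload: each conforming flow sends 1 packet per round and
    one aggressive flow sends attacker_rate. Returns the attacker's forwarded
    fraction, the false drop rate on conforming traffic, and whether the
    attacker is still quarantined at the end."""
    rng = random.Random(seed)
    pol = QuarantinePolicer()
    for _ in range(rounds):
        batch = [f"c{i}" for i in range(conforming)] + ["attacker"] * attacker_rate
        rng.shuffle(batch)
        for fid in batch:
            pol.packet(fid)
    good_fwd = sum(pol.stats[f"c{i}"][0] for i in range(conforming))
    good_drop = sum(pol.stats[f"c{i}"][1] for i in range(conforming))
    atk_fwd, atk_drop = pol.stats["attacker"]
    return {
        "attacker_forwarded_fraction": atk_fwd / (atk_fwd + atk_drop),
        "false_drop_rate": good_drop / (good_fwd + good_drop),
        "attacker_quarantined": "attacker" in pol.quarantine,
    }


if __name__ == "__main__":
    print(simulate())
```

Two properties of the design are worth noting. A hash collision in the first-level cache can push a conforming flow over the threshold, but that only moves it into the quarantine table, where its exact count is compared against the share limit, so a false flag does not become a false drop unless the flow really is sending more than the limit. The monitoring period and the threshold are the knobs the abstract refers to: a shorter period or lower threshold detects an aggressive flow sooner but raises the chance that bursts of conforming traffic get flagged.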

Original language: English (US)
Pages (from-to): 169-189
Number of pages: 21
Journal: Telecommunication Systems
Volume: 37
Issue number: 4
DOIs: 10.1007/s11235-008-9104-2
State: Published - Apr 1 2008

Fingerprint

Associative storage
Data storage equipment
Congestion control (communication)
Routers
Internet
Bandwidth
Monitoring
Denial-of-service attack

All Science Journal Classification (ASJC) codes

  • Electrical and Electronic Engineering

Cite this

@article{a6252425f46845e988c6d8730ba0bcb0,
title = "A dynamic quarantine scheme for controlling unresponsive TCP sessions",
abstract = "In addition to unresponsive UDP traffic, aggressive TCP flows pose a serious challenge to congestion control and stability of the future Internet. This paper considers the problem of dealing with such unresponsive TCP sessions that can be considered to collectively constitute a Denial-of-Service (DoS) attack on conforming TCP sessions. The proposed policing scheme, called HaDQ (HaTCh-based Dynamic Quarantine), is based on a recently proposed HaTCh mechanism, which accurately estimates the number of active flows without maintenance of per-flow states in a router. We augment HaTCh with a small Content Addressable Memory (CAM), called quarantine memory, to dynamically quarantine and penalize the unresponsive TCP flows. We exploit the advantage of the smaller, first-level cache of HaTCh for isolating and detecting the aggressive flows. The aggressive flows from the smaller cache are then moved to the quarantine memory and are precisely monitored for taking appropriate punitive action. While the proposed HaDQ technique is quite generic in that it can work with or without any AQM scheme, in this paper we have integrated HaDQ and an AQM scheme to compare it against some of the existing techniques. For this, we extend the HaTCh scheme to develop a complete AQM mechanism, called HRED. Simulation-based performance analysis indicates that by using a proper configuration of the monitoring period and the detection threshold, the proposed HaDQ scheme can achieve a low false drop rate (false positives) of less than 0.1{\%}. Comparison with two AQM schemes (CHOKe and FRED), which were proposed for handling unresponsive UDP flows, shows that HaDQ is more effective in penalizing the bandwidth attackers and enforcing fairness between conforming and aggressive TCP flows.",
author = "Sungwon Yi and Xidong Deng and George Kesidis and Chitaranjan Das",
year = "2008",
month = "4",
day = "1",
doi = "10.1007/s11235-008-9104-2",
language = "English (US)",
volume = "37",
pages = "169--189",
journal = "Telecommunication Systems",
issn = "1018-4864",
publisher = "Springer Netherlands",
number = "4",
}

A dynamic quarantine scheme for controlling unresponsive TCP sessions. / Yi, Sungwon; Deng, Xidong; Kesidis, George; Das, Chitaranjan.

In: Telecommunication Systems, Vol. 37, No. 4, 01.04.2008, p. 169-189.

