In addition to unresponsive UDP traffic, aggressive TCP flows pose a serious challenge to congestion control and to the stability of the future Internet. This paper considers the problem of dealing with such unresponsive TCP sessions, which can collectively be regarded as a Denial-of-Service (DoS) attack on conforming TCP sessions. The proposed policing scheme, called HaDQ (HaTCh-based Dynamic Quarantine), builds on the recently proposed HaTCh mechanism, which accurately estimates the number of active flows without maintaining per-flow state in a router. We augment HaTCh with a small Content Addressable Memory (CAM), called the quarantine memory, to dynamically quarantine and penalize unresponsive TCP flows. The smaller, first-level cache of HaTCh is used to isolate and detect the aggressive flows; flows identified there are moved to the quarantine memory, where they are monitored precisely so that appropriate punitive action can be taken. Although HaDQ is generic in that it can operate with or without an Active Queue Management (AQM) scheme, in this paper we integrate HaDQ with an AQM scheme in order to compare it against existing techniques. For this purpose we extend HaTCh into a complete AQM mechanism, called HRED. Simulation-based performance analysis indicates that, with a suitable choice of monitoring period and detection threshold, HaDQ achieves a false drop rate (false positives) below 0.1%. Comparison with two AQM schemes proposed for handling unresponsive UDP flows, CHOKe and FRED, shows that HaDQ is more effective at penalizing bandwidth attackers and at enforcing fairness between conforming and aggressive TCP flows.
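The abstract describes the shape of the mechanism but not HaTCh's internals or HaDQ's exact penalty. As an added illustration (example code written for this page, not code from the paper), the Python toy below reproduces only the two-stage idea stated above: a small LRU first-level cache that keeps per-period counts only for the flows currently resident in it, a tiny exact-match quarantine table into which a flow is promoted once it exceeds a detection threshold within a monitoring period, and a penalty that caps a quarantined flow at that threshold until it behaves for a whole period. The constants (period, threshold, cache and quarantine sizes), the LRU replacement policy, the cap-at-threshold penalty and the interleaved traffic trace are all assumptions made for the demonstration; they are not taken from HaTCh or HaDQ.

```python
"""Two-stage policing of aggressive flows with bounded router state.

Added illustration, not code from the HaDQ/HaTCh paper: it reconstructs
only the idea stated in the abstract (a small first-level cache isolates
candidate heavy flows; a tiny quarantine memory monitors and penalises
them). Constants, LRU policy, penalty rule and traffic are assumptions.
"""
from collections import OrderedDict

PERIOD = 1000          # monitoring period, in packets (assumed)
THRESHOLD = 60         # packets per period that marks a flow aggressive (assumed)
L1_SLOTS = 16          # first-level cache entries, fewer than the active flows
QUARANTINE_SLOTS = 8   # quarantine memory entries (CAM-sized, assumed)


class Policer:
    """LRU first-level cache plus an exact-match quarantine table."""

    def __init__(self, threshold=THRESHOLD, period=PERIOD):
        self.threshold = threshold
        self.period = period
        self.l1 = OrderedDict()   # flow -> packets seen this period, LRU order
        self.quarantine = {}      # flow -> packets seen this period, exact
        self.seen = 0
        self.forwarded = {}
        self.dropped = {}

    def _end_period(self):
        # Stage 1 forgets everything; a quarantined flow is released only
        # if it stayed at or below the threshold for the whole period.
        self.l1.clear()
        self.quarantine = {f: 0 for f, n in self.quarantine.items()
                           if n > self.threshold}

    def handle(self, flow):
        """Process one packet of `flow`; return True if it is forwarded."""
        self.seen += 1
        if flow in self.quarantine:
            self.quarantine[flow] += 1
            # Penalty: the flow keeps a threshold-sized allowance per period,
            # everything above it is dropped.
            forward = self.quarantine[flow] <= self.threshold
        else:
            if flow in self.l1:
                self.l1.move_to_end(flow)
                self.l1[flow] += 1
            else:
                if len(self.l1) >= L1_SLOTS:
                    self.l1.popitem(last=False)   # evict least recently seen
                self.l1[flow] = 1
            if (self.l1[flow] >= self.threshold
                    and len(self.quarantine) < QUARANTINE_SLOTS):
                # Promote to quarantine, carrying the count so the allowance
                # already used this period is not forgotten.
                self.quarantine[flow] = self.l1.pop(flow)
            forward = True
        if self.seen % self.period == 0:
            self._end_period()
        table = self.forwarded if forward else self.dropped
        table[flow] = table.get(flow, 0) + 1
        return forward


def constructed_trace(rounds, conforming=20, aggressive=2, burst=10):
    """Constructed traffic: per round, one packet from each conforming flow
    ("c0".."c19") interleaved with `burst` packets from each aggressive flow
    ("a0", "a1"), so the aggressive flows are touched far more often."""
    agg = [f"a{j}" for _ in range(burst) for j in range(aggressive)]
    per_slot = max(1, len(agg) // conforming)
    trace = []
    for _ in range(rounds):
        for i in range(conforming):
            trace.append(f"c{i}")
            trace.extend(agg[i * per_slot:(i + 1) * per_slot])
        trace.extend(agg[conforming * per_slot:])
    return trace


def run(rounds=100):
    """Police `rounds` rounds of the constructed trace (40 packets each)."""
    policer = Policer()
    for flow in constructed_trace(rounds):
        policer.handle(flow)
    return policer


def report(policer):
    """Per-class totals and the false-drop rate on conforming flows."""
    def total(table, prefix):
        return sum(n for f, n in table.items() if f.startswith(prefix))
    c_fwd, c_drop = total(policer.forwarded, "c"), total(policer.dropped, "c")
    a_fwd, a_drop = total(policer.forwarded, "a"), total(policer.dropped, "a")
    return {
        "conforming_forwarded": c_fwd, "conforming_dropped": c_drop,
        "aggressive_forwarded": a_fwd, "aggressive_dropped": a_drop,
        "false_drop_rate": c_drop / max(1, c_fwd + c_drop),
        "quarantined": sorted(policer.quarantine),
    }
```

With the constructed trace the two aggressive flows send half of all packets; after `run(100)` (four monitoring periods) they are both quarantined, each is held to 60 forwarded packets per period, and no conforming packet is dropped, so the false-drop rate is 0. The two knobs the abstract names are visible in the toy: a threshold close to a conforming flow's per-period count (25 here) would start producing false drops, and a longer period delays promotion because the count only accumulates within a period. A caveat specific to this toy is the first-level cache: a heavy flow is only detected if it is touched often enough to survive LRU eviction before its count reaches the threshold, which is why the trace interleaves the aggressive packets rather than sending them in one burst per round.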
All Science Journal Classification (ASJC) codes
- Electrical and Electronic Engineering