ON THE DESIGN OF A LOW-RATE DOS ATTACK AGAINST

ITERATIVE SERVERS

Gabriel Maci

a-Fern

andez, Jes

us E. D

ıaz-Verdejo, Pedro Garc

ıa-Teodoro

Dep. of Signal Theory, Telematics and Communications - University of Granada

c/ Daniel Saucedo Aranda, s/n - 18071 - Granada (Spain)

Keywords:

network security, denial of service, attack modelling, low-rate attack.

Abstract:

Recent research exposes the vulnerability of current networked applications to a family of low-rate DoS attacks

based on timing mechanisms. A kind of those attacks is targeted against iterative servers and employs an

ON/OFF scheme to send attack packets during the chosen critical periods. The overall behaviour of the attack

is well known and its effectiveness has been demonstrated in previous works. Nevertheless, it is possible to

achieve a trade off between the performance of the attack and its detectability. This can be done by tuning

some parameters of the attack waveform according to the needs of the attacker and the deployed detection

mechanisms. In this paper, a mathematical model for the relationship among those parameters and their impact

in the performance of the attack is evaluated. The main goal of the model is to provide a better understanding

of the dynamics of the attack, which is explored through simulation. The results obtained point out the model

as accurate, thus providing a framework feasible to be used to tune the attack.

1 INTRODUCTION

Nowadays, networked systems represent a vital in-

frastructure involved in a lot of everyday activities. As

the dependence on those systems increases, the risks

of compromising the network itself or the services

provided become more threatening. In this context,

one of the most devastating menaces are the so called

Denial of Service (DoS) attacks (CERT Coordination

Center, 2003). Recent incidents involving companies

with big presence in Internet (Williams, 2000) guar-

antee the existence of this threat while, at the same

time, demonstrate its potential impact.

The vulnerabilities and mechanisms enabling DoS

attacks are of diverse nature (Axelsson, 2000), al-

though two main families of attacks can be estab-

lished. The ﬁrst one is composed by software or hard-

ware vulnerabilities that can be exploited by a suit-

able piece of software causing the stopage of the tar-

geted system, service or network facility. This kind of

DoS attacks is very similar to many other attacks (e.g.

virus-based attacks) and so are the defence mecha-

nisms. The second kind is based on saturating some

necessary resource at the target by means of ﬂood-

ing. Due to the high number of requests usually

needed to ﬂood the resource, these kind of attacks

are commonly called brute-force attacks (Douligeris,

2004). Anyway, recent research (Kuzmanovic, 2003)

(Maci

a-Fern

andez et al., 2006b) points out the exis-

tence of a more subtle kind of DoS attacks charac-

terized by the use of a relatively low-rate of request

packets to achieve the ﬂood of the resource. The

present paper is focused on exploring one of these

attacks, speciﬁcally (Maci

a-Fern

andez et al., 2006b),

which will be called MF06 from now on.

On the other hand, the development and deploy-

ment of countermeasures does not completely elim-

inate the threat. The main defence mechanisms are

solely based on preventive measures such as ingress

ﬁltering (Ferguson, 2001), egress ﬁltering (SANS In-

stitute, 2000), or disabling unused services (Geng,

2000), just to mention some of them. Some works

propose to use honeypots (Weiler, 2002) and intru-

sion detection systems (IDS) (Axelsson, 2000) to han-

dle an in-progress attack. In this sense, IDS’ have

proven to be a useful tool to detect brute-force attacks

through the assessment of the volume of trafﬁc. Any-

way, this is an area of active research. Furthermore,

the defence mechanisms against the above mentioned

low-rate attacks are also under research. Thus, some

solutions have been proposed for the TCP attack (Sun

et al., 2004), (Shevtekar et al., 2005), although they

149

Maciá-Fernández G., E. Díaz-Verdejo J. and García-Teodoro P. (2006).

ON THE DESIGN OF A LOW-RATE DOS ATTACK AGAINST ITERATIVE SERVERS.

In Proceedings of the International Conference on Security and Cryptography, pages 149-156

DOI: 10.5220/0002103301490156

 SciTePress

are speciﬁc for this kind of attack. More research

should be made in order to capture the behavior of the

attack in MF06 to develop protection mechanisms.

Before a deeper insight into MF06 is made in

the following sections, some comments concerning

the two above mentioned low-rate attacks should be

pointed out. First, both attacks are founded on a pre-

dictable temporary behavior enabling an intelligent

selection for the timings of the attack packets. There-

fore, an ON/OFF attack waveform is used in both

cases, which reduces the rate of packets needed to

carry out the attack. But there ends the similarities.

The temporary mechanisms exploited are clearly dif-

ferent in both cases: while (Kuzmanovic, 2003) ex-

ploits the TCP congestion control mechanism, MF06

exploits some knowledge concerning the inter-output

time between responses in a service. This way, even

the attacked resources are different: the links’ capac-

ity in the network and the incoming requests queue,

respectively. Moreover, the levels at which the at-

tack is carried out are different: transport/application

layer, and so are their impacts: global to the targeted

network or local to the targeted service.

One of the most interesting characteristics of the

MF06 attack is related to its versatility. By adjusting

some attack parameters that will be described later,

it is possible to achieve a compromise between the

effectiveness of the attack, in the sense of the level

of denial of service achieved, and the rate of trafﬁc

generated by the attack. This property would allow

a potential intruder to select the optimum parameters

in order not to be detected by an IDS system based

on some rate threshold mechanism. The purpose of

this work is to study how these adjustments affect the

behavior of the attack and, therefore, how to optimize

the design the attack. This knowledge can lead to the

development of new defence mechanisms. For this

purpose, the authors propose to use and evaluate a re-

cently developed mathematical model for the cited at-

tack.

The rest of the article is structured as follows. A

brief description of the low-rate DoS attack is re-

viewed in Section 2. Section 3 presents an overview

of the mathematical model that supports the design

of the attack. Some conclusions extracted from the

model and concerning the behavior of the attack are

compiled in Section 4, while Section 5 describes the

simulations made to validate the model. Finally, Sec-

tion 6 presents the conclusions of this work.

2 LOW-RATE DOS ATTACK

The low-rate DoS attack under consideration is tar-

geted against an iterative server and uses certain a pri-

ori knowledge concerning the time between responses

from the server. From the statistics of the so called

inter-output time and the observation of the responses

from the server it is possible to infer when the next

output is likely to be generated. Therefore, the aim of

the attack, when in a stationary stage with the server

at plenty of its capacity, will be to replace the request

being served, either legitimate or malicious, with a

new malicious request from the intruder by timing

it appropriately. Some details about the operation of

the attack and the targeted scenario will be described

next.

Let us consider an standard iterative server in

which, as usual, requests are queued up in a ﬁnite

length queue while awaiting for its processing in a

FIFO discipline. Similarly, let us suppose a request

arriving at the server at a given time, t. The behaviour

of the service, relatedto that petition, can be described

as follows. First, if there exists at least one free po-

sition in the input queue, the request is queued. Oth-

erwise, the request is not accepted. Whether a reject

message is sent back to the requester or not is irrele-

vant to our study. Next, after some queuing time, t

the request will be the ﬁrst in the queue and, there-

fore, will be processed by the server during a service

time, t

. Finally, at t + t

+ t

, a response is provided

and sent back to the requester.

Up to now, just the standard behavior of an itera-

tive server has been depicted. But, although both the

service time and the queue time are random variables,

some predictable timing can be expected under con-

trolled circumstances. Thus, if an intruder manages

to always request the same resource at the server, it

it expectable for the service time, t

, to be always

identical. On the other hand, the time between two

consecutive outputs, under the single condition of the

existence of at least one pending request in the in-

put queue, is directly the service time. Therefore, the

inter-output time, τ

int

, for the server is predictable

and always has the same value. Nevertheless, even in

this scenario, some variability in the inter-output time

appears due to several reasons related to the function-

ing of the server and the machine it is running on (e.g.

multithread operation, random access times and so

on). To account for this variability, the intruder should

determine an statistical characterization for the inter-

output by sending some requests and observing the

behavior of the system. This can be easily done in a

non-intrusive way.

In this environment, the attack consists of the iter-

ation of a basic period composed by a period of inac-

tivity, called offtime followed by a period of activity,

called ontime (Fig. 1). During ontime, the attacker

iteratively sends the same request in the hope that at

least one of them acquire a free position in the input

queue. The task of the intruder is to forecast the in-

stant at which a free position is going to be generated,

which is, when an output is to be emitted, and to syn-

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

150

Figure 1: Attack waveform as generated by the intruder.

chronize the attack in such a way that an attack packet

reaches the server in the minimum possible time af-

ter the output occurs. In an optimal situation, just a

single attack packet per ontime period is necessary.

Nevertheless, the above mentioned variability in the

inter-output time makes advisable to use more attack

packets per period. The low-rate nature of the attack

relies in the fact that only a small number of attack

packets are sent during each ontime period. Although

not mentioned, the round trip time between the server

and the intruder plays and additional role in this at-

tack. The details are shown in MF06 and exceeds the

scope of this paper.

2.1 Attack Parameters

The attack can be characterized by the following pa-

rameters (Fig. 1:

• Ontime interval (t

ontime

): activity interval during

which an attempt to seizure a free position in the

service queue is made by emitting request packets.

• Offtime interval (t

offtime

): inactivity interval pre-

vious to ontime in the period of attack, during

which no attack packets are transmitted.

• Interval (∆): the time elapsed between the sending

of two consecutive packets during ontime.

2.2 Performance Indicators

The performance of the attack can be measured in re-

lation to the level of denial of service achieved, which

is the direct objective of the attack, and the number of

attack packets that have to be send in order to get the

free positions in the queue as they become available.

Both aspects can be established through the following

indicators:

• Effort (E): ratio between the trafﬁc rate generated

by the intruder and the maximum trafﬁc rate ac-

cepted by the server (server capacity).

• User perceived performance (UPP): ratio between

the number of legitimate users requests processed

by the server, and the total number of requests sent

by them.

Although UPP can be measured in a controlled en-

vironment, it is difﬁcult to estimate it in a real one.

Nevertheless, it is possible to derive UPP from a para-

meter that can be deﬁned in an ideal situation and that

gives an estimate of the time during which the service

is vulnerable. This parameter, called mean idle time

can be deﬁned as follows:

• Mean idle time (

idle

): the percentage of time dur-

ing which the system has free positions in the ser-

vice queue, related to the total duration of the attack

when legitimate users send no trafﬁc.

From the very deﬁnition, it is almost obvious that

the higher the value of the mean idle time, the higher

should be the UPP, as the service is available during

more time for the use by a legitimate user. Therefore,

the objective of the attack should be to reduce as much

as possible the value of the mean idle time but with as

lowest effort as possible.

3 ATTACK MODELLING

As indicated above, there is a need to ﬁnd a relation

between the speciﬁc settings of the parameters that

deﬁne the attack (see Section 2), and the values for

the indicators that these conﬁgurations produce. To

address this problem, a mathematical framework pro-

posed by the authors (Maci

a-Fern

andez et al., 2006a)

is brieﬂy described. It allows to estimate, for a given

server and attack characteristics, the effort and the ef-

ﬁciency of the attack.

The model is described as a set of functions that

provide the values for the mean idle time, the user

perceived performance, and the effort of the attack

from a set of input values. These inputs come from

two sources: the statistics for the behaviour of the

server/network, and the parameters of the attack. The

ﬁrst category accounts for the probability function of

the occurrence of an output in the server and the mean

round trip time. The second consider the ontime pe-

riod, t

ontime

, the offtime period, t

offtime

, and the in-

terval, ∆.

The ﬁrst step in developing the mathematical

model is the evaluation of the mean idle time. Once a

function for this parameter is deducted, it is possible

to derive some expressions for the user perceived per-

formance and the effort of the attack by making some

assumptions about the behaviour of the server and the

attack.

ON THE DESIGN OF A LOW-RATE DOS ATTACK AGAINST ITERATIVE SERVERS

151

0,002

0,004

0,006

0,008

0,01

0,012

0,014

0,016

0,018

0,02

time

Probability of ocurrence of an

output in the server

offtime

ontime

D D

RTT

-¥

+¥

Attack packets

Figure 2: Diagram of occurrence for an output: probability

function and associated calculation points. In this example,

only three attack packets are considered and a normal dis-

tribution is assumed.

3.1 Model for the Idle Time

As indicated in Section 2, the strategy of the intruder

is based on synchronizing the arrival of the ontime

interval at the server with the occurrence of an out-

put, event that generates a free position in the service

queue. Doing this, the time during which this posi-

tion is available for legitimate users (

idle

) is reduced

and, therefore, the denial of the service (measured by

UP P ) would be more annoying.

The intruder carries out a period of attack every

estimated inter-output time, τ

int

. The time between

two consecutive outputs is considered as an stochas-

tic process that can be modelled by a distribution. As

the mean idle time is deﬁned as a percentage of time

during which at least a free position is available, for

the purpose of developing a mathematical model that

evaluates this indicator, an observation period should

be deﬁned. A period of an attack, that is, an offtime

interval followed by an activity interval (ontime) will

be the observation period. Moreover, it is considered

that the service queue is full of requests at the begin-

ning of this period.

Let us consider one attack period and relate it with

the probability of generation of an output at the server.

From the attack design, it is expected that the maxi-

mum probability of generation will occur at the same

time that the central attack packet arrives at the server

(Fig. 2). In the ﬁgure, the instants for the arrival of

attack packets (during the ontime interval) are repre-

sented by vertical arrows. These arrivals occur at the

instants labeled a

(i ≥ 1).

On the other hand, and according to the deﬁnition,

the idle time for this period will be the time elapsed

between the actual generation of the output and the

reception of the next incoming attack packet. To eval-

uate the mean idle time it is necessary to average this

value over the whole period, taking into account both

the probability of generation of an output and the pe-

riod till the next incoming packet. For this purpose,

a set of so called calculation points, A, is deﬁned.

The calculation points delimit a set of intervals that

will be used to calculate the instantaneous values of

the idle time, T

. This set is composed by the in-

stants at which an attack packet arrives at the server,

, 1 ≤ i ≤ n, n = ceil[t

ontime

/∆], and a special

point, a

, which is situated a time

RT T before the

reception of the ﬁrst attack packet in the observation

period, that is,

= a

−

RT T (1)

If an output is generated at an instant t, and assum-

ing that

∆ = a

− a

i−1

≤

RT T (2)

the associated idle time is

(t) =



RT T if t < a

or t ≥ a

− t otherwise, 0 ≤ i ≤ n

(3)

The reasoning for Eq. 3 is as follows. If an output is

generated before a

of after a

, the time during which

a queue position is available, in absence of user traf-

ﬁc, will be

RT T , as an attack packet will (automat-

ically) be emitted by the intruder upon the reception

of the output. Thus, the timeline will be as follows.

At time t, the output is generated at the server, at time

t +

RT T /2, this output is received by the intruder,

which sends a new attack packet as response, at time

t + RT T the attack packet is received at the server,

and the idle time ends. It is important to note that we

are assuming the RTT to be always its mean value.

This is appropriate as the ﬁnal objective is to evalu-

ate the mean idle time. On the other hand, if an out-

put is generated by the server at any other instant, the

next scheduled attack packet will be received by the

server before the automatically generated response if

and only if the round trip time is lower than the in-

terval. In this case, the instantaneous idle time is the

time till the next scheduled attack packet. Otherwise,

the idle time is again

RT T . Nevertheless, this case

is not relevant in most situations as will be explained

later.

Thus, for the case in which ∆ ≤

RT T , the mean

idle time in a period of attack can be obtained through

integration as:

idle



−∞

RT T · f (t)dt

− t) · f(t)dt

+ . . . +

n−1

− t) · f(t)dt

∞

RT T · f (t)dt



(4)

where f (t) is the probability function for the genera-

tion of an output at the instant t and T

is the duration

of a period of the attack, that is, T

= t

offtime

ontime

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

152

The assumed distribution for f(t) will affect to the

values obtained from the model, although the model

itself is independent of the proposed distribution.

Eq. (4) have been deducted under the condition that

the value of ∆ should be low enough to accomplish

the condition in Eq. (2). However, the model could

be easily adapted to the opposite condition, that is,

∆ >

RT T . Nevertheless, this case is out of the scope

of this work due to the fact that a good attack design

should preserve the case in Eq. (2). If this condition

is not meet, the attack would mainly become an al-

most naive attack in which a request is made every

time a response from the server is received. This way,

the ON/OFF behavior of the attack waveform will be-

come useless and an important increase in the number

of total attack packets will appear.

3.2 Model for the User Perceived

Performance

The user perceived performance (UP P ) is an indica-

tor deﬁned for a system where both legitimate users

and the attacker are simultaneously trying to access to

the target system. According to MF06, the packet ar-

rivals from the legitimate user are modeled by a Pois-

son distribution. This implies that the probability of

packet reception from a legitimate user during a pe-

riod of time T is given by the exponential distribution

function:

F (T ) = 1 − e

−λT

(5)

where λ is the arrival rate of packets from the legiti-

mate users.

The UP P can be evaluated by estimating the prob-

ability for a legitimate user to queue its request dur-

ing a period of the attack, P

. This probability can

be obtained through the mean idle time, that is, the

more time a position is free the more probability of a

capture by the user. According to the proposed distri-

bution, the probability of an user capture in the k-th

interval (Fig. 2), that is (a

k−1

, a

), denoted as P

, is

given by the expression:

= 1 − e

−λT

idle

(6)

where T

idle

represents the generated idle time during

the k-th interval, that is:

idle

− a

k−1

)

f(t)dt (7)

By summing up the probability of capture for all

the intervals, the total probability for a legitimate user

to seize a position in the service queue for a complete

period of the attack, P

, is

n+1

k=0



1 − e

−λT

idle



(8)

where n is the index of the last calculation point.

The Eq. (7) does not consider the presence of traf-

ﬁc coming from legitimate users. Some approxima-

tions have to be made in order to take into account

users’ trafﬁc. The details and justiﬁcation for them

exceeds the purposes of this paper and can be found in

(Maci

a-Fern

andez et al., 2006a). On the other hand,

the experimental results shown in Section 5 conﬁrm

the goodness of these approximations. Anyway, a set

of equations relating P

and the mean idle time can

be derived from those reasonings, yielding

(t) =

RT T · (1 − P

)

+ min



− t

ontime



· P

(9)

The calculation of the expressions for T

idle

and P

should be made recursively, due to the fact that there

is a cross-dependency between them.

Once a stable value for P

is obtained, the ﬁnal

expression for the U P P , for an attack of duration T ,

with C seizures, is given by:

UP P =

· C

T/λ

(10)

3.3 Effort of the Attack

The effort of the attack, E, corresponds to the num-

ber of packets sent to the server by the intruder during

the attack. Two sources of attack packets exists: the

activity period, ontime, during which packets are gen-

erated at a rate 1/∆; and the packet sent as a response

to the reception of an output by the intruder.

For the calculation of the effort an assumption will

be made: the intruder will receive the answers from

the server after sending all the packets corresponding

to the ontime interval. This is similar to suppose that

the attack period is not going to be restarted during

ontime, being the number of packets generated equal

to ceil(t

ontime

/∆). On the other hand, not all the

outputs are received at the intruder side. Therefore,

no attack packet is sent in this case. The percentage

of attack periods at which an output is not received

from the server is given by UP P .

All these considerations lead to:

E = ceil



ontime

∆



+ (1 − UP P ) (11)

ON THE DESIGN OF A LOW-RATE DOS ATTACK AGAINST ITERATIVE SERVERS

153

4 MODEL DISCUSSION

In summary, the described model allows to obtain the

expected value of the mean idle time for any speciﬁc

setting of the attack and server/network characteris-

tics. Both aspects are considered in the model as:

• Server characteristics: they are considered in the

f(t) term, which is univocally deﬁned by the mean

value and the variance of the inter-output time ob-

served by the intruder.

• Network characteristics: as discussed above, the

main network factor that affects the attack is the

round trip time. As it can be seen from the ﬁnal

expressions of the model, it is clear the affection of

this parameter. Both the mean value (RT T ) and its

variance, var[RT T ], through the distribution f(t),

affects the value obtained for T

idle

• Setting of the attack: the conﬁguration of the attack

is reﬂected on the calculation points of the expres-

sion. In effect, their position depends on the para-

meters of the attack, that is, t

offtime

, t

ontime

, and

the considered value for the interval ∆.

Some conclusions concerning the behaviour of the

attack can be deducted from this model:

• As the value of

RT T increases, a lower efﬁciency

is obtained.

• Lower values of T

are obtained when the output

is generated during the reception of the ontime in-

terval, if the design of the attack complies the con-

dition ∆ ≤ RT T. Moreover, in this case, as the

value of interval is lower, a lower value for

idle

is also expected. Outputs generated out of the on-

time interval imply a higher value for the mean idle

time.

• Variations in the mean service time does not affect

the behavior of the attack period. This implies that,

for an attack period, the total time during which a

free position is available will be the same. As the

mean idle time is deﬁned as a percentage, lower

values are expected when

increases.

On the other hand, the model also provides the ex-

pected values for the user perceived performance and

the effort, which determine the performance of the at-

tack.

For the UP P, two conclusions can be drawn from

Eqs. (10) and (8). First, the tendencies of the values

for UP P and

idle

are similar, that is, an increase

in the value of UP P is expectable when the mean

idle time becomes higher. Second, there is no linear

dependency between the trafﬁc rate of the legitimate

users and the value obtained for U P P , as it can be

seen from expressions (4), and (8).

Finally, it is clear from Eq. (11), that the effort

is mainly affected by the duration of ontime and the

setting of the interval value.

5 EXPERIMENTAL VALIDATION

OF THE MODEL

The main purpose of this paper is to validate the the-

oretical framework presented in the above Sections.

This objective has been accomplished through experi-

mental results obtained from simulations made within

Network Simulator 2 (NS2) (Fall, 2006).

In a ﬁrst step, the results from the simulations are

going to be compared with those from the proposed

mathematical models to check its validity. Thereafter,

the conclusions derived from the model concerning

the expected behavior when some attack parameters

are changed are tested.

5.1 Attack Performance Indicators

The ﬁrst step in validating the models is, as previ-

ously stated, to check whether the expected values

for the performance indicators are in accordance with

those obtained by simulation. For this purpose, we

have evaluated the behavior in a set of scenarios with

different conﬁgurations for both the attack and server

parameters. The results from these experiments have

been compared to the values derived from the mathe-

matical model, obtaining a very good approximation

between them.

First, we examine the mean idle time, as the other

measurements are deducted from it. Fig. 3.a) shows

a comparison between expected and simulated values

for this parameter in 13 different scenarios from the

test set. The maximum variation given by the model

is 3.77%, with a mean value of 1.71%, what means a

very good approximation.

Next, the remaining parameters are tested. Fig.

3.b) shows a comparison for 13 different scenarios,

where the user perceived performance is evaluated.

The results are shown both in absolute and relative

values. As can be seen, the obtained values from the

model approximate well to the simulated ones, with a

mean variation of 0.4% and a maximum of 1.46%.

Finally, Fig. 3.c) depicts the comparison for the ef-

fort between both the simulation and the model val-

ues, for 13 different scenarios. It can be observed

that the model approximates well the simulated val-

ues, with a mean variation of 1.42% and a maximum

of 4.02%.

As a conclusion, the approximations made in

the mathematical model can be considered accurate

enough, providing validity to the model as a tool to

evaluate the potential effect of an attack starting from

the knowledge of its design parameters.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

154

10%

20%

30%

40%

50%

60%

70%

1 2 3 4 5 6 7 8 9 10 11 12 13

model

simulation

Mean idle time

0,00%

2,00%

4,00%

6,00%

8,00%

10,00%

12,00%

14,00%

1 2 3 4 5 6 7 8 9 10 11 12 13

Model

Simulation

UPP

100%

200%

300%

400%

500%

600%

1 2 3 4 5 6 7 8 9 10 11 12 13

Model

Simulation

Effort

Figure 3: Comparison between the values obtained from

simulation and from the mathematical model for 13 differ-

ent scenarios: a) mean idle time; b) user perceived perfor-

mance; and c) effort.

5.2 Attack Dynamics

To check the different conclusions extracted from the

mathematical models about the behavior of the attack

(attack dynamics), some simulations have been made.

The purpose is to study the variations of the proposed

indicators that measure the efﬁciency and the rate of

the attack, as the parameters of the attack are adjusted.

In a ﬁrst approach, these parameters are supposed to

be independent on each other. Therefore, only one of

them is modiﬁed on each set of experiments.

The results obtained are shown in Fig. 4. It shows

the effectiveness of the attack, in terms of UP P and

idle

, and also the effort for those attacks.

Some conclusions can be extracted from these ex-

periments:

• The tendencies in the behavior of UP P and

idle

are similar. That is, an increase in the value of

UP P also involves a higher value for

idle

-see

Fig. 4-.

• As the ontime period becomes longer or the

interval takes a shorter value, both UP P and

idle

are reduced, and a higher effort is obtained

– see Figs. 4.a), b), c) and d)–.

• An increase in the value of RT T affects only to the

efﬁciency and not to the rate –Figs. 4.e) and f)–.

This implies that a higher value of UP P and T

idle

is obtained when the

RT T increases.

• The increase of the var[τ

int

] implies a lower efﬁ-

ciency –Figs. 4.g) and h)–. This is because more

outputs are generated out of the boundaries of the

ontime interval. Moreover, when an output arrives

to the intruder before the ontime interval is sent, the

attack period is restarted. Due to this fact, the effort

decreases when the variance is higher.

• The value of the efﬁciency decreases as soon as the

mean value for the service time (

) is higher –Figs.

4.i) and j)–. The reason is that the mean idle time

represents a percentage of the time during which

the service queue has a free position and this time

is equal independently of the mean service time.

Moreover, the effort is not affected by this kind of

variations in the setting of the attack.

• There is no linear dependency between variations

in the rate of the legitimate users trafﬁc and the ef-

ﬁciency –see Figs. 4.k) and l)–, as expected from

expression (10).

All these conclusions are coherent with those ob-

tained from the mathematical models in Section 4,

which allow us to conclude that these models are valid

for an approximated analytical study of the behavior

of the attack.

6 CONCLUSIONS

Low-rate DoS attack against iterative server (Maci

Fern

andez et al., 2006b) has appeared as a threatening

way of attacking simple applications. In this paper,

the fundamentals of the design for these kind of at-

tacks are presented.

A framework for evaluating the behaviour of the

attack is contributed. Leaning on it, a mathematical

model that let us to adjust the design parameters to get

an speciﬁc efﬁciency and rate is proposed. Finally, by

means of simulation, all the design rules proposed are

contrasted.

As a future work, the comprehensive understanding

of the behaviour of this kind of attacks will lead to the

development of response and detection mechanisms.

We are now working in this ﬁeld, obtaining promising

results.

ON THE DESIGN OF A LOW-RATE DOS ATTACK AGAINST ITERATIVE SERVERS

155

ACKNOWLEDGEMENTS

This work has been partially supported by the Span-

ish Government through MYCT (Project TSI2005-

08145-C02-02, FEDER funds 70%)

REFERENCES

Axelsson, S. (2000). Intrusion detection systems: A survey

and taxonomy. Technical Report 99-15, Department

of Computer Engineering, Chalmers Univ., Goteborg.

Douligeris, Christos; Mitrokotsa, A. (2004). DDoS attacks

and defense mechanisms: classiﬁcation and state-of-

the-art. Computer Networks, 44(5):643–666.

Fall, Kevin; Varadhan, K. (2006). The ns manual. Retrieved

from http://www.isi.edu/nsnam/ns/.

Ferguson, P.; Senie, D. (2001). Network ingress ﬁltering:

defeating denial of service attacks which employ ip

source address spooﬁng. RFC 2827.

Geng, X.; Whinston, A. (2000). Defeating distributed de-

nial of service attacks. IEEE IT Professional, 2(4):36–

42.

Kuzmanovic, A.; Knightly, E. (2003). Low rate TCP-

targeted denial of service attacks (The shrew vs. the

mice and elephants). In Proc. ACM SIGCOMM’03,

pages 75–86.

Maci

a-Fern

andez, G., D

ıaz-Verdejo, J., and Garc

ıa-

Teodoro, P. (2006a). Evaluation of a low-rate dos at-

tack against iterative servers. Submitted to Computer

Networks.

Maci

a-Fern

andez, G., D

ıaz-Verdejo, J., and Garc

ıa-

Teodoro, P. (2006b). Low rate dos attack to mono-

process servers. Lecture Notes in Computer Science,

3934:43–47.

CERT Coordination Center (2003). De-

nial of Service attacks. Retrieved from

http://www.cert.org/tech

tips/denial of service.

SANS Institute (2000). Special notice - egress ﬁltering.

global incident analysis center.

Shevtekar, A., Anantharam, K., and Ansari, N. (2005).

Low rate tcp denial-of-service attack detection at edge

routers. IEEE Communications Letters, 9(4):363–

365.

Sun, H., Lui, J., and Yau, D. (2004). Defending against low-

rate tcp attacks: Dynamic detection and protection. In

Proc. of the IEEE Conference on Network Protocols

(ICNP2004), pages 196–205.

Weiler, N. (2002). Honeypots for distributed denial of ser-

vice. In Proc. of the Eleventh IEEE International

Workshops Enabling Technologies: Infrastructure for

Collaborative Enterprises 2002, pages 109–114.

Williams, M. (2000). Ebay, Amazon, Buy.com

hit by attacks, 02/09/00. Retrieved from

http://www.nwfusion.com/news/2000/0209attack.html.

a) b)

c) d)

e) f)

g) h)

i) j)

k) l)

Figure 4: Attack dynamics. Variations on the indicators of

the attack for different settings of the parameters: a) & b)

ontime interval, c) & d) interval ∆, e) & f) mean round trip

time, g) & h) variance of the inter-output time perceived by

the intruder, i) & j) mean service time, and k) & l) legitimate

users trafﬁc rate.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

156