Shrews: Low-Rate TCP-Targeted Denial of Service Attacks
A shrew is a small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite.

Denial of Service attacks present an increasing threat to the global internetworking infrastructure. Hosts with divergent or malicious interests can readily subvert the protocols and infrastructure that the Internet depends on. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to attacks by high-rate non-responsive flows. However, little is known about low-rate denial of service attacks. We have discovered that low-rate attacks can be as harmful as the high-rate ones, and are even more dangerous because they are difficult for routers and counter-DoS mechanisms to detect.

In particular, the low-rate attack (named the shrew attack) consists of short bursts of packets, of maliciously chosen duration, that repeat with a fixed, maliciously chosen, slow-time-scale frequency. This traffic pattern is carefully designed to exploit TCP's deterministic retransmission timeout mechanism. When multiplexed with TCP cross-traffic, such a pattern is able to throttle TCP flows to a small fraction of their ideal rate while transmitting at a sufficiently low average rate to elude detection. Moreover, we demonstrated the ubiquity of the attacks by launching limited-scale attacks in parts of the Internet.
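
The burst pattern described above has a low average rate but a strong periodic component, which per-interval byte counts on a link can expose to a monitor. The following Python is an added example, not the authors' code; the bin size, search window, threshold and sample series are assumptions constructed for illustration.

```python
"""Added example: look for periodic bursts in per-bin byte counts (stdlib only)."""
from statistics import mean


def autocorr(x, lag):
    """Normalized (biased) autocorrelation of series x at a given lag."""
    m = mean(x)
    var = sum((v - m) ** 2 for v in x)
    if var == 0:
        return 0.0  # perfectly flat series: no periodic structure
    return sum((x[i] - m) * (x[i + lag] - m) for i in range(len(x) - lag)) / var


def find_periodic_bursts(samples, bin_s, min_period_s=0.5, max_period_s=5.0,
                         threshold=0.6):
    """Return a dict describing the strongest periodic component, or None.

    The search window and threshold are assumptions made for this example.
    """
    lo = max(1, round(min_period_s / bin_s))
    hi = min(len(samples) // 2, round(max_period_s / bin_s))
    if hi < lo:
        return None
    # The biased estimator shrinks as the lag grows, so the fundamental
    # period scores higher than its integer multiples.
    lag = max(range(lo, hi + 1), key=lambda k: autocorr(samples, k))
    score = autocorr(samples, lag)
    if score < threshold:
        return None
    return {
        "period_s": lag * bin_s,                           # repetition period
        "score": score,                                    # periodicity strength
        "avg_to_peak": mean(samples) / max(samples),       # low for short bursts
    }


def constructed_series(bins=240, period_bins=12, burst=1000, base=10):
    """Constructed sample: one burst bin every period_bins over a flat baseline."""
    return [base + (burst if i % period_bins == 0 else 0) for i in range(bins)]


if __name__ == "__main__":
    series = constructed_series()  # 24 s of 100 ms bins (constructed values)
    print(find_periodic_bursts(series, bin_s=0.1))
```

On the constructed series the average is under a tenth of the peak, so a threshold on average rate alone would not fire, while the autocorrelation peak stands out clearly. Real link traces carry background traffic that lowers the score, so the threshold needs tuning against a local baseline.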
- Low-Rate TCP-Targeted Denial of Service Attacks and Counter Strategies
  A. Kuzmanovic and E. W. Knightly
  Submitted to IEEE/ACM Transactions on Networking, March 2004.
- Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)
  A. Kuzmanovic and E. W. Knightly
  a) ACM SIGCOMM 2003, Karlsruhe, Germany, August 2003
  b) EPFL Network Group Meeting, Lausanne, Switzerland, August 2003
  Available as ppt.
- Ns-2 code and simulation scripts from the Sigcomm paper "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)" can be found here.
- Ns-2 code and simulation scripts from the ToN version of the paper can be found here.
- The Linux TCP-kernel source code used in the Internet experiments and the UDP-based software used to generate the shrew attacks are available here.
March, 2004, Aleksandar Kuzmanovic