Title :
Practical study of a defense against low-rate TCP-targeted DoS attack
Author :
Efstathopoulos, P.
Author_Institution :
Symantec Res. Labs., Culver City, CA, USA
Abstract :
It has been proven in theory and through simulations [3, 9] that a low-rate TCP-targeted Denial-of-Service (DoS) attack is possible by exploiting the retransmission timeout (RTO) mechanism of TCP. In contrast to most DoS attacks, this exploit requires periodic, low-average-volume traffic in order to throttle TCP throughput. Consequently, this attack is hard to detect and prevent, since most DoS detection systems are triggered by high-rate traffic. For the attack to be successful, the attacker must inject a short burst of traffic, capable of filling up the bottleneck buffers, right before the expiration of the sender's RTO. This forces the sender's TCP connections to time out, leaving them with very low throughput. The effectiveness of the attack depends on the attacker's synchronization with the victim's RTO. Certain commercial systems follow the guidelines of RFC 2988 [4] (which suggests a minimum RTO of 1 sec), making this synchronization far from impossible, while popular operating systems using lower minRTO values (e.g. Linux) are still vulnerable to an attacker using a low-latency network. RTO randomization was proposed in [9] as a defense against this attack, since it prevents the attacker from synchronizing attack traffic with RTO expiration intervals. In this paper, we study the results of the attack on a real system (Linux) and evaluate the effectiveness of RTO randomization in defending against low-rate TCP-targeted DoS attacks, showing that the method can prevent a TCP flow from being throttled by attack traffic.
Keywords :
telecommunication computing; telecommunication network management; telecommunication traffic; transport protocols; DoS detection system; RTO expiration interval; RTO randomization; bottleneck buffer; denial-of-service; low latency network; low rate TCP targeted DoS attack; retransmission timeout mechanism; traffic short burst; Cities and towns; Computer crime; Delay; Filling; Guidelines; Linux; Operating systems; Telecommunication traffic; Throughput; Traffic control;
Conference_Title :
International Conference for Internet Technology and Secured Transactions (ICITST 2009)
Conference_Location :
London
Print_ISBN :
978-1-4244-5647-5
DOI :
10.1109/ICITST.2009.5402593