TCP Based Denial-of-Service Attacks to Edge Network: Analysis and Detection

End-to-end congestion control algorithms in TCP are designed for a highly co-operative environment with the assumption that the end hosts voluntarily participate in it and obey the congestion control rules. The steady growth of malicious activities such as Denial-of-Service attacks (DoS) on the Internet reveals that the Internet no longer remains as a network of only trusted entities. The focus of this paper is on a special class of DoS attacks targeted to edge networks by exploiting the vulnerabilities of TCP congestion control algorithms to duplicate acknowledgement and optimistic acknowledgement spoofing. We analyse two DoS attack scenarios namely pulse and sustained attack arising from two different behaviours of the attacker and compare them with other widely seen DoS attacks. Our simulation results show that such attacks are feasible and also reveal the negative impact of the attacks on the target. We extend our work by presenting a simple but effective method for detecting such attacks by passively monitoring the inbound and outbound traffic of the targeted network. The detection is achieved by differentiating malicious streams of duplicate and optimistic acknowledgments from normal acknowledgments. The proposed detection technique fits well into the framework of an intrusion detection system, which can operate independently without any kind of cooperation or service from the end points.