Intrusion detection system for identification of throughput degradation attack on TCP
A. Bhandari, Mayank Agarwal, S. Biswas, Sukumar Nandi
2016 Twenty Second National Conference on Communication (NCC), published 2016-03-01
DOI: https://doi.org/10.1109/NCC.2016.7561150
Citation count: 3
Abstract
Improving the robustness of the Transmission Control Protocol (TCP) and evaluating its performance under attacks such as Denial-of-Service and Degradation-of-Service has always been an area of active research. In this paper, we analyze a variant of degradation-of-service attacks against TCP that uses forged duplicate acknowledgments to degrade the throughput of an ongoing connection. The receipt of three (forged) duplicate acknowledgments indicates the presence of congestion on the route between the server and the client. To cope with the congestion, the server reduces its congestion window, which reduces throughput. As the semantics of the attack remain the same under normal and attack conditions, signature- and anomaly-based Intrusion Detection Systems (IDS) fail to detect the throughput degradation attack. We also propose an active IDS to detect the attack. An active IDS is capable of injecting packets into the network in order to create a difference between normal and attack scenarios. Simulation experiments are carried out to check the validity of the proposed detection scheme. The proposed scheme is lightweight and can be easily deployed on existing systems.