On the effect of router buffer sizes on low-rate denial of service attacks
Authors: S. Sarat, A. Terzis
Published in: Proceedings. 14th International Conference on Computer Communications and Networks, 2005. ICCCN 2005.
Publication date: 2005-10-31
DOI: https://doi.org/10.1109/ICCCN.2005.1523867
Router queues buffer packets during congestion epochs. A recent result by Appenzeller et al. showed that the size of FIFO queues can be reduced considerably without sacrificing utilization. While Appenzeller showed that link utilization is not affected, the impact of this reduction on other aspects of queue management, such as fairness, is unclear. Recently, a new class of low-rate DoS attacks called shrews was shown to throttle TCP connections by causing periodic packet drops. Unfortunately, smaller buffer sizes make shrew attacks more effective and harder to detect, since shrews need to overflow a smaller buffer to cause drops. In this paper, we investigate the relation between buffer size and the shrew sending rate required to cause damage. Using a simple mathematical model, we show that a relatively small increase in the buffer size over the value proposed by Appenzeller is sufficient to render the shrew attack ineffective. Intuitively, bigger buffers require the shrews to transmit at much higher rates to fill the router queue. However, by doing so, shrews are no longer low-rate attacks and can be detected by active queue management (AQM) techniques such as RED-PD. We verified our analysis through simulations showing that a moderate increase in the buffer size, coupled with an AQM mechanism, is adequate to achieve high link utilization while protecting TCP flows from shrew attacks.