Modeling and Mitigating the Coremelt Attackhespanha/published/2018ACC_1474_MS.pdf · Modeling and Mitigating the Coremelt Attack Guosong Yang 1, Hossein Hosseini 2, Dinuka Sahabandu

Modeling and Mitigating the Coremelt Attack

Guosong Yang1, Hossein Hosseini2, Dinuka Sahabandu2, Andrew Clark3,Joao Hespanha1, and Radha Poovendran2

Abstract— This paper studies the Coremelt attack, a link-flooding Distributed Denial of Service attack that exhauststhe bandwidth at a core network link using low-intensitytraffics between subverted sources. A dynamical system modelis formulated for analyzing the effect of the Coremelt attackon a single-link Transmission Control Protocol (TCP) network.Stability and convergence of the source flow rates are es-tablished using Lyapunov-based analysis. When the numberof subverted sources is limited, a modified TCP algorithm isdeveloped for the attackers to achieve a desired congestion level.A mitigation method is proposed to increase the bandwidthshared by legitimate users when the link is under attack. Thenetwork performance under different attack and mitigationscenarios is illustrated through simulation results.

I. INTRODUCTION

One of the major threats to Internet security today isthe Distributed Denial of Service (DDoS) attack, in whichan adversary attempts to interrupt legitimate users’ accessto certain network resources by sending superfluous trafficsfrom a vast number of scattered sources (called a botnet).Since the first incident of DDoS attack reported by theComputer Incident Advisory Capability (CIAC) in 1999 [1],many large-scale DDoS attacks have been launched againstvarious infrastructures and organizations (see, e.g., [2], [3]).Moreover, the frequency and size of DDoS attacks growsrapidly every year. The 11th Annual Worldwide Infrastruc-ture Security Report (WISR) from Arbor Network [4] showsthat 44% of service provider respondents have seen morethan 21 DDoS attacks per month from November 2014 toNovember 2015, up from 38% in the previous year. Thesame report also shows that, nearly one-quarter of themexperienced attacks with size over 100 Gbps, whereas 20percent reported attacks over 50Gbps the year before.

As pointed out in [3], most common DDoS attacks exploitone or both of the following two approaches: i) disruptinglegitimate users’ service by exhausting server resources; andii) disrupting legitimate users’ connectivity by exhaustinglink bandwidth. The second approach, called link-floodingDDoS, proves to be particularly effective and stealthy, as itcan be achieved without sending traffic to the victims at all.One of the first link-flooding DDoS attacks is the Coremelt

1G. Yang and J. Hespanha are with the Department of Electrical andComputer Engineering, University of California, Santa Barbara, CA 93106USA. {guosongyang, hespanha}@ucsb.edu.

2H. Hosseini, D. Sahabandu, and R. Poovendran are with the Departmentof Electrical Engineering, University of Washington, Seattle, WA 98195USA. {hosseinh, sdinuka, rp3}@uw.edu.

3A. Clark is with the Department of Electrical and Computer En-gineering, Worcester Polytechnic Institute, Worcester, MA 01609 [email protected].

Fig. 1. The Coremelt Attack [5]: a coordinated link-flooding DDoS attackwhich allows the flow rate of each subverted source to be kept well belowthe detection threshold, yet effectively congests/shuts down a target link inthe intersection of traffics.

attack [5], in which an adversary attempts to congest/shutdown a core link of the network using low-intensity trafficsbetween subverted sources. The Coremelt attack is of highinterest as it allows the individual sources participating inthe coordinated attack to keep the flow rates well below thedetection thresholds, yet effectively exhausts the bandwidthof the target link in the intersection of attack flows. Moreover,it has been further extended in the security literature todemonstrate attacks such as the Crossfire attack [6] that haveno known counter measures.

This paper studies the Coremelt attack presented in [5] ona single-link Transmission Control Protocol (TCP) network.Our goal is to build a dynamical system framework for mod-eling and developing mitigation methods for the Coremeltattack. We make the following specific contributions:

• A dynamical system model is formulated for analyzingthe effect of the Coremelt attack on the link congestionlevel in terms of drop probabilities. Based on this model,Lyapunov-based analysis is used to establish stabilityand convergence of the source flow rates.

• For a scenario with a limited number of subvertedsources, a modified TCP algorithm is developed for theattackers to achieve a desired drop probability at thelink.

• We propose a mitigation method against the Coremeltattack. With this mitigation, the bandwidth shared bylegitimate users remains the same as in the case whereall sources follow standard TCP, increasing the numberof subverted sources the adversary needs to achievehigher drop probabilities.

• Simulation results are provided to illustrate differentattack and mitigation scenarios.

This paper is organized as follows: Section II providesthe backgrounds on TCP and Coremelt attack. The networkmodel and the dynamics of TCP congestion control areformulated in Section III. In Section IV, we analyze the

CONFIDENTIAL. Limited circulation. For review only.

Preprint submitted to 2018 American Control Conference.Received September 25, 2017.

effect of the Coremelt attack, and present a modified TCPalgorithm through which a desired drop probability can beachieved. A mitigation method is proposed in Section V toimprove the link usage of legitimate users when the link isunder attack. Simulation results are presented in Section VI.Section VII concludes the paper.

II. BACKGROUND

Transmission Control Protocol (TCP). TCP is a proto-col that defines how to establish a connection between asource-destination pair, and reliably transmit data over theInternet [7]. A TCP source controls its flow rate based onthe size of a congestion window. It sends one window ofpackets per round-trip time (RTT), and updates the windowsize based on the rate of acknowledgments (ACKs) receivedfrom the destination to avoid congestion. The update is doneusing the additive-increase/multiplicative-decrease (AIMD)feedback control algorithm [8], which linearly increases therate for each ACK received by the source, and halves it whencongestion is detected through a missing ACK. In model-ing and analyzing the Coremelt attack, we consider TCP-NewReno [9], one of the most widely used TCP variants inmodern network settings.

Coremelt Attack. The Coremelt attack [5] is a DDoS attackin which large number of subverted sources communicatewith each other in such a way that the traffic of each source-destination pair traverses through a target core link of thenetwork and the aggregated traffic flows exceeds the linkcapacity. It has been shown that such an attack can disrupt theoperation of the entire Internet by deploying only an average-size botnet [5]. Conventional authenticity-based mitigationmethods fail against the Coremelt attack due to the use oflegitimate looking traffic by the botnet. Also, the distributednature of the subverted sources makes defense techniquessuch as path tracking or IP traceback more complex.

Several papers proposed defense mechanisms against theCoremelt attack [10]–[15]. A new network architecture isproposed in [10] as a defense against DDoS attacks. In[11], a protocol is proposed for edge gateways (routers atthe both ends of the link) to prevent bot flows that useIP spoofing for link-flooding attacks. In [12], the authorssuggested bandwidth isolation between different traffic flowsto minimize collateral damage by link-flooding attacks. Acollaborative defense mechanism, which enables routers todistinguish low-rate attack flows from legitimate ones, wasdeveloped in [13]. In [14], observable statistics at routersare used to infer the presence of an attack, and in [15], theauthors proposed to detect attacks by performing rate changetests.

In this paper, we model the Coremelt attack in the scopeof the current network architecture, and propose a mitigationmethod based on penalizing sources that are most responsiblefor the link congestion. We show that our method suc-cessfully protects legitimate users and suppresses aggressiveflows. This mitigation method does not require authenticatingusers or inspecting the packets, and does not need any

Fig. 2. A network with the “dumbbell” topology: N sources are competingfor the finite bandwidth c of a single link. When the aggregated flow ratey =

∑xk > c, a fraction p is dropped so that (1− p) y ≤ c.

changes to the network architecture or any modification tothe network protocols used by sources.

III. PRELIMINARIES

In this section, we describe the network model, definethe drop probability, and formulate the dynamics of TCPcongestion control.

Denote by R+ := [0,∞) the set of nonnegative realnumbers. Given a ∈ R and b ∈ R+, define the projection

(a)+b :=

{a, if b > 0, or b = 0 and a ≥ 0;

0, if b = 0 and a < 0.

When the first condition holds, we say that the projection isinactive; otherwise, the projection is active.

A. Network model

Consider the computer network shown in Fig. 2. In thisnetwork, data flows from N sources are competing for thefinite bandwidth c of a single link. Such a configuration isknown as the “dumbbell” topology, and is typically used toanalyze network congestion control [16]. Denote by xk theflow rate from source k ∈ N := {1, . . . , N}, and by y theaggregated flow rate at the link gateway, that is,

y =∑k∈N

xk. (1)

The link gateway manages the throughput via the “tail drop”technique: if the aggregated rate y > c, the gateway buffersthe excess data in a queue, waiting to be transmitted; whenthe queue is filled to its maximum capacity, the newlyarriving flows will be dropped until there is enough roomto accept incoming flows. In this case, the network is saidto be congested. In this paper, we are interested in thescenario where the link is persistently congested, that is, thesteady-state aggregated rate y∗ is consistently larger than thebandwidth c. Consequently, the steady-state drop probabilitywill be large (not close to 0).

B. Drop probability

We assume that flows from different sources arrive at thegateway in a random order, so that they all suffer the samedrop probability p. The value of p is approximated via asimple model

p = g(y) :=

1− c

y, if y > c;

0, otherwise,(2)



which has been used, e.g., in [17]. This model ensures thatp ∈ [0, 1] at all times, and the throughput never exceeds thebandwidth, that is, (1 − p) y ≤ c. It also has the followingproperty, which will be used in the subsequent analysis.

Lemma 1. For an arbitrary y∗ > c, it holds that

(y − y∗)(g(y)− g(y∗)) ≥ 0 ∀y ≥ 0. (3)

Proof. If y ≥ c, then

(y − y∗)(g(y)− g(y∗))

= (y − y∗)((

1− c

y

)−(1− c

y∗

))=c(y − y∗)2

yy∗≥ 0;

otherwise y < c < y∗ and g(y) = 0, thus

(y − y∗)(g(y)− g(y∗))

= −(y − y∗)(1− c

y∗

)=

(y∗ − y)(y∗ − c)y∗

≥ 0.

Lemma 1 implies that, if the steady-state aggregated ratey∗ > c, then the system defined by the memoryless functiong in (2) with input y− y∗ and output p− p∗ is passive (herep∗ = g(y∗) denotes the steady-state drop probability).

C. Dynamics of TCP

We consider the TCP-NewReno congestion control algo-rithm [9], which is one of the most widely used TCP variants,and is designed to improve the performance of its originalversion TCP-Reno when there are multiple packet drops inone transmission [9]. In TCP-NewReno, source k sends awindow of wk packets per RTT τk, and the window size wkis governed by the following AIMD algorithm:{

wk ← wk + 1/wk, when ACK received,wk ← wk/2, when packet dropped,

in which wk is halved only once when there are multiplepacket drops in one RTT. In modeling the dynamics of aTCP-NewReno source, we assume that the RTT τk of flow kis constant, and define the flow rate xk as the average numberof packets sent per unit time, that is, xk = wk/τk. Thisapproximation is valid since our model is not intended toprovide accurate description at finer time scales than the RTT.For the xk packets sent per unit time, an average of (1−p)xkACKs were received, which leads to an average increase of(1− p)xk · (1/wk) in wk; an average of pxk were dropped,which leads to an average decrease of (pxk/wk) · (wk/2)in wk. Combining the two cases, we obtain the dynamicalmodel

xk =

(1− pτ2k− pxk

2τk

)+

xk

(4)

where the projection is to ensure that xk ≥ 0.

Remark 1. In analyzing loss-based TCP algorithms, manypapers adopt the dynamical model

xk =

(1− pτ2k− 1

2px2k

)+

xk

,

which is derived via the approximation that, on average, wkis increased by (1− p)xk · (1/wk) per unit time due to the(1 − p)xk ACKs received, and decreased by pxk · (wk/2)per unit time due to the pxk packets dropped. However,this formulation is developed for TCP-Reno [18] with asmall drop probability, and is not suitable for analyzing TCP-NewReno in the current setting. More specifically, if multiplepackets are dropped in the same window (which is likelyunder a high drop probability), the window is halved onlyonce in TCP-NewReno, but multiple times in TCP-Reno.

IV. ANALYSIS OF COREMELT ATTACK

In this section, we analyze the Coremelt attack in two dif-ferent scenarios using tools from dynamical systems theory.In the first scenario, we assume all sources follow the TCP-NewReno algorithm, and compute the number of sources theadversary needs in order to achieve a certain drop probability.In the second scenario, we propose a modified TCP algorithmfor attackers through which a desired drop probability canbe achieved. In both cases, Lyapunov-based analysis is usedto establish stability and convergence of the flow rates.

Suppose there is an adversary who has taken control of Msources (called attackers), and is trying to congest the corelink so that the other S = N −M sources (called users)suffer a high drop probability. We only consider the case ofstatic Coremelt attacks, in which the attackers (and implicitlytheir transmission paths) are fixed. Without loss of generality,denote by A := {1, . . . ,M} and U := {M + 1, . . . , N} thesets of attackers and users, respectively. Hence N = A∪U .We assume that all users follow the TCP-NewReno algorithmfor sending data over the link. Attackers, however, can followa different algorithm, which is the same for all attackersand is distributed in the sense that the attackers cannotcommunicate, and adjust their flow rates independently. Eachsource (user or attacker) is not aware of the total number ofsources, link capacity or instantaneous link usage, and adjustits flow rate only according to the feedback (ACKs) received.

A. Attack with TCP-NewReno sources

Suppose that all sources (users and attackers) follow theTCP-NewReno dynamical model (4), which can be rewrittenas

xk = Kk(xk)(U′k(xk)− p)+xk

, k ∈ N , (5)

whereUk(xk) :=

2

τkln(τkxk + 2)

is strictly increasing and strictly concave, and

Kk(xk) :=τkxk + 2

2τ2k=

1

τ2kU′k(xk)

is strictly positive as the flow rate xk ≥ 0. The network thenbecomes a dynamical system with state x := (x1, . . . , xN ) ∈RN defined by (1), (2) and (5).1 Setting xk = 0 in (5), we

1The values of y and p are uniquely determined by x through (1) and(2).



see that the steady-state rate satisfies x∗k > 0.2 Consequently,

U ′k(x∗k) = p∗ ∀k ∈ N (6)

for the steady-state drop probability p∗, which implies thatp∗ ∈ (0, 1) and the steady-state aggregated rate y∗ > c at theequilibrium. Next, we establish stability and convergence ofthe flow rates via Lyapunov analysis.

Theorem 1. The dynamical system defined by (1), (2) and (5)is globally asymptotically stable w.r.t. a unique equilibrium.

Proof. The condition (6) and the concavity of Uk ensurethat there is a unique equilibrium x∗. The value of x∗ canbe calculated by combining (1), (2) and (6). Consider thefunction V :

∏k∈N [−x∗k,∞)→ R+ defined by

V (x− x∗) :=∑k∈N

Vk(xk − x∗k),

where

Vk(xk − x∗k) :=∫ xk

x∗k

s− x∗kKk(s)

ds, k ∈ N .

Since all Kk are strictly positive, V is positive definite. Also,all Vk, and therefore V , are radially unbounded. For eachk ∈ N , we have

Vk = V ′k(xk − x∗k) xk= (xk − x∗k)(U ′k(xk)− p)+xk

≤ (xk − x∗k)(U ′k(xk)− p)= (xk − x∗k)(U ′k(xk)− U ′k(x∗k))− (p− p∗)(xk − x∗k),

where the last equality follows from (6), and the inequalityfollows from the fact that if the projection is active, thenxk = 0 and U ′k(xk)− p < 0; thus (xk − x∗k)(U ′k(xk)− p) =−x∗k(U ′k(xk)− p) > 0. Hence

V =∑k∈N

Vk

=∑k∈N

(xk − x∗k)(U ′k(xk)− U ′k(x∗k))

− (p− p∗)∑k∈N

(xk − x∗k)

=∑k∈N

(xk − x∗k)(U ′k(xk)− U ′k(x∗k))− (p− p∗)(y − y∗)

≤∑k∈N

(xk − x∗k)(U ′k(xk)− U ′k(x∗k)),

where the inequality follows from Lemma 1. The concavityof Uk implies that (xk−x∗k)(U ′k(xk)−U ′k(x∗k)) is a negativedefinite function of xk−x∗k. Hence V is a Lyapunov function,and x∗ is globally asymptotically stable.

Theorem 1 ensures that the drop probability will convergeto the equilibrium value p∗. Combining (1), (2) and (6), weobtain that ∑

k∈N

1

τk=

2p∗c

(1− p∗)2. (7)

2Otherwise the projection would be active, which implies that x∗k = 0and p∗ > U ′k(0) = 1, and contradicts the fact that p ∈ [0, 1] at all times.

Suppose that every source has the same RRT τ , which isreasonable because the wait in the congested link dominatesthe network latency. To achieve a certain drop probabilityp∗, the number of attackers M needs to satisfy

M ≥ 2τp∗c

(1− p∗)2− S,

in which the number of users S is usually unknown tothe adversary but can often be estimated empirically. Evenwithout knowing the number of users, it will be sufficient todeploy enough attackers so that

M ≥ 2τp∗c

(1− p∗)2.

B. Attack with modified TCP sourcesConsider the case where the adversary intends to achieve

a target drop probability p0 ∈ (0, 1) with a limited numberof M attackers. On the one hand, simply following TCPmay not be sufficient, as the achievable drop probability isconstrained by (7). On the other hand, letting the attackerssend as much traffic as they can will greatly increase therisk of being detected. In this section, we provide a carefullyorchestrated algorithm for the attackers to adjust their flowrates based on the ACKs received, so that in steady-state thetarget drop probability is achieved with a minimal amountof traffic.

Suppose that all users follow the TCP-NewReno dynami-cal model

xi = Ki(xi)(U′i(xi)− p)+xi

, i ∈ U . (8)

Every attacker sets its flow rate xj by “amplifying” aninternal state ξj that emulates a TCP-NewReno flow witha gain λj ≥ 0, where the gain λj is adjusted via feedbackas follows:

ξj = Kj(ξj)(U′j(ξj)− p)+ξj ,

λj = γjξj(p0 − p)+λj,

xj = eλjξj ,

j ∈ A, (9)

where γj > 0 is a constant used to adjust the convergencerate, and the projections are to ensure that ξj , λj ≥ 0.(Details on implementing this modification can be foundin Section VI.) In particular, if λj ≡ 1 then the attacker’sbehavior is the same as TCP-NewReno. The network (shownin Fig. 3) then becomes a dynamical system with state(xu, ξ, λ) ∈ RN+M defined by (1), (2), (8) and (9), wherexu := (xM+1, . . . , xN ), ξ := (ξ1, . . . , ξM ) and λ :=(λ1, . . . , λM ); see also footnote 1.

Setting xi = ξj = λj = 0 in (8) and (9), we obtain thatthe steady-state drop probability satisfies p∗ = p0, and thesteady-state vectors x∗u and ξ∗ satisfy (see also footnote 2)

U ′i(x∗i ) = p0 ∀i ∈ U ,

U ′j(ξ∗j ) = p0 ∀j ∈ A.

(10)

Following (1) and (2), the steady-state vector λ∗ is con-strained by ∑

i∈Ux∗i +

∑j∈A

λ∗jξ∗j =

c

1− p0. (11)



Fig. 3. Attack with modified TCP sources: every attacker sets its flow ratexj by amplifying an internal state ξj that emulates a TCP-NewReno flowwith a gain λj ≥ 0.

The concavity of Ui and Uj implies that x∗u and ξ∗ areunique. However, the gains λ∗ are not unique and can takeany values satisfying (11). This is due to the distributed na-ture of the attack, and could be avoided in practice by lettingthe attackers communicate with each other occasionally.

Remark 2. Note that the target p0 cannot be smaller than thedrop probability for the case without attackers, that is,

c

1− p0≥∑i∈U

(U ′i)−1(p0) =

∑i∈U

2

τi

(1

p0− 1

). (12)

Otherwise the equilibrium set defined by (10) and (11) willbe empty. This condition is not a problem in actual attacksas the goal is to maintain a high lost probability.

Next, we establish stability and convergence of the net-work via Lyapunov analysis.

Theorem 2. Provided the target drop probability p0 is largeenough so that (12) holds, the dynamical system defined by(1), (2), (8) and (9) is globally asymptotically stable w.r.t.the equilibrium set defined by (10) and (11).

Proof. Let (x∗u, ξ∗, λ∗) be an arbitrary state vector satisfying

(10) and (11). Consider the function V :∏i∈U [−x∗i ,∞) ×∏

j∈A[−ξ∗j ,∞)× RM → R+ defined by

V (xu − x∗u, ξ − ξ∗, λ− λ∗)

:=∑i∈U

Vi(xi − x∗i ) +∑j∈A

Vj(ξj − ξ∗j , λj − λ∗j ),

where

Vi(xi − x∗i ) :=∫ xi

x∗i

s− x∗iKi(s)

ds, i ∈ U ,

and

Vj(ξi − ξ∗i ) :=(λj − λ∗j )2

2γj+ λ∗j

∫ ξj

ξ∗j

s− ξ∗jKj(s)

ds, j ∈ A.

Following the proof of Theorem 1, we obtain that V ispositive definite and radially unbounded, and that

Vi ≤ (xi − x∗i )(U ′i(xi)− U ′i(x∗i ))− (p− p0)(xi − x∗i )

for each i ∈ U . For each j ∈ A, we have

Vj =∂Vj∂ξj

ξj +∂Vj∂λj

λj

= λ∗j (ξj − ξ∗j )(U ′j(ξj)− p)+ξj + (λj − λ∗j ) ξj(p0 − p)+λj

≤ λ∗j (ξj − ξ∗j )(U ′j(ξj)− p) + (λj − λ∗j ) ξj(p0 − p)= λ∗j (ξj − ξ∗j )(U ′j(ξj)− U ′j(ξ∗j ))− λ∗j (ξj − ξ∗j )(p− p0) + (λj − λ∗j ) ξj(p0 − p)

= λ∗j (ξj − ξ∗j )(U ′j(ξj)− U ′j(ξ∗j ))− (p− p0)(λjξj − λ∗jξ∗j ),where the second to last equality follows from (6), and theinequality follows from similar arguments to those in theproof of Theorem 1. Hence

V =∑i∈U

Vi +∑j∈A

Vj

=W (xu − x∗u, ξ − ξ∗)

− (p− p0)(∑i∈U

(xi − x∗i ) +∑j∈A

(λjξj − λ∗jξ∗j ))

=W (xu − x∗u, ξ − ξ∗)− (p− p0)(y − y∗)≤W (xu − x∗u, ξ − ξ∗),

where

W (xu − x∗u, ξ − ξ∗) :=∑i∈U

(xi − x∗i )(U ′i(xi)− U ′i(x∗i ))

+∑j∈A

λ∗j (ξj − ξ∗j )(U ′j(ξj)− U ′j(ξ∗j )),

and the inequality follows from Lemma 1 and the fact thaty∗ > c due to g(y∗) = p0 ∈ (0, 1). The concavity of Uiand Uj implies that W is a negative definite function ofxu−x∗u and ξ− ξ∗. Hence V is a weak Lyapunov function,and LaSalle’s invariance principle implies that the dynamicalsystem defined by (1), (2), (8) and (9) is stable, and allsolutions approaches the equilibrium set defined by (10) and(11).

Theorem 2 ensures that the drop probability will convergeto the target value p0. Also, as λ = 0 everywhere in theequilibrium set defined by (10) and (11), every solution willconverge to a point in the equilibrium set and the systemwill approach a steady-state.

When targeting a high drop probability p0, the attackerswill have to engage relatively large flow rates comparedto the users. From the perspective of the link gateway,this means that the attackers are advertising small RTTs,and could potentially be identified if their perceived RTTsbecomes less than a predefined bound in the gateway. Thistype of defense mechanism is not explored here, but atopic for future research. In the next section, we proposea mitigation method which improves the performance oflegitimate users even if the attackers cannot be identified.

V. MITIGATION

The goal of mitigation is to improve the link usage of (le-gitimate) users. If all sources follow the same TCP algorithmand have the same RTT, then in steady-state the bandwidth



c will be evenly shared by them, that is, the throughput ofevery source will be ceq = c/N . Therefore, the upper boundof link usage of users is essentially cu = cM/N . In ourmitigation method, we intend to reduce the throughput ofeach attacker to the same as a user’s, so that the link usageof users reaches cu. This is challenging due to the fact thatattackers may not follow the same transmission protocol asusers, and can aggressively increase their flow rate in orderto exhaust the bandwidth and increase the drop probability.

The current TCP congestion control algorithm only in-volves the sources, and the link passively informs the sourcesabout the congestion. Moreover, the (memory-less) link doesnot distinguish flows from different sources, which simplifiesthe router algorithm but makes the network vulnerable toattackers’ misbehavior. To mitigate the attack effect, wepropose a method that involves the link into the dynamics ofeach individual source. In our method, the link pushes thethroughput of each source toward the desired equilibriumat which the bandwidth is evenly shared by all sources.More specifically, the incoming packets are dropped in sucha way that the throughput of every source approaches ceq .On average, this means setting different drop probabilitiesfor different sources so that those with higher flow rates willexperience more packet drops. The drop probability qi forsource i will be calculated by qi = max{1− ceq/xi, 0}.

The proposed mitigation method does not require a changein the transmission protocols used by sources. It also doesnot require the link to authenticate sources or inspect packets,as proposed in [19], [20]. The link only needs to adjust thedrop probability for each user based on its flow rate, thelink capacity, and the number of sources accessing the link.Moreover, our method ensures that, regardless of the attackstrategy and even if the attackers are coordinated, each userwill receive the bandwidth ceq on average. As a result, tooccupy the same bandwidth as in the case without mitigation,the adversary needs to deploy a significantly larger numberof sources. Also, when there is no attacker in the network,by definition, our method yields the same equilibrium (if allsources have the same RTT), and thus does not impair theoverall performance.

VI. SIMULATION RESULTS

In this section, we provide simulation results for scenarioswhere the attackers follow TCP-NewReno or the modifiedTCP algorithm, and the link uses no mitigation or ourproposed mitigation method. In all cases, we assume thelegitimate users follow the TCP-NewReno congestion controlalgorithm.

In the modified TCP algorithm, the attacker j amplifies hertransmission rate by the gain λj , where the update rule for λjis defined by (9). Similar to TCP-NewReno dynamics, sincethe drop probability p is not directly known, the attackersupdate λj as follows:{

λj ← λj + γjp0ξj , when ACK received,λj ← λj − γj(1− p0) ξj , when packet dropped.

0 2000 4000 6000 8000 10000time (in RTT)

0

0.2

0.4

0.6

0.8

1

Dro

p P

roba

bilit

y

Attackers follow TCP-NewRenoAttackers follow Modified TCP, p

0=0.5

Attackers follow Modified TCP, p0=0.8

0 2000 4000 6000 8000 10000time (in RTT)

0

0.2

0.4

0.6

0.8

1

Rat

io o

f Lin

k A

ssig

ned

to U

sers


0=0.5


Fig. 4. Effect of the modified TCP algorithm on link drop probability andlink usage of (legitimate) users. When the attackers follow TCP-NewReno,the link drop probability is almost zero and the fraction of bandwidthassigned to users is about 2/3. However, with the modified TCP algorithm,the link drop probability converges to the attackers’ target value and thefraction of bandwidth assigned to users is almost zero.

0 2000 4000 6000 8000 10000time (in RTT)

0

0.2

0.4

0.6

0.8

1

Dro

p P

roba

bilit

y

Drop rate of users, p0=0.5

Drop rate of attackers, p0=0.5

Drop rate of users, p0=0.8

Drop rate of attackers, p0=0.8

0 2000 4000 6000 8000 10000time (in RTT)

0

0.2

0.4

0.6

0.8

1

Rat

io o

f Lin

k A

ssig

ned

to U

sers


0=0.5


Fig. 5. Effect of the proposed mitigation method on the drop probabilitiesand link usage of (legitimate) users. When the attackers follow TCP-NewReno, the mitigation does not reduce users’ drop probability. In contrast,when the attackers follow the modified TCP algorithm, their drop probabilityconverges to the target value, while the drop probability of users remain nearzero. Moreover, the fraction of the link assigned to users increases whenattackers follow the modified TCP algorithm instead of TCP-NewReno.Therefore, the mitigation successfully protects the sources following TCP-NewReno.

In the proposed mitigation method, the link sets differentdrop probabilities for different sources according to their flowrates. In simulations, we assume that the link either keeps ordrops the entire window. Therefore, assuming that flows fromdifferent sources arrive at the link in a random order, the linkdrops them one by one with their corresponding probability,until the aggregate rate of remaining flows becomes less thanor equal to the capacity.

In simulations, we consider a scenario where 2000 usersand 1000 attackers are transmitting over a link with capacityof 1 Mbps. We assume that the RTT is the same for allsources and plot the results per RTT. We also set γj = 10in (9), and initialize the congestion windows and gains λjrandomly.

Figure 4 shows the link drop probability and link usage of(legitimate) users, when the attackers follow TCP-NewRenoand the modified TCP algorithm. As can be seen, when theattackers follow TCP-NewReno, the link drop probability isalmost zero and the fraction of bandwidth assigned to usersis about (N −M)/N = 2/3. However, with the modifiedTCP algorithm, the link drop probability converges to theattackers’ target value p0 and the fraction of bandwidthassigned to users is almost zero.

Figure 5 shows the drop probabilities and link usage of(legitimate) users, when the link deploys the proposed mit-igation method. When the attackers follow TCP-NewReno,



the link drop probability is almost zero and the fraction ofbandwidth assigned to users is about (N −M)/N = 2/3.Therefore, the mitigation does not reduce users’ drop prob-ability when all sources follow TCP-NewReno. In contrast,when the attackers follow the modified TCP algorithm, theirdrop probability converges to the target value, while the dropprobability of users remain near zero. This implies that themitigation successfully protects the sources following TCP-NewReno. Moreover, the fraction of bandwidth assigned toattackers is reduced when they follow the modified TCPalgorithm, and with a higher target drop probability, their linkusage will decrease even more. Hence, with our mitigationmethod in place, the best strategy for attackers is to use thesame transmission protocol as legitimate users. As a result,the adversary needs a significantly larger number of sourcesto achieve the same link usage as in the case without themitigation.

VII. CONCLUSION

In this paper, we studied the Coremelt attack on asingle-link TCP network using a dynamical system modeland Lyapunov-based analysis. We considered two attackscenarios, one with standard TCP and the other with amodified form of TCP, and proposed a mitigation methodthat increases the cost of attack. Future research directionsinclude to extend the results to more complex networkconfigurations, other transmission protocols and dynamicCoremelt attacks; and to generalize the dynamical systemframework for modeling and developing mitigation methodsfor other link-flooding DDoS attacks such as the Crossfireattack [6].

REFERENCES

[1] P. J. Criscuolo, “Distributed Denial of Service Trin00, Tribe FloodNetwork, Tribe Flood Network 2000, and Stacheldraht,” LawrenceLivermore National Laboratory, Tech. Rep. CIAC-2319, 2000.

[2] S. Specht and R. Lee, “Taxonomies of Distributed Denial of ServiceNetworks, Attacks, Tools, and Countermeasures,” Princeton Univer-sity, Tech. Rep. CE-L2003-03, 2003.

[3] S. T. Zargar, J. Joshi, and D. Tipper, “A Survey of defense mechanismsagainst Distributed Denial of Service (DDoS) flooding attacks,” IEEECommunications Surveys & Tutorials, vol. 15, no. 4, pp. 2046–2069,2013.

[4] “Worldwide Infrastructure Security Report, Volume XI,” Arbor Net-works, Tech. Rep., 2016.

[5] A. Studer and A. Perrig, “The Coremelt attack,” in 16th EuropeanSymposium on Research in Computer Security, 2011, pp. 37–52.

[6] M. S. Kang, S. B. Lee, and V. D. Gligor, “The Crossfire attack,” in2013 IEEE Symposium on Security and Privacy, 2013, pp. 127–141.

[7] J. Postel et al., “Transmission Control Protocol,” Information SciencesInstitute, University of Southern California, Tech. Rep. RFC 793,1981.

[8] D.-M. Chiu and R. Jain, “Analysis of the increase and decreasealgorithms for congestion avoidance in computer networks,” ComputerNetworks and ISDN Systems, vol. 17, no. 1, pp. 1–14, 1989.

[9] T. Henderson, S. Floyd, A. Gurtov, and Y. Nishida, “The NewRenoModification to TCP’s Fast Recovery Algorithm,” IETF, Tech. Rep.RFC 6582, 2012.

[10] C. Basescu, R. M. Reischuk, P. Szalachowski, A. Perrig, Y. Zhang,H.-C. Hsiao, A. Kubota, and J. Urakawa, “SIBRA: Scalable internetbandwidth reservation architecture,” in 2016 Network and DistributedSystem Security Symposium, 2016.

[11] Y. Gilad and A. Herzberg, “LOT: A defense against IP spoofingand flooding attacks,” ACM Transactions on Information and SystemSecurity, vol. 15, no. 2, p. 30, 2012.

[12] J. C.-Y. Chou, B. Lin, S. Sen, and O. Spatscheck, “Proactivesurge protection: A defense mechanism for bandwidth-based attacks,”IEEE/ACM Transactions on Networking, vol. 17, no. 6, pp. 1711–1723,2009.

[13] S. B. Lee, M. S. Kang, and V. D. Gligor, “CoDef: Collaborativedefense against large-scale link-flooding attacks,” in 9th ACM Confer-ence on Emerging Networking Experiments and Technologies, 2013,pp. 417–428.

[14] A. P. Athreya, X. Wang, Y. S. Kim, Y. Tian, and P. Tague, “Resistanceis not futile: detecting DDoS attacks without packet inspection,” in10th Web Information System and Application Conference, 2013, pp.174–188.

[15] M. S. Kang, V. D. Gligor, and V. Sekar, “SPIFFY: Inducing cost-detectability tradeoffs for persistent link-flooding attacks,” in 2016Network and Distributed System Security Symposium, 2016, p. 15.

[16] J. P. Hespanha, S. Bohacek, K. Obraczka, and J. Lee, “Hybridmodeling of TCP congestion control,” in 4th International Conferenceon Hybrid Systems: Computation and Control, 2001, pp. 291–304.

[17] S. Kunniyur and R. Srikant, “End-to-end congestion control schemes:utility functions, random losses and ECN marks,” IEEE/ACM Trans-actions on Networking, vol. 11, no. 5, pp. 689–702, 2003.

[18] M. Allman, V. Paxson, and E. Blanton, “TCP Congestion Control,”IETF, Tech. Rep. RFC 5681, 2009.

[19] C. Jin, H. Wang, and K. G. Shin, “Hop-count filtering: An effectivedefense against spoofed DDoS traffic,” in 10th ACM Conference onComputer and Communication Security, 2003, pp. 30–41.

[20] A. Yaar, A. Perrig, and D. Song, “StackPi: New packet markingand filtering mechanisms for DDoS and IP spoofing defense,” IEEEJournal on Selected Areas in Communications, vol. 24, no. 10, pp.1853–1863, 2006.



Documents

Modeling and Mitigating the Coremelt Attackhespanha/published/2018ACC_1474_MS.pdf · Modeling and Mitigating the Coremelt Attack Guosong Yang 1, Hossein Hosseini 2, Dinuka Sahabandu