[ijcst-v2i5p11] author: arsh arora, lekha bhambhu

8/11/2019 [IJCST-V2I5P11] Author: Arsh Arora, Lekha Bhambhu

http://slidepdf.com/reader/full/ijcst-v2i5p11-author-arsh-arora-lekha-bhambhu 1/5

International Journal of Computer Science Trends and Technology (IJCST) – Volume 2 Issue 5, Sep-Oct 2014

ISSN: 2347-8578 www.ijcstjournal.org Page 51

Performance Analysis of RED & Robust REDArsh Arora 1, Lekha Bhambhu 2

Research Scholar, HOD,Department of Computer Science and Engineering

Jan Nayak Ch. Devilal College of Engineering, Sirsa,Haryana - India

ABSTRACTActive Queue Management is a way to control Congestion. The existing RED (Random Early Detection) Active QueueManagement algorithm and its variants are found vulnerable to emerging LDoS attacks. The RRED algorithm was proposed toimprove TCP throughput under LDoS attacks by detecting and filtering out attack packet. We conduct a set of simulation tocompare and evaluate the performance of RED and RRED under normal TCP traffic without LDoS attacks and With LDoSattacks. The results show that, RRED algorithm nearly fully preserves the TCP throughput in the presence of LDoS attacks.Simulation is done by using Network Simulator (NS2).Keywords: - AQM, RED, RRED, DoS, LDoS, NS2.

I. INTRODUCTION

An enhancement of the router based queue management isknown as Active Queue management (AQM) [1].Generally, In AQM schemes congestion is measured andcontrol actions are taken. There are two approaches tomeasure congestion in AQM. (1) In Flow based congestionis observed and action is taken based on the packet arrivalrate. (2) In Queue based congestion is measured by queuesize and action is taken by maintaining a set of queues byInternet routers. The basic goal of all AQM techniques is tokeep the average queue size in routers small to Controls

average queue size to avoid global synchronization of TCPand absorbs bursts without dropping packets to prevent biasagainst bursty connections [7]. AQM also reduces thenumber of timeouts in TCP and take actions againstmisbehaving flows.

In past decades a few active queue management(AQM) algorithms such as Random Early Detection (RED)[2] and its variants have been proposed to improve the TCP

performance in congestion. AQM algorithms are highlyrobust to diverse network conditions; most of them weredesigned without considering their robustness againstnetwork attacks, such as the Denial-of-Service (DoS) [10]attacks that have been considered as a major threat to

Internet services now days. DoS attacks such as TCP SYNflood attacks, Internet Control Message Protocol (ICMP)flood attacks, ping attacks, smurf attacks, DNS floodattacks [11]. These attacks can be detected and recovered

because they generate high rate broadcast of packetstoward the target node. Recently low-rate DoS attack has

been proposed in [5 ] that manipulate the TCP’sretransmission timeout mechanism to bring down TCPthroughput without being detected. RRED is proposed in [3]to thwart these LDoS attacks by detecting and filtering outLDoS attack packets.

In this paper we conduct simulation to evaluate the performances of RED and RRED active queuemanagement algorithm under TCP traffic in absence ofLDoS attacks and in presence of LDoS attacks in NS2 [6].

II. LDOS ATTACKS

LDoS attack is a kind of DoS attack, in which morenumber of packets are sent in a short period of time and it

is repeated for several intervals. The packet sending rate isso high, so that it crosses the link capacity and hencecongestion will occur in network. It is very difficult toidentify LDoS attack, because of low average rate ismaintained during network congestion [5].

Fig.1: LDoS attack stream

In the above figure regarding LDoS attacks, where theattacking period is, is the attacking burst width and isthe attacking burst rate. The LDoS attac k catches TCP’s

RESEARCH ARTICLE OPEN ACCESS

Rate

T b

Time

http://www.ijcstjournal.org/







slow-time-scale dynamics of retransmission time out (RTO)mechanism to decrease TCP throughput [9].

An attacker can make a TCP flow to regularly enter aRTO state by pushing high-rate ( ), but short duration

burst ( ), and repeating at slower RTO time-scales ( ). Asuccessful LDoS attack will have rate large enough toestablish loss and duration of attack must be long enough to

set up congestion but short enough to keep away fromdetection. LDoS attacks will decrease the performance ofTCP traffic and web traffic. Low the RTT of packets, highthe effect of attack. LDoS attack triggers unbalance innetwork load and also interrupts in internet routing. TheLDoS attack will burn up recourses of the assigned serverwith only low-rate traffic; therefore server security schemesare violated [5].

III. RANDOM EARLY DETECTION(RED)

Random Early Detection (RED) [2] was proposed byFloyd and Jacobson as an efficient congestion avoidancemechanism in the network routers/gateways. It also helps to

prevent the global synchronization in the TCP connectionssharing a congested router and to decrease the bias against

bursty connections. It is assumed to solve the traditional problems of queue management techniques. It was animprovement over the previous techniques such as RandomDrop and Early Random Drop [10]. RED use probabilisticdiscard methodology of queue fill before overflowconditions are reached. By detecting incipient congestionearly and to convey congestion notification to the end-hosts,allowing them to decrease their transmission rates beforequeues in the network overflow and packets are dropped.

The RED gateway computes the average queue size byusing a low pass filter along with an exponential weightedmoving average. The average queue size is compared withtwo thresholds: a minimum and a maximum threshold.When the size of average queue is less than the minimumthreshold, no packets are marked. When the size of averagequeue is greater than the maximum threshold, everyarriving packet from gateway is marked. If marked packetsare, in fact, dropped or if all source nodes are collaborative,this assures that the average queue size does notsignificantly exceed the maximum threshold.The general RED algorithm is given below:

For each packet arrivalcalculate the average queue size

if

calculate probabilitywith probability :

mark the arriving packetelse if ≥

mark the arriving packet

Fig. 2- General algorithm for RED gateways [2]

When the average queue size is varying in between theminimum and maximum thresholds, each arriving packet ismarked with a probability , where , is a function of theaverage queue size . Each time a packet is marked, the

probability that a packet is marked from a particular link is

roughly relative to that connection’s share of the bandwidthat the gateway.

Thus, the RED gateway has two different algorithms.One for computing the average queue size determines

the degree of burstiness allowed in the gateway queue andthe second one for computing the packet-marking

probability or drop probability determines how

frequently the gateway marks the packets, which give thecurrent level of congestion. The goal of gateway is to markthe packets fairly, in order to avoid biases and globalsynchronization, and also to mark packets sufficientlyfrequently to control the average queue size.

IV. ROBUST RANDOM EARLYDETECTION (RRED)

Robust random early detection (RRED) [3] algorithmwas proposed to improve the TCP throughput againstDenial-of-Service (DoS) attacks; particularly Low-rateDenial-of-Service (LDoS) [9] attacks. RED can detect andrespond to attacks those has high rate transmission of

packets toward the targeted node , but it cannot detectcongestion caused by short-term tra ffi c load changes. Inaddition, it is well known that an appropriate tuning of

RED parameters is not an easy task and may result in anon-stabilizing controls scheme. RRED is a queuingdiscipline for a network scheduler. Experiments haveconfirmed that the existing RED-like algorithms arenotably vulnerable under LDoS attacks due to theoscillating TCP queue size caused by the attacks. TheRobust RED (RRED) algorithm was proposed to increasethe efficiency of TCP throughput against LDoS attacks.

Detection and

Filtering

RED

Packets from attack flows

Dro acket feed back

Robust RED



http://en.wikipedia.org/wiki/Network_scheduler

http://en.wikipedia.org/wiki/Network_scheduler






Fig.3 - Architecture of Robust RED

The fig 3 shows the basic architecture of RREDalgorithm. As we can see there a detection and filter blockis added in front of a regular RED block on a router. All theincoming packets are filtering out the LDoS attacks beforethey feed to RED. RRED algorithm can significantlyimprove the performance of TCP under Low-rate denial-of-service attacks [5].

How to distinguish an attacking packet from normalTCP packets is critical in the RRED design.

V. SIMULATION MODEL

A. Simulation

We use the Network Simulator (NS2). TheNS2 is adiscrete event simulator developed by the University of

California at Berkeley and the Virtual Internetwork Tested(VINT) project. The NS2 support two languages, system programming languages C++ for detail implementation andscripting languages TCL for configuring and experimentingwith different parameters quickly. The NS2 has all theessential features like abstraction, visualization, emulation,traffic and scenario generation [6].

B. Simu lati on Topology

A Simple network topology is chosen to make it easierto understand the congestion network environment.

R0 R1

User30

User1

Attacker1

10Mbps2ms

10Mbps2ms

Attacker20

…

…

Server

Bottleneck

5Mbps6ms

Fig. 4 - Simulation topology

As shown in Fig. 4 The queue size of the bottlenecklink is 50 packets. AQM algorithms are used on the

bottleneck queue. A TCP ( ) based FTP flow with packet size of 1000 bytes is generated from each user (User1 to User 30). LDoS traffic is generated from Attacker 1 toAttacker 20 by sending UDP packets with packet size of 50

bytes.

VI. RESULTS & DISCUSSION

Case 1: The average throughput versus attack peroid

with constant attack burst width ( ) = 1ms and attack

burst rate = 0.25Mbps. Attack peroid varies

from 0.2s to 2s.

TABLE IAVERAGE THROUGHPUT OF NORMAL TCP TRAFFIC THROUGH BOTTLENECK

LINK WHEN THERE IS LDOS ATTACKS WITH ATTACK PERIOD

Time of T a RED RRED0.2 91.27 598.70

0.5 222.82 588.811.0 370.28 597.221.5 519.07 595.02

2 530.75 581.51

Fig. 5: Throughput-Varying Attack period Ta (s)

As we can see from the fig. 5, In case of attack periodincreases in the of normal TCP traffic through the

bottleneck link when there is LDoS attack, as the attack period increases the throughput varies. So in this scenario,the performance of RRED is better than RED and is best at0.2 seconds.

Case 2: The average throughput versus attack burst width( ) with constant attack period = 1s and attack burst

rate = 0.25Mbps. Attack burst width ( ) varies

from 100ms to 600ms.

TABLE IIAVERAGE THROUGHPUT OF NORMAL TCP TRAFFIC THROUGH BOTTLENECK

LINK WHEN THERE IS LDOS ATTACKS WITH ATTACK BURST WIDTH

Time of T b RED RRED100 536 499

200 597 513300 424 499400 394 499

500 324 499

600 293 499








Fig. 6: Throughput-Varying Attack burst width Tb (ms)

As we can see from the fig. 6, In case of burst widthincreases in the of normal TCP traffic through the

bottleneck link when there is LDoS attack, as the burst

width increases the throughput varies. So in this scenario,the performance of RRED is better than RED and is best at200 ms.

Case3: The average throughput versus attack burst ratewith constant attack period = 1s and attack

burst rate ( ) = 0.2ms. Attack burst rate varies from0.1 to 0.5 Mbps.

TABLE IIIAVERAGE THROUGHPUT OF NORMAL TCP TRAFFIC THROUGH BOTTLENECK

LINK WHEN THERE IS LDOS ATTACKS WITH ATTACK PERIOD

Time of T a RED RRED0.1 537 538

0.2 516 4910.3 498 4910.4 458 489

0.5 448 488

Fig. 7: Throughput-Varying Attack burst rate Rb (Mbps)

As we can see from the fig. 7, In case of attack burstrate increases in the of normal TCP traffic through the

bottleneck link when there is LDoS attack, as the attack burst rate increases the throughput varies. So in thisscenario, the performance of RRED is better than RED andis best at 0.1 sec.

For the three parameters Ta, Tb, Rb of the LDoSattack, we choose =1s reported that LDoS attacks with

≈ 1 are most effective. is set to 200ms and is setas 0.15Mbps so that the aggregate of 20 attackers isequal to the bottleneck bandwidth of the network (5Mbps).With these three parameters, we conduct simulation inthree cases as we can see. For each case, we fix two

parameters and vary the other value. As we see in case 1,we vary Ta from 0.2 to 2 while fixing Tb and Rb . Same

procedure we did in case 2 and case 3 by varying Tb and Rb respectively. Varying these parameters aims to examinethe robustness of RRED. And it is clear from the results

that RRED is better than RED in presence of LDoS attacks.

VII. CONCLUSIONS

We have simulated both RED and Robust RED (RRED)in NS2. Results show that the RRED algorithm is (i) highlyrobust (ii) can improve the performance of normal TCPtraffic through bottleneck link under LDoS attacks and (iii)obviously it performs better than RED

ACKNOWLEDGMENT

I am thankful to Mrs. Lekha Bhambhu, Head ofComputer Science and Engineering Department, Jan NayakCh. Devilal College of Engineering, Sirsa has best owed onme by providing individual guidance and supportthroughout the research work. I am also thankful to Mr.Deepak Mehta & Mr. Gopal Sharma for their keen interest,expert guidance, valuable suggestions and persistentencouragement.

I am also thankful to the authors whose works Ihave consulted and quoted in this work. Last but not theleast I would like to thank God for not letting me down atthe time of crisis and showing me the silver lining in thedark clouds.

REFERENCES

[1] S. B. Braden, et al, Recommendations on QueueManagement and Congestion Avoidance in theInternet, RFC 2309, April, 1998.







ISSN: 2347-8578 www.ijcstjournal.org 5

[2] Floyd, S., and Jacobson, V. (1993), Random EarlyDetection gateways for Congestion Avoidance V.1

N.4, August 1993, pp. 397-413..

[3] Changwang Z., Jianping Y., Zhiping C., and WeifengC (2010), RRED: Robust RED Algorithm to CounterLow-Rate Denial-of-Service Attacks IEEECOMMUNICATIONS LETTERS, VOL. 14, NO. 5,

MAY 2010[4] H. V. Shashidhara, Dr. S. Balaji , “Low Rate Denial of

Service (LDoS) attack – A Survey ”, IJETAE, Volume4, Issue 6, June 2014

[5] A. Kuzmanovic and E. W. Knightly, “Low-rate TCP-targeted denial of service attacks and counterstrategies,” IEEE/ACM Trans. Netw. , vol. 14, no. 4,

pp. 683 – 696, 2006.

[6] Paul Meeneghan and Declan Delaney, “AnIntroduction to NS, Nam and OTcl Scripting”,

National University of Ireland, Maynooth, 2004

[7] Serhat ÖZEKES, “EVALUATION OF ACTIVEQUEUE MANAGEMENT ALGORITHMS”, _stanbulTicaret Üniversitesi Fen Bilimleri Dergisi Yıl:4 Sayı:7Bahar 2005/1 s.123-140

[8] V. Sharma, J.Virtamo and P. lassila,“PERFORMANCE ANALYSIS OF RANDOMEARLT DETECTION ALGORITHM”, Networking

Laboratory, Helsinki University of Technology[9] Lija Mohan, Bijesh M. G. and Jyothish K. John,

“Survey of Low rate Denial of Service (LDoS) attackon RED And its Counter Strategies ”, IEEEInternational Conference on ComputationalIntelligence and Computing Research 2012

[10] Floyd, S., “TCP and Explicit Congestion Notification.ACM Computer Communication Review, V. 24 N. 5,October 1994, pp. 10-23.

[11] Sílvia Farraposo, Laurent Gallon and PhilippeOwezarski, “ Network Security and DoS Attacks ”,2005.




[ijcst-v2i5p11] author: arsh arora, lekha bhambhu

Documents