Low-Rate TCP-Targeted Denial of Service Attacks

(The Shrew vs. the Mice and Elephants)
Aleksander Kuzmanovic and Edward W. Knightly
SIGCOMM 2003

Summary:
In this paper, the authors investigate a low-rate denial of service attack on TCP flows that exploits TCP's retransmission timeout mechanism.  They show that a square wave pulse equal to the link capacity but lasting only for a short duration (about one to two round-trip times), sent periodically every 1 second, can effectively throttle other TCP flows down to a fraction of their ideal rate.  Since 1 second is the minimum retransmission timeout period (minRTO) for TCP flows, such a pulse forces all TCP flows to synchronize with the attacker and remain in slow start with very small window sizes.  Also, since the ratio of the burst length to the period of the attacking flow is very small (0.1), the average rate of the attacking flow is also small and thus hard to detect at routers.

Through a number of simulations and experiments, they show that:
  1. For a TCP flow aggregate with heterogeneous round-trip times (RTTs), such an attack acts like a "high-pass" filter, allowing higher RTT flows to get near their ideal rates, while severely reducing the rates for small RTT flows.
  2. For HTTP traffic, response times go up by a factor of 3.5 to 5.
  3. All variants of TCP (Tahoe, Reno, New-Reno and Sack) are similarly throttled given an attack with a sufficiently long burst length.
  4. The behaviour can be observed experimentally in LAN and WAN scenarios.
Finally, they show that preferential dropping algorithms such as RED and RED-PD cannot identify the attacking flow, and argue that even randomizing the minRTO parameter does not help.

Critique:
  1. The authors fail to consider per-flow scheduling algorithms as a means of detecting and blocking such a DoS attack.  Even a simple fair-queueing algorithm such as Deficit Round Robin (DRR) will be very effective against such an attack.  Since the attacking flow sends a very high-rate burst, its queue will fill up and become the longest queue.  Thus, the attacking flow will be marked for preferential discard, while other TCP flows will be unaffected.
  2. This attack has a higher chance of remaining undetected on low-rate links such as access links.  Thus, detection of these attacks can be done at edge routers, where the number of flows is not prohibitively large and it is feasible to implement per-flow scheduling.  For high-bandwidth backbone links (10 Gb/s), the average bandwidth of the attacking flow would be 1 Gb/s, which can easily be detected and filtered.
  3. The argument for keeping minRTO at 1 second is not convincing.  Even in times of heavy sustained congestion, a starting value of 2-3 times the RTT for minRTO is preferable, given that there is an exponential backoff for repeated timeouts.  If minRTO is thus reduced, the low-rate DoS attack has a much smaller impact, since the TCP flows can get packets through in between the high-rate pulses of the attacker.
  4. The HTTP experiments are not well documented, making it very difficult to understand their results.
  5. Minor point:  Figure 3 precedes Figure 2 and Figure 10 precedes Figure 9!
In summary, by neglecting to consider per-flow scheduling, the authors have omitted a possible solution for detecting such a low-rate "shrew" attack.  It would make the paper much more interesting if they presented some results showing how the TCP flows behaved under fair-queueing in the presence of a shrew attack.
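As an added illustration of critique point 1 (not code from the paper or from this review): a small discrete-time simulation, with constructed parameters, of a router that keeps per-flow queues, serves them round-robin (DRR with a one-packet quantum) and discards from the longest queue when the shared buffer fills.  The periodic-burst flow has the same average rate as each steady flow, so an average-rate check cannot separate them, yet only the burst flow's own packets are dropped.

```python
from collections import deque

LINK_RATE = 10     # packets forwarded per 1 ms slot (constructed value)
BUFFER = 100       # packets the router can hold across all per-flow queues
PERIOD_MS = 1000   # burst period, ~minRTO, as in the attack described above
BURST_MS = 100     # burst length; burst/period = 0.1 as in the summary


def shrew_rate(t):
    """Square wave: full link rate during the burst, silent otherwise."""
    return LINK_RATE if t % PERIOD_MS < BURST_MS else 0


def steady_rate(t):
    """A well-behaved flow: one packet per slot, i.e. the same average rate."""
    return 1


def simulate(flows, slots):
    """flows maps a name to a rate function of the slot index.
    Arrivals join per-flow FIFO queues; when the shared buffer overflows,
    the tail of the LONGEST queue is discarded (longest-queue-drop); the
    link then serves the queues round-robin, one packet each per round
    (DRR with a one-packet quantum).  Returns per-flow sent/delivered/dropped."""
    queues = {name: deque() for name in flows}
    sent, delivered, dropped = ({n: 0 for n in flows} for _ in range(3))
    for t in range(slots):
        for name, rate in flows.items():
            for _ in range(rate(t)):
                sent[name] += 1
                queues[name].append(t)
                if sum(len(q) for q in queues.values()) > BUFFER:
                    longest = max(queues, key=lambda n: len(queues[n]))
                    queues[longest].pop()
                    dropped[longest] += 1
        budget = LINK_RATE
        while budget > 0 and any(queues.values()):
            for name, q in queues.items():        # one DRR round
                if q and budget > 0:
                    q.popleft()
                    delivered[name] += 1
                    budget -= 1
    return sent, delivered, dropped


def run_demo(slots=2 * PERIOD_MS):
    """Five steady flows plus one periodic-burst flow sharing the link."""
    flows = {f"tcp{i}": steady_rate for i in range(1, 6)}
    flows["shrew"] = shrew_rate
    return simulate(flows, slots)


if __name__ == "__main__":
    for name, s, d, x in zip(*run_demo()[0], *[r.values() for r in run_demo()]):
        print(f"{name:6s} sent={s:5d} delivered={d:5d} dropped={x:4d}")
```

Over two periods each steady flow sends 2000 packets and loses none, while the burst flow, which also sends 2000 packets in total, loses 820 of them.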

Anshul Kantawala