Detecting TCP ACK storm attack: A state transition modelling approach

Abstract

Ack-storm DoS attacks are injection attacks against an active Transmission Control Protocol (TCP) connection. These attacks can be generated by a very weak adversary and can generate amplification factor of orders of magnitude by exploiting a weakness in the TCP protocol specification. This attack requires sending two packets by the adversary with acknowledgement number greater than the sequence number used in each direction and the two end hosts will attempt to resynchronise the sequence numbers by sending duplicate acknowledgement and enter a loop. In this study, the authors propose a state transition model based detection scheme to detect these DoS attacks. This state transition machine called constrained counting automata (CCA) has the ability to count the number of times a state has been revisited and its transitions are constrained by invariant conditions to be satisfied. They model the chances of receiving a packet with acknowledgement number greater than the sequence number used by its peer as a probability distribution and use it to set appropriate value of threshold on revisits of a state for detecting attack. By experimenting within a local network and in Internet, they show that CCA can detect Ack-storm DoS attacks. © The Institution of Engineering and Technology 2018.