SUMMARY

Unicasting video streams over TCP connections is a challenging problem, because video sources cannot normally adapt to delay and throughput variations of TCP connections. This paper describes a method of extending TCP so that TCP connections can effectively carry hierarchically-encoded layered video streams, while being friendly to other competing connections. We call the method Receiver-based Delay Control (RDC). Under RDC, a TCP connection can slow down its transmission rate to avoid congestion by delaying ACK packet generation at the TCP receiver based on congestion notifications from routers. We present the principle behind RDC, argue that it is TCP-friendly, describe an implementation that uses 1-bit congestion notification from routers, and demonstrate by simulations its effectiveness in streaming hierarchically-encoded layered video.
We propose using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks. The approach can reduce false positives of attacker identification schemes and thus decrease the associated unnecessary slowdown or stoppage of legitimate traffic. For the spectral analysis, we use the number of packet arrivals of a flow in fixed-length time intervals as the signal. We then estimate the power spectral density of the signal, in which information about periodicity, or the lack thereof, in the signal reveals itself. A normal TCP flow should exhibit strong periodicity around its round-trip time in both flow directions, whereas an attack flow usually does not. We validate the effectiveness of the approach with simulation and trace analysis. We argue that the approach complements existing DoS defense mechanisms that focus on identifying attack traffic.
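The pipeline the abstract describes (arrival counts per fixed interval as the signal, a power spectral density estimate, a peak near the round-trip time for a normal TCP flow) as an added example, not code from the paper; the 5 ms bin width, 2.5 s window, the 100 ms RTT flow and the Poisson attack flow are all constructed here.

```python
import cmath
import math
import random

# Constructed parameters (not from the paper): 5 ms bins over a 2.5 s window, so a
# 10 Hz component (RTT = 100 ms) lands exactly on DFT bin k = 25.
INTERVAL = 0.005
WINDOW = 2.5

def bin_arrivals(arrival_times, interval=INTERVAL, window=WINDOW):
    """The signal: number of packet arrivals in each fixed-length interval."""
    n_bins = int(round(window / interval))
    counts = [0] * n_bins
    for t in arrival_times:
        idx = int(math.floor(t / interval + 1e-9))  # epsilon: 0.3/0.005 is 59.999...
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts

def power_spectrum(signal, interval=INTERVAL):
    """Periodogram PSD estimate via a plain DFT, mean removed so DC does not swamp the
    peak. Returns [(frequency_hz, power), ...] for bins 1 .. N/2-1 (below Nyquist)."""
    n = len(signal)
    mean = sum(signal) / n
    x = [v - mean for v in signal]
    spec = []
    for k in range(1, n // 2):
        coeff = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        spec.append((k / (n * interval), abs(coeff) ** 2 / n))
    return spec

def dominant_period(arrival_times):
    """Period (s) of the strongest spectral line; for a normal TCP flow this is ~RTT."""
    spec = power_spectrum(bin_arrivals(arrival_times))
    freq, _ = max(spec, key=lambda fp: fp[1])
    return 1.0 / freq

def periodicity_strength(arrival_times):
    """Share of non-DC power in the single strongest line: high means clearly periodic."""
    powers = [p for _, p in power_spectrum(bin_arrivals(arrival_times))]
    return max(powers) / sum(powers)

def constructed_tcp_flow(rtt=0.1, cwnd=8, window=WINDOW, seed=1):
    """Constructed sample: cwnd back-to-back packets every RTT, with a little jitter."""
    rng = random.Random(seed)
    return [m * rtt + i * 0.002 + rng.uniform(-0.002, 0.002)
            for m in range(int(window / rtt)) for i in range(cwnd)]

def constructed_attack_flow(rate=80.0, window=WINDOW, seed=2):
    """Constructed sample: Poisson arrivals at the same mean rate, no RTT clocking."""
    rng, times, t = random.Random(seed), [], 0.0
    while (t := t + rng.expovariate(rate)) < window:
        times.append(t)
    return times
```

A real deployment would run the same analysis on both directions of each flow and on traffic captured at the defense point; the example only shows why the RTT line separates the two constructed flows.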
We describe an IP-layer

INTRODUCTION

Over the current Internet, when a client acquires services from an application server, packets sent and received by the client reveal server IP addresses in the packet headers. There are a number of situations where it would be useful for an application to be able to send traffic to a destination without revealing the IP address of the destination to the source, the IP address of the source to the destination, or both. For example, a Web site may want to hide its IP addresses to reduce the risk of denial of service (DoS) attacks aimed at these addresses. See [9] for a discussion of supporting anonymity at the IP layer.

One way to achieve this anonymity, as described in this paper, is to use a network-resident set of IP-layer servers that can forward IP packets, with encryption and decryption applied to their source and destination addresses when appropriate. We will call these network-resident IP-layer servers anonymizing forwarders, or simply forwarders, and an IP anonymizing infrastructure based on these anonymizing forwarders ANON.

Using ANON, a client can send and receive packets to and from application servers without knowing their IP addresses. This is analogous to a user sending and receiving U.S. mail using the P.O. Box number of an organization without using its street address. In this way, the organization can receive mail while not revealing its street address to the public.

ANON incorporates countermeasures to provide protection against various security threats such as unauthorized monitoring of links in the infrastructure and launching of DoS attacks through the infrastructure. The countermeasures include previously known techniques such as link encryption, link padding, traffic mixing, multi-hop packet encryption/decryption and protocol camouflaging, as well as new techniques such as on-demand link padding and per-destination rate-limiting.

The design of ANON assumes that it will be used mainly for low-bandwidth signaling and data applications, not data transfer that may require high bandwidth. As described later in the paper, this assumption increases the effectiveness of our countermeasures. There are many applications that fit the model defined here, that is, they only need medium bandwidth to function properly. These include signaling applications such as connection setup and termination, user authentication, user authorization, service registration, and service discovery.

Consider, for example, the use of ANON to protect authentication servers against DoS attacks. By definition, an authentication server needs to process requests from unknown users. An adversary can exploit this fact to launch DoS attacks on the authentication server: the adversary can swamp the authentication server by sending a large number of fake authentication requests to it. The risk of this type of DoS attack increases when sophisticated authentication that requires increased processing is used. ANON provides a solution to this problem by hiding the IP address ...