Stability of TCP/AQM Networks Under DDoS Attacks With Design

The current Internet is dramatically suffering the Distributed Denial of Service (DDoS) attacks, in which the perpetrator maliciously makes network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. In this paper, we investigate an Internet transmission control protocol/active queue management (TCP/AQM) router subject to DDoS attacks. We utilize the time delay control theory to analyze the dynamics of the congestion control windows, and the queues at the router. We derive some explicit conditions under which the TCP/AQM system under DDoS attacks is asymptotically stable. We discuss the convergence of the queue lengths in the router. Our results suggest that, if the network parameters in the TCP window updating, and control parameters in the AQM algorithm satisfy certain conditions, the TCP/AQM system is stable, and its queue lengths can converge to any given target. This result is important, and promising in terms of applications in that, when the DDoS attacked traffic is differentiated from the legitimate traffic, one is able to choke the DDoS attacks by limiting their rates, and then to improve the bandwidth usage of the normal flows. We illustrate the theoretical results using the network simulation platform $ns2$ , and demonstrate that the controlled network can achieve good performance, enhancing the Internet robustness, and performance against DDoS attacks.