Implementing and Testing Dynamic Timeout Adjustment as a DoS Counter-Measure

CCS(2007)

Abstract
In this paper we experimentally analyse various dynamic timeout adjustment strategies in server queues as potential counter-measures against degradation of service attacks. Previous theoretical work studied the relative performance of both coarse-grained threshold-based timeout and fine-grained adjustment strategies where the timeout value is adjusted as the number of connections in the queue varies. In addition, two methods for removing timed-out connections were explored: the deterministic method where the expiry time is determined at connection arrival depending on the timeout value at that moment, and the deferred method where connections are continuously polled and flushed when the time-in-queue is larger than the current timeout value.

We report on experiments performed on a lab network where these strategies were tested against various configuration and attack parameters. The experimental results confirm the conclusions previously obtained from mathematical modelling and simulation, i.e. that a) finer-grained dynamic adjustment performs better than coarse-grained or no adjustment, and b) that the deferred method performs better than the deterministic one. Furthermore, our implementation of these counter-measures is very efficient and transparent with respect to the servers and applications it tries to protect. It could therefore be easily integrated into existing OS and applications or implemented in separate network devices, either on dedicated machines or network appliances.
Keywords
Denial of Service, Degradation of Service, SYN flood
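
The two removal methods and the fine-grained adjustment described in the abstract can be compared on a toy half-open connection queue. This is an added example, not the paper's implementation: the linear timeout rule, the parameter values and the load of one never-completing request per tick are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class HalfOpenQueue:
    capacity: int = 8            # assumed backlog size
    base_timeout: float = 16.0   # assumed timeout when the queue is empty
    min_timeout: float = 2.0     # assumed floor so entries get some time
    dynamic: bool = True         # fine-grained adjustment vs. fixed timeout
    deferred: bool = True        # deferred vs. deterministic removal
    entries: list = field(default_factory=list)  # (arrival, expiry set at arrival)
    refused: int = 0

    def timeout(self) -> float:
        """Current timeout; shrinks linearly as the queue fills (assumed rule)."""
        if not self.dynamic:
            return self.base_timeout
        free = 1 - len(self.entries) / self.capacity
        return max(self.min_timeout, self.base_timeout * free)

    def flush(self, now: float) -> None:
        if self.deferred:
            # Deferred: compare time-in-queue with the timeout in force now.
            limit = self.timeout()
            self.entries = [e for e in self.entries if now - e[0] <= limit]
        else:
            # Deterministic: honour the expiry that was fixed at arrival.
            self.entries = [e for e in self.entries if now <= e[1]]

    def arrive(self, now: float) -> bool:
        """Poll the queue, then try to admit one connection request."""
        self.flush(now)
        if len(self.entries) >= self.capacity:
            self.refused += 1    # a legitimate client arriving now is refused too
            return False
        self.entries.append((now, now + self.timeout()))
        return True

def flood(queue: HalfOpenQueue, ticks: int = 12) -> int:
    """Constructed load: one request that never completes per time unit."""
    for now in range(ticks):
        queue.arrive(now)
    return queue.refused

if __name__ == "__main__":
    for label, q in [("fixed timeout", HalfOpenQueue(dynamic=False, deferred=False)),
                     ("dynamic + deterministic", HalfOpenQueue(deferred=False)),
                     ("dynamic + deferred", HalfOpenQueue())]:
        print(f"{label:25s} refused={flood(q)} occupancy={len(q.entries)}")
```

Under this load the deterministic queue still fills, because entries admitted while the queue was nearly empty keep the long timeout they were given at arrival; the deferred queue re-evaluates them against the shortened timeout and never reaches capacity.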