Malicious packet dropping: how it might impact the TCP performance and how we can detect it

Among various types of denial of service attacks, 'dropping attack' is probably the most difficult one to handle. This paper explores the negative impacts of packet dropping attacks and a method to detect such attacks. First, three dropping patterns are classified and investigated. We demonstrate that attackers can choose different dropping patterns to degrade TCP service to different levels, and selectively dropping a very small number of packets can result in a severe damage to TCP performance. Second, we show that a hacker can utilize a DDoS attack tool to control a 'uncompromised' router to emulate dropping attacks. This proves that dropping attacks are indeed practically very possible to happen in today's Internet environment. Third, we present a statistic analysis module for the detection of TCP packet dropping attacks. Three measures, session delay, the position and the number of packet reordering, have been implemented in the statistic module. This paper has evaluated and compared their detection performance.