In this paper we experimentally analyse various dynamic timeout adjustment strategies in server queues as potential counter-measures against degradation of service attacks. Previous theoretical work studied the relative performance of both coarse-grained threshold-based timeout and fine-grained adjusment strategies where the timeout value is adjusted as the number of connections in the queue varies. In addition, two methods for removing timed-out connections were explored: the deterministic method where the expiry time is determined at connection arrival depending on the timeout value at that moment, and the deferred method where connections are continuously polled and flushed when the time-in-queue is larger than the current timeout value.We report on experiments performed on a lab network where these strategies were tested against various configuration and attack parameters. The experimental results confirm the conclusions previously obtained from mathematical modelling and simulation, i.e. that a) finer-grained dynamic adjustment performs better than coarse-grained or no adjustment, and b) that the deferred method performs better than the deterministic one. Furthermore, our implementation of these counter-measures is very efficient and transparent with respect to the servers and applications it tries to protect. It could therefore be easily integrated into existing OS and applications or implemented in separate network devices, either on dedicated machines or network appliances.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Jelena Mirkovic , Sven Dietrich , David Dittrich , Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms (Radia Perlman Computer Networking and Security), Prentice Hall PTR, Upper Saddle River, NJ, 2004
	2	Jelena Mirkovic , Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004  [doi>10.1145/997150.997156]
	3	Catherine Meadows, A Formal Framework and Evaluation Method for Network Denial of Service, Proceedings of the 12th IEEE workshop on Computer Security Foundations, p.4, June 28-30, 1999
	4	Catherine Meadows, A cost-based framework for analysis of denial of service in networks, Journal of Computer Security, v.9 n.1-2, p.143-164, Jan. 1,2001
	5	José Nazario. Estonian DDoS attacks - a summary to date. http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date, February 2007.
	6	Jelena Mirkovic , Peter Reiher , Sonia Fahmy , Roshan Thomas , Alefiya Hussain , Stephen Schwab , Calvin Ko, Measuring denial Of service, Proceedings of the 2nd ACM workshop on Quality of protection, October 30-30, 2006, Alexandria, Virginia, USA  [doi>10.1145/1179494.1179506]
	7	Daniel Boteanu, José M. Fernandez, John McHugh, and John Mullins. Queue management as a DoS counter-measure? In Proc. Information Security Conference (ISC), 2007. To appear.
	8	Microsoft Corporation. Security considerations for network attacks. http://www.microsoft.com/technet/security/topics/networksecurity/secdeny.mspx.
	9	Srinivas Shakkottai, R. Srikant, Nevil Brownlee, Andre Broido, and K.C. Claffy. The RTT distribution of TCP flows in the internet and its impact on TCP-based flow control. Technical report, Cooperative Association for Internet Data Analysis (CAIDA), February 2004.