The current Internet is dramatically suffering the Distributed Denial of Service (DDoS) attacks, in which the perpetrator maliciously makes network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. In this paper, we investigate an Internet transmission control protocol/active queue management (TCP/AQM) router subject to DDoS attacks. We utilize the time delay control theory to analyze the dynamics of the congestion control windows, and the queues at the router. We derive some explicit conditions under which the TCP/AQM system under DDoS attacks is asymptotically stable. We discuss the convergence of the queue lengths in the router. Our results suggest that, if the network parameters in the TCP window updating, and control parameters in the AQM algorithm satisfy certain conditions, the TCP/AQM system is stable, and its queue lengths can converge to any given target. This result is important, and promising in terms of applications in that, when the DDoS attacked traffic is differentiated from the legitimate traffic, one is able to choke the DDoS attacks by limiting their rates, and then to improve the bandwidth usage of the normal flows. We illustrate the theoretical results using the network simulation platform $ns2$ , and demonstrate that the controlled network can achieve good performance, enhancing the Internet robustness, and performance against DDoS attacks.

中文翻译：

---

DDoS攻击下TCP / AQM网络的稳定性设计

当前的Internet遭受了分布式拒绝服务（DDoS）攻击，攻击者通过暂时或无限期破坏连接到Internet的主机的服务，恶意地使网络资源无法供其预期的用户使用。在本文中，我们研究了遭受DDoS攻击的Internet传输控制协议/主动队列管理（TCP / AQM）路由器。我们利用时间延迟控制理论来分析拥塞控制窗口和路由器队列的动态。我们得出一些明确的条件，在这些条件下，DDoS攻击下的TCP / AQM系统是渐近稳定的。我们讨论路由器中队列长度的收敛。我们的结果表明，如果更新TCP窗口中的网络参数，并且AQM算法中的控制参数满足特定条件，TCP / AQM系统稳定，队列长度可以收敛到任何给定目标。这一结果非常重要，并且在应用方面很有希望，因为当DDoS攻击的流量与合法流量区分开时，可以通过限制DDoS攻击的速率来阻止DDoS攻击，然后提高正常流量的带宽利用率。 。我们使用网络仿真平台说明理论结果 然后提高正常流的带宽利用率。我们使用网络仿真平台说明理论结果 然后提高正常流的带宽利用率。我们使用网络仿真平台说明理论结果$ ns2 $ ，并证明受控网络可以实现良好的性能，增强Internet的鲁棒性，并具有抵御DDoS攻击的性能。