
Different protocols

MULTOPS relies on the assumption that, during normal operation, the packet rates in the two directions between communicating parties are proportional. Different protocols, and different implementations of the same protocol, however, produce different proportions. With TCP, for example, implementations differ in their acknowledgment policy, although most TCP implementations acknowledge at least every other packet, so the two directions stay within a factor of about two of each other. Nonetheless, defining the MULTOPS detection heuristic quantitatively, i.e., choosing suitable values for $R_{min}$ and $R_{max}$, is tricky. In the current implementation of RatioBlocker, $R_{min} = 0.66$ and $R_{max} = 2.5$. These values were determined experimentally. One can imagine a RatioBlocker that adjusts these values based on the traffic patterns observed during normal operation, making the heuristic more flexible.

Protocols such as UDP and ICMP do not require acknowledgments at all. However, several applications that run over them, such as NFS and DNS, display request/reply behavior that is proportional in much the same way as TCP, which is advantageous for the MULTOPS detection heuristic. Since most services on the Internet are TCP-based, we suggest rate-limiting all non-TCP traffic during an attack. Even though this is a drastic measure (the traffic it throttles includes DNS, which is mostly carried over UDP), it allows most Internet traffic to proceed normally.
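The following is an added illustration, not code from the MULTOPS paper or its RatioBlocker implementation, covering both points above: the quantitative ratio check with the $R_{min}$ and $R_{max}$ values quoted, and the non-TCP rate limit applied while an attack is flagged. It assumes a single protected address prefix watched from a border router, a ratio oriented as packets sent to a protected host divided by packets sent from it (the text gives the thresholds but not the orientation), a minimum packet count before a host is judged at all, and a token-bucket limiter for the non-TCP policy; the traffic samples are constructed, not captured.

```python
from collections import defaultdict

# RatioBlocker thresholds quoted in the text (experimentally determined).
R_MIN = 0.66
R_MAX = 2.5

# Assumption: the monitored network is 192.0.2.0/24; only its hosts are judged.
PROTECTED_PREFIX = "192.0.2."

# Constructed sample traffic as (src, dst, proto) tuples; not captured data.
# An outside client uploads 20 TCP segments, the server acks every other one;
# a DNS exchange answers every UDP query with exactly one reply.
NORMAL = (
    [("10.0.0.1", "192.0.2.10", "tcp")] * 20
    + [("192.0.2.10", "10.0.0.1", "tcp")] * 10
    + [("10.0.0.2", "192.0.2.53", "udp")] * 8
    + [("192.0.2.53", "10.0.0.2", "udp")] * 8
)
# Same background plus 200 spoofed-source packets aimed at the server.
ATTACK = NORMAL + [("198.51.100.%d" % (i % 250), "192.0.2.10", "tcp")
                   for i in range(200)]


def per_host_counts(packets):
    """MULTOPS-style tally: for every address, packets sent to it and from it."""
    to_host = defaultdict(int)
    from_host = defaultdict(int)
    for src, dst, _proto in packets:
        to_host[dst] += 1
        from_host[src] += 1
    return to_host, from_host


def disproportional(n_to, n_from, r_min=R_MIN, r_max=R_MAX):
    """True when the to/from ratio falls outside [r_min, r_max].

    Orientation (packets *to* the host over packets *from* it) is an assumption
    of this example; note the band is not symmetric, so it matters.
    """
    if n_from == 0:
        return n_to > 0          # purely one-way traffic is disproportional
    ratio = n_to / n_from
    return ratio < r_min or ratio > r_max


def flagged_hosts(packets, prefix=PROTECTED_PREFIX, min_packets=20):
    """Protected hosts whose traffic is disproportional.

    Hosts that have seen fewer than min_packets are skipped so that a short
    exchange (one query and its reply) cannot trip the heuristic on its own.
    """
    to_host, from_host = per_host_counts(packets)
    flagged = set()
    for host in set(to_host) | set(from_host):
        if not host.startswith(prefix):
            continue
        n_to, n_from = to_host[host], from_host[host]
        if n_to + n_from >= min_packets and disproportional(n_to, n_from):
            flagged.add(host)
    return flagged


class NonTcpLimiter:
    """Token bucket implementing the suggested policy: while an attack is
    flagged, TCP passes untouched and every other protocol shares `rate`
    packets per second with bursts of up to `burst` packets (assumed numbers).
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, proto, now, under_attack):
        """Return True if the packet may be forwarded at time `now` (seconds)."""
        if not under_attack or proto == "tcp":
            return True
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def forwarded_count(packets, limiter, under_attack, now=0.0):
    """Apply the limiter to a batch of packets arriving at time `now`."""
    return sum(1 for _src, _dst, proto in packets
               if limiter.allow(proto, now, under_attack))


if __name__ == "__main__":
    print("normal traffic flags:", flagged_hosts(NORMAL))
    print("attack traffic flags:", flagged_hosts(ATTACK))
    limiter = NonTcpLimiter(rate=10, burst=5)
    attacked = bool(flagged_hosts(ATTACK))
    print("forwarded under attack:", forwarded_count(ATTACK, limiter, attacked))
```

The server at 192.0.2.10 sits at a to/from ratio of 2.0 under the constructed normal load, inside the band, and at 22 once the spoofed packets arrive, well above $R_{max}$. The limiter leaves every TCP packet alone, so the attack packets themselves are not what it blocks; its purpose, as in the text, is to keep non-TCP flood traffic from competing with the TCP majority while the ratio heuristic has the network in attack mode.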



2001-05-11