

MULTOPS heuristic

Packets are defined to be malicious (and, thus, may be dropped) if they are destined for a host or subnet from which too few packets are coming back. This heuristic is based on the assumptions that (1) most Internet traffic consists of packet flows, and (2) during normal operations, the rate of packets in a flow going from $A$ to $B$ is proportional to the packet rate going from $B$ to $A$. Thus, during normal operations on the Internet, the packet rate of traffic going in one direction is proportional to the packet rate of traffic going in the opposite direction. If not, something must be wrong.

This heuristic appears to hold broadly. TCP, the protocol mainly used on the Internet, acknowledges every received packet, or every $k$-th received packet, by sending a packet back, and therefore produces proportional packet flows.

The following example illustrates the heuristic. If machine $A$ is sending legitimate TCP packets to machine $B$, but $B$ is suffering under a bandwidth attack, then $A$'s packets will not reach $B$. Even if some of $A$'s packets reach $B$, $B$'s packets may not reach $A$ because of the overloaded links and routers. In reaction to the absence of $B$'s packets, $A$ will automatically decrease its sending rate and, eventually, stop sending packets to $B$ altogether. If, on the other hand, $A$ is an attacker that blasts (any type of) packets at $B$, a MULTOPS-equipped router routing $A$'s packets to $B$ will detect the disproportional packet rates between them and could decide to drop packets going to $B$. Consequently, $B$ will not have to cope with $A$'s packets.

Let $R(P)$ be the ratio between the packet rate going to and the packet rate coming from addresses with prefix $P$. Under normal circumstances, $R$ is close to some constant $k$ for all $P$, i.e., packet rates are proportional for all prefixes. If $R$ drops below $R_{min}$ or exceeds $R_{max}$, then either a host in the subnet with prefix $P$ is under attack or that subnet harbors an attacker.

MULTOPS collects packet rates to and from address prefixes so that, given a certain $P$, $R(P)$ can be calculated. Packets may be dropped if they are destined for a host or subnet from which disproportionally fewer packets are coming back, i.e., if $R(P)$ is not between $R_{min}$ and $R_{max}$. The sensitivity of MULTOPS can be tuned by changing the values of $R_{min}$ and $R_{max}$.
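As an added example (not code from the MULTOPS paper), the following Python reproduces the heuristic offline on a constructed packet sample: it aggregates addresses into /24 prefixes, computes $R(P)$ as packets going to $P$ divided by packets coming from $P$, and flags prefixes whose ratio falls outside $[R_{min}, R_{max}]$. The threshold values, the prefix length and all addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of packets seen by a router in one measurement window.
# Each tuple is (source, destination); hosts and prefixes are made up.
SAMPLE_PACKETS = (
    # Legitimate TCP-like exchange: about two data packets per ACK.
    [("10.1.1.5", "192.168.7.20")] * 40 + [("192.168.7.20", "10.1.1.5")] * 20
    # Flood toward 192.168.9.0/24: many packets in, nothing coming back.
    + [("10.2.2.9", "192.168.9.33")] * 500
)

def prefix_of(addr, prefix_len):
    """Aggregate an address into its /prefix_len network, e.g. 192.168.7.20 -> 192.168.7.0/24."""
    return str(ip_network((ip_address(addr), prefix_len), strict=False))

def count_rates(packets, prefix_len=24):
    """Count packets going *to* and coming *from* each prefix P.
    Returns {prefix: (to_count, from_count)} for the window."""
    to_p = defaultdict(int)
    from_p = defaultdict(int)
    for src, dst in packets:
        to_p[prefix_of(dst, prefix_len)] += 1
        from_p[prefix_of(src, prefix_len)] += 1
    return {p: (to_p[p], from_p[p]) for p in set(to_p) | set(from_p)}

def ratio(to_count, from_count):
    """R(P): packets going to P divided by packets coming from P.
    A prefix that sends nothing back yields an infinite ratio instead of a ZeroDivisionError."""
    if from_count == 0:
        return float("inf") if to_count > 0 else 1.0
    return to_count / from_count

def classify(packets, r_min=0.25, r_max=4.0, prefix_len=24):
    """Apply the MULTOPS heuristic to one window of packets (thresholds are assumed values).
    R(P) > R_max: P receives far more than it sends back, so a host in P is under attack.
    R(P) < R_min: P sends far more than it receives, so P harbors an attacker."""
    verdicts = {}
    for p, (to_c, from_c) in count_rates(packets, prefix_len).items():
        r = ratio(to_c, from_c)
        if r > r_max:
            verdicts[p] = "under attack"
        elif r < r_min:
            verdicts[p] = "harbors attacker"
        else:
            verdicts[p] = "normal"
    return verdicts

if __name__ == "__main__":
    for prefix, verdict in sorted(classify(SAMPLE_PACKETS).items()):
        print(f"{prefix:18} {verdict}")
```

Narrowing $[R_{min}, R_{max}]$ makes the classifier more sensitive, at the cost of flagging legitimate asymmetric flows such as bulk downloads.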


2001-05-11