Post on 22-Dec-2015
Low-Rate TCP-Targeted Denial of Service Attacks
Presenter: Juncao Li
Authors: Aleksandar Kuzmanovic, Edward W. Knightly
Computer Science, Portland State University 2 juncao@cs.pdx.edu
Contributions
• Present a denial of service attack: Shrew
  – Throttles TCP flows to a small fraction of their throughput
• Show the mechanism of Shrew attacks
  – Exploits TCP’s retransmission timeout mechanism
• Develop several DoS traffic patterns used for the attack
Agenda
• TCP Congestion Control and Shrew Attacks
• Creating DoS Outages
• Aggregation and Heterogeneity
• Internet Experiments
• Counter-DoS Techniques and Conclusions
Denial of Service
• From Wikipedia: an attempt to make a computer resource unavailable to its intended users
• Damage
  – Network bandwidth
  – CPU cycles
  – Server interrupt processing capacity
  – Specific protocol data structures
TCP Congestion Control
• Goal: avoid or reduce congestion
• Small timescale: Round Trip Time (RTT), 10 ms to 100 ms
  – Additive-Increase Multiplicative-Decrease (AIMD) control
• Severe congestion
  – Retransmission Time Out (RTO)
  – RTO is doubled each time a retransmission fails
TCP Congestion Control
• Smoothed Round-Trip Time (SRTT)
• Round-Trip Time Variation (RTTVAR)
TCP Retransmission Timer
Packet loss detected by the retransmission timer triggers:
1. Multiplicative decrease: reduce the congestion window to one segment
2. Exponential backoff: double the RTO
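The SRTT/RTTVAR smoothing, the one-second floor on the RTO and the doubling on each expiry are what give every short-RTT flow the same slow timescale, which is the property the rest of the talk builds on. The following is an added example, not code from the slides or the paper: it implements the RFC 6298 timer computation. The clock granularity G (1 ms), the 1 s minimum and the 60 s maximum are assumed values taken from that RFC.

```python
"""RFC 6298 retransmission timer: RTT smoothing, the minRTO clamp and
exponential backoff. Added example, not code from the slides or the paper.
Assumed constants: 1 ms clock granularity, 1 s minimum RTO, 60 s maximum."""

G = 0.001       # clock granularity in seconds (assumed)
MIN_RTO = 1.0   # RFC 6298 lower bound; the "minRTO" the slides refer to
MAX_RTO = 60.0  # RFC 6298 permits a 60 s upper bound


class RtoEstimator:
    """Tracks SRTT/RTTVAR from RTT samples and the current RTO."""

    def __init__(self):
        self.srtt = None
        self.rttvar = None
        self.rto = MIN_RTO  # RFC 6298: RTO starts at 1 s before any sample

    def sample(self, r):
        """Feed one RTT measurement r (seconds) and return the recomputed RTO.
        Only samples from segments that were not retransmitted should be fed
        (Karn's algorithm)."""
        if self.srtt is None:
            # First measurement: SRTT = R, RTTVAR = R/2
            self.srtt = r
            self.rttvar = r / 2.0
        else:
            # RTTVAR = 3/4 RTTVAR + 1/4 |SRTT - R'|, then SRTT = 7/8 SRTT + 1/8 R'
            # (order matters: RTTVAR uses the old SRTT)
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - r)
            self.srtt = 0.875 * self.srtt + 0.125 * r
        rto = self.srtt + max(G, 4.0 * self.rttvar)
        # The clamp is what pins a 10-100 ms RTT flow at a full second.
        self.rto = min(MAX_RTO, max(MIN_RTO, rto))
        return self.rto

    def timeout(self):
        """Timer expired: double the RTO (exponential backoff) and return it."""
        self.rto = min(MAX_RTO, 2.0 * self.rto)
        return self.rto


def backoff_schedule(rtt, timeouts):
    """RTO after one RTT sample and then `timeouts` consecutive expirations."""
    est = RtoEstimator()
    schedule = [est.sample(rtt)]
    for _ in range(timeouts):
        schedule.append(est.timeout())
    return schedule


if __name__ == "__main__":
    # A 100 ms RTT flow still waits a full second before retransmitting:
    print(backoff_schedule(0.1, 3))  # [1.0, 2.0, 4.0, 8.0]
```

With a 100 ms RTT the computed value (0.3 s) is discarded in favour of the 1 s floor, so the first timeout of every such flow lasts exactly minRTO; only an RTT of several hundred milliseconds (e.g. 0.5 s gives an RTO of 1.5 s) escapes the clamp.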
Shrew Attacks
• Low-rate DoS attacks that exploit the slow-timescale dynamics of retransmission timers
• Provoke a TCP flow to repeatedly enter the retransmission timeout state
  – Send high-rate but short-duration bursts
  – Bursts are RTT-scale in length
  – Repeat periodically at the slower RTO timescale
• Outage: the short durations of the attacker’s loss-inducing bursts
Square-Wave DoS Stream
Outage (figure label)
• Burst duration is long enough to induce packet loss
• Average DoS rate is still low
DoS Scenario and System Model
Bottleneck Rate
DoS Model
• Given condition
• DoS TCP Throughput Model
Flow Filtering
• Flow filtering behavior
  – Only TCP flows that satisfy the condition can be affected by Shrew attacks
DoS TCP Throughput: Model and Simulation
• Depends on how well the attack can induce packet loss
• Model does not consider slow-start
Zero throughput (figure label)
Agenda: Creating DoS Outages
Instantaneous Bottleneck Queue Behavior
• Define B as the queue size and B0 as the queue size at the start of an attack
• Time to fill the queue:
Minimum Rate DoS Streams
• Double-rate DoS stream
  – First rate: fill the queue
  – Second rate: keep the queue full
• Use square-wave DoS streams instead
  – Behaves the same
  – Simple; does not need knowledge of network parameters
Agenda: Aggregation and Heterogeneity
DoS and Aggregated TCP Flows
Five long-lived TCP flows with homogeneous RTT (figure caption)
• RTT homogeneity introduces a single vulnerable timescale
• DoS induces the synchronization of RTO
RTT-Based Filtering
• 20 long-lived TCP flows on a 10 MB/s link
• Round-trip times range from 20 to 460 ms
Most short-RTT TCP flows are affected
High Aggregation with Heterogeneous RTT
High-RTT flows are not influenced much
Impact of DoS Burst Length
As the burst length increases, more TCP flows with high RTT are influenced
Impact of DoS Peak Rate
Low peak rates are sufficient to filter the short-RTT flow
• 1 TCP flow with RTT 12 ms to 134 ms
• 3 TCP flows with RTT 108 ms to 230 ms
Impact on HTTP Flows
Attacks have a greater impact on larger files
TCP Variants (Cont.)
Burst length L has a great influence on the throughput
Agenda: Internet Experiments
DoS Attack Scenario
• Intra-LAN scenario
• Inter-LAN scenario
• WAN scenario
Experiment Results
Shrew attacks can come from both remote sites and nearby LANs
Agenda: Counter-DoS Techniques and Conclusions
Impact of RED and RED-PD routers
• Router-assisted mechanisms need relatively long-timescale measurements to determine with confidence that a flow is transmitting at an excessively high rate and should be dropped; Shrew bursts are too short for that.
RED: Random Early Detection
RED-PD: RED with Preferential Dropping
DoS under Randomized RTO
• Randomized minRTO shifts and smooths TCP’s null frequencies
• It affects TCP performance
• Helps defend against the attack, but not by much
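To see why randomizing minRTO only shifts and smooths the null frequencies, the DoS TCP throughput model from the earlier slide can be evaluated with a fixed and with a randomized minRTO. The following is an added example, not code from the slides or the paper. It implements the simplified normalized-throughput formula from the Kuzmanovic and Knightly paper, rho(T) = (ceil(minRTO/T)·T − minRTO) / (ceil(minRTO/T)·T), which assumes every burst causes a timeout, the RTO stays pinned at minRTO, and the flow resumes at full rate as soon as the timer expires; the randomization range [1.0, 1.2] s is the one the paper evaluates, and the trial count is a constructed value.

```python
"""Normalized TCP throughput under a periodic square-wave outage stream.

Added example, not code from the slides or the paper. Implements the
simplified model  rho(T) = (ceil(minRTO/T)*T - minRTO) / (ceil(minRTO/T)*T)
and averages it over a uniformly randomized minRTO to compare the two.
"""
import math
import random

MIN_RTO = 1.0  # RFC 6298 lower bound in seconds


def null_throughput(period, min_rto=MIN_RTO):
    """Fraction of its rate a TCP flow keeps when outages recur every `period` s."""
    if period <= 0:
        raise ValueError("period must be positive")
    n = math.ceil(min_rto / period)   # bursts that land inside one timeout
    epoch = n * period                # time between successive resumptions
    # The flow only transmits between RTO expiry and the next burst.
    return (epoch - min_rto) / epoch


def randomized_throughput(period, lo=1.0, hi=1.2, trials=20000, seed=1):
    """Same model with minRTO drawn uniformly from [lo, hi] s for each trial.
    `trials` and `seed` are constructed values for a reproducible estimate."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += null_throughput(period, rng.uniform(lo, hi))
    return total / trials


def sweep(periods, **kw):
    """Map each outage period to (fixed-minRTO, randomized-minRTO) throughput."""
    return {T: (null_throughput(T), randomized_throughput(T, **kw)) for T in periods}


if __name__ == "__main__":
    for T, (fixed, rnd) in sweep([0.5, 0.7, 1.0, 1.2, 1.5, 2.0]).items():
        print(f"T={T:.1f}s  fixed minRTO: {fixed:.2f}  randomized minRTO: {rnd:.2f}")
```

With a fixed 1 s minRTO the model has exact nulls at T = 1 s and T = 0.5 s (throughput 0). Randomizing over [1.0, 1.2] s lifts the throughput at T = 1 s to about 0.45 but creates a new low point at T = 1.2 s (about 0.08), so the vulnerable timescale moves rather than disappears, which is the "helps but not by much" result on the slide.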
Conclusions
• Low-rate DoS attacks are successful against both short- and long-lived TCP aggregates
• In a heterogeneous-RTT environment, the success of the attack is weighted towards shorter-RTT flows
• All low-rate periodic open-loop streams could be harmful
• Shrew attacks can only be mitigated, not eliminated; mitigation is a tradeoff between performance