Low-Rate TCP-Targeted Denial of Service Attacks
Presenter: Juncao Li
Authors: Aleksandar Kuzmanovic, Edward W. Knightly
Computer Science, Portland State University 2 [email protected]
Contributions
• Present a denial of service attack, Shrew, that throttles TCP flows to a small fraction
• Show the mechanism of Shrew attacks
  – Exploit TCP's retransmission timeout mechanism
• Develop several DoS traffic patterns for attacking
Agenda
• TCP Congestion Control and Shrew Attacks
• Creating DoS Outages
• Aggregation and Heterogeneity
• Internet Experiments
• Counter-DoS Techniques and Conclusions
Denial of Service
• From Wikipedia: an attempt to make a computer resource unavailable to its intended users
• Damage
  – Network bandwidth
  – CPU cycles
  – Server interrupt processing capacity
  – Specific protocol data structures
TCP Congestion Control
• To avoid or reduce congestion
  – Small Round Trip Time (RTT): 10 ms to 100 ms
  – Additive-Increase Multiplicative-Decrease (AIMD) control
• Severe congestion
  – Retransmission Time Out (RTO)
  – The RTO is doubled each time a retransmission fails
TCP Congestion Control
• Smoothed Round-Trip Time (SRTT)
• Round-Trip Time Variation (RTTVAR)
TCP Retransmission Timer
On packet loss the sender does two things:
1. Multiplicative decrease: reduce the congestion window to one
2. Exponential backoff: double the RTO
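The SRTT and RTTVAR named on the previous slide feed the retransmission timer whose backoff this slide shows. The following added example (not code from the slides or the paper) implements the RFC 6298 timer: the RFC's own update rules (alpha = 1/8, beta = 1/4, RTO = SRTT + max(G, 4·RTTVAR)), its 1 s minimum and 60 s maximum, and the doubling on each timeout. The class and method names are this example's own.

```python
# Added example (not from the slides): RFC 6298 retransmission timer with the
# exponential backoff shown on the slide. The 1 s floor, 60 s ceiling, alpha=1/8
# and beta=1/4 are the RFC's values; class/method names are this example's own.

class RtoEstimator:
    """Tracks SRTT/RTTVAR per RFC 6298 and backs the RTO off on each timeout."""

    def __init__(self, min_rto=1.0, max_rto=60.0, granularity=0.001):
        self.srtt = None        # smoothed RTT (s), None until the first sample
        self.rttvar = None      # RTT variation (s)
        self.min_rto = min_rto  # RFC 6298 recommends a 1 s floor
        self.max_rto = max_rto
        self.g = granularity    # clock granularity G (s)
        self.rto = min_rto      # RFC 6298 initial RTO is 1 s
        self.backoffs = 0       # consecutive timeouts without an ACK

    def _clamp(self, raw):
        return min(max(raw, self.min_rto), self.max_rto)

    def sample(self, r):
        """Feed one RTT measurement r (seconds); a fresh sample ends any backoff."""
        if self.srtt is None:
            self.srtt = r
            self.rttvar = r / 2.0
        else:
            # RTTVAR uses the previous SRTT, so it is updated first (RFC 6298 2.3).
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - r)
            self.srtt = 0.875 * self.srtt + 0.125 * r
        self.backoffs = 0
        self.rto = self._clamp(self.raw_rto())
        return self.rto

    def raw_rto(self):
        """RTO before the min/max clamp, to show how far below 1 s a LAN flow sits."""
        return self.srtt + max(self.g, 4.0 * self.rttvar)

    def timeout(self):
        """Timer expired without an ACK: exponential backoff doubles the RTO."""
        self.backoffs += 1
        self.rto = self._clamp(self.rto * 2.0)
        return self.rto


def demo_lan_flow():
    """A flow with ~100 ms RTT: the raw RTO is far under 1 s, the floor lifts it
    to exactly 1 s, and three lost retransmissions give 2 s, 4 s, 8 s."""
    est = RtoEstimator()
    est.sample(0.100)
    est.sample(0.120)
    raw = est.raw_rto()          # 0.2725 s
    clamped = est.rto            # 1.0 s
    backoff = [est.timeout() for _ in range(3)]  # [2.0, 4.0, 8.0]
    return raw, clamped, backoff


if __name__ == "__main__":
    print(demo_lan_flow())
```

The point the slides build on is visible in `demo_lan_flow`: for any RTT in the 10 to 100 ms range the computed RTO is well under the 1 s floor, so every such flow times out on the same 1 s timescale and then backs off through the same 2 s, 4 s, 8 s sequence.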
Shrew Attacks
• Low-rate DoS attacks that exploit the slow-timescale dynamics of retransmission timers
• Provoke a TCP flow to repeatedly enter a retransmission timeout state
  – Send high-rate, but short-duration bursts
  – The bursts must be RTT-scale in duration
  – Repeat periodically at the slower RTO timescale
• Outage: the short duration of the attacker's loss-inducing burst
Square-Wave DoS Stream
[Figure: square-wave DoS stream; the outage interval is marked]
• The burst duration is long enough to induce transmission loss
• The average DoS rate is still low
DoS Scenario and System Model
[Figure: DoS scenario; the bottleneck link rate is marked]
DoS Model
• Given condition
• DoS TCP Throughput Model
Flow Filtering
• Flow filtering behavior
  – Only a TCP flow that satisfies the condition can be influenced by the Shrew attack
DoS TCP Throughput: Model and Simulation
• Depends on how well the attack can induce transmission loss
• The model does not consider slow-start
[Figure: modelled and simulated DoS TCP throughput; the zero-throughput region is marked]
Instantaneous Bottleneck Queue Behavior
• Define B as the queue size and B0 as the queue size at the start of an attack
• Time to fill the queue:
Minimum Rate DoS Streams
• Double-rate DoS stream
  – First phase: fill the queue
  – Second phase: keep the queue full
• Use a square wave for DoS streams
  – Behaves the same
  – Simple; does not need knowledge of network parameters
DoS and Aggregated TCP Flows
[Figure: five long-lived homogeneous TCP flows under attack]
• RTT homogeneity introduces a single vulnerable timescale
• DoS induces the synchronization of RTOs
RTT-Based Filtering
• 20 long-lived TCP flows on a 10 MB/s link
• Round-trip times range from 20 to 460 ms
• Most short-RTT TCP flows are influenced
High Aggregation with Heterogeneous RTT
High-RTT flows are not influenced much
Impact of DoS Burst Length
As the burst length increases, more TCP flows with high RTT are influenced
Impact of DoS Peak Rate
Low peak rates are sufficient to filter the short-RTT flow
• 1 TCP flow with RTT from 12 ms to 134 ms
• 3 TCP flows with RTT from 108 ms to 230 ms
Impact on HTTP Flows
Attacks have a greater impact on larger files
TCP Variants
TCP Variants (Cont.)
Burst length L has a great influence on the throughput
DoS Attack Scenario
[Figure: intra-LAN, inter-LAN and WAN attack scenarios]
Experiment Results
Shrew attacks can come from remote sites as well as from nearby LANs
Impact of RED and RED-PD Routers
• For router-assisted mechanisms, relatively long-timescale measurements are required to determine with confidence that a flow is transmitting at an excessively high rate and should be dropped.
• RED: Random Early Detection; RED-PD: RED with Preferential Dropping
Detecting DoS Streams
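The previous slide's point is that a mechanism measuring rate over short windows sees only a low average and never gains the confidence to drop the stream. The added example below (this editor's, not code from the slides or the paper) shows the longer-timescale view a detector needs: it bins link load into 10 ms intervals, finds runs of bins far above the median, and recovers the period and burst length of a square-wave train. The trace is constructed inline, the 4x-median threshold and the `is_shrew_like` criterion (period near the 1 s minRTO, duty cycle under 20 %) are this example's own choices, and all function names are assumptions.

```python
# Added example (not from the slides): slow-timescale detection of a periodic
# square-wave burst train on a link. The traffic trace is constructed here; the
# threshold and flagging rule are this example's own choices, not the paper's.

BIN_S = 0.01  # 10 ms bins


def make_trace(seconds=10.0, period_s=1.0, burst_s=0.05,
               burst_kbit=500.0, background_kbit=20.0):
    """Constructed per-bin link load (kbit) with a square-wave burst on top."""
    nbins = int(round(seconds / BIN_S))
    period_bins = int(round(period_s / BIN_S))
    burst_bins = int(round(burst_s / BIN_S))
    trace = []
    for i in range(nbins):
        in_burst = (i % period_bins) < burst_bins
        trace.append(background_kbit + (burst_kbit if in_burst else 0.0))
    return trace


def burst_runs(trace, factor=4.0):
    """(start_bin, length_bins) of each run of bins above factor x the median."""
    ordered = sorted(trace)
    threshold = factor * ordered[len(ordered) // 2]
    runs, start = [], None
    for i, load in enumerate(trace):
        if load > threshold and start is None:
            start = i
        elif load <= threshold and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(trace) - start))
    return runs


def square_wave_stats(trace):
    """(period_s, burst_len_s, duty_cycle, peak_over_avg), or None if there is
    no repeating burst pattern to characterise."""
    runs = burst_runs(trace)
    if len(runs) < 3:
        return None
    starts = [s for s, _ in runs]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    lengths = [n for _, n in runs]
    # A square wave has (nearly) constant gaps and lengths; medians resist jitter.
    period = sorted(gaps)[len(gaps) // 2] * BIN_S
    burst_len = sorted(lengths)[len(lengths) // 2] * BIN_S
    avg = sum(trace) / len(trace)
    return period, burst_len, burst_len / period, max(trace) / avg


def is_shrew_like(trace, min_rto_s=1.0, tol=0.1, max_duty=0.2):
    """Flag a burst train whose period sits at the minRTO timescale with a
    short duty cycle: high peak, low average, exactly what a short-window
    rate limit misses."""
    stats = square_wave_stats(trace)
    if stats is None:
        return False
    period, _, duty, _ = stats
    return abs(period - min_rto_s) <= tol * min_rto_s and duty < max_duty


if __name__ == "__main__":
    print(square_wave_stats(make_trace()), is_shrew_like(make_trace()))
```

On the constructed trace the average load is only 45 kbit per bin against a 520 kbit peak, so a limiter that compares each flow's average rate with its fair share never trips; the run-length view instead reports a 1.0 s period with 50 ms bursts, which is the signature a deployment could act on.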
DoS under Randomized RTO
• A randomized minRTO shifts and smooths TCP's null frequencies
• It affects TCP performance
• It helps, but not very much, in defending against the attack
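To see why randomizing minRTO helps only partially, the added example below (this editor's, not code from the slides or the paper) models the alignment between retransmission instants and a periodic burst train. Its assumptions are not the paper's: RTT is taken as negligible next to minRTO, so a flow whose retransmission was lost at t = 0 retries at exactly its minRTO and then with doubled waits; bursts occupy [k·period, k·period + burst_len); and the "randomized" minRTO values are a deterministic evenly spaced stand-in for a uniform draw over [1.0, 1.2) s. All names are this example's own.

```python
# Added example (not from the slides): how many flows keep retransmitting into
# the bursts, with a fixed minRTO versus minRTO spread over [1.0, 1.2) s.
# Assumptions (not the paper's): RTT negligible vs minRTO, retries fire exactly
# at minRTO then double, and the spread is an evenly spaced stand-in for a
# uniform random draw.


def in_burst(t, period, burst_len):
    """True when instant t (s) falls inside the periodic burst train."""
    return (t % period) < burst_len


def fraction_kept_in_timeout(min_rtos, period=1.0, burst_len=0.05, retries=3):
    """Share of flows whose every retransmission, through `retries` rounds of
    exponential backoff, lands inside a burst and is lost again."""
    throttled = 0
    for rto in min_rtos:
        t, wait, lost_every_time = 0.0, rto, True
        for _ in range(retries):
            t += wait
            if not in_burst(t, period, burst_len):
                lost_every_time = False  # retransmission got through
                break
            wait *= 2.0                  # another loss: RTO doubles
        throttled += lost_every_time
    return throttled / len(min_rtos)


def fixed_min_rto(n, value=1.0):
    """Every flow uses the same minRTO floor."""
    return [value] * n


def spread_min_rto(n, low=1.0, high=1.2):
    """Deterministic stand-in for minRTO drawn uniformly in [low, high):
    the n mid-points of equal sub-intervals."""
    return [low + (high - low) * (i + 0.5) / n for i in range(n)]


if __name__ == "__main__":
    print(fraction_kept_in_timeout(fixed_min_rto(20)),
          fraction_kept_in_timeout(spread_min_rto(20), retries=1),
          fraction_kept_in_timeout(spread_min_rto(20)))
```

With a 1 s burst period and a fixed 1 s minRTO every flow retries at 1 s, 3 s and 7 s, each of which is the start of a burst, so the whole aggregate stays in timeout. Spreading minRTO over [1.0, 1.2) s leaves a quarter of the flows inside the first burst and only one in twenty inside all three, which is the "helps, but not very much" of the slide: the flows closest to the old 1 s value are still caught, and every flow now waits longer than 1 s before retransmitting, the performance cost the slide notes.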
Conclusions
• Low-rate DoS attacks are successful against both short- and long-lived TCP aggregates
• In a heterogeneous-RTT environment, the success of the attack is weighted towards shorter-RTT flows
• All low-rate periodic open-loop streams could be harmful
• Shrew attacks can only be mitigated, not eliminated; mitigation is a tradeoff against performance
Questions?