Ph.D. Thesis Presentation Aleksandar Kuzmanovic Edge-based Inference, Control, and DoS Resilience for the Internet.


1 Ph.D. Thesis Presentation Aleksandar Kuzmanovic Edge-based Inference, Control, and DoS Resilience for the Internet

2 The Internet
- 1969
- The system of astonishing scale and complexity
- 2004

3 Internet Design Principles
- Network as a black box
- End-to-end argument [Clark84]
  - The core is simple
  - Intelligence at the endpoints
- Implications
  - Easy to upgrade the network
  - Easy to incrementally deploy new services

4 Why End-Point Approach Today?
- Scalability
  - e2e scalability
- Deployability
  - IP and the network core are not extensible and are slowly evolving:
    - IPv6 (10 years)
    - IP Multicast (domain dependent)
- Goal: improve network performance right here, right now!

5 Network Performance
- Internet traffic
  - HTTP (web browsing)
  - FTP (file transfer)
    - Fact: 95% of the traffic today is TCP-based
- Performance
  - QoS differentiation
    - Net win for both HTTP and FTP flows
    - End-point-based two-level differentiation scheme
  - Denial of Service
    - DoS attacks can demolish network performance
    - Prevent DoS attacks via a robust end-point protocol design

6 End-Point Service Differentiation
- TCP-Low Priority (TCP-LP)
  - Utilizes only the excess network bandwidth
- Key mechanism
  - Early congestion indications: one-way packet delay
- Performance
  - Can improve HTTP file transfers by more than 90% when FTP flows use TCP-LP
- Deployability
  - No changes in the network core
  - Sender-side modification of TCP
- High-speed version developed in cooperation with SLAC
  - Tested over Gb/s networks in the US

7 Denial of Service
- A malicious way to consume resources in a network, a server cluster or an end host, thereby denying service to other legitimate users
- Example
  - The well-known vulnerability of TCP to high-rate non-responsive flows

8 Design Principles - Revisited
- Design principles
  - Intelligence at the endpoints
  - The core is simple
  - Trust and cooperation among the endpoints
- Implications
  - Easy to incrementally implement new services
  - Easy to upgrade the network
  - Large-scale system
- Implement more intelligence at routers?
  - Scalability issue
  - Detecting misbehaving flows in routers is a hard problem
    - Needle in a haystack

9 Design Principles - Revisited
- Design principles
  - Intelligence at the endpoints
  - The core is simple
  - Trust and cooperation among the endpoints
- Implications
  - Malicious clients may misuse the intelligence
  - Easy to upgrade the network
  - Large-scale system
- Implement more intelligence at routers?
  - Scalability issue
  - Detecting misbehaving flows in routers is a hard problem
    - Needle in a haystack

10 Design Principles - Revisited
- Design principles
  - Intelligence at the endpoints
  - The core is simple
  - Trust and cooperation among the endpoints
- Implications
  - Hard to detect endpoint misbehavior
  - Large-scale system
  - Malicious clients may misuse the intelligence
- Implement more intelligence at routers?
  - Scalability issue
  - Detecting misbehaving flows in routers is a hard problem
    - Needle in a haystack


12 End-Point Protocol Design
- Performance vs. security
  - End-point protocols are designed to maximize performance, but ignore security
  - 95% of the Internet traffic is TCP traffic
    - Can have catastrophic consequences
- DoS-resilient protocol design
  - Jointly optimize performance and security
  - Outperforms the core-based solutions

13 Remaining Outline
- End-point protocol vulnerabilities
  - Low-rate TCP-targeted DoS attacks
  - Receiver-based TCP stacks with a misbehaving receiver
- Limitations of network-based solutions
- DoS-resilient end-point protocol design

14 Low-Rate Attacks
- TCP is vulnerable to low-rate DoS attacks

15 TCP: a Dual Time-Scale Perspective
- Two time-scales are fundamentally required
  - RTT time-scales (~ ms)
    - AIMD control
  - RTO time-scales (RTO = SRTT + 4*RTTVAR)
    - Avoid congestion collapse
- Lower-bounding the RTO parameter:
  - [AllPax99]: minRTO = 1 sec
    - to avoid spurious retransmissions
  - RFC 2988 recommends minRTO = 1 sec

16 The Low-Rate Attack

17 The Low-Rate Attack
- At a random initial time
- A short burst (~RTT) is sufficient to create an outage
  - Outage: an event of correlated packet losses that forces TCP to enter the RTO mechanism
- The impact of the outage is distributed to all TCP flows

18 The Low-Rate Attack
- The outage synchronizes all TCP flows
  - All flows react simultaneously and identically
    - Back off for minRTO
- The attacker stops transmitting to elude detection

19 The Low-Rate Attack
- Once the TCP flows try to recover
  - hit them again
- Exploit protocol determinism

20 The Low-Rate Attack
- And keep repeating...
- RTT-time-scale outages inter-spaced at minRTO periods can deny service to TCP traffic


22 Vulnerability of Receiver-Based TCP to Misbehaviors
- Sender-based TCP
  - Control functions are given to the sender

23 Receiver-Based TCP
- The receiver decides how much data can be sent, and which data should be sent by the sender
- DATA-ACK communication becomes REQ-DATA
- Example protocols
  - TFRC [RFC3448], WebTP, and RCP

24 Why Receiver-Based TCP?
- Example: busy web server
  - Receiver-based TCP distributes the state management across a large number of clients
- Generally
  - Whenever feedback is needed from the receiver, receiver-based TCP has an advantage over sender-based schemes due to the locality of information
- Benefits [RCP03]
  - Performance: loss recovery, congestion control, power management for mobile devices, web response times
  - Functionality: seamless handoffs, server migration, bandwidth aggregation, network-specific congestion control

25 Vulnerability
- Receivers decide which packets are sent, and when
  - Receivers remotely control servers
- Receivers have both the means and the incentive to manipulate the congestion control algorithm
  - Means: open-source OS
  - Incentive: faster web browsing & file download

26 Receiver-Induced DoS Attacks
- Request flood attack
  - A misbehaving receiver floods the server with requests; the server replies and congests the network
- Goals
  - Evaluate network-based schemes
  - Develop end-point solutions

27 Remaining Outline
- End-point protocol vulnerabilities
- Limitations of network-based solutions
  - Low-rate attacks
  - Misbehaving receivers
- DoS-resilient end-point protocol design

28 Random Early Detection with Preferential Dropping
- RED-PD [MFW01] is designed to detect and thwart non-responsive flows
  - Monitors only a subset of flows at the router and compares their rates to the target bandwidth (TB)
    - TB is computed as the TCP-fair throughput for the observed Ploss and RTT = 40 ms
    - If Ti > TB, flow i is declared malicious
- Key questions
  - Can algorithms intended to find high-rate attacks detect low-rate attacks?
  - Could we tune the algorithms to detect low-rate attacks without having too many false alarms?

29 The Time-Scale Issue
- Scenario: 9 TCP Sack flows with RED and RED-PD
  - RED-PD detects high-bandwidth flows
    - DoS inter-burst period < 500 ms

30 The Time-Scale Issue
- Scenario: 9 TCP Sack flows with RED and RED-PD
  - RED-PD detects high-bandwidth flows (DoS inter-burst period < 500 ms) but fails to detect low-rate attacks (DoS inter-burst period > 500 ms)

31 CHOKe
- CHOKe [PPP00] controls misbehaving flows by preventing a flow from monopolizing buffer resources
- Question:
  - Why don't we use CHOKe against low-rate attacks?

32 Flow Filtering Scenario
- Heterogeneous RTT environment:
  - Short-RTT flows are the most vulnerable to low-rate attacks
- Implications:
  - Long-RTT flows 'collaborate' in the attack
  - Less-than-bottleneck rates are needed to attack short-RTT flows

33 CHOKe and Flow Filtering
- The DoS flow utilizes only 3.3% of the bottleneck capacity
- CHOKe fails to throttle the low-rate attack against short-RTT flows

34 Request Flooding DoS Attack
- Pushback [RFC3168]
  - Network nodes coordinate efforts to detect a malicious (flooding) node
- But in the request flooding scenario, the flooding machine is not malicious
  - moreover, it is a victim...

35 Bandwidth Stealing
- Fact
  - Network-based schemes lack exact knowledge of end-point parameters
- Example
  - RED-PD doesn't know the RTT: TB = f(Ploss, RTT = 40 ms)
- Implication
  - Clients with RTT > 40 ms can exploit this vulnerability
- Algorithmic misbehavior
  - We generalized the TCP formula
    - T = f(Ploss, RTT, a, b)
  - Our algorithm tells how to re-tune AIMD parameters to steal bandwidth, yet elude detection

36 Summary of Limitations
- Low-rate attacks
  - RED-PD: issue of time-scales
  - CHOKe: flow filtering
- Misbehaving receivers
  - Pushback: no distinction of causes and effects
  - RED-PD: no knowledge of endpoint parameters
- Can we do better from the endpoints?
  - End-point parameter randomization
  - End-point TCP-fairness verification

37 End-point minRTO Randomization
- Observe:
  - Low-rate attacks exploit protocol determinism
    - minRTO = 1 sec
- Question:
  - Can minRTO randomization alleviate the problem?
- Approach:
  - Randomize the minRTO parameter
- Insight:
  - The most vulnerable time-scale is T = b
    - Wait for flows to recover and then hit them again

38 End-point minRTO Randomization
- TCP throughput formula on the T = b time-scale of the low-rate attack

39 End-point minRTO Randomization
- TCP throughput formula on the T = b time-scale of the Shrew attack
- Randomizing the minRTO parameter shifts and smoothes TCP's null time-scales
- The fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains
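The slides' throughput formula is an image that did not survive extraction, so the following Python model is an added illustration (not the thesis's own formula or code) of why randomizing minRTO moves the null time-scale to T = b without removing it. It assumes a simplified single-flow model, that minRTO is drawn uniformly from [a, b], and the constructed values a = 1.0 s, b = 1.2 s; all three are assumptions of this example.

```python
import math


def throughput_fraction(period, min_rto):
    """Normalized throughput of one TCP flow under outages repeated every
    `period` seconds. Assumed simplified model: after an outage the flow is
    silent for min_rto seconds, then sends at full rate until the next outage;
    if min_rto exceeds the period, the retransmission itself falls into a later
    outage, so the flow stays silent for ceil(min_rto / period) periods."""
    k = math.ceil(min_rto / period)
    return (k * period - min_rto) / (k * period)


def randomized_throughput(period, a, b, steps=200):
    """Expected throughput when each flow draws minRTO uniformly from [a, b]
    (assumption of this example), by midpoint integration over the interval."""
    total = 0.0
    for i in range(steps):
        min_rto = a + (b - a) * (i + 0.5) / steps
        total += throughput_fraction(period, min_rto)
    return total / steps


def worst_period(periods, a, b):
    """Candidate outage period with the lowest expected throughput, i.e. the
    randomized flow's most vulnerable time-scale."""
    return min(periods, key=lambda t: randomized_throughput(t, a, b))


PERIODS = [0.8, 0.9, 1.0, 1.1, 1.2, 1.3, 1.5, 2.0]  # candidate periods, seconds

if __name__ == "__main__":
    # Deterministic minRTO = 1 s: throughput vanishes at T = 1 s (and T = 0.5 s).
    for t in PERIODS:
        print(f"fixed minRTO=1.0 s, T={t:.1f} s: {throughput_fraction(t, 1.0):.3f}")
    # Randomized minRTO in [1.0, 1.2] s: the null moves to T = b = 1.2 s and is
    # no longer exactly zero, but the flow still loses most of its throughput.
    for t in PERIODS:
        print(f"minRTO~U[1.0,1.2] s, T={t:.1f} s: "
              f"{randomized_throughput(t, 1.0, 1.2):.3f}")
    print("most vulnerable period:", worst_period(PERIODS, 1.0, 1.2))
```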

40 An End-Point Solution
- Sender-side verification:
  - Ping Agent:
    - Measures RTT without cooperation from the receiver
  - TFRC Agent:
    - Computes the "TCP-fair" rate
  - Control Agent:
    - Enforces the sending rate

41 Evaluation
- Scenarios:
  - with a behaving receiver (to study false positives)
  - with misbehaving receivers (to study detection)
- The end-point scheme is able to detect even very moderate misbehaviors
- Slight inaccuracy for higher packet loss ratios (due to TFRC conservatism)

42 Summary
- Denial of Service attacks represent a fundamental threat to today's Internet
- Network-based solutions are necessary, yet are quite often very limited
- End-point protocols are optimized for performance, not security
- DoS-resilient protocol design
  - Parameter randomization
  - Ability to control the other end-point

43 Conclusions
- Improve network performance via
  - End-point QoS differentiation
  - DoS-resilient protocol design
- QoS differentiation
  - Developed, implemented, and tested TCP-LP
  - Can significantly improve the network performance
- Denial of Service
  - Pro-active approach
  - Jointly consider both performance and security aspects

44 Publications
[1] Measuring Service in Multi-Class Networks. In IEEE INFOCOM.
[2] Measurement Based Characterization and Classification of QoS-Enhanced Systems. In IEEE TPDS, 14(7).
[3] TCP-LP: A Distributed Algorithm for Low Priority Data Transfer. In IEEE INFOCOM.
[4] TCP-LP: Low-Priority Service via End-Point Congestion Control. To appear in IEEE/ACM ToN.
[5]* HSTCP-LP: A Protocol for Low-Priority Bulk Data Transfer in High-Speed High-RTT Networks. In PFLDnet.
[6] Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). In ACM SIGCOMM.
[7] Low-Rate TCP-Targeted Denial of Service Attacks and Counter Strategies. Submitted to IEEE/ACM ToN.
[8] A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols. In IEEE ICNP.
[9] Receiver-based Congestion Control with a Misbehaving Receiver: Vulnerabilities and End-Point Solutions. Submitted to IEEE/ACM ToN.
* With R. Les Cottrell, SLAC.

