Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew.

Similar presentations


Presentation on theme: "Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew."— Presentation transcript:

1 Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)

2 A. Kuzmanovic and E. W. Knightly Background l Traditional view of DoS attacks –Attacker consumes resources and denies service to legitimate users  Ex. traffic floods, DDoS  Result: TCP backs off –Observe: statistical anomalies that are relatively easily detectable  Due to attacker’s high rate

3 A. Kuzmanovic and E. W. Knightly Thesis: TCP is Vulnerable to Low-rate Attacks l Shrew: low-rate TCP-targeted attacks –Elude detection by counter-DoS mechanisms –Able to severely deny service to legitimate users l Goals –Analyze TCP mechanisms that can be exploited by DoS attackers –Explore TCP frequency response to Shrews –Evaluate detection mechanisms –Analyze effectiveness of randomization strategies l Methodology: modeling, simulations, Internet experiments

4 A. Kuzmanovic and E. W. Knightly Shrew l Very small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite l Reviewer 3: “only some shrews are venomous and the amount of venom in even the venomous species is very mild.”

5 A. Kuzmanovic and E. W. Knightly TCP: a Dual Time-Scale Perspective l Two time-scales fundamentally required –RTT time-scales (~ ms)  AIMD control –RTO time-scales (RTO=SRTT+4*RTTVAR)  Avoid congestion collapse l RTO must be lower bounded to avoid spurious retransmissions –[AllPax99] and RFC2988 recommends minRTO = 1 secRFC2988

6 A. Kuzmanovic and E. W. Knightly TCP Timeline l Timeline of TCP congestion window –AIMD control

7 A. Kuzmanovic and E. W. Knightly The Shrew Attack (1/3) l Pulse-induced outage – multiple losses force TCP to enter RTO mechanism Short outages (~RTT) force TCP to timeout All flows simultaneously enter this state

8 A. Kuzmanovic and E. W. Knightly The Shrew Attack (2/3) l When flows attempt to simultaneously exit timeout and enter slow-start… l Shrew pulses again and forces flows synchronously back into timeout state

9 A. Kuzmanovic and E. W. Knightly The Shrew Attack (3/3) l Shrew periodically repeats pulse –RTT-time-scale outages inter-spaced on minRTO periods can deny service to TCP –Flows synchronize their state to the Shrew

10 A. Kuzmanovic and E. W. Knightly Shrew Principles l Shrews exploit protocol homogeneity and determinism –Protocols react in a pre-defined way –Tradeoff of vulnerability vs. predictability l Periodic outages synchronize TCP flow states and deny their service l Slow time scale protocol mechanisms enable low- rate attacks –Outages at RTO scale, pulses at RTT scale imply low average rate

11 A. Kuzmanovic and E. W. Knightly Creating Outages in the Network l Shrew: square-wave stream ( l~RTT, T~minRTO ) –Optimal pattern in paper l Low-rate “TCP friendly” DoS  hard to detect –Counter-DOS mechanisms tuned for high rate attacks –Detecting Shrews may have unacceptably many false alarms (due to legitimate bursty flows)

12 A. Kuzmanovic and E. W. Knightly Outline l Shrew attack l Simulation and Internet experiments l DoS detection mechanisms l minRTO randomization

13 A. Kuzmanovic and E. W. Knightly The Shrew in Action l How much is TCP throughput degraded? l DoS stream:  R=C=1.5Mb/s;  l=70ms (~TCP RTT)

14 A. Kuzmanovic and E. W. Knightly The Shrew in Action l Shrews induce null frequency near RTO l Shrew has low average rate .08C l Analytical model accurately predicts degradation

15 A. Kuzmanovic and E. W. Knightly Challenges for Shrews l Aggregation –Vulnerable due to Shrew-induced flow synchronization l RTT heterogeneity –Shrews are high-RTT pass filters l DoS peak rate –Less-than-bottleneck bursts can damage short-RTT flows l Short-lived TCP flows –Web browsing l Internet experiments –Can Shrews be successful on the Internet?

16 A. Kuzmanovic and E. W. Knightly Shrews vs. Short-lived TCP Traffic l Scenario: Web browsing [FGHW99] –Average damage to  a mouse (<100pkts) =400% delay increase  an elephant (>100pkts) =24500%delay increase

17 A. Kuzmanovic and E. W. Knightly Shrews vs. Short-lived TCP Traffic l Scenario: Web browsing –Larger files more vulnerable  most suffer  some benefit

18 A. Kuzmanovic and E. W. Knightly Internet Experiments: Scenario l Scenario: victim on a lightly loaded 10 Mb/sec LAN l Attacker on same LAN, nearby LAN, or over WAN l WAN path: –EPFLETH, 8 hops (10/100/OC-12)

19 A. Kuzmanovic and E. W. Knightly Internet Experiments: Results l Shrew average rate: 909 kb/sec –R = 10 Mb/sec, l = 100 msec, T = 1.1 sec l TCP throughput –9.8 Mb/sec without Shrew –1.2 Mb/sec with Shrew, 87.8% degradation

20 A. Kuzmanovic and E. W. Knightly Outline l Shrew attack l Simulation and Internet experiments l Counter DoS mechanisms –Robust TCP variants (NewReno, Sack…) –Router detection mechanisms (RED, RED-PD, …) l minRTO randomization

21 A. Kuzmanovic and E. W. Knightly Detecting Shrews l Shrews have low average rate, yet send high-rate bursts on short time-scales l Key questions –Can algorithms intended to find high-rate attacks detect Shrews? –Can we tune the algorithms to detect Shrews without having too many false alarms? l A number of schemes can detect malicious flows –E.g., RED-PD:  use the packet drop history to detect high-bandwidth flows and preferentially drop packets from these flows

22 A. Kuzmanovic and E. W. Knightly Router-Assisted Mechanisms l Scenario: 9 TCP Sack flows with RED and RED-PD l RED-PD only detects Shrews with unnecessarily high rate l Reducing RED-PD measurement time scale results in excessive false positives

23 A. Kuzmanovic and E. W. Knightly Outline l Shrew attack l Simulation and Internet experiments l Counter DoS mechanisms l minRTO randomization

24 A. Kuzmanovic and E. W. Knightly End-point minRTO Randomization l Observe –Shrews exploit protocol homogeneity and determinism l Question –Can minRTO randomization alleviate threat of Shrews? l TCP flows’ approach –Randomize the minRTO = uniform(a,b) l Shrews’ counter approach –Given flows randomize minRTO, the optimal Shrew pulses at time-scale T=b  Wait for all flows to recover and then pulse again

25 A. Kuzmanovic and E. W. Knightly End-point minRTO Randomization l TCP throughput for T=b time-scale of the Shrew attack  a small  spurious retransmissions [AllPax99]  b large  bad for short-lived (HTTP) traffic l Randomizing the minRTO parameter shifts and smoothes TCP’s null time-scales l Fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains

26 A. Kuzmanovic and E. W. Knightly Conclusions l Shrew principles –Exploit slow-time-scale protocol homogeneity and determinism l Real-world vulnerability to Shrew attacks –Internet experiment: 87.8% throughput loss without detection l Shrews are difficult to detect –Low average rate and “TCP friendly” –Cannot filter short bursts –Fundamental mismatch of attack/defense timescales

27 A. Kuzmanovic and E. W. Knightly Open Questions l Can filters specific to Shrews be designed without excessive false positives? l Can end-point algorithms be sufficiently randomized, so that –attackers cannot exploit their known reactions –performance is not sacrificed l Reconsider “TCP friendly” definition

28 A. Kuzmanovic and E. W. Knightly Backup Slides

29 A. Kuzmanovic and E. W. Knightly Aggregation l Homogeneous TCP aggregates are vulnerable l Shrews induce flow synchronization l Analytical model accurately predicts degradation Scenario: 5 TCP flows, homogenous RTTs

30 A. Kuzmanovic and E. W. Knightly DoS Peak Rate l Less-than-bottleneck bursts can damage short-RTT flows –Scenario: 4 TCP flows + DoS  1 short-RTT & 3 long-RTT flows  DoS outage ~ RTT of the short-RTT flow

31 A. Kuzmanovic and E. W. Knightly DoS Peak Rate l DoS flow is masked with long-RTT TCP flows l Long-RTT flows inadvertently collaborate in the attack

32 A. Kuzmanovic and E. W. Knightly TCP Variants l TCP Reno is the most fragile l NewReno? Sack? l Scenario: –TCP variants  Reno  New Reno  Tahoe  SACK –DoS stream  Burst rate equals the bottleneck capacity  Burst length:30ms, 50ms, 70ms, and 90ms

33 A. Kuzmanovic and E. W. Knightly TCP Variants l Burst length = 30ms –TCP Reno is the most fragile

34 A. Kuzmanovic and E. W. Knightly TCP Variants l Burst length = 50ms –TCP is the most vulnerable in sec time- scale region due to slow start

35 A. Kuzmanovic and E. W. Knightly TCP Variants l All TCP variants obtain the same profile –Sufficient pulse width ensures timeout –Windows remain small

36 A. Kuzmanovic and E. W. Knightly TCP Variants l Burst length = 90ms –When burst length is severe enough -> all TCP stacks are equally fragile

37 A. Kuzmanovic and E. W. Knightly The Role of Time-Scales l Scenario: R=2 Mb/s; T=1 sec; l~ ms

38 A. Kuzmanovic and E. W. Knightly The Role of Time-Scales l RED-PD detects l=300 ms shrews –Recall that 30 ms enough for DoS l A fundamental mismatch –If shorter time-scales are used =>  high false alarm probability (bursty TCP flows)

39 A. Kuzmanovic and E. W. Knightly Shrews vs. Heterogeneous RTTs l Hypothesis: Shrews are high-RTT-pass filters –Service is denied to short-RTT flows

40 A. Kuzmanovic and E. W. Knightly Flow Filtering l Shrews damage short-RTT flows the most –Scenario  20 TCP flows; RTT ~ ms  Cut-off time scale ~ 180 ms


Download ppt "Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew."

Similar presentations


Ads by Google