
Rice Networks Group, http://www.ece.rice.edu/networks
Aleksandar Kuzmanovic and Edward W. Knightly
Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)

Presentation transcript, slide by slide:

Slide 1: Title slide (authors and affiliation as above)

Slide 2: Background (A. Kuzmanovic and E. W. Knightly)
- Traditional view of DoS attacks
  - Attacker consumes resources and denies service to legitimate users
    - Examples: traffic floods, DDoS
    - Result: TCP backs off
  - Observation: such attacks produce statistical anomalies that are relatively easy to detect, because of the attacker's high rate

Slide 3: Thesis: TCP is Vulnerable to Low-rate Attacks
- Shrew: low-rate TCP-targeted attacks
  - Elude detection by counter-DoS mechanisms
  - Able to severely deny service to legitimate users
- Goals
  - Analyze the TCP mechanisms that DoS attackers can exploit
  - Explore TCP's frequency response to Shrews
  - Evaluate detection mechanisms
  - Analyze the effectiveness of randomization strategies
- Methodology: modeling, simulations, Internet experiments

Slide 4: Shrew
- Very small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite
- Reviewer 3: "only some shrews are venomous and the amount of venom in even the venomous species is very mild."

Slide 5: TCP: a Dual Time-Scale Perspective
- Two time-scales are fundamentally required
  - RTT time-scale (~10-100 ms): AIMD control
  - RTO time-scale (RTO = SRTT + 4*RTTVAR): avoid congestion collapse
- The RTO must be lower-bounded to avoid spurious retransmissions
  - [AllPax99] and RFC 2988 recommend minRTO = 1 sec
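The RTO computation named on slide 5 (RTO = SRTT + 4*RTTVAR with a 1 s floor) is what makes the RTO time-scale so much coarser than the RTT time-scale: on a 10 ms LAN path the estimator's raw value is about 11 ms, but the floor pins the armed timer at 1000 ms, which is the interval the Shrew will later pulse on. The following is an added example (not code from the paper or the presentation) that implements the RFC 2988 estimator; the gains, the sample RTT traces and the `rto_after` helper are this example's own. One caveat for practitioners: RFC 6298, which obsoletes RFC 2988, keeps the 1 s floor only as a SHOULD, and Linux uses a 200 ms minimum (`TCP_RTO_MIN`), so the time-scale an attacker has to hit is stack-dependent; the `min_rto_ms` parameter lets you see the effect of a lower floor.

```python
# RFC 2988 retransmission-timer computation with the 1 s floor the slide refers to.
# Added example; the constants follow RFC 2988, the sample RTT traces are constructed.

ALPHA = 1 / 8        # SRTT smoothing gain (RFC 2988, section 2.3)
BETA = 1 / 4         # RTTVAR smoothing gain
K = 4                # RTO = SRTT + K * RTTVAR
MIN_RTO_MS = 1000.0  # floor recommended by RFC 2988 / [AllPax99]


class RtoEstimator:
    """Tracks SRTT and RTTVAR from RTT samples and derives the RTO as RFC 2988 specifies."""

    def __init__(self, clock_granularity_ms=1.0, min_rto_ms=MIN_RTO_MS):
        self.srtt = None
        self.rttvar = None
        self.g = clock_granularity_ms
        self.min_rto = min_rto_ms

    def update(self, sample_ms):
        """Feed one RTT measurement; returns the RTO (ms) to arm after it."""
        if self.srtt is None:                # first measurement: RFC 2988, section 2.2
            self.srtt = float(sample_ms)
            self.rttvar = sample_ms / 2.0
        else:                                # later measurements: section 2.3
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - sample_ms)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * sample_ms
        return self.rto()

    def rto(self):
        """RTO = max(minRTO, SRTT + max(G, K * RTTVAR)); the max() is section 2.4's round-up."""
        raw = self.srtt + max(self.g, K * self.rttvar)
        return max(self.min_rto, raw)


def rto_after(samples_ms, **kwargs):
    """Run the estimator over a list of RTT samples; returns (SRTT, RTO) in ms."""
    est = RtoEstimator(**kwargs)
    for s in samples_ms:
        est.update(s)
    return est.srtt, est.rto()


if __name__ == "__main__":
    lan = [10] * 20                   # constructed: a steady 10 ms LAN path
    wan = [900, 1100] * 10            # constructed: a jittery path with RTT around 1 s
    print("LAN  SRTT=%.1f ms  RTO=%.1f ms" % rto_after(lan))   # RTO pinned to the 1 s floor
    print("WAN  SRTT=%.1f ms  RTO=%.1f ms" % rto_after(wan))   # RTO set by SRTT + 4*RTTVAR
    print("LAN with a 200 ms floor: RTO=%.1f ms" % rto_after(lan, min_rto_ms=200.0)[1])
```

The LAN trace shows the point of the slide: the measured RTT contributes almost nothing and the timer is the floor itself, so every flow on that path shares the same, predictable recovery delay.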

Slide 6: TCP Timeline
- Timeline of the TCP congestion window under AIMD control

Slide 7: The Shrew Attack (1/3)
- Pulse-induced outage: multiple losses force TCP into the RTO mechanism
  - Short outages (~RTT) are enough to force TCP to time out
  - All flows simultaneously enter this state

Slide 8: The Shrew Attack (2/3)
- When the flows attempt to exit timeout simultaneously and enter slow start...
- ...the Shrew pulses again and forces the flows synchronously back into the timeout state

Slide 9: The Shrew Attack (3/3)
- The Shrew repeats the pulse periodically
  - RTT-time-scale outages spaced at minRTO intervals can deny service to TCP
  - Flows synchronize their state to the Shrew

Slide 10: Shrew Principles
- Shrews exploit protocol homogeneity and determinism
  - Protocols react in a pre-defined way
  - Tradeoff of vulnerability vs. predictability
- Periodic outages synchronize TCP flow states and deny them service
- Slow-time-scale protocol mechanisms enable low-rate attacks
  - Outages at the RTO scale with pulses at the RTT scale imply a low average rate

Slide 11: Creating Outages in the Network
- Shrew: square-wave stream with burst length l ~ RTT and period T ~ minRTO
  - The optimal pattern is derived in the paper
- Low-rate, "TCP friendly" DoS is hard to detect
  - Counter-DoS mechanisms are tuned for high-rate attacks
  - Detecting Shrews may produce unacceptably many false alarms (legitimate flows are bursty too)

Slide 12: Outline
- Shrew attack
- Simulation and Internet experiments
- DoS detection mechanisms
- minRTO randomization

Slide 13: The Shrew in Action
- How much is TCP throughput degraded?
- DoS stream: R = C = 1.5 Mb/s; l = 70 ms (~TCP RTT)

Slide 14: The Shrew in Action
- Shrews induce a null frequency near the RTO
- The Shrew has a low average rate, 0.08C
- The analytical model accurately predicts the degradation

Slide 15: Challenges for Shrews
- Aggregation: vulnerable due to Shrew-induced flow synchronization
- RTT heterogeneity: Shrews are high-RTT-pass filters
- DoS peak rate: less-than-bottleneck bursts can damage short-RTT flows
- Short-lived TCP flows: web browsing
- Internet experiments: can Shrews be successful on the Internet?

Slide 16: Shrews vs. Short-lived TCP Traffic
- Scenario: web browsing [FGHW99]
  - Average damage to a mouse (<100 packets): 400% delay increase
  - Average damage to an elephant (>100 packets): 24500% delay increase

Slide 17: Shrews vs. Short-lived TCP Traffic
- Scenario: web browsing
  - Larger files are more vulnerable: most suffer, some benefit

Slide 18: Internet Experiments: Scenario
- Victim on a lightly loaded 10 Mb/s LAN
- Attacker on the same LAN, a nearby LAN, or over the WAN
- WAN path: EPFL to ETH, 8 hops (10/100 Mb/s Ethernet and OC-12 links)

Slide 19: Internet Experiments: Results
- Shrew average rate: 909 kb/s
  - R = 10 Mb/s, l = 100 ms, T = 1.1 s (average rate = R*l/T)
- TCP throughput
  - 9.8 Mb/s without the Shrew
  - 1.2 Mb/s with the Shrew: 87.8% degradation

Slide 20: Outline
- Shrew attack
- Simulation and Internet experiments
- Counter-DoS mechanisms
  - Robust TCP variants (NewReno, SACK, ...)
  - Router detection mechanisms (RED, RED-PD, ...)
- minRTO randomization

Slide 21: Detecting Shrews
- Shrews have a low average rate, yet send high-rate bursts on short time-scales
- Key questions
  - Can algorithms intended to find high-rate attacks detect Shrews?
  - Can we tune those algorithms to detect Shrews without too many false alarms?
- A number of schemes can detect malicious flows
  - E.g., RED-PD: use the packet-drop history to detect high-bandwidth flows and preferentially drop packets from them

Slide 22: Router-Assisted Mechanisms
- Scenario: 9 TCP SACK flows with RED and RED-PD
- RED-PD only detects Shrews with an unnecessarily high rate
- Reducing RED-PD's measurement time-scale results in excessive false positives

Slide 23: Outline
- Shrew attack
- Simulation and Internet experiments
- Counter-DoS mechanisms
- minRTO randomization

Slide 24: End-point minRTO Randomization
- Observation: Shrews exploit protocol homogeneity and determinism
- Question: can minRTO randomization alleviate the threat of Shrews?
- TCP flows' approach: randomize minRTO = uniform(a, b)
- Shrews' counter-approach: given that flows randomize minRTO, the optimal Shrew pulses at time-scale T = b
  - Wait for all flows to recover, then pulse again

Slide 25: End-point minRTO Randomization
- TCP throughput for the T = b time-scale of the Shrew attack
  - a small: spurious retransmissions [AllPax99]
  - b large: bad for short-lived (HTTP) traffic
- Randomizing the minRTO parameter shifts and smoothes TCP's null time-scales
- The fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains
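Slides 7 through 11 describe the attack mechanism (a burst of about one RTT forces a timeout, and pulsing again every minRTO keeps the flow in timeout), slide 14 its frequency response, slide 19 the average-rate arithmetic, and slides 24 and 25 the randomized-minRTO defence and the attacker's T = b reply. The following is an added example, not the paper's ns simulator or any code from the authors, that puts those pieces into one deliberately simplified, deterministic model: one Reno-like flow sends one window per RTT; an attacker sends square-wave bursts at the bottleneck rate, and any window overlapping a burst is assumed to lose enough packets to time out; the flow then idles for minRTO * 2^backoff and restarts slow start. The burst/period/RTT values, the `cwnd_max` cap standing in for the bottleneck, and the helper names (`simulate`, `overlaps_burst`, `shrew_average_rate`, the `*_min_rto` draw functions) are all this example's assumptions.

```python
# Toy model of a Shrew attack against one TCP flow (added example; not the paper's simulator).
# Time is in integer milliseconds. Assumptions: one window per RTT; a window that overlaps an
# attacker burst loses enough packets to force a retransmission timeout; after a timeout the
# flow idles for minRTO * 2**backoff (capped) and restarts slow start from cwnd = 1; without
# the attack the flow ramps to cwnd_max (the bottleneck share) and sees no other loss.
import random

MIN_RTO_MS = 1000      # RFC 2988 lower bound used by the victim
MAX_RTO_MS = 64000     # RFC 2988 upper bound on a backed-off timer


def overlaps_burst(start_ms, end_ms, period_ms, burst_ms):
    """True if [start_ms, end_ms) intersects any burst [k*period, k*period + burst)."""
    if period_ms <= 0:
        return False
    for k in range(start_ms // period_ms, end_ms // period_ms + 1):
        burst_start = k * period_ms
        if start_ms < burst_start + burst_ms and burst_start < end_ms:
            return True
    return False


def shrew_average_rate(peak_rate_bps, burst_ms, period_ms):
    """Average rate of the square wave, R*l/T (slide 19: 10 Mb/s, 100 ms, 1.1 s -> ~909 kb/s)."""
    return peak_rate_bps * burst_ms / period_ms


def fixed_min_rto(min_rto_ms=MIN_RTO_MS):
    """Deterministic victim: every timeout uses the same minRTO (the stock RFC 2988 behaviour)."""
    return lambda: min_rto_ms


def uniform_min_rto(a_ms, b_ms, seed=0):
    """Slide 24's defence: draw minRTO uniformly in [a, b] at every timeout."""
    rng = random.Random(seed)
    return lambda: rng.randint(a_ms, b_ms)


def sequence_min_rto(values_ms):
    """Replay a fixed list of minRTO draws (cycling), for reproducible what-if runs."""
    state = {"i": 0}

    def draw():
        v = values_ms[state["i"] % len(values_ms)]
        state["i"] += 1
        return v
    return draw


def simulate(rtt_ms, period_ms, burst_ms, duration_ms=10_000, cwnd_max=32,
             first_send_ms=0, min_rto_draw=None):
    """Run the flow for duration_ms; return throughput normalised to bottleneck capacity (0..1)."""
    draw = min_rto_draw or fixed_min_rto()
    cwnd, ssthresh = 1.0, float(cwnd_max)
    backoff, delivered, t = 0, 0, first_send_ms
    while t < duration_ms:
        if overlaps_burst(t, t + rtt_ms, period_ms, burst_ms):
            # Window damaged by the pulse: timeout, halve ssthresh, back the timer off.
            rto = min(draw() * 2 ** backoff, MAX_RTO_MS)
            backoff += 1
            ssthresh = max(cwnd / 2, 2.0)
            cwnd = 1.0
            t += rto                     # idle until the retransmission timer fires
            continue
        delivered += int(cwnd)           # window delivered; grow per slow start / AIMD
        backoff = 0
        cwnd = min(cwnd * 2, ssthresh) if cwnd < ssthresh else min(cwnd + 1, float(cwnd_max))
        t += rtt_ms
    return delivered / (cwnd_max * duration_ms / rtt_ms)


def throughput_vs_period(periods_ms, rtt_ms=50, burst_ms=50, **kw):
    """Sweep the attacker's period T: the 'frequency response' of slide 14."""
    return {T: simulate(rtt_ms, T, burst_ms, **kw) for T in periods_ms}


if __name__ == "__main__":
    print("no attack          :", round(simulate(50, 0, 0), 3))
    print("T = minRTO = 1 s   :", round(simulate(50, 1000, 50), 3))        # stays in timeout
    print("T = 1.1 s (slide 19):", round(simulate(50, 1100, 50), 3))
    print("T = 3 s            :", round(simulate(50, 3000, 50), 3))
    print("sweep T -> throughput:",
          {T: round(v, 3) for T, v in throughput_vs_period(range(500, 3001, 500)).items()})
    print("minRTO ~ U[1000,1200], attacker T = b = 1200:",
          round(simulate(50, 1200, 50, min_rto_draw=uniform_min_rto(1000, 1200)), 3))
    print("Shrew average rate for slide 19's stream: %.0f kb/s"
          % (shrew_average_rate(10e6, 100, 1100) / 1e3))
```

Two things the run makes visible that the slides only state: with T exactly equal to minRTO the flow's retransmissions at minRTO, 2*minRTO, 4*minRTO all land inside later pulses (the backed-off timers are multiples of T), so throughput is zero regardless of the flow's starting phase; and with the randomized floor and the attacker pulsing at T = b the flow gets only the slack between its drawn minRTO and b, which is why slide 25 calls the tradeoff fundamental rather than solved.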

Slide 26: Conclusions
- Shrew principles: exploit slow-time-scale protocol homogeneity and determinism
- Real-world vulnerability to Shrew attacks
  - Internet experiment: 87.8% throughput loss without detection
- Shrews are difficult to detect
  - Low average rate and "TCP friendly"
  - Short bursts cannot be filtered
  - Fundamental mismatch of attack and defense time-scales

Slide 27: Open Questions
- Can filters specific to Shrews be designed without excessive false positives?
- Can end-point algorithms be sufficiently randomized so that
  - attackers cannot exploit their known reactions, and
  - performance is not sacrificed?
- Reconsider the definition of "TCP friendly"

Slide 28: Backup Slides

Slide 29: Aggregation
- Homogeneous TCP aggregates are vulnerable
- Shrews induce flow synchronization
- The analytical model accurately predicts the degradation
- Scenario: 5 TCP flows, homogeneous RTTs

Slide 30: DoS Peak Rate
- Less-than-bottleneck bursts can damage short-RTT flows
  - Scenario: 4 TCP flows + DoS; 1 short-RTT and 3 long-RTT flows; DoS outage ~ RTT of the short-RTT flow

Slide 31: DoS Peak Rate
- The DoS flow is masked by the long-RTT TCP flows
- The long-RTT flows inadvertently collaborate in the attack

Slide 32: TCP Variants
- TCP Reno is the most fragile
- NewReno? SACK?
- Scenario
  - TCP variants: Reno, NewReno, Tahoe, SACK
  - DoS stream: burst rate equal to the bottleneck capacity; burst length 30 ms, 50 ms, 70 ms, and 90 ms

Slide 33: TCP Variants
- Burst length = 30 ms: TCP Reno is the most fragile

Slide 34: TCP Variants
- Burst length = 50 ms: TCP is most vulnerable in the 1-1.2 s time-scale region, due to slow start

Slide 35: TCP Variants
- All TCP variants show the same profile
  - A sufficient pulse width ensures a timeout
  - Windows remain small

Slide 36: TCP Variants
- Burst length = 90 ms: when the burst is severe enough, all TCP stacks are equally fragile

Slide 37: The Role of Time-Scales
- Scenario: R = 2 Mb/s; T = 1 s; l ~ 50-450 ms

Slide 38: The Role of Time-Scales
- RED-PD detects Shrews with l = 300 ms
  - Recall that 30 ms is enough for DoS
- A fundamental mismatch
  - If shorter measurement time-scales are used, the false-alarm probability is high (legitimate TCP flows are bursty)

Slide 39: Shrews vs. Heterogeneous RTTs
- Hypothesis: Shrews are high-RTT-pass filters
  - Service is denied to short-RTT flows

Slide 40: Flow Filtering
- Shrews damage short-RTT flows the most
  - Scenario: 20 TCP flows; RTT ~ 20-460 ms; cut-off time-scale ~ 180 ms
