Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Prof. John C.S. Lui CSE Dept. CUHK.


Slide 2. Outline
- Introduction to Low-rate TCP Attack
- Formal Description of Low-rate TCP Attack
- Distributed Dynamic Detection
- Low-rate Attack Defense Mechanism
- Fluid Model of TCP Flows
- Defence Experiments
- Related Work & Conclusion

Slide 3. Introduction to the Low-rate TCP Attack
- Common DoS attack
  - Consumes resources (bandwidth, buffers, etc.)
  - Keeps legitimate users away from the service
  - A large number of machines or agents are involved
  - Harmful, but relatively easy to detect
- Low-rate DoS attack
  - Aims to deny bandwidth to legitimate TCP flows
  - The attacker sends an attack stream with a low average volume
  - Exploits the TCP congestion control mechanism
  - The attacker sends periodic short bursts to the victim/router

Slide 4. TCP Retransmission Mechanism
- TCP congestion control, under severe network congestion:
  - Wait until the retransmission timeout (RTO) expires
  - Reduce the congestion window, double the RTO and retransmit the packet
  - If the retransmission succeeds, enter the slow start phase; otherwise, back off exponentially again
- Calculation of RTO, from RFC 2988: RTO = max(minRTO, SRTT + max(G, 4·RTTVAR))
  - Usually RTO = minRTO during slow start
  - minRTO = 1 second (recommended in RFC 2988)
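The RTO computation on this slide, as an added Python example (not code from the slides or the paper): the estimator applies the RFC 2988 update rules for SRTT and RTTVAR and the exponential back-off on timeout. The clock granularity G = 1 ms and the RTT events replayed by rto_trace are assumptions chosen for this illustration; the point it shows is that on a short path the RTO stays pinned at minRTO = 1 s, which is why the slide says RTO = minRTO during slow start.

```python
# Added example (not from the slides): an RTO estimator following RFC 2988,
# plus the exponential back-off described on slide 4. The clock granularity
# G = 1 ms and the RTT samples fed in below are assumptions for this illustration.

MIN_RTO = 1.0    # minRTO recommended by RFC 2988, in seconds
G = 0.001        # assumed clock granularity (1 ms)
K = 4            # RFC 2988 multiplier for RTTVAR
ALPHA = 1 / 8    # RFC 2988 SRTT smoothing gain
BETA = 1 / 4     # RFC 2988 RTTVAR smoothing gain


class RtoEstimator:
    def __init__(self):
        self.srtt = None     # smoothed round-trip time
        self.rttvar = None   # round-trip time variation
        self.backoff = 1     # doubled on every timeout, cleared by a new RTT sample

    def sample(self, rtt):
        """Feed one RTT measurement (seconds) and return the resulting RTO."""
        if self.srtt is None:                       # first measurement (RFC 2988, 2.2)
            self.srtt = rtt
            self.rttvar = rtt / 2
        else:                                       # later measurements (RFC 2988, 2.3)
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - rtt)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * rtt
        self.backoff = 1                            # successful exchange: leave back-off
        return self.rto()

    def timeout(self):
        """The retransmission timer fired: double the RTO (RFC 2988, 5.5)."""
        self.backoff *= 2
        return self.rto()

    def rto(self):
        # RTO = max(minRTO, SRTT + max(G, 4 * RTTVAR)), scaled by the back-off factor
        return max(MIN_RTO, self.srtt + max(G, K * self.rttvar)) * self.backoff


def rto_trace(events):
    """Replay a constructed event list of ("rtt", seconds) and ("timeout",) tuples;
    return the RTO in effect after each event."""
    est = RtoEstimator()
    out = []
    for event in events:
        out.append(est.sample(event[1]) if event[0] == "rtt" else est.timeout())
    return out


if __name__ == "__main__":
    # A 100 ms path: the RTO stays pinned at minRTO = 1 s, doubles on each timeout,
    # and drops back once a retransmission succeeds and yields a fresh RTT sample.
    print(rto_trace([("rtt", 0.1), ("timeout",), ("timeout",), ("rtt", 0.12)]))
```

On a 2 s path the same estimator returns 6 s for the first sample (SRTT + 4·RTTVAR = 2 + 4·1), so minRTO only dominates when RTT is short; the detection and DRR parts of the talk do not depend on end hosts changing this computation.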

Slide 5. Low-rate DoS Attack on a TCP Flow
- An example of a low-rate DoS attack:
  - A sufficiently large attack burst causes packet loss at the congested router
  - TCP waits until timeout and retransmits after the RTO
  - If the attack period equals the RTO of the TCP flow, the flow continually incurs loss and achieves zero or very low throughput
- Figure label: Avg BW = lR/T (the average bandwidth of the periodic burst stream, with l, R and T as defined on slide 7)

Slide 6. What is next? (outline recap; the next part is Formal Description of Low-rate TCP Attack)

Slide 7. Formal Description
- Mathematical description of the attack stream (figure: a periodic burst train):
  - T: attack period
  - l: length of burst
  - R: rate of burst
  - N: background noise
  - S: time shift

Slide 8. Low-rate DoS Traffic Pattern
The periodic burst may have different patterns:
- Step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM 03)
- Simple square wave (Kuzmanovic & Knightly, SIGCOMM 03)
- General peaks with background noise

Slide 9. Low-rate DoS Traffic Pattern
- Attack traffic does not necessarily arrive at the victim router in the same form in which it was sent.
- Attack traffic may differ from one period to the next, so T, l and R may vary.
- We need a "ROBUST" method that identifies all possible forms of the attack.

Slide 10. Low-rate DoS Traffic Pattern
- Multiple distributed attack sources:
  - Long-period combination
  - Small-burst combination

Slide 11. What is next? (outline recap; the next part is Distributed Dynamic Detection)

Slide 12. Dynamic Detection
- Overall idea of dynamic detection (figure)

Slide 13. Dynamic Detection
- Traffic signature detection:
  - Small average throughput => throughput-based IDS (X)
  - No signature in the packets => "per packet" approaches (X)
  - Extract the essential signature of the attack traffic (√)

Slide 14. Dynamic Detection
- Advantages of dynamic detection:
  - Push the detection of low-rate attacks as close as possible to the attack sources
  - Minimize the damage to other legitimate TCP flows

Slide 15. Algorithm of Detection
Four stages: sample the traffic, filter the noise, extract the signature, pattern match.
- Sample the traffic
  - Sample the throughput of the link interface at a constant rate (frequent enough, but without overburdening the system)
  - Each detection run uses a sequence of sampled throughput values (the sequence length must also be properly tuned)
  - Normalization is necessary
- Filter the noise
  - The background noise in the samples must be filtered out; background noise means UDP flows and other TCP flows that are less sensitive to the attack
  - For simplicity, a threshold filter can be used
- Extract the signature
  - Autocorrelation is used to extract the periodic signature of the input signal: a periodic input produces a characteristic pattern in its autocorrelation
  - Autocorrelation also masks differences in the time shift S
  - Unbiased normalization is used, with M the length of the input sequence and m the autocorrelation index (lag)
- Pattern match
  - The similarity between the template and the input is computed with Dynamic Time Warping (DTW); the detailed DTW algorithm is given in the paper
  - The smaller the DTW value, the more similar the two sequences are
  - DTW values cluster, so a threshold can be set to separate attack traffic from legitimate traffic
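The four stages above, as an added Python example that is not the authors' code: the input is normalized, passed through a threshold filter, reduced to its unbiased autocorrelation, and compared to the template's autocorrelation with DTW. The sequence length of 64 samples, 32 lags, the 0.3 noise threshold, the square-burst template and the two constructed traces (the attack trace is a shifted burst train with a slightly different period and a noise floor; the legitimate trace follows the C + Gaussian(0, N) model of slide 17) are all assumptions made for this illustration; the absolute DTW values therefore differ from the tables on slides 16 to 19, only the separation between the two classes is the point.

```python
import random

# Added example (not the authors' code): the four-stage detector of slide 15 run
# on constructed throughput samples. Sequence length, lag count, threshold level,
# template shape and the sample traces are assumptions made for this illustration.


def normalize(samples):
    """Stage 1 (after sampling): scale the throughput sequence so its peak is 1.0."""
    peak = max(samples)
    return [s / peak for s in samples] if peak > 0 else list(samples)


def threshold_filter(samples, level):
    """Stage 2: the simple threshold filter; samples below `level` count as background noise."""
    return [s if s >= level else 0.0 for s in samples]


def unbiased_autocorrelation(x, max_lag):
    """Stage 3: r(m) = 1/(M-m) * sum_{n=0}^{M-m-1} x(n) x(n+m), M = len(x), m = lag."""
    M = len(x)
    return [sum(x[n] * x[n + m] for n in range(M - m)) / (M - m)
            for m in range(max_lag)]


def dtw(a, b):
    """Stage 4: classic dynamic time warping distance with absolute-difference cost."""
    inf = float("inf")
    n, k = len(a), len(b)
    cost = [[inf] * (k + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, k + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][k]


def signature(samples, max_lag, noise_level=0.3):
    """Stages 1-3 chained: normalize, filter noise, take the autocorrelation."""
    filtered = threshold_filter(normalize(samples), noise_level)
    return unbiased_autocorrelation(filtered, max_lag)


def dtw_score(samples, template, max_lag=32):
    """DTW distance between the signatures of an input and of the attack template."""
    return dtw(signature(samples, max_lag), signature(template, max_lag))


def classify(samples, template, threshold):
    """Smaller DTW means more similar to the template: below the threshold is an attack."""
    return "attack" if dtw_score(samples, template) < threshold else "legitimate"


def square_burst(length, period, burst_len, rate, noise, shift=0):
    """Constructed burst train with the slide-7 parameters T=period, l=burst_len,
    R=rate, N=noise, S=shift."""
    return [noise + (rate if (n - shift) % period < burst_len else 0.0)
            for n in range(length)]


def gaussian_legit(length, mean, sigma, seed=7):
    """Constructed legitimate traffic: C + Gaussian(0, N), the model of slide 17."""
    rng = random.Random(seed)
    return [mean + rng.gauss(0.0, sigma) for _ in range(length)]


# Template: clean square burst. Attack trace: different period, shifted, with a noise
# floor. Legitimate trace: constant load plus Gaussian jitter. All constructed.
TEMPLATE = square_burst(64, period=16, burst_len=4, rate=1.0, noise=0.0)
ATTACK = square_burst(64, period=15, burst_len=4, rate=0.9, noise=0.1, shift=5)
LEGIT = gaussian_legit(64, mean=0.5, sigma=0.15)

if __name__ == "__main__":
    print("attack DTW     :", round(dtw_score(ATTACK, TEMPLATE), 3))
    print("legitimate DTW :", round(dtw_score(LEGIT, TEMPLATE), 3))
```

The attack trace scores close to zero even though its period, shift and rate differ from the template, because the unbiased autocorrelation removes the shift and DTW absorbs the period mismatch; the legitimate trace scores far higher because its autocorrelation is nearly flat where the template's has valleys. Choosing the operating threshold is the step slides 18 and 20 address with the measured DTW distributions.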

Slide 16. Robustness of Detection
- Attack traffic simulations:
  - 4 types of attack traffic: Strictly Periodic Square Burst (SPSB), Random Periodic Square Burst (RPSB), Strictly Periodic General Burst (SPGB), Random Periodic General Burst (RPGB)
  - T, l: uniformly distributed, subject to l/T <= 0.25
  - R: 1 (full bandwidth)
  - N, S: uniformly distributed
  - Around 3000 simulations per type
- DTW values for low-rate attack traffic:

          SPSB     RPSB     SPGB     RPGB
  Max     34.88    35.66    34.08    34.69
  Min     0        0.80     0.84     1.20
  Mean    10.68    9.63     10.89    10.48
  Stdv    7.83     6.86     6.77     5.26

Slide 17. Robustness of Detection
- DTW values of legitimate traffic:
  - Legitimate traffic composition (figure)
  - Legitimate traffic simulated with a Gaussian model: C + Gaussian(0, N)
  - More than 8000 simulations run
- DTW values for legitimate traffic (Gaussian): Max 286.53, Min 113.50, Mean 236.95, Stdv 43.10

Slide 18. Robustness of Detection
- Probability distribution of DTW values (figure):
  - Attack flows vs. legitimate (Gaussian) flows
  - A separation between them is expected

Slide 19. Robustness of Detection
- More accurate network traffic model (Ethernet traffic, WWW traffic):
  - Use the FARIMA model to generate self-similar traffic
  - Hurst parameter H in [0.75, 0.85]
  - More than 10,000 simulations run
- DTW values for legitimate traffic (self-similar): Max 238.16, Min 28.01, Mean 130.73, Stdv 51.44

Slide 20. Robustness of Detection
- Probability distribution of DTW values, self-similar case (figure):
  - Attack flows vs. self-similar flows
  - Small overlap (around 30)
- Detection errors on the simulated traces:

  False self-similar    141     Total self-similar    11000    False positive    1.28%
  False attack          378     Total attack          11492    False negative    3.54%

Slide 21. What is next? (outline recap; the next part is Low-rate Attack Defense Mechanism)

Slide 22. Defense Mechanism
- Router deployment:
  - Pushback detection
  - Pushback to the outermost deployed router (distributed attack)
- Resource management:
  - Deficit Round Robin (DRR)

Slide 23. Defense Mechanism: Deficit Round Robin (DRR)
- Algorithm:
  - Classify packets according to the input port [i]
  - deficit_counter[i] = 0 initially
  - In each round: deficit_counter[i] += Quantum[i]
  - While the head-of-queue packet's size <= deficit_counter[i]: serve the packet and set deficit_counter[i] -= packet's size
  - If there is no packet for port i, deficit_counter[i] = 0
- Worked example (figure: queues A, B, C; packet sizes shown 1500, 300, 600, 500, 2000, 1000; Quantum[i] = 1000 bytes):
  - 1st round: A's counter: 1000; B's counter: 200 (served twice); C's counter: 400
  - 2nd round: A's counter: 500 (served); B's counter: 0; C's counter: 800 (served)

Slide 24. Fairness Analysis of the DRR Algorithm: Definitions
- Backlogged: a port i is backlogged during an interval (t1, t2) of a DRR execution if the queue for port i is never empty during the interval.
- Flow share: we assume there is a quantity f_i that expresses the ideal share obtained by port i, with f_i = Quantum[i]/Quantum, where Quantum = Min(Quantum[i]).
- Sent packets: let sent_i(t1, t2) be the total number of bytes sent on output port i in the interval (t1, t2).
- Fairness measurement: let FM(t1, t2) be the maximum of (sent_i(t1, t2)/f_i - sent_j(t1, t2)/f_j) over all ports i, j that are backlogged in the interval (t1, t2).
- Now we can define a service discipline to be fair if FM(t1, t2) is bounded by a small constant.

Slide 25. Fairness Analysis of the DRR Algorithm: Lemmas
- Lemma 1: for any port i, during the execution of the DRR algorithm, deficit_counter[i] is within the range [0, Max) at the end of each round, where Max is the maximum size of all possible packets: 0 ≤ deficit_counter[i] < Max.
- Proof: initially deficit_counter[i] = 0. After queue i is serviced in each round:
  1) if there are packet(s) left in the queue for port i, then 0 ≤ deficit_counter[i] < Max;
  2) if no packets are left in the queue, deficit_counter[i] is reset to zero. ■

Slide 26. Fairness Analysis of the DRR Algorithm: Lemmas
- Lemma 2: during any period in which port i is backlogged, the number of bytes sent on behalf of port i is roughly equal to m × Quantum[i]; specifically, it is bounded as follows:
  m × Quantum[i] - Max ≤ sent_i(t1, t2) ≤ m × Quantum[i] + Max,
  where m is the number of round-robin service rounds received by port i during this interval.
- Proof: let deficit_counter[i][k] be the value of deficit_counter[i] at the end of round k of the DRR execution. Let bytes_i(k) be the bytes sent by port i in round k, and let sent_i(k) be the bytes sent by port i from round 1 through k. Thus sent_i(k) = Σ_{r=1}^{k} bytes_i(r).
  Obviously: bytes_i(k) + deficit_counter[i][k] = Quantum[i] + deficit_counter[i][k-1], i.e.
  bytes_i(k) = Quantum[i] + deficit_counter[i][k-1] - deficit_counter[i][k].
  Summing this equation over m rounds of servicing of port i, we have:
  sent_i(m) = m × Quantum[i] + deficit_counter[i][0] - deficit_counter[i][m].
  Since deficit_counter[i] is always non-negative and upper bounded by Max (Lemma 1), the result follows. ■

Slide 27. Fairness Analysis of the DRR Algorithm: Theorem
- Theorem 1: for an interval (t1, t2) in any execution of the DRR service discipline, FM(t1, t2) ≤ 2 × Max + Quantum, where Quantum = Min(Quantum[i]).
- Proof: let m be the number of DRR execution rounds given to port i in the interval (t1, t2), and let m' be the number of DRR execution rounds given to port j in the same interval. As each class is serviced in strict round-robin order, |m - m'| ≤ 1.
  From Lemma 2: sent_i(t1, t2) ≤ m × Quantum[i] + Max. Since the ideal share is f_i = Quantum[i]/Quantum, the normalized service received by port i is
  sent_i(t1, t2)/f_i ≤ m × Quantum + Max/f_i.   (1)
  Similarly, for port j:
  sent_j(t1, t2)/f_j ≥ m' × Quantum - Max/f_j.   (2)
  Thus: FM(t1, t2) = sent_i(t1, t2)/f_i - sent_j(t1, t2)/f_j ≤ (m - m') × Quantum + Max/f_i + Max/f_j ≤ Quantum + 2 × Max. ■

Slide 28. Analysis of the DRR Algorithm: Analytical Results
- Fairness: using Golestani's fairness definition, the difference in normalized bytes sent between ports within an interval (t1, t2) is bounded by a small constant.
- Implementation cost: DRR can be implemented with less work than other scheduling algorithms; in general, the processing cost of DRR is O(1) per packet.
- As a result, DRR provides not only a fair scheduling method but also a low implementation cost.

Slide 29. What is next? (outline recap; the next part is Fluid Model of TCP Flows)

Slide 30. Fluid Model of TCP Flows: Model of TCP on a Droptail Router
- In a congested droptail router:
  1. N TCP flows go through it
  2. Droptail queue at the output interface
- Dropping function (equation on slide): P: drop probability; x_i: length of queue i; Q_i: size of queue i
- Behavior of the queue length (equation on slide): C: capacity of the link

Slide 31. Fluid Model of TCP Flows: Model of TCP on a Droptail Router
- Throughput of TCP flow i (equation on slide): W_i(t): window size; R_i(t): round trip time
- Round trip time (equation on slide): a_i: propagation delay

Slide 32. Fluid Model of TCP Flows: Model of TCP on a Droptail Router
- Slow start / congestion avoidance (equation on slide): H_i: threshold
- Retransmission timeout (equation on slide): u(n) is a unit step function; q(W) denotes the probability that a loss is caused by a timeout
- Finally, the behavior of the TCP window size (equation on slide)
- Overview of TCP droptail scheduling: numerical result of differential equations (1)-(9) (figure)

Slide 33. Fluid Model of TCP Flows: Model of TCP on a DRR Router
- Modification based on the droptail model. A different queue management scheme may change:
  1. the behavior of the queue length
  2. the calculation of the round trip time
- Behavior of the queue length in DRR (equation on slide): τ_t: time length of each round
- Calculation of the round trip time (equation on slide)
- Fluid model of TCP on a DRR router: replace the corresponding two equations of the droptail model

Slide 34. Fluid Model of TCP Flows: Simulation of the TCP Fluid Model
- Attack with a single TCP flow (droptail router) (figure)
- Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, attack starts 2 s later

Slide 35. Fluid Model of TCP Flows: Simulation of the TCP Fluid Model
- Attack with a single TCP flow (DRR router) (figure)
- Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, Quantum = 1 kb, buffer size = 10 kb, attack starts 2 s later

Slide 36. Fluid Model of TCP Flows: Simulation of the TCP Fluid Model
- Attack with multiple TCP flows (droptail router) (figure)
- Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, attack starts 2 s later, propagation delays = 0.1 s, 0.2 s, 0.4 s and 0.8 s

Slide 37. Fluid Model of TCP Flows: Simulation of the TCP Fluid Model
- Attack with multiple TCP flows (DRR router) (figure)
- Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, Quantum = 1 kb, buffer size = 10 kb, attack starts 2 s later, propagation delays = 0.1 s, 0.2 s, 0.4 s and 0.8 s

Slide 38. What is next? (outline recap; the next part is Defence Experiments)

Slide 39. Experiment of Defense Mechanism
- Single TCP flow vs. single-source attacker:
  - Both go through the same router
  - Link capacity 5 Mb/s
- Throughput in Kbps (and % of link capacity):

                  Drop Tail                          DRR
  TCP variant     TCP               Attack           TCP               Attack
  Tahoe           224.37 (4.49%)    1016.52 (20.33%) 3402.07 (68.04%)  780.39 (15.61%)
  Reno            26.30 (0.53%)     1022.55 (20.45%) 946.87 (18.94%)   1014.97 (20.30%)
  NewReno         23.62 (0.47%)     1022.04 (20.44%) 3690.32 (73.81%)  913.39 (18.27%)

Slide 40. Experiment of Defense Mechanism
- Multiple TCP flows vs. single-source attacker:
  - Eight TCP flows
  - Single low-rate attacker
  - All go through the same router
  - Link capacity 5 Mb/s
- Throughput in Kbps (and % of link capacity):

             Drop Tail                 DRR
  Flow       Throughput   % of link    Throughput   % of link
  Attack     928.76       18.58%       343.09       6.86%
  TCP1       8.71         0.17%        965.91       19.32%
  TCP2       210.77       4.22%        645.79       12.92%
  TCP3       4.75         0.10%        629.15       12.58%
  TCP4       11.09        0.22%        618.05       12.36%
  TCP5       5.54         0.11%        468.3        9.37%
  TCP6       267.82       5.36%        356.57       7.13%
  TCP7       72.11        1.44%        293.97       5.88%
  TCP8       3.17         0.06%        194.93       3.90%
  TCP Sum    583.96       11.68%       4172.67      83.45%

Slide 41. Experiment of Defense Mechanism
- Network model of the attack vs. multiple TCP flows (figure):
  - 4 TCP flows
  - Single attacker
  - 7-router network
  - R1, R2, R4 and R6 may run DRR
  - Link capacity 5 Mb/s
- Throughput ρ (Kbps):

  Flow        Drop Tail   DRR on R6   DRR on R6,R4   DRR on R6,R4,R2   DRR on R6,R4,R2,R1
  Attack      640.00      561.00      453.00         419.00            404.00
  TCP1        386.00      358.00      311.00         314.00            778.00
  TCP2        264.00      329.00      282.00         874.00            763.00
  TCP3        324.00      251.00      1245.00        924.00            788.00
  TCP4        425.00      1719.00     1154.00        966.00            765.00
  Total TCP   1399.00     2657.00     2992.00        3078.00           3094.00

Slide 42. What is next? (outline recap; the next part is Related Work & Conclusion)

Slide 43. Related Work & Conclusion
- Related work:
  - Another solution to this attack: randomizing the RTO
    1. Intuitive solution
    2. Requires widespread updates of end-user software
    3. May reduce the performance of TCP
  - Reduction of Quality (RoQ) attack
    1. A general class of attacks exploiting the transients of adaptation
    2. Similar attack form
- Conclusions:
  - A formal model to describe the low-rate TCP attack
  - A distributed detection mechanism using Dynamic Time Warping
  - The pushback mechanism
  - The DRR approach for protection and isolation

Slide 44. Major References
- HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Defending Against Low-rate TCP Attack: Dynamic Detection and Protection." IEEE International Conference on Network Protocols (ICNP), Berlin, Germany, October 2004.
- HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Distributed Mechanism in Detecting and Defending Against Low-rate TCP Attack." Computer Networks Journal (Elsevier), July 2005.

Slide 45. Thank you for your attention! Q & A

