Presentation is loading. Please wait.

Presentation is loading. Please wait.

Low-Rate TCP- Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants) Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Low-Rate TCP- Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants) Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03,"— Presentation transcript:

1 Low-Rate TCP- Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants) Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany Weizman YanivSpring 2007

2 Traditional DoS attacks Use high-rate transmission of packets (known as “sledge-hammer” approach) Lead to lack of resources Network bandwidth Server or router CPU cycles Server Interrupt processing capacity Specific protocol data structures (TCP…) Example DOS attacks TCP SYN attacks (TCP based) ICMP broadcast to a target host (IP based) DNS flood attacks (UDP based) Presents a statistical anomaly to network monitor Relatively easily detectable &,mitigated (using counter-DOS mechanisms)

3 Outline TCP congestion control protocol and timeout mechanism The shrew attack Simulation and internet experiments DoS detection mechanisms minRTO randomization

4 TCP congestion control protocol Using two timescales (Shorter vs. Longer) Round Trip Time (RTT) - 10’s-100’s msec Each flow transmit at the fair rate of its bottleneck link Use Additive-Increase Multiplicative Decrease (AIMD) control Retransmission timeout (RTO) – 1-N sec Used on severe congestion with multiple losses Exponential backoff phase. RTO doubles with each subsequent timeout Slow start mechanism Slow RTO time-scale mechanisms are a key source of vulnerability to low rate attacks

5 TCP timeout mechanism TCP Reno loss detection Timeout from non-receipt of ACKs Receipt of less than a triple-duplicate ACK RTO Low value vs. High value tradeoff Low value – spurious retransmission (ACKs are delayed, not lost) High value – late recover from congestion RTO = max(minRTO, SRTT + max(G,4*RTTVAR)) minRTO = 1 second (Allman and Paxton). SRTT - Smoothed Round-Trip Time RTTVAR - Round-Trip Time Variation G - Clock granularity (<= 100ms) R = RTT measurement For small-RTT flows, RTO is set constantly as minRTO

6 The shrew in the nature A small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite. In other words: “Katan Aval Mamzer…”

7 The Shrew attack strategy Attempts to deny bandwidth to TCP flows Uses Low average rate TCP targeted attacks Elude detection by counter-Dos mechanisms Detecting Shrews may have unacceptably many false alarms (due to legitimate bursty flows) Severity denial of service to legitimate users Exploit protocol homogeneity and determinism Protocols react in a pre-defined way Tradeoff of vulnerability vs. predictability Exploits the vulnerable TCP congestion control protocol

8 The Shrew Attack Periodic on-off “square-wave” induced outage pulse, highly synchronized to TCP RTO mechanism Burst rate, R, varies up to full link capacity C Burst length l ~RTT Inter burst period, T ~minRTO, is between two successive outages

9 The Shrew Attack (Cont.) Burst length induces multiple packet losses for a flow, forcing TCP switch from RTT time-scale into RTO time- scale All active flows (nearly) simultaneously enter RTO time-scale

10 The Shrew Attack (Cont.) When flows attempt to simultaneously exit timeout and enter slow-start Shrew pulses again and forces flows synchronously back into timeout state Outages at RTO scale imply low average rate Victim will be throttled to near-zero throughput

11 The model A single bottleneck queue driven by n long-lived TCP flows with heterogeneous RTT and a single DoS flow For any TCP flow in which (a) l >= RTT Congestion bursts lasts sufficiently long to force all TCP flows to simultaneously enter timeout (b) minRTO > SRTTi + 4*RTTVARi All TCP flows will have identical values of RTO and will thus timeout after minRTO seconds (ideal moment for an attack burst) The derived normalized throughput to link capacity (discarding slow- start phase) is given by Despite the heterogeneous RTTs, most TCP flows are forced to “synchronize” to the attacker and enter timeout (nearly) concurrently and attempt to recover at (nearly) the same time

12 Single TCP flow Simulation (vs. model) 1 TCP flow, C = 1.5 Mb/s, R = C, L=150 msec, minRTO = 1sec, 12ms<RTO<150ms Two “null frequencies” responses (minRTO/2 & minRTO) Analytical model accurately predicts degradation Differences between minRTO/2 to RTO due to TCP slow start mechanism (TCP not utilize full link capacity) When T > minRTO, TCP flow obtains increasingly higher throughput between RTO expirations & attack bursts

13 Single TCP flow Simulation (cont.) Average attack rate is given by (R*l)/T R Decreasing with T increasing Attack effectiveness is clearly NOT increasing with the attacker average rate

14 Shrew challenges Aggregation RTT heterogeneity DoS peak rate (R<C) Short-lived TCP flows (Web browsing) TCP variants Internet experiments Can Shrews be successful on the Internet?

15 Aggregation of homogenous RTTs flows 5 long-lived TCP flows, C = 1.5 Mb/s, C=L, l = 100 msec, minRTO = 1sec, 12ms<RTT<132ms Similar to one-flow, model fits for homogeneity aggregate RTO homogeneity introduces one vulnerable timescale One “null frequency” response In minRTO time, there are flows in which RTT>l Vulnerable due to Shrew-induced flow synchronization

16 RTT heterogeneity RTT-based Filtering 20 long-lived TCP flows, C = 10 Mb/s, C=L, l = 100ms, minRTO = 1sec, 20ms<RTT<460ms Shrews are high-RTT pass filters Service is denied to short-RTT flows (up to RTT=180ms) With No-DoS, shorter-RTT flows utilize more bandwidth Despite the excess capacity, longer-RTT flows do not manage to improve their throughput Depends on number of long-lived flows

17 RTT heterogeneity Shrew Peak Rate Since there is a background traffic (UDP, ACKs) attacker can lower its peak rate and still maintain effective attack 4 TCP flows (1 short-RTT, 3 long-RTT) Less-than-bottleneck bursts can damage short-RTT flows Very low rate periodic flows, operating at on of the null TCP timescales are highly problematic for TCP traffic Longer RTT flows play the role of background traffic

18 Short-lived TCP traffic as HTTP traffic Short-lived TCP flows, Randomly web sites, Each page has 10 objects, response time normalized, HTTP load is 50% Larger files (greater then 100 packets) are highly vulnerable Some flows benefit from the attack and decrease their response time Flow arrives into system between two attack outages and is able to transmit its entire file before next outage occurs

19 TCP variants Variants helps TCP flows survive multiple losses within single round trip time without incurring a retransmission timeout 4 attacks burst lengths (30, 50, 70, 90) For short attack bust, TCP Reno is the most fragile TCP is the most vulnerable in 1-1.2 sec time-scale region due to slow start Sufficient pulse width ensures timeout When burst length is severe enough => all TCP variants are equally fragile

20 Internet LAN/WAN experiments Intra-LAN C (victim) = 10Mb/s, R = C, l = 200ms, Two hops between DoS-A & TCP-S “Null frequency” at 1.2 sec Attacked TCP flow decreased from 6.6Mb/s to 780 Kb/s Inter-LAN 3 different LANs, C = 10Mb/s (victim),100Mb/s, R = 10Mb/s, l < 100ms, Two routers & Two switches between two traverses. “Null frequency” at 1.1 sec Attacked TCP flow decreased from 9.8Mb/s to 800 Kb/s WAN R = 10Mb/s, l = 100ms, 8 hops between DoS and TCP-R “Null frequency” at 1.1 sec Attacked TCP flow decreased from 9.8Mb/s to 1.2Mb/s Shrew attacks are efficient for both LAN & WAN

21 Detecting Shrews Router-Assisted Mechanisms Shrews have low average rate, yet send high-rate bursts on short time-scales 9 Aggregate TCP SACK flows In “null frequency” at 1.2 sec, shrew remains effective RED-PD Detects Shrews with unnecessarily high rate (T<0.5 sec) Reducing RED-PD measurement time scale results in excessive false positives RED - Random Early Detection Packets dropped with a probability dependent on the excess sending rate of the flow RED-PD – RED with Preferential Dropping mechanism Uses packet drop history to detect high-bandwidth flows with high confidence

22 Detecting Shrews End-point minRTO randomization Observe Shrews exploit protocol homogeneity and determinism Question Can minRTO randomization alleviate threat of Shrews? TCP flows’ approach Randomize the minRTO = uniform(a,b) The longest most vulnerable timescale (“null frequency”) becomes T = b

23 Detecting Shrews End-point minRTO randomization (cont.) Shrews’ counter approach Given flows randomize minRTO, the optimal Shrew pulses at time-scale T=b Wait for all flows to recover and then pulse again TCP throughput for T=b time-scale of the Shrew attack a small  spurious retransmissions b large  bad for short-lived (HTTP) traffic Randomizing the minRTO parameter shifts and smoothes TCP’s null time-scales Fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains

24 Conclusions Shrew principles Exploit slow-time-scale protocol homogeneity and determinism Real-world vulnerability to Shrew attacks Internet experiment: 87.8% throughput loss without detection Shrews are difficult to detect Low average rate and “TCP friendly” Cannot filter short bursts Fundamental mismatch of attack/defense timescales

25 Life conclusion Try to stay away from Shrews

26 Homework assignment 1. How does Shrew attack defer from traditional DoS attacks? 2. Shrew attacks are known as high-RTT pass filters. How they manage to do so? Can you consider an environment for using that capability? 3. Why shrew attacks are difficult to detect with existing counter-DoS mechanisms? What may be the risks of trying using bursts tuned detection? 4. For your opinion, does the underlying vulnerability is due to poor design of TCP timeout mechanism, or is it a consequence of other reason/s? Explain. E-mail: yanivwei@post.tau.ac.ilyanivwei@post.tau.ac.il

Download ppt "Low-Rate TCP- Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants) Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03,"

Similar presentations

Michele Pagano – A Survey on TCP Performance Evaluation and Modeling 1 Department of Information Engineering University of Pisa Network Telecomunication.

Michele Pagano – A Survey on TCP Performance Evaluation and Modeling 1 Department of Information Engineering University of Pisa Network Telecomunication.
Ph.D. Thesis Presentation Aleksandar Kuzmanovic Edge-based Inference, Control, and DoS Resilience for the Internet.

Ph.D. Thesis Presentation Aleksandar Kuzmanovic Edge-based Inference, Control, and DoS Resilience for the Internet.
Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew.

Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew.
TCP Congestion Control Dina Katabi & Sam Madden nms.csail.mit.edu/~dina 6.033, Spring 2014.

TCP Congestion Control Dina Katabi & Sam Madden nms.csail.mit.edu/~dina 6.033, Spring 2014.
1 End to End Bandwidth Estimation in TCP to improve Wireless Link Utilization S. Mascolo, A.Grieco, G.Pau, M.Gerla, C.Casetti Presented by Abhijit Pandey.

1 End to End Bandwidth Estimation in TCP to improve Wireless Link Utilization S. Mascolo, A.Grieco, G.Pau, M.Gerla, C.Casetti Presented by Abhijit Pandey.
Advanced Computer Networking Congestion Control for High Bandwidth-Delay Product Environments (XCP Algorithm) 1.

Advanced Computer Networking Congestion Control for High Bandwidth-Delay Product Environments (XCP Algorithm) 1.
The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)

The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)
© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating.

© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating.
School of Information Technologies TCP Congestion Control NETS3303/3603 Week 9.

School of Information Technologies TCP Congestion Control NETS3303/3603 Week 9.
Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.

Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.
1 Equation-Based Congestion Control for Unicast Applications Sally Floyd, Mark Handley, Jitendra Padhye & Jorg Widmer August 2000, ACM SIGCOMM Computer.

1 Equation-Based Congestion Control for Unicast Applications Sally Floyd, Mark Handley, Jitendra Padhye & Jorg Widmer August 2000, ACM SIGCOMM Computer.
Rice Networks Group Ph.D. Thesis Proposal Aleksandar Kuzmanovic Edge-based Inference and Control in the Internet.

Rice Networks Group Ph.D. Thesis Proposal Aleksandar Kuzmanovic Edge-based Inference and Control in the Internet.
Presented by Prasanth Kalakota & Ravi Katpelly

Presented by Prasanth Kalakota & Ravi Katpelly
High speed TCP’s. Why high-speed TCP? Suppose that the bottleneck bandwidth is 10Gbps and RTT = 200ms. Bandwidth delay product is 166666 packets (1500.

High speed TCP’s. Why high-speed TCP? Suppose that the bottleneck bandwidth is 10Gbps and RTT = 200ms. Bandwidth delay product is packets (1500.
Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.

Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.
Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.
1 TCP-LP: A Distributed Algorithm for Low Priority Data Transfer Aleksandar Kuzmanovic, Edward W. Knightly Department of Electrical and Computer Engineering.

1 TCP-LP: A Distributed Algorithm for Low Priority Data Transfer Aleksandar Kuzmanovic, Edward W. Knightly Department of Electrical and Computer Engineering.
1 Emulating AQM from End Hosts Presenters: Syed Zaidi Ivor Rodrigues.

1 Emulating AQM from End Hosts Presenters: Syed Zaidi Ivor Rodrigues.
Data Communication and Networks

Data Communication and Networks

Similar presentations

Ads by Google