1 Sonia Fahmy, Roman Chertov, Ness B. Shroff, and a group of M.S. students Center for Education and Research in Information Assurance and Security (CERIAS)

Presentation transcript:

1 Experiments with DETER, Emulab, WAIL, and ns-2: A case study with TCP-targeted DoS attacks + Topology generation tools
Sonia Fahmy, Roman Chertov, Ness B. Shroff, and a group of M.S. students
Center for Education and Research in Information Assurance and Security (CERIAS) and Department of Computer Science, Purdue University
February 1st, 2006

2 Emulation
- High fidelity/scalability is a key tradeoff.
- Simulators cannot execute real applications/system software, and only approximate various appliances.
- Emulation provides a convenient way to use real appliances and systems, but is constrained by the number of nodes, types of appliances, and difficulty in configuration/management/reproducibility.
- When to use each? How to compare and interpret results?
- One goal of DETER/EMIST is to develop rigorous testing methodologies, tools, and benchmarks for important classes of Internet attacks and defenses.
- It is crucial to understand the effectiveness of defense mechanisms on realistic networks.
- Results obtained on testbeds can be used to develop more accurate analytical, simulation, and emulation models.
- Refs: Kohler and Floyd, … others.

3 Tools
Large-scale experiments on an emulation testbed require (i) topology generation, (ii) extensive router configuration, (iii) automated node control with synchronization, and (iv) support for sensitivity analysis. Hence, it is important to create an infrastructure for fast experiment creation and automation, including complex BGP/OSPF scenarios.

4 Topology/Routing Tools
- Many sources for AS-level topologies, e.g., RouteViews; RocketFuel/traceroute provide router-level topologies.
- For intra-domain links, RocketFuel provides inferred OSPF weights. However, there are no BGP policies; we infer/assign some of them using L. Gao's inference algorithms.
- OR: Create a topology with a topology generator, e.g., GT-ITM.
- Assign ASes to router nodes.
- Configure all border and non-border routers.
- Working on RocketFuel, policy inference, testing, documentation.

5 Other Available Tools
Can be found at
- Scriptable Event System (SES): Allows using a script to repeat experiments while changing parameters. As tasks can take arbitrary time to complete, an event completion callback is required.
- Software link monitor. Ref: EMIST/ISI technical notes.
- Measurement and data integration tools, and other useful scripts. The data can also be displayed by ESVT upon experiment completion, allowing easy graphical examination.

6 TCP-Targeted Attacks
- Why? Easy to launch, stealthy, and potentially damaging attack.
  - A. Kuzmanovic and E. W. Knightly. Low-rate targeted denial of service attacks. SIGCOMM.
  - H. Sun et al. Defending against low-rate TCP attacks: Dynamic detection and protection. ICNP.
  - M. Guirguis et al. Exploiting the transients of adaptation for RoQ attacks on Internet resources. ICNP.
- Studied only via simulation and limited experiments.
- Tricky as it strongly relies on timing (phase effects).
- Vary: attacker, burst length l, sleep period T-l, packet size, RTT, buffer size.
- Objective:
  - Understand attack effectiveness (damage versus effort).
  - Qualitatively compare emulation to simulation to analysis.
[Figure: attack pulse train; axes are Time and Rate R, with burst length l and sleep period T-l]

7 Experimental Scenario
- Original TCP-targeted attacks are tuned to the RTO frequency for near-zero throughput.
- Can exploit the Additive Increase Multiplicative Decrease congestion avoidance of TCP without tuning the period to the RTO, and hence throttle TCP's throughput at any predetermined level.
- A simple dumbbell topology with a single file transfer flow is easiest to interpret and is the worst case (most demanding for the attacker).

8 Experimental Setup
- Data from DETER, Emulab, WAIL, and ns-2 is compared to a simple throughput degradation analytical model.
- Besides using default OS routing, routing nodes on DETER were configured with the Click modular software router [Kohler et al., ACM TOCS 2000].

9 Analytical Model
- Loss occurs during each pulse. The connection does not RTO. There is no packet loss during attack sleep periods.
- Throughput degradation is modeled as the Cwnd growth during a sleep period over the time between two loss events.

10 Analysis vs. Simulation
- Simulation results are closest to the analysis when the attack pulse length is equal to the flow RTT.
- Non-monotonic increase amplified by phase effects. Adding randomization helps.
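As an added worked example of the damage-versus-effort analysis on slides 6 to 10 (my code, not the slides' analytical model or the ns-2/DETER scripts): a discrete AIMD model of one TCP flow hit by a pulse train, next to the closed-form sawtooth estimate, so the "pulse length equals RTT" agreement and the phase sensitivity can be reproduced offline. The Scenario container, the function names and the scenario values are mine and constructed; the model assumes exactly one loss per pulse, no RTO and no loss during sleep periods, as slide 9 states.

```python
"""Discrete AIMD model of one TCP flow under a periodic pulse attack.
Added example, not the slides' analysis or their ns-2/DETER scripts.
Assumptions (mine, following slide 9): one loss event per pulse, no RTO,
no loss in sleep periods, cwnd grows one segment per RTT. Times are
integer milliseconds so pulse/RTT alignment (phase) is exact."""
from dataclasses import dataclass

@dataclass
class Scenario:        # hypothetical container, not a DETER/ns-2 object
    rtt_ms: int        # flow RTT
    period_ms: int     # attack period T
    burst_ms: int      # burst length l (sleep period is T - l)
    cap_pkts: float    # pipe capacity in packets per RTT (BDP + buffer)

def simulate_rtt_avg(s: Scenario, phase_ms: int = 0, rounds: int = 4000) -> float:
    """Average packets sent per RTT over the second half of the run (warm-up
    excluded). One round = one RTT. Pulse k covers [phase+k*T, phase+k*T+l);
    the first round it overlaps halves cwnd once (multiplicative decrease),
    any other round adds one segment, clipped at the pipe (additive increase)."""
    cwnd, k, sent = 1.0, 0, 0.0
    warmup = rounds // 2
    for r in range(rounds):
        start, end = r * s.rtt_ms, (r + 1) * s.rtt_ms
        # drop pulses that ended before this round began (possible when T < RTT)
        while phase_ms + k * s.period_ms + s.burst_ms <= start:
            k += 1
        if phase_ms + k * s.period_ms < end:   # pulse overlaps this round
            cwnd = max(1.0, cwnd / 2.0)
            k += 1
        else:
            cwnd = min(cwnd + 1.0, s.cap_pkts)
        if r >= warmup:
            sent += min(cwnd, s.cap_pkts)
    return sent / (rounds - warmup)

def degradation(s: Scenario, phase_ms: int = 0) -> float:
    """Fraction of the unattacked rate (cap_pkts per RTT) removed by the attack."""
    return 1.0 - simulate_rtt_avg(s, phase_ms) / s.cap_pkts

def analysis_avg_cwnd(s: Scenario) -> float:
    """Sawtooth closed form: cwnd grows g = (T-l)/RTT segments per sleep period
    and is halved once per pulse, so it swings between g and 2g (mean 1.5g).
    Exact in this model only when l == RTT and 2g <= cap_pkts."""
    g = (s.period_ms - s.burst_ms) / s.rtt_ms
    return min(1.5 * g, s.cap_pkts)

# constructed scenarios: pulse length equal to the RTT vs. a shorter pulse
PULSE_EQ_RTT = Scenario(rtt_ms=100, period_ms=1000, burst_ms=100, cap_pkts=1000.0)
SHORT_PULSE = Scenario(rtt_ms=100, period_ms=250, burst_ms=50, cap_pkts=1000.0)
```

With PULSE_EQ_RTT the simulation and the sawtooth estimate agree exactly (13.5 packets per RTT, a 10% duty cycle costing the flow almost 99% of a 1000-packet pipe); with SHORT_PULSE the estimate overshoots the simulation, which is the slide 10 discrepancy for pulses shorter than the RTT.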

11 Forward Direction
- Analysis corresponds to ns-2 results when the attack pulse length is greater than or equal to the TCP flow RTT and when buffer sizes are not too large.
- DETER is not as affected by the attack: Why? Bus, NIC, software, settings?
- Experiments with WAIL show that PC routers outperform Cisco 3600s depending on settings (consistent with results reported by several companies).
- Such differences are important as they allow us to identify real vulnerabilities and fundamental limits.
- The Internet is an evolving, heterogeneous entity with implementation errors and resource constraints, and not an approximation in a simulator.

12 Reverse Direction
- Since ns-2 does not model CPU/bus/devices, and opposing flows do not interfere there, data for ns-2 is not shown for the reverse direction (Cwnd has no cuts).

13 Router Nodes
- To avoid slowdown in the Linux kernel, the machine can be configured to run the SMP-enabled Click modular router with polling drivers. Polling reduces CPU overhead by reducing interrupts. Bypassing the Linux protocol stack speeds up packet processing. It is important to carefully select and configure delay nodes to ensure no drops.
- It is important to configure network device buffers in addition to Click buffers, since default values are unreliable.

14 Results with Click
- The results indicate that device buffer size variation has a higher impact on the final results than Click buffers.
- It is important to understand device drivers so that accurate comparisons with real routers can be made.
- Differences between different routers need to be modeled!

15 Challenges with WAIL
- Original topologies give access to 2 ports of each router; new topologies were created for us.
- Heterogeneity of link speeds; cannot repeat identical experiments with different routers.
- Configuration/reconfiguration issues.
- Proprietary architectural details: HOL blocking?
- Preliminary results: Interesting differences due to TCP versus UDP attacker; impact of attack packet size.
- Can we use Click and device driver options as well as relative node capabilities to quickly and approximately emulate DDoS scenarios with popular routers on the Internet today, e.g., Cisco 3600s, 7000s, 12000s, Junipers, … etc.?

16 Summary of Results
- An attack pulse length of one RTT is the most effective while still being stealthy.
- Large queue sizes can effectively dampen the attack when the TCP flow has not reached its full transfer rate.
- Results are sensitive to attack and scenario parameters.
- Differences between DETER, WAIL, and Emulab testbed results with similar configurations and identical scripts are attributed to differences in the underlying hardware and system software, especially NICs, device drivers, and buses.
- Click experiments demonstrate the importance of device driver settings.

17 Ongoing/Planned Work
- Measurement-driven models of routers for higher fidelity.
- RocketFuel/RouteViews/policy/traceroute -> DETER tools.
- GT-ITM -> DETER tools with link virtualization.
- What is the relationship between topology, routing, and attacks?
- More benchmarks; synergies with other projects.
- Methodology document, especially regarding (i) fidelity and (ii) topology generation.
- New recorded demos for topology/routing tools.