Presentation is loading. Please wait.

Presentation is loading. Please wait.

PIs: Sonia Fahmy Ness B. Shroff PhD Student: Roman Chertov

Published byTyrone Quinn Modified over 5 years ago

Similar presentations

Presentation on theme: "PIs: Sonia Fahmy Ness B. Shroff PhD Student: Roman Chertov"— Presentation transcript:

1 PIs: Sonia Fahmy Ness B. Shroff PhD Student: Roman Chertov
Emulation versus Simulation: A Case Study with DoS Attacks PIs: Sonia Fahmy Ness B. Shroff PhD Student: Roman Chertov Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University September 28th, 2005

2 Why? Simulators cannot execute real applications, and only approximate various appliances. Testbeds and especially emulation provides a convenient way to use real appliances and applications, but is constrained by the number of nodes, types of appliances, and difficulty in configuration/management/reproducibility. When to use each? How to compare and interpret results? The goal of EMIST is to develop rigorous testing methodologies, tools, and benchmarks for important classes of Internet attacks and defenses. It is crucial to understand the effectiveness of defense mechanisms on real networks. Results obtained on testbeds can be used to develop more accurate models. Refs: Kohler and Floyd, … others.

3 An Emulation Experiment
Create a topology via a topology generator or based on available data (e.g., RocketFuel). If applicable, create BGP/OSPF router configurations Create disk images on DETER with the desired tools Trigger actions at experimental nodes Repeat experiments with different parameters Collect data and analyze it by scripts, or interactively, e.g., in ESVT

4 Tools A key goal of the EMIST project is to conduct realistic experiments with Internet attacks and defenses. Large scale experiments on an emulation testbed require topology generation, extensive router configuration, and automated node control. Hence, it is important to create an infrastructure for fast experiment creation and automation, including complex BGP/OSPF scenarios.

5 Topology/Routing Tools
Many sources for AS-level topologies, e.g., RouteViews RocketFuel provides router-level topologies. For intra- domain links, it provides inferred OSPF weights However, no BGP policies; we infer/assign some of them by L. Gao’s inference algorithms OR: Create a topology with a topology generator, e.g., GT- ITM Assign ASes to router nodes Configure all border and non-border routers Students: David Bettis, Abdallah Kreishah, Pankaj Kumar

6 Available Tools Can be found at Scriptable Event System (SES): Allows using a script to repeat experiments while changing parameters As tasks can take arbitrary time to complete, an event completion callback is required Software link monitor Ref: EMIST/ISI technical notes Measurement and data integration tools, and other useful scripts

7 Scriptable Event System
A master server runs either on the main users account or on one of the test nodes. The communication between the master and the zombies is done via the control network which is free of experimental traffic. The server runs a script that determines the experiment. Start measurements and configure software Launch attack/benchmark Once the benchmark is complete, stop the attack Copy local measurement logs to a central location

8 Sample Event Script 0 node0 node2 node3 r1 r2 "./tmeas -f /usr/local/tmeas.out" 1 "pause" 0 node2 "/usr/bin/ttcp -r > /dev/null" 0 node0 node2 "rm /usr/local/dump.dmp" 0 node0 node2 r1 r2 "sh /proj/DDoSImpact/exp/bell/scripts/dump.sh" 5 node3 "./flood node1 -U -s10 -W D80000" 9 node0 "/usr/bin/ttcp -v -t node2 < /usr/local/f30m >/usr/local/ttcp.out!" 0 node0 node1 node2 node3 r1 r2 "stop" 0 node0 node2 r1 r2 "killall tcpdump" 0 node0 "cp /usr/local/dump.dmp /proj/DDoSImpact/exp/bell/data/dump.node0" 0 node2 "cp /usr/local/dump.dmp /proj/DDoSImpact/exp/bell/data/dump.node2" 0 node0 "cp /usr/local/ttcp.out /proj/DDoSImpact/exp/bell/data" 0 node0 "cp /usr/local/tmeas.out /proj/DDoSImpact/exp/bell/data/tmeas.out.node0" 0 node3 "cp /usr/local/tmeas.out /proj/DDoSImpact/exp/bell/data/tmeas.out.node3" 0 node1 "cp /usr/local/tmeas.out /proj/DDoSImpact/exp/bell/data/tmeas.out.node1"

9 Measurement and Integration
Measurement of systems statistics at different points in the network can yield an understanding of what events are occurring in the entire network A tool based on a 1 sec timer records CPU, PPSin, PPSout, BPSin, BPSout, RTO, Memory. The collected logs (plus routing logs) are aggregated and used to plot graphs via a collection of scripts Congestion Window is recorded on per connection basis by reading the system files. Alternatively, it can be estimated from tcpdump files using tcptrace The data can also be displayed by ESVT upon experiment completion, allowing easy graphical examination Future scripts will have an ability to correlate events between system measurements/ routing log files

10 Link Monitor An easy way to monitor links is to run tcpdump and drop counters on individual PCs Tcpdump requires additional CPU processing Drop counters are not always accurate as they depend on the driver accuracy A software solution similar to a delay node can be placed on a link between two nodes Two monitors can be used to find out what was dropped by comparing traffic in and traffic out High traffic volumes require the logger to be much faster than the test nodes Extensive tests have shown that the logger can keep up with 148 Kpps, but tcpdump cannot

11 TCP-Targeted Attacks Why? Easy to launch, damaging, and stealthy attack A. Kuzmanovic and E. W. Knightly. Low-rate targeted denial of service attacks. SIGCOMM 2003. H. Sun et al. Defending against low-rate TCP attacks: Dynamic detection and protection. ICNP 2004. M. Guirguis et al. Exploiting the transients of adaptation for RoQ attacks on Internet resources. ICNP 2004. Studied only via simulation and limited experiments Tricky as it strongly relies on timing Vary: Attacker, burst length l, sleep period T-l, pkt size, RTT, bfr size Objective: Understand attack effectiveness (damage versus effort) Compare emulation to simulation to analysis l l Rate T-l R Time

12 Experimental Scenario
Original TCP-targeted attacks are tuned to RTO frequency for near zero throughput Can exploit Additive Increase Multiplicative Decrease congestion avoidance of TCP without tuning period to RTO, and hence throttle TCP’s throughput at any predetermined level Simple dumbbell topology with single file transfer flow is easiest to interpret

13 Experimental Setup All nodes run a zombie process that connects to the master, thus forming our Scriptable Event System SES script informs the nodes to start measurements A file transfer and TCP-targeted attack are initiated When the file transfer is complete, the SES is informed and it stops the attack and instructs the nodes to copy the logs to a central location The same topology with similar events is simulated in ns-2 Besides using default OS routing, routing nodes on DETER were configured with the Click modular software router [Kohler et al., ACM TOCS 2000] Data from DETER, Emulab, and ns-2 is compared to a simple throughput degradation model

14 Throughput Degradation
Loss occurs during each pulse. Connection does not RTO. There is no packet loss during attack sleep periods. is the Cwnd growth during a sleep period time between two loss events

15 Analysis vs. Simulation
Simulation results are closest to the analysis when the attack pulse length is equal to the flow RTT.

16 Congestion Window The irregular peaks in this ns-2 Cwnd plot indicate that not every pulse of the attack causes Cwnd to get halved This causes ns-2’s average Cwnd to be higher than the one predicted by the analysis when buffer sizes are large or attack pulse length is shorter than the RTT

17 Forward Direction Analysis corresponds to ns-2 results when attack pulse length is greater or equal to TCP flow RTT and when buffer sizes are not too large Emulab results not too far from analysis and ns-2 DETER is not as significantly affected by the attack This is in the forward direction

18 Reverse Direction Since ns-2 does not model CPU/bus/devices, and opposing flows do not interfere at a router with output buffering, data for ns-2 is not shown for reverse direction (Cwnd has no cuts)

19 Emulation vs. Emulation
Attack on Emulab has weaker parameters (83 byte versus 2 byte payload) On Emulab routers are faster than on DETER (850 MHz versus 733 MHz) Attacking machine on Emulab is slower (600 MHz versus 733 MHz) One would expect the routers on DETER to be affected more

20 Emulab vs. DETER Emulab router experiences a much higher load than a DETER router Why?

21 Router Nodes To avoid slowdown in the Linux kernel, the machine can be configured to run SMP enabled Click modular router with polling drivers. Polling reduces CPU overhead by reducing interrupts. Bypassing the Linux protocol stack speeds up packet processing. It is important to configure network device buffers as well, since some of them may be quite large by default.

22 Results with Click The results indicate that device buffer size variation has a higher impact on the final results than Click buffers. It is important to understand device drivers so that accurate comparisons can be made.

23 Summary of Results An attack pulse length of one RTT is the most effective. Large queue sizes can effectively dampen the attack when the TCP flow has not reached its full transfer rate. Discrepancies between DETER and Emulab testbed results are attributed to differences in the underlying hardware and system software, especially device drivers and buses. Click experiments demonstrate the importance of device driver settings.

24 More Complex Benchmark

25 Throughput

26 Web Clients/Server

27 Attack Parameters vs. RTT
Better setup: delays, routing, simpler experiment. The following two graphs show a relation between RTT and the square attack. Clients with higher RTT seem to suffer more and a more susceptible to stealthier attacks which are less aggressive. 0.38 Mbps without an attack 0.75 Mbps without an attack Client with 63 ms RTT to the server

28 Short RTT 1.00 Mbps without an attack 1.40 Mbps without an attack
It can be observed that the slope is much steeper than in the previous experiment. This means that the attack parameters have to be more aggressive than previously to decrease throughput. 1.00 Mbps without an attack 1.40 Mbps without an attack Client with 12.6 ms RTT to the server

29 Conclusions TCP congestion control can be successfully exploited by a pulsating attack with a fraction of needed attack traffic when compared to a flooding attack; attack frequency need not be tuned to RTO With a single flow under attack, attack pulse must be longer or equal to RTT and buffer sizes must not exceed 100 packets; attack packet size also an important parameter Simulation and emulation can produce very different results for very similar experiments Same experiment on different emulation testbeds (or same testbed before and after hw/sw upgrades) can yield different results Same experiment on the same emulation testbed can yield different results depending on driver settings Such differences are important as they allow us to identify real vulnerabilities and fundamental limits. The Internet is an evolving, heterogeneous entity with protocol implementation errors and resource constraints, and not a modeling approximation in a simulator Need to study other scenarios with multiple flows and attackers, and different hw/sw routers with different buffer sizes

30 Other Work… What is the relationship between topology, routing, and attacks? Experiment scale down RouteViews/RocketFuel/policy inferenceDETER tools GT-ITMDETER tools Link virtualization More benchmarks Slides and movies on above topics are available

Download ppt "PIs: Sonia Fahmy Ness B. Shroff PhD Student: Roman Chertov"

Similar presentations

Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.

Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.
1 Sonia Fahmy Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University

1 Sonia Fahmy Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
Transparent Checkpoint of Closed Distributed Systems in Emulab Anton Burtsev, Prashanth Radhakrishnan, Mike Hibler, and Jay Lepreau University of Utah,

Transparent Checkpoint of Closed Distributed Systems in Emulab Anton Burtsev, Prashanth Radhakrishnan, Mike Hibler, and Jay Lepreau University of Utah,
1 Minseok Kwon and Sonia Fahmy Department of Computer Sciences Purdue University {kwonm, All our slides and papers.

1 Minseok Kwon and Sonia Fahmy Department of Computer Sciences Purdue University {kwonm, All our slides and papers.
1 PIs: Sonia Fahmy Ness B. Shroff PhD Student: Roman Chertov Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University.

1 PIs: Sonia Fahmy Ness B. Shroff PhD Student: Roman Chertov Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University.
1 Experiments and Tools for DDoS Attacks Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff Center for Education and Research in Information Assurance.

1 Experiments and Tools for DDoS Attacks Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff Center for Education and Research in Information Assurance.
ISCSI Performance in Integrated LAN/SAN Environment Li Yin U.C. Berkeley.

ISCSI Performance in Integrated LAN/SAN Environment Li Yin U.C. Berkeley.
Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.
1 Emulating AQM from End Hosts Presenters: Syed Zaidi Ivor Rodrigues.

1 Emulating AQM from End Hosts Presenters: Syed Zaidi Ivor Rodrigues.
1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.

1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.
The War Between Mice and Elephants By Liang Guo (Graduate Student) Ibrahim Matta (Professor) Boston University ICNP’2001 Presented By Preeti Phadnis.

The War Between Mice and Elephants By Liang Guo (Graduate Student) Ibrahim Matta (Professor) Boston University ICNP’2001 Presented By Preeti Phadnis.
Low-Rate TCP-Targeted Denial of Service Attacks Presenter: Juncao Li Authors: Aleksandar Kuzmanovic Edward W. Knightly.

Low-Rate TCP-Targeted Denial of Service Attacks Presenter: Juncao Li Authors: Aleksandar Kuzmanovic Edward W. Knightly.
Low-Rate TCP Denial of Service Defense Johnny Tsao Petros Efstathopoulos Tutor: Guang Yang UCLA 2003.

Low-Rate TCP Denial of Service Defense Johnny Tsao Petros Efstathopoulos Tutor: Guang Yang UCLA 2003.
Ns Simulation Final presentation Stella Pantofel 304026354 Igor Berman 313879942 Michael Halperin 317321982.

Ns Simulation Final presentation Stella Pantofel Igor Berman Michael Halperin
1 Sonia Fahmy, Roman Chertov, Ness B. Shroff, and a group of M.S. students Center for Education and Research in Information Assurance and Security (CERIAS)

1 Sonia Fahmy, Roman Chertov, Ness B. Shroff, and a group of M.S. students Center for Education and Research in Information Assurance and Security (CERIAS)
Redes Inalámbricas Máster Ingeniería de Computadores 2008/2009 Tema 7.- CASTADIVA PROJECT Performance Evaluation of a MANET architecture.

Redes Inalámbricas Máster Ingeniería de Computadores 2008/2009 Tema 7.- CASTADIVA PROJECT Performance Evaluation of a MANET architecture.
ICOM 6115: Computer Systems Performance Measurement and Evaluation August 11, 2006.

ICOM 6115: Computer Systems Performance Measurement and Evaluation August 11, 2006.
Architectures and Algorithms for Future Wireless Local Area Networks  1 Chapter12345678910 Architectures and Algorithms for Future Wireless Local Area.

Architectures and Algorithms for Future Wireless Local Area Networks  1 Chapter Architectures and Algorithms for Future Wireless Local Area.
EMIST DDoS Experimental Methodology Alefiya Hussain January 31, 2006.

EMIST DDoS Experimental Methodology Alefiya Hussain January 31, 2006.

Similar presentations

Ads by Google