Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating.

Published byPhilippa Abigayle McDowell Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating."— Presentation transcript:

1 © 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating Low-Rate TCP-targeted Attack Chia-Wei Chang, Seungjoon Lee, Bill Lin, Jia Wang

2 Shrew Attack [Kuzmanovic03] TCP-targeted low-rate denial-of-service attack Exploits TCP’s retransmission timeout Periodic burst (with period T) synchronized with TCP minRTO – R: large enough to cause packet drops – L: long enough to induce timeouts Victims experience repeated loss of retransmissions Near-zero throughput Shrew attack TCP victim 2

3 Related Work BGP (Border Gateway Protocol) runs on top of TCP Shrew attack can cause BGP session close [Zhang07] Potentially can disrupt Internet routing Detection/Mitigation Schemes Active Queue Management, randomize minRTO Insufficient to fully mitigate attack Previous schemes to identify attack flows Periodic pattern monitoring, auto-correlation analysis, wavelet- based approach, frequency domain spectrum analysis Prohibitive to realize in high-speed networks 3

4 Outline SAP (Shrew Attack Protection) Design Overview Deployment Consideration Testbed Experiments Simulation Experiments 4

5 Shrew Attack Protection Priority-based filtering mechanism Identifies victims and prioritizes their flows – Can help external systems identify attack flows Router monitors drop rate for each potential “victim” – Low drop rate: Packets are treated normal (i.e., low priority) – High drop rate: Packets are tagged high priority, and preferentially admitted to output queue Protects victims from losing consecutive packets 5

6 SAP Components Drop Rate Collector Continuously monitors instantaneous per-aggregate drop rate – Counters for arrivals and drops for each potential victim – For the current time interval and recent history (e.g., total of 10 time intervals) Fair Drop Rate Controller P avg : Average drop rate for all monitored aggregates P fair = max(P avg, P min ) – No intervention if drop rate is under a threshold Differential Tagging & Preferential Drop Packets are tagged high-priority if instantaneous drop rate is beyond P fair – Relatively short sequence of losses can trigger differential tagging – E.g., P fair = 5%, and 9 successful transmissions and one drop Preferential dropping is implemented in modern routers (e.g., WRED) 6

7 SAP Maintains Statistics for Aggregates Maintaining per-flow statistics for all flows is typically infeasible SAP uses application-level aggregates E.g., destination port Maintaining aggregate-level information is feasible in hardware E.g., 65536 TCP ports 20 counters * 4 bytes * 60K aggregates ~ 5MB of SRAM 7

8 Discussions Different flows can be treated as a single aggregate Attacker may use protected TCP port Shrew attack may use protected TCP port Malicious flow may intentionally cause packet drops and trigger elevated priority SAP still prevents session close and improves victim’s throughput SAP can help external systems narrow down attack flows Different aggregates may vary in the number of flows SAP preserves per-flow throughput 8

9 Experiment Setup Simulation Study using FTP, HTTP, BGP flows ns-2 simulator augmented with SAP Validation using real router testbed 1 Juniper router, 2 Ethernet switches, 3 PCs BGP flow only (using Zebra and real BGP trace) SimulationTestbed 9

10 Simulation vs. Testbed T = 1sec, L = 0.3sec, R = 15, 18, 20Mbps Packet drop rates are highly close Juniper Testbedns-2 simulation Attack rateBGPAttack flowBGPAttack flow 15 Mbps17.4%33.1%18.1%35.0% 18 Mbps28.1%45.2%28.3%44.8% 20 Mbps28.2%50.3%29.0%49.8% 10

11 Simulation: Throughput and Drop Rate R = 15Mbps, T = 1sec, L = 0.3sec RED is not enough to mitigate Shrew attack BGP session is closed Throughput (in Kbps)Drop Rate (in %) FTPHTTPBGPAttackFTPHTTPBGPAttack No-attack499649954.5-0.2 5.8- RED Attack ~0 3462~100 22.7 SAP Un- protected Port Protected Port HTTP 11

12 Simulation: Throughput and Drop Rate SAP protects legitimate TCP flows from losing multiple packets Thus, enables high throughput in the presence of attack Throughput (in Kbps)Drop Rate (in %) FTPHTTPBGPAttackFTPHTTPBGPAttack No-attack499649954.5-0.2 5.8- RED Attack ~0 3462~100 22.7 SAP Un- protected Port 397538705.417843.0 6.157.0 Protected Port HTTP 12

13 Simulation: Throughput and Drop Rate Shrew attack using protected port is more effective against SAP – P avg becomes higher due to attack flow Still, SAP keeps all TCP sessions alive – SAP prevents consecutive packet drops Throughput (in Kbps)Drop Rate (in %) FTPHTTPBGPAttackFTPHTTPBGPAttack No-attack499649954.5-0.2 5.8- RED Attack ~0 3462~100 22.7 SAP Un- protected Port 397538705.417843.0 6.157.0 Protected Port 83761.834108.99.12223 HTTP 13

14 Simulation: Throughput and Drop Rate HTTP flows get higher throughput when Shrew attack uses HTTP SAP keeps all sessions alive Throughput (in Kbps)Drop Rate (in %) FTPHTTPBGPAttackFTPHTTPBGPAttack No-attack499649954.5-0.2 5.8- RED Attack ~0 3462~100 22.7 SAP Un- protected Port 397538705.417843.0 6.157.0 Protected Port 83761.834108.99.12223 HTTP 7517601.732819.01.12228 14

15 Conclusions SAP (Shrew Attack Protection) Simple counter-based filtering mechanism – Priority-tagging and preferential drop Uses application-level aggregates, not per-flow statistics – Implementable using today’s hardware Identifies and protects victims – Can help identify attack flows Mitigates Shrew attack in various attack scenarios 15

Download ppt "© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating."

Similar presentations

When TCP Friendliness Becomes Harmful Amit Mondal Aleksandar Kuzmanovic Northwestern University

When TCP Friendliness Becomes Harmful Amit Mondal Aleksandar Kuzmanovic Northwestern University
Using Edge-To-Edge Feedback Control to Make Assured Service More Assured in DiffServ Networks K.R.R.Kumar, A.L.Ananda, Lillykutty Jacob Centre for Internet.

Using Edge-To-Edge Feedback Control to Make Assured Service More Assured in DiffServ Networks K.R.R.Kumar, A.L.Ananda, Lillykutty Jacob Centre for Internet.
WHITE – Achieving Fair Bandwidth Allocation with Priority Dropping Based on Round Trip Time Name : Choong-Soo Lee Advisors : Mark Claypool, Robert Kinicki.

WHITE – Achieving Fair Bandwidth Allocation with Priority Dropping Based on Round Trip Time Name : Choong-Soo Lee Advisors : Mark Claypool, Robert Kinicki.
CSIT560 Internet Infrastructure: Switches and Routers Active Queue Management Presented By: Gary Po, Henry Hui and Kenny Chong.

CSIT560 Internet Infrastructure: Switches and Routers Active Queue Management Presented By: Gary Po, Henry Hui and Kenny Chong.
Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew.

Rice Networks Group Aleksandar Kuzmanovic Edward W. Knightly Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew.
 Liang Guo  Ibrahim Matta  Computer Science Department  Boston University  Presented by:  Chris Gianfrancesco and Rick Skowyra.

 Liang Guo  Ibrahim Matta  Computer Science Department  Boston University  Presented by:  Chris Gianfrancesco and Rick Skowyra.
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
CS 268: Lecture 8 Router Support for Congestion Control Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

CS 268: Lecture 8 Router Support for Congestion Control Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Network and Protocol Mechanisms: How well do they collaborate? Ageliki Tsioliaridou.

Network and Protocol Mechanisms: How well do they collaborate? Ageliki Tsioliaridou.
Selfish Behavior and Stability of the Internet: A Game-Theoretic Analysis of TCP Presented by Shariq Rizvi CS 294-4: Peer-to-Peer Systems.

Selfish Behavior and Stability of the Internet: A Game-Theoretic Analysis of TCP Presented by Shariq Rizvi CS 294-4: Peer-to-Peer Systems.
The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)

The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Prof. John C.S. Lui CSE Dept. CUHK.

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Prof. John C.S. Lui CSE Dept. CUHK.
ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Minimizing Collateral Damage by Proactive Surge Protection Jerry Chou, Bill Lin University of.

ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Minimizing Collateral Damage by Proactive Surge Protection Jerry Chou, Bill Lin University of.
The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP 2001 1.

The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP
1 Minseok Kwon and Sonia Fahmy Department of Computer Sciences Purdue University {kwonm, All our slides and papers.

1 Minseok Kwon and Sonia Fahmy Department of Computer Sciences Purdue University {kwonm, All our slides and papers.
Explicit Congestion Notification ECN Tilo Hamann Technical University Hamburg-Harburg, Germany.

Explicit Congestion Notification ECN Tilo Hamann Technical University Hamburg-Harburg, Germany.
AQM for Congestion Control1 A Study of Active Queue Management for Congestion Control Victor Firoiu Marty Borden.

AQM for Congestion Control1 A Study of Active Queue Management for Congestion Control Victor Firoiu Marty Borden.
Presented by Prasanth Kalakota & Ravi Katpelly

Presented by Prasanth Kalakota & Ravi Katpelly
ISCSI Performance in Integrated LAN/SAN Environment Li Yin U.C. Berkeley.

ISCSI Performance in Integrated LAN/SAN Environment Li Yin U.C. Berkeley.
Traffic Sensitive Active Queue Management - Mark Claypool, Robert Kinicki, Abhishek Kumar Dept. of Computer Science Worcester Polytechnic Institute Presenter.

Traffic Sensitive Active Queue Management - Mark Claypool, Robert Kinicki, Abhishek Kumar Dept. of Computer Science Worcester Polytechnic Institute Presenter.

Similar presentations

Ads by Google