Defending Against Low-rate TCP Attack: Dynamic Detection and Protection
Haibin Sun, John C.S. Lui (CSE Dept., CUHK); David K.Y. Yau (CS Dept., Purdue U.)



2 Outline
- Introduction to the Low-rate TCP Attack
- Formal Description of Low-rate TCP Attack
- Distributed Detection
- Defense Mechanism
- Conclusion

3 Introduction to the Low-rate TCP Attack
Common DoS attack:
- Consumes resources (bandwidth, buffers, etc.)
- Keeps legitimate users away from the service
- A large number of machines or agents are involved
- Harmful, but relatively easy to detect
Low-rate DoS attack:
- Aims to deny bandwidth to legitimate TCP flows
- The attacker sends the attack stream at low volume
- Exploits the TCP congestion control feature
- The attacker sends a periodic short burst to the victim/router

4 TCP Retransmission Mechanism
TCP congestion control under severe network congestion:
- Wait until the retransmission timeout (RTO)
- Reduce the congestion window, double the RTO, and retransmit the packet
- If the retransmission succeeds, enter the slow start phase; otherwise, back off exponentially again
Calculation of RTO (RFC 2988):
- RTO = max(minRTO, SRTT + max(G, 4 * RTTVAR))
- Usually RTO = minRTO during slow start
- minRTO = 1 second (recommended in RFC 2988)

5 Low-rate DoS Attack on a TCP Flow
An example of a low-rate DoS attack:
- A sufficiently large attack burst causes packet loss at the congested router
- TCP times out and retransmits after the RTO
- When the attack period equals the RTO of the TCP flow, TCP continually incurs loss and achieves zero or very low throughput
- Avg BW = lR/T (the average rate of a burst stream with period T, burst length l, and burst rate R)
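The RTO computation of slide 4 and the doubling back-off of slide 5, as an added Python example (not code from the slides or the paper). It shows why the RTO of an ordinary path collapses to minRTO = 1 s, which is what makes the burst period of the attack predictable; the granularity G = 0.1 s and the RTT samples are assumptions.

```python
ALPHA, BETA = 1 / 8, 1 / 4   # RFC 2988 smoothing gains for SRTT and RTTVAR
MIN_RTO, G = 1.0, 0.1        # minRTO (1 s, slide 4) and clock granularity in seconds (assumed)

def rfc2988_rto(rtt_samples, min_rto=MIN_RTO, granularity=G):
    """Feed RTT samples (seconds) through the RFC 2988 estimator and return
    (SRTT, RTTVAR, RTO) with RTO = max(minRTO, SRTT + max(G, 4 * RTTVAR))."""
    srtt = rttvar = None
    for r in rtt_samples:
        if srtt is None:                     # first measurement: SRTT = R, RTTVAR = R/2
            srtt, rttvar = r, r / 2
        else:                                # RFC 2988 updates RTTVAR before SRTT
            rttvar = (1 - BETA) * rttvar + BETA * abs(srtt - r)
            srtt = (1 - ALPHA) * srtt + ALPHA * r
    rto = max(min_rto, srtt + max(granularity, 4 * rttvar))
    return srtt, rttvar, rto

def retransmit_times(rto, lost_retransmissions):
    """Times (seconds after the first loss) of successive retransmissions when
    the first `lost_retransmissions` retransmissions are also lost: the RTO
    doubles after every failure (slide 4)."""
    times, t, cur = [], 0.0, rto
    for _ in range(lost_retransmissions + 1):
        t += cur
        times.append(t)
        cur *= 2
    return times

def is_pinned_at_min_rto(rtt_samples, min_rto=MIN_RTO):
    """True when the path RTT is small enough that RTO == minRTO, so the
    timeout (and the burst period T of slide 5 that matches it) is 1 s."""
    return rfc2988_rto(rtt_samples, min_rto)[2] == min_rto

if __name__ == "__main__":
    print(rfc2988_rto([0.05, 0.06, 0.04, 0.05]))   # sub-second RTT: RTO pinned at 1.0
    print(rfc2988_rto([0.5, 0.6]))                 # long RTT: RTO above minRTO
    print(retransmit_times(1.0, 3))                # 1, 3, 7, 15 s after the loss
```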

6 What is next? Introduction to the Low-rate TCP Attack; Formal Description of Low-rate TCP Attack; Distributed Detection; Defense Mechanism; Conclusion

7 Formal Description
Mathematical description of the attack stream (figure):
- T: attack period
- l: length of attack burst
- R: rate of attack burst
- N: background noise
- S: time shift

8 Low-rate DoS Traffic Pattern
The periodic burst may have different patterns:
- Step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM 03)
- Simple square wave (Kuzmanovic & Knightly, SIGCOMM 03)
- General peaks with background noise
The attack traffic is unlikely to keep its original shape by the time it reaches the victim router. The traffic may also differ from one period to the next, so T, l, and R may vary. We need a ROBUST method to identify the attack.

9 Low-rate DoS Traffic Pattern
Multiple distributed attack sources:
- Long-period combination
- Small-burst combination

10 What is next? Introduction to the Low-rate TCP Attack; Formal Description of Low-rate TCP Attack; Distributed Detection; Defense Mechanism; Conclusion

11 Distributed Detection: overall idea of distributed detection (figure)

12 Distributed Detection: traffic signature detection
- Small average throughput => a throughput-based IDS does not work (X)
- No signature in the packets => "per packet" approaches do not work (X)
- Extract the essential signature of the attack traffic (√)

13 Algorithm of Detection
Sample the traffic:
- Sample the recent instantaneous throughput at a constant rate (frequent enough, but without overburdening the system)
- Each detection run uses a sequence of instantaneous throughput samples (the sequence length should also be properly adjusted)
- Normalization is necessary
Filter the noise:
- The background noise in the samples needs to be filtered
- Background noise: UDP flows and other TCP flows that are less sensitive to the attack
- For simplicity, a threshold filter can be used
Extract the signature:
- Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input gives a special pattern in its autocorrelation (autocorrelation also masks differences in the time shift S)
- Unbiased normalization, with M the length of the input sequence and m the index of the autocorrelation
Pattern match:
- The similarity between the template and the input should be calculated; we use Dynamic Time Warping (DTW) (the detailed DTW algorithm is provided in the paper)
- The smaller the DTW value, the more similar they are
- DTW values will be clustered; a threshold can be set to distinguish them
Demo in Matlab (figure)
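The detection pipeline of slides 12 and 13 (sample, threshold filter, unbiased autocorrelation, DTW against a template) and the square-wave stream of slides 7 and 8, as an added Python example rather than the authors' Matlab demo. The template (the signature of an ideal square wave), the filter floor, the DTW threshold and the two constructed traces are assumptions; the paper's own values are not on the page.

```python
import random

def threshold_filter(samples, floor):
    """Noise filter of slide 13: throughput samples below `floor` become 0."""
    return [s if s >= floor else 0.0 for s in samples]

def normalize(x):
    """Scale a sequence by its peak so traces from different links compare."""
    peak = max(x) or 1.0
    return [v / peak for v in x]

def autocorr_unbiased(x, max_lag):
    """Unbiased autocorrelation r[m] = sum_n x[n]*x[n+m] / (M - m), with
    M the length of the input sequence and m the lag index (slide 13)."""
    M = len(x)
    return [sum(x[n] * x[n + m] for n in range(M - m)) / (M - m)
            for m in range(max_lag + 1)]

def dtw(a, b):
    """Dynamic Time Warping distance with local cost |a_i - b_j|."""
    inf = float("inf")
    D = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    D[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            D[i][j] = abs(a[i - 1] - b[j - 1]) + min(D[i - 1][j], D[i][j - 1], D[i - 1][j - 1])
    return D[-1][-1]

def square_burst(M, T, l, R, S):
    """Square-wave stream of slide 7: rate R for l samples every T, shifted by S."""
    return [R if (n - S) % T < l else 0.0 for n in range(M)]

def signature(samples, floor=0.3, max_lag=30):
    """Sample -> filter -> normalize -> autocorrelate -> normalize."""
    return normalize(autocorr_unbiased(normalize(threshold_filter(samples, floor)), max_lag))

# Constructed template (assumption): signature of an ideal square wave, T=20, l=4.
TEMPLATE = signature(square_burst(200, 20, 4, 1.0, 0))

def dtw_score(samples):
    """Smaller DTW value = more similar to the attack template."""
    return dtw(signature(samples), TEMPLATE)

def classify(samples, threshold=8.0):
    """Threshold picked in the gap between the two DTW clusters (assumption)."""
    return "attack" if dtw_score(samples) < threshold else "legitimate"

# Constructed traces (200 throughput samples, link rate = 1): an attack whose T, l
# and S differ from the template, and legitimate traffic C + Gaussian(0, N) (slide 15).
rng = random.Random(7)
ATTACK = [v + rng.uniform(0.0, 0.2) for v in square_burst(200, 22, 5, 1.0, 9)]
LEGIT = [0.6 + rng.gauss(0.0, 0.15) for _ in range(200)]
```

A time-shifted copy of the template stream gets the same signature, which is the masking of S that slide 13 describes; the attack trace with a different T, l and S still scores far below the legitimate trace.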

14 Robustness of Detection: attack traffic simulations
- Square, step, general peaks
- T, l: uniformly distributed s.t. l/T <= 0.25
- R: 1 (full bandwidth)
- N, S: uniformly distributed
- 1000 simulations per type
DTW values for the low-rate attack:
        Square   General Peaks   Step
  Max   39.48    29.89           57.10
  Min   0.25     0.22            0.49
  Mean  5.73     5.11            7.97
  Stdv  6.93     4.61            11.39

15 Robustness of Detection: legitimate traffic composition
- Legitimate traffic simulation: C + Gaussian(0, N)
- Run the simulation 100 times for each C
- Large DTW values for legitimate traffic
DTW values for legitimate traffic:
  Max   286.60
  Min   62.51
  Mean  205.24
  Stdv  66.63

16 Robustness of Detection: attack flows vs. legitimate flows
- Expect a separation between them
- Probability distribution of DTW values, with the detection threshold (figure)

17 What is next? Introduction to the Low-rate DoS Attack; Formal Description of Low-rate TCP Attack; Distributed Detection; Defense Mechanism; Conclusion

18 Defense Mechanism
Router deployment:
- Pushback detection
- Pushback to deployed routers (distributed attack)
Resource management:
- Deficit round robin (DRR)

19 Defense Mechanism: Deficit Round Robin (DRR)
- Classify packets according to the input port [i]
- deficit_counter[i] += Quantum
- If the packet's size <= deficit_counter[i], serve the packet and set deficit_counter[i] -= packet's size
- If there is no packet[i], deficit_counter[i] = 0
Worked example (figure): queues A, B, C with head-of-queue packets; values shown in the figure: 1500, 300, 600, 500, 2000, 1000, 0; Quantum = 1000 bytes
- 1st round: A's count 1000; B's count 200 (served twice); C's count 400
- 2nd round: A's count 500 (served); B's count 0; C's count 800 (served)
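The DRR rules of slide 19, as an added Python example (not the authors' code), with queue contents constructed to reproduce the slide's counts: A holds a 1500-byte packet, B 300 then 500 bytes, C 600 then 600 bytes, Quantum = 1000 bytes. The code follows the slide's ordering, where a counter is zeroed when the port's turn comes with no packet queued (so B keeps 200 after round 1 and reads 0 in round 2); the second scenario, showing why a bursty port cannot starve the others, is also constructed.

```python
from collections import deque

def drr_round(queues, counters, quantum):
    """One DRR round with the rules of slide 19. `queues` maps an input port
    to a deque of packet sizes (bytes); `counters` is updated in place.
    Returns the (port, size) packets served in this round."""
    served = []
    for port, q in queues.items():
        if not q:                              # no packet[i]: deficit_counter[i] = 0
            counters[port] = 0
            continue
        counters[port] += quantum              # deficit_counter[i] += Quantum
        while q and q[0] <= counters[port]:    # packet size <= deficit: serve it
            size = q.popleft()
            counters[port] -= size             # deficit_counter[i] -= packet size
            served.append((port, size))
    return served

def drr_trace(queues, quantum, rounds):
    """Run `rounds` rounds; return a list of (served packets, counter snapshot)."""
    counters = {port: 0 for port in queues}
    trace = []
    for _ in range(rounds):
        served = drr_round(queues, counters, quantum)
        trace.append((served, dict(counters)))
    return trace

def bytes_served(queues, quantum, rounds):
    """Bytes each port received over `rounds` rounds (isolation check)."""
    total = {port: 0 for port in queues}
    for served, _ in drr_trace(queues, quantum, rounds):
        for port, size in served:
            total[port] += size
    return total

def slide_example():
    """Constructed to reproduce the slide's figure: A holds a 1500-byte packet,
    B 300 then 500 bytes, C 600 then 600 bytes; Quantum = 1000 bytes."""
    queues = {"A": deque([1500]), "B": deque([300, 500]), "C": deque([600, 600])}
    return drr_trace(queues, 1000, 2)

def isolation_example():
    """Constructed: a backlogged attacker port sending 1500-byte bursts next to
    two TCP ports; each port still gets about one quantum per round."""
    queues = {"attack": deque([1500] * 100), "tcp1": deque([1000] * 20),
              "tcp2": deque([500] * 40)}
    return bytes_served(queues, 1000, 10)
```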

20 Experiment of Defense Mechanism: multiple TCP flows vs. a single-source attacker
- Eight TCP flows
- Single low-rate attacker
- All go through the same router
- Link capacity 5 Mbps
            Drop Tail                          DRR
            Throughput (Kbps)  % of capacity   Throughput (Kbps)  % of capacity
  Attack    928.76             18.58%          343.09             6.86%
  TCP1      8.71               0.17%           965.91             19.32%
  TCP2      210.77             4.22%           645.79             12.92%
  TCP3      4.75               0.10%           629.15             12.58%
  TCP4      11.09              0.22%           618.05             12.36%
  TCP5      5.54               0.11%           468.3              9.37%
  TCP6      267.82             5.36%           356.57             7.13%
  TCP7      72.11              1.44%           293.97             5.88%
  TCP8      3.17               0.06%           194.93             3.90%
  TCP Sum   583.96             11.68%          4172.67            83.45%

21 Experiment of Defense Mechanism: network model of the attack vs. multiple TCP flows
- 4 TCP flows
- Single attacker
- 7-router network
- R1, R2, R4, R6 may run DRR
- Link capacity 5 Mb
ρ (Kbps):
             Drop Tail   DRR on R6   DRR on R6,R4   DRR on R6,R4,R2   DRR on R6,R4,R2,R1
  Attack     640.00      561.00      453.00         419.00            404.00
  TCP1       386.00      358.00      311.00         314.00            778.00
  TCP2       264.00      329.00      282.00         874.00            763.00
  TCP3       324.00      251.00      1245.00        924.00            788.00
  TCP4       425.00      1719.00     1154.00        966.00            765.00
  Total TCP  1399.00     2657.00     2992.00        3078.00           3094.00

22 What is next? Introduction to the Low-rate TCP Attack; Formal Description of Low-rate TCP Attack; Distributed Detection; Defense Mechanism; Conclusion

23 Conclusion
- Formal model to describe the low-rate TCP attack
- Distributed detection mechanism using Dynamic Time Warping
- The pushback mechanism
- DRR approach for protection and isolation

