Post on 22-Dec-2015
Low-Rate TCP Denial of Service Defense
Johnny Tsao, Petros Efstathopoulos
Tutor: Guang Yang
UCLA 2003
What is a Low-Rate DoS Attack?
- Floods the bottleneck with packets to overflow queues and produce dropped packets
- TCP connections sense congestion and wait for the retransmission timeout (one second)
- While the TCP connections are waiting out the timeout, the attacker does not need to attack
- It then resumes attacking after waiting the RTO
- The attacker has a low throughput relative to traditional DoS attackers, so it can avoid detection
Proposed Solution
- Randomize the RTO so that we start retransmitting in between attacks
- This should help improve throughput
- Various possible randomization techniques: simulations show that the choice doesn’t make a significant difference
Related Works
- A. Kuzmanovic and E. W. Knightly, "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)", in Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003
- G. Yang, M. Gerla and Y. Sanadidi, "Randomization and Probing: Defense against Low-rate TCP-targeted DoS Attacks", UCLA Computer Science Department, Internal Draft
- These papers run simulations only; we will test their findings with experiments
Our Task
- Analyze the effectiveness of randomized RTO against a low-rate TCP DoS attack
- Evaluate effectiveness by performing experiments on a TCP testbed using DummyNet to simulate an internet bottleneck
- Compare experimental results to simulation results
The Linux Kernel
- Linux implements TCP New Reno
- The Linux kernel actually uses a minimum RTO of 200ms (max is 120sec)
- This reduces the effectiveness of a low-rate attack, since the attacker must transmit more often, leaving it more susceptible to detection
The Linux Kernel (cont)
- Linux uses the value of RTOmin to initialize the value of rttvar when a new connection is established
- Setting RTOmin to 1sec heavily affected rttvar
- Solution: bound the value of RTO dynamically without changing the defined values that affect rttvar
Linux Kernel Modifications
- Kernel 1: make minimum RTO = 1sec in order to match the papers by Knightly and Yang
- Kernel 2: randomize RTO around 1sec to see if randomization can defend against a low-rate attack
Experiment Setup
Sender, Receiver
- iperf client and server to produce TCP traffic
Attacker
- Custom UDP traffic generator: 3MBit/s attack, 50 byte packets
DummyNet simulates internet bottleneck
- 1.5MBit/s link
- 40ms propagation delay
- 50 slot queue
The Square Wave Attack (approximates a Low-rate TCP DoS Attack)
[Figure: square-wave attack profile, labelled with Burst Length and Inter-burst Period]
Experiments
4 sets of experiments:
- Set 1: standard Linux kernel behavior
- Set 2: modified “1sec” Linux kernel behavior
- Set 3: modified “1sec – randomized RTO” Linux kernel behavior
For each set we measured throughput for inter-burst periods (IBPs) ranging from 0.3sec to 5sec (burst length and network parameters were kept constant)
- Set 4: all kernels measured under attack for different burst lengths
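A toy model of the experiment sets above, added here as an illustration and not part of the original presentation or its kernels: it replays the square-wave attack against a flow whose RTO is fixed (the standard 200ms kernel and the "1sec" kernel) or randomized in the -0.5s/+0.5s range, and reports the fraction of time the flow can send. Assumptions: bursts start at multiples of the IBP, a burst drops the flow's packets, a fresh random RTO is drawn at each timeout, and slow start is ignored.

```python
import random

def in_burst(t_ms, ibp_ms, burst_ms):
    """True if time t_ms falls inside an attack burst.
    Bursts of burst_ms start at 0, ibp_ms, 2*ibp_ms, ... (square wave)."""
    return (t_ms % ibp_ms) < burst_ms

def fixed_rto(min_rto_ms):
    """Deterministic RTO: always the kernel's minimum (the standard and "1sec" kernels)."""
    return min_rto_ms

def make_randomized_rto(jitter_ms=500, seed=1):
    """RTO drawn uniformly from [min-jitter, min+jitter] at every timeout
    (the page's "-0.5 to +0.5 around 1sec"); assumption: a fresh draw per timeout."""
    rng = random.Random(seed)
    return lambda min_rto_ms: max(1, rng.randint(min_rto_ms - jitter_ms, min_rto_ms + jitter_ms))

def throughput_fraction(ibp_ms, burst_ms, rto_fn, min_rto_ms=1000,
                        max_rto_ms=120000, duration_ms=600000):
    """Fraction of the run during which the flow is sending.
    Simplified model of the attack described on the page: a burst fills the
    bottleneck queue and drops the flow's packets; the flow idles for one RTO
    and retries.  A retry that lands inside a burst is lost again and the RTO
    doubles (exponential backoff, capped at max_rto_ms); a retry that lands
    between bursts recovers the flow, which then sends at full rate until the
    next burst begins (slow start is ignored, so absolute numbers are optimistic)."""
    t = 0
    sending_ms = 0
    backoff = 0
    while t < duration_ms:
        if in_burst(t, ibp_ms, burst_ms):
            t += min(rto_fn(min_rto_ms) << backoff, max_rto_ms)
            backoff += 1
        else:
            backoff = 0
            next_burst = (t // ibp_ms + 1) * ibp_ms
            end = min(next_burst, duration_ms)
            sending_ms += end - t
            t = end
    return sending_ms / duration_ms

if __name__ == "__main__":
    # Constructed sweep: 100ms bursts, IBPs of 0.5s, 1s, 2s and 5s, like the experiment sets.
    for label, rto_fn, min_rto in (("Linux 200ms", fixed_rto, 200),
                                   ("1sec kernel", fixed_rto, 1000),
                                   ("1sec randomized", make_randomized_rto(), 1000)):
        row = ["%.2f" % throughput_fraction(ibp, 100, rto_fn, min_rto)
               for ibp in (500, 1000, 2000, 5000)]
        print(label, row)
```

With a fixed 1s RTO every retry lands exactly on a burst at IBP = minRTO/2 and minRTO, which is the throttling the results slides show; the 200ms kernel and the randomized kernel both break that synchronization.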
Experimental Results – I
The standard Linux kernel is vulnerable, but a high rate attack is needed (minRTO is 200ms)
[Figure: Linux kernel throughput (no attack VS under attack). x-axis: IBP (sec), 0.3 to 5; y-axis: Throughput (bytes/sec), 0 to 200000; series: Under Attack, No Attack]
Experimental Results – II
Changing the minimum value of RTO to 1sec makes the attack very effective!
[Figure: "1sec" kernel throughput (no attack VS under attack). x-axis: IBP (s), 0.3 to 5; y-axis: Throughput (bytes/sec), 0 to 200000; series: Under Attack, No attack]
Experimental Results – III
Randomizing the value of RTO in the “1sec” kernel (randomization ranges from -0.5 to +0.5) significantly improves performance (connection NOT throttled for IBPs of 0.5s and 1s)
[Figure: "1sec-randomized RTO" kernel throughput (no attack VS under attack). x-axis: IBP (s), 0.3 to 5; y-axis: Throughput (bytes/sec), 0 to 200000; series: Under Attack, No Attack]
Experimental Results – IV
- Randomization eliminates the throughput throttling problem for IBP values of minRTO/2 and minRTO
- Experimental results confirm simulation results
[Figure: Throughput vs IBP. x-axis: Inter-burst Period (seconds), 0 to 6; y-axis: Throughput (%), 0 to 1; series: Linux, 1s RTO, randomRTO]
Experimental Results – V
The burst length greatly affects the effectiveness of the attack
[Figure: Throughput VS burst length (interburst period = 1s). x-axis: Burst length (ms), 50 to 200; y-axis: Throughput (bytes/sec), 0 to 180000; series: Linux kernel, 1sec kernel, randomized kernel]
[Figure: Throughput VS burst length (interburst period = 0.5s). x-axis: Burst length (ms), 50 to 200; y-axis: Throughput (bytes/sec), 0 to 120000; series: Linux kernel, 1sec kernel, randomized kernel]
Experimental Results – V (cont.)
[Figure: Average throughput VS burst length (for IBPs 0.5s and 1s). x-axis: Burst length (ms), 50 to 200; y-axis: Throughput (bytes/sec), 0 to 160000; series: Linux kernel, 1sec kernel, randomized kernel]
Our Findings
- Low-Rate TCP DoS attack relies heavily on RTO synchronization
- Attack targets low RTT connections
- Randomization of RTO improves throughput greatly (especially in the vulnerable cases of 0.5s and 1s)
Our Findings - II
- The effectiveness of the attack depends a lot on the synchronization of the sender and the attacker
- Performance results for certain cases fluctuated greatly for consecutive runs of the same experiment. Possible reasons: Dummynet buffer management, synchronization issues between the attacker and the sender
Conclusions
- The experimental results coincide with the findings of the papers by Knightly and Yang
- Randomization is an effective way to reduce the damage done by a Low-Rate TCP DoS attack
- Such an attack may not be realistic if modern systems implement a low RTO (i.e. Linux’s 200ms RTO)
Future Work
- Determine the fairness of the RTO randomization scheme
- Explore probing as a defense against a Low-Rate TCP DoS attack
- Examine the attack and defense results with multiple TCP flows
References
- A. Kuzmanovic and E. W. Knightly, "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)", in Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003
- G. Yang, M. Gerla and Y. Sanadidi, "Randomization and Probing: Defense against Low-rate TCP-targeted DoS Attacks", UCLA Computer Science Department, Internal Draft
- P. Sarolahti and A. Kuznetsov, "Congestion Control in Linux TCP"
- D. Bovet and M. Cesati, "Understanding the Linux Kernel", O’Reilly, 2003