SIGCOMM ’03: Low-Rate TCP-Targeted Denial of Service Attacks, A. Kuzmanovic and E. W. Knightly...
1
SIGCOMM ’03 Low-Rate TCP-Targeted Denial of Service Attacks
A. Kuzmanovic and E. W. Knightly
Rice University
Reviewed by Haoyu Song
9/25/2003
2
Denial of Service Attack
Preventing or degrading service to legitimate users.
Examples: TCP SYN attack, ICMP directed broadcasts
Targets: network bandwidth, server/router CPU cycles, interrupt processing capacity, operating system/protocol data structures
3
DoS Attack Common Characteristics
Exploits bugs or features of the operating system, or inherent limitations of the networking
Involves a large number of compromised computers
High-rate traffic toward the victim node
Can be detected, traced back, mitigated or cleared.
Firewalls, intrusion detection devices, operating system patches.
4
Low-Rate DoS Attack
Exploits a vulnerability of TCP's congestion control algorithm;
The rate is so low that it is hard to detect;
Degrades the victim's throughput significantly;
Not easy to fix.
5
Layout of the Paper
Background: TCP’s Timeout Mechanism
DoS Modeling
Extensive Simulation and Experiments
Counter-DoS Techniques
Conclusion
6
TCP Retransmission Timeout Mechanism
If fewer than 3 duplicate ACKs are received before the RTO expires:
Shrink the congestion window to 1 packet (slow start).
Set the new RTO to 2*RTO (exponential backoff).
Retransmit the lost packet.
RTO selection is a tradeoff:
Spurious timeouts and extraneous retransmissions if too small.
Too slow to recover from congestion if too large.
7
RTO Estimation
SRTT – smoothed round trip time
RTTVAR – round trip time variation
R' – RTT sample
minRTO – lower bound for RTO, 1 second
G – clock granularity

$$RTO = \max\big(minRTO,\; SRTT + \max(G,\, 4 \cdot RTTVAR)\big)$$

$$SRTT = (1-\alpha)\, SRTT + \alpha\, R', \qquad RTTVAR = (1-\beta)\, RTTVAR + \beta\, |SRTT - R'|$$

$$\alpha = 1/8, \qquad \beta = 1/4$$
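An added worked example (mine, not from the paper or these slides) of the slide 7 estimator together with the slide 6 timeout behaviour; the 1 ms clock granularity and the seeding of SRTT/RTTVAR from the first sample follow RFC 2988 and are assumptions here. It shows why LAN-scale RTT samples leave the RTO pinned at the 1 s minRTO floor.

```python
# Added example: RFC 2988 RTO estimation (slide 7) plus the timeout behaviour
# of slide 6. Clock granularity G = 1 ms is an assumption; minRTO = 1 s.
from dataclasses import dataclass
from typing import Optional

ALPHA, BETA = 1 / 8, 1 / 4   # smoothing gains from slide 7
G = 0.001                     # clock granularity in seconds (assumed)
MIN_RTO = 1.0                 # lower bound for RTO, 1 second


@dataclass
class RtoEstimator:
    srtt: Optional[float] = None
    rttvar: Optional[float] = None
    rto: float = MIN_RTO
    cwnd: int = 1             # congestion window in packets

    def sample(self, r: float) -> float:
        """Feed one RTT measurement R' (seconds) and return the new RTO."""
        if self.srtt is None:             # first sample seeds the estimator (RFC 2988 2.2)
            self.srtt, self.rttvar = r, r / 2
        else:                             # RTTVAR first, using the previous SRTT (RFC 2988 2.3)
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r
        # the minRTO floor dominates whenever SRTT + 4*RTTVAR is small (LAN-scale RTTs)
        self.rto = max(MIN_RTO, self.srtt + max(G, 4 * self.rttvar))
        return self.rto

    def timeout(self) -> float:
        """Retransmission timer expired: cwnd -> 1 packet, RTO -> 2*RTO."""
        self.cwnd = 1
        self.rto *= 2
        return self.rto


def rto_after_samples(samples):
    """RTO after feeding a list of RTT samples (seconds) to a fresh estimator."""
    est = RtoEstimator()
    for r in samples:
        est.sample(r)
    return est.rto


def rto_after_backoffs(samples, timeouts):
    """RTO after `timeouts` consecutive timer expirations following `samples`."""
    est = RtoEstimator()
    for r in samples:
        est.sample(r)
    for _ in range(timeouts):
        est.timeout()
    return est.rto
```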
8
The Idea of Low-rate DoS Attack
What to do: provoke a TCP flow to repeatedly enter the retransmission timeout state; throttle the TCP throughput to near zero.
How to do it: send high-rate, RTT-scale, short-duration bursts and repeat them periodically at an RTO-scale period. The low average rate is hard to detect.
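An added defender-side example (mine, not from the paper): the square-wave shape itself, RTT-scale bursts repeating at an RTO-scale period, is visible in per-bin rate counts even though the average rate a rate limiter sees stays low. The 10 Mb/s link, the 10 ms bins and the packet trace are constructed.

```python
# Added example: flag a low-rate DoS stream by burst periodicity rather than by
# average rate. The packet trace below is constructed, not a real capture.
from statistics import mean, pstdev

LINK_BPS = 10_000_000            # 10 Mb/s link (assumed)
BIN_S = 0.01                     # 10 ms rate bins


def bin_rates(packets, bin_s=BIN_S):
    """Bytes observed per bin, keyed by bin index; packets are (time_s, bytes)."""
    rates = {}
    for ts, size in packets:
        b = int(ts // bin_s)
        rates[b] = rates.get(b, 0) + size
    return rates


def burst_starts(packets, link_bps=LINK_BPS, bin_s=BIN_S, fill=0.8):
    """Start times of runs of bins filled to at least `fill` of line rate."""
    thresh = fill * link_bps / 8 * bin_s         # bytes per bin at 80% of line rate
    rates = bin_rates(packets, bin_s)
    starts, prev_hot = [], False
    for b in range(max(rates) + 1):
        hot = rates.get(b, 0) >= thresh
        if hot and not prev_hot:
            starts.append(b * bin_s)
        prev_hot = hot
    return starts


def periodic_burst_profile(packets, link_bps=LINK_BPS):
    """(burst period, spacing jitter, average utilisation), or None if < 3 bursts.
    Jitter near 0 with an RTO-scale period is the square-wave signature; the
    average utilisation is all that an average-rate detector would see."""
    starts = burst_starts(packets, link_bps)
    if len(starts) < 3:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    span = max(ts for ts, _ in packets)
    avg_util = sum(size for _, size in packets) * 8 / span / link_bps
    return mean(gaps), pstdev(gaps) / mean(gaps), avg_util


def constructed_trace(period=1.1, n_bursts=10, pkts_per_burst=84):
    """Line-rate 1500-byte bursts (~100 ms) every `period` s plus 0.6 Mb/s background."""
    pkts = [(k * period + j * 0.0012, 1500)
            for k in range(n_bursts) for j in range(pkts_per_burst)]
    pkts += [(t * 0.02, 1500) for t in range(550)]   # constructed background traffic
    return sorted(pkts)
```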
9
DoS Modeling
[Figure: square-wave DoS stream of period T against the TCP flow's RTO timeline]

$$l \ge RTT_i \quad \text{and} \quad RTO_i = \max\big(minRTO,\; SRTT_i + 4 \cdot RTTVAR_i\big) = minRTO, \qquad i = 1, 2, \ldots, n$$
10
DoS TCP Throughput
Two “null” points: T = minRTO/2 and T = minRTO
11
In Practice
Periodic DoS attacks do not exploit TCP's exponential backoff mechanism but rather repeated timeouts.
If only a subset of the TCP flows satisfy the conditions, only that subset suffers the degraded throughput (flow filtering).

$$T = 1 + 2\, RTT_i$$
12
Creating DoS Outages
Minimize the rate of the DoS stream

$$l = l_1 + l_2, \qquad l_1 = B / (R - C), \qquad l_2 \ge \max_i RTT_i$$
13
Impact on Long-lived Homogeneous-RTT TCP Traffic
1.5 Mb/s link
One-way propagation delay = 6 ms
RTT varies from 12 ms to 132 ms
DoS traffic: 1.5 Mb/s peak rate, 100 ms burst and 50-byte packets
5 TCP flows simulation
14
Impact on Long-lived Heterogeneous-RTT TCP Traffic
20 TCP flows
10 Mb/s link
RTT varies from 29 to 460 ms
DoS burst traffic: 10 Mb/s, 100 ms burst and 1.1 sec period
15
DoS Burst Length
High-RTT-pass filter
As the burst length increases, more TCP flows are filtered, thus the aggregate TCP throughput decreases.
16
DoS Peak Rate
Background traffic can potentially lower the DoS peak rate while maintaining an effective attack
Scenario: 1 DoS flow and 4 TCP flows; 3 TCP flows with long RTT serve as the background traffic
Relatively low peak rates are sufficient to filter the short-RTT flow
17
Impact on HTTP Traffic
HTTP traffic is more dynamic
More impact under heavy load
More impact for large file sizes
Some flows benefit from the attack: they avoid the outages.
18
DoS on TCP Variants
Effective attacks depend on the ability to create correlated packet loss and force TCP flows to enter retransmission timeout.
19
Internet Experiments
Intra-LAN Inter-LAN WAN
20
Intra-LAN Scenario
10 Mb/s Ethernet
Attacker: 10 Mb/s peak rate, 200 ms burst length.
Null frequency: 1.2 sec.
DoS average rate: 1.67 Mb/s if the period is 1.2 sec.
TCP flow throughput drops from 6.6 Mb/s to 780 kb/s
21
Inter-LAN Scenario
Attacker and TCP sender are on different 100 Mb/s Ethernets
Attacked host is on a 10 Mb/s Ethernet
DoS peak rate 10 Mb/s, burst duration 100 ms
Null frequency: 1.1 sec
At this time scale, the DoS average rate is 909 kb/s
TCP flow throughput drops from 9.8 Mb/s to 800 kb/s
22
WAN Scenario
DoS source is 8 hops away, 10 Mb/s peak rate and 100 ms burst duration.
T = 1.1 sec, TCP throughput drops from 9.8 Mb/s to 909 kb/s
23
Router-Assisted Counter-DoS
Consider only dropping algorithms rather than scheduling
RED and RED-PD
24
Router-Assisted Counter-DoS (cont.)
Vary the DoS peak rate or burst length
9 TCP SACK flows
Bottleneck rate 1.5 Mb/s
25
End-point minRTO Randomization Counter-DoS
Fact: low-rate attacks exploit minRTO homogeneity
Remedy: randomize the end systems' minRTO to randomize their null frequencies
Experiment: minRTO = uniform(a, b)
Result: the longest, most vulnerable timescale becomes T = b
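An added fluid-timeline model (mine, not the paper's simulation) of the randomization remedy above, used to compare a homogeneous 1 s minRTO with minRTO = uniform(a, b). It assumes RTO_i = minRTO_i as on slide 9, that a flow sends at full rate from a successful retransmission until the next burst, and that every packet sent during a burst is lost; a = 1.0, b = 1.2, the horizon and the seed are constructed values.

```python
# Added example: fluid timeline model of the minRTO randomization remedy on
# slide 25. Assumptions (mine, not the paper's): RTO_i = minRTO_i as on slide 9,
# a flow sends at full rate from a successful retransmission until the next
# burst, and every packet sent during a burst of length l is lost.
import random


def flow_goodput(min_rto, period, burst, horizon=60.0):
    """Fraction of `horizon` during which one flow is sending, under bursts of
    length `burst` every `period` seconds, the first burst starting at t = 0."""
    t, sending = 0.0, 0.0            # t: start of the burst that forced a timeout
    while t < horizon:
        rto, retry = min_rto, t + min_rto
        # a retransmission landing inside a burst is lost: exponential backoff
        while retry < horizon and retry % period < burst:
            rto *= 2
            retry += rto
        next_burst = (retry // period + 1) * period
        sending += max(0.0, min(next_burst, horizon) - retry)
        t = next_burst
    return sending / horizon


def mean_goodput(min_rtos, period, burst):
    """Average goodput fraction over flows with the given minRTO values."""
    return sum(flow_goodput(m, period, burst) for m in min_rtos) / len(min_rtos)


def fixed_min_rtos(n, value=1.0):
    """Homogeneous minRTO, as in standard TCP stacks (1 second)."""
    return [value] * n


def randomized_min_rtos(n, a=1.0, b=1.2, seed=7):
    """minRTO = uniform(a, b) per flow; a, b and the seed are constructed values."""
    rng = random.Random(seed)
    return [rng.uniform(a, b) for _ in range(n)]
```

With a homogeneous 1 s minRTO and T = 1 s every retransmission lands in a burst and goodput is zero, while with uniform(1.0, 1.2) the same period leaves well over a quarter of the capacity usable; at T = b goodput drops to roughly (b - a)/(2b) but not to zero.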
26
Conclusion
This attack works against both short- and long-lived TCP flows.
In a heterogeneous-RTT environment, it acts as a high-RTT-pass filter.
There is no effective way to defend the system in the presence of this low-rate DoS attack.