Malicious Packet Dropping : How It Might Impact the TCP Performance & How We Can Detect It
Transcript of Malicious Packet Dropping : How It Might Impact the TCP Performance & How We Can Detect It
11/17/2000 IEEE ICNP'2000, Osaka, Japan 1
Malicious Packet Dropping: How It Might Impact the TCP Performance
& How We Can Detect It
Xiao-Bing Zhang (Ericsson), Felix Wu (UC Davis), Zhi Fu (NC State University), Tsung-Li Wu (CCIT)
http://www.cs.ucdavis.edu/[email protected]
full paper:http://www.cs.ucdavis.edu/publications/PDALong.ps
Outline
- Packet Dropping
- Anomaly Detection
- Evaluation
Packet Dropping Attacks
- Maliciously drop a small portion of packets, e.g., the first 20 packets in a connection
- Selectively drop some important packets, e.g., retransmission packets, or signaling packets in IP telephony
- Degrade QoS
- Difficult to detect: packet loss could equally be due to network congestion
Attack Types
- Persistent: attack every connection between two TCP ends
- Intermittent: attack some of the connections, e.g., 1 of every 5 connections
Dropping Patterns
Periodical Packet Dropping (PerPD)
Retransmission Packet Dropping (RetPD)
Random Packet Dropping (RanPD)
Periodical Packet Dropping
- Parameters (K, I, S): K, the total number of dropped packets in a connection; I, the interval between two consecutive dropped packets; S, the position of the first dropped packet
- Example (5, 10, 4): 5 packets dropped in total, 1 every 10 packets, starting from the 4th packet; the 4th, 14th, 24th, 34th and 44th packets will be dropped
Retransmission Packet Dropping
- Parameters (K, S): K, the number of times the packet's retransmissions are dropped; S, the position of the dropped packet
- Example (5, 10): first drop the 10th packet, then drop the retransmissions of the 10th packet 5 times
Random Packet Dropping
- Parameters (K): K, the total number of packets to be dropped in a connection
- Example (5): randomly drop 5 packets in a connection
Dropper Model
(Figure: a connection is attacked with probability P%; an attacked connection is handled by one of the three droppers, Per (K, I, S), Ret (K, S) or Ran (K).)
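The three patterns and the persistent/intermittent schedule, written out as an added example (this is not the paper's Attack Agent, which sat on a divert socket; it is a model of the drop decision only). The sequence-number stream, the retransmission detection rule and the way RanPD picks its positions are assumptions made here:

```python
"""Added example, not the Attack Agent from the paper: a model of the three
dropping patterns on the slides, PerPD(K, I, S), RetPD(K, S) and RanPD(K),
plus the persistent/intermittent schedule. Each dropper sees the TCP data
segments of one connection in forwarding order and answers, per segment,
whether a compromised forwarder would discard it. Packet positions are
1-based as on the slides (S=4 means the 4th data packet). A retransmission
is recognised by its sequence number having been seen before (assumption).
"""
import random


class PeriodicDropper:
    """PerPD(K, I, S): drop K packets, one every I packets, starting with the S-th."""

    def __init__(self, k, interval, start):
        self.k, self.interval, self.start = k, interval, start
        self.position = 0      # data packets seen so far (dropped ones included)
        self.dropped = 0

    def should_drop(self, seq):
        self.position += 1
        if self.dropped >= self.k or self.position < self.start:
            return False
        if (self.position - self.start) % self.interval == 0:
            self.dropped += 1
            return True
        return False


class RetransmissionDropper:
    """RetPD(K, S): drop the S-th packet, then the next K retransmissions of it."""

    def __init__(self, k, start):
        self.k, self.start = k, start
        self.position = 0
        self.victim_seq = None  # sequence number of the S-th packet once seen
        self.retx_dropped = 0

    def should_drop(self, seq):
        self.position += 1
        if self.victim_seq is None:
            if self.position == self.start:
                self.victim_seq = seq
                return True
            return False
        if seq == self.victim_seq and self.retx_dropped < self.k:
            self.retx_dropped += 1
            return True
        return False           # the (K+1)-th retransmission gets through


class RandomDropper:
    """RanPD(K): drop K packets at random positions in the connection.

    The slides do not say how the positions are drawn; here (assumption) K
    distinct positions are sampled up front from the first `expected_packets`
    packets, so exactly K are dropped when the connection is at least that long.
    """

    def __init__(self, k, expected_packets, seed=None):
        rng = random.Random(seed)
        self.victims = set(rng.sample(range(1, expected_packets + 1), k))
        self.position = 0

    def should_drop(self, seq):
        self.position += 1
        return self.position in self.victims


class AttackSchedule:
    """Dropper model: persistent attacks hit every connection (period=1);
    intermittent attacks hit one connection in every `period`
    (period=5 is the slides' "1 of every 5 connections")."""

    def __init__(self, period, make_dropper):
        self.period = period
        self.make_dropper = make_dropper
        self.connections = 0

    def for_connection(self):
        """Return a fresh dropper for the next connection, or None if it is spared."""
        self.connections += 1
        return self.make_dropper() if self.connections % self.period == 0 else None


def run_dropper(dropper, seqs):
    """Feed sequence numbers through a dropper; return the 1-based positions dropped."""
    return [pos for pos, seq in enumerate(seqs, start=1) if dropper.should_drop(seq)]


if __name__ == "__main__":
    # Constructed stream: segments 1..12 in order, then segment 10 retransmitted 7 times.
    stream = list(range(1, 13)) + [10] * 7
    print("PerPD(5,10,4):", run_dropper(PeriodicDropper(5, 10, 4), range(1, 61)))
    print("RetPD(5,10):  ", run_dropper(RetransmissionDropper(5, 10), stream))
    print("RanPD(5):     ", run_dropper(RandomDropper(5, 50, seed=1), range(1, 51)))
```

The retransmission dropper is the one to study: it never needs to count packets after the victim is chosen, it only matches the victim's sequence number, which is exactly why a forwarder that has been compromised can apply it with negligible state per connection.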
How can this happen?
- Unintentional: misconfiguration; aggressive traffic control or management
- Intentional: compromised packet forwarding engine; selectively flooded routers/switches
How to Practice Dropping Attacks
- Compromise intermediate routers: easy to manipulate the victim's traffic; hard to detect; difficult to carry out
- Congest intermediate routers: hard to manipulate the victim's traffic precisely; attracts more attention; easy to carry out
Impacts of Packet Dropping
Delay
Response time
Quality
Bandwidth
Throughput...
Experiment Setting
- 4 FTP servers across the Internet
- FTP client runs Linux 2.0.36 in the SHANG lab
- Size of the downloaded file is 5.5 MB
- The Attack Agent runs on the same host as the FTP client and acts as a compromised router
(Figure: FTP Server -> Internet -> Divert Socket -> Attack Agent -> FTP Client on Linux 2.0.36; the data packets of xyz.zip (5.5M) pass through the Attack Agent.)
FTP Servers and Clients
(Figure: the FTP client at SHANG and the FTP servers at Heidelberg, NCU, SingNet and UIUC.)
FTP Servers

Name         FTP Server              IP Address        Location
Heidelberg   ftp.uni-heidelberg.de   129.206.100.134   Europe
NCU          ftp.ncu.edu.tw          140.115.1.71      Asia
SingNet      ftp.singnet.com.sg      165.21.5.14       Asia
UIUC         ftp.cso.uiuc.edu        128.174.5.14      North America
Impacts of Packet Dropping on Session Delay
(Bar chart: session delay in seconds per FTP site for the four cases; the values are the chart's data labels, read in the legend's series order Normal, RanPD(7), PerPD(7,4,5), RetPD(7,5).)

Site         Normal   RanPD(7)   PerPD(7,4,5)   RetPD(7,5)
Heidelberg     56.0       63.4           66.0        218.4
NCU            98.6      108.2          125.8        250.9
SingNet        62.6       77.1           86.9        260.3
UIUC           23.6       26.5           44.6        183.9
Compare Impacts of Dropping Patterns
(Four plots, one per site (Heidelberg, NCU, SingNet, UIUC): session delay (0 to 500 s) against the number of victim packets (0 to 40) for PerPD, RanPD and RetPD. Parameters: PerPD with I = 4, S = 5; RetPD with S = 5.)
Different K, I, S for PerPD
(Three plots of session delay (0 to 250 s) for Heidelberg, NCU, SingNet and UIUC: (a) against the number of victim packets K, 0 to 40, with I = 4, S = 5; (b) against the dropping interval I, 0 to 100, with K = 20, S = 5; (c) against the dropping start point S, 0 to 200, with K = 20, I = 50.)
On Interval
- If the interval is extremely small (< 4), PerPD behaves like RetPD: with fewer than three delivered packets between two drops the receiver cannot generate the three duplicate ACKs that fast retransmit needs, so each loss is repaired by a timeout.
- If the interval is larger and the RTT is small, the session delay is smaller when the interval is also smaller (but not too small).
Compare Impacts of Dropping Patterns (cont.)
- Periodical Packet Dropping: session delay increases linearly with K; packet loss is repaired by fast retransmit or timeout
- Random Packet Dropping: comparatively small damage, related to the RTT; session delay increases linearly with K; packet loss is usually repaired by fast retransmit
- Retransmission Packet Dropping: severe damage, related to the RTO; session delay increases exponentially with K
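An added note, not from the slides, on why the RetPD curve bends upward while the other two stay linear. It follows from TCP's retransmission-timer backoff; the RTO value used in the example is an assumption. After the original segment at position S is dropped, each dropped retransmission is only sent again when the retransmission timer fires, and the timer doubles on every expiry (RTO, 2·RTO, 4·RTO, ...). With the original loss plus K dropped retransmissions the sender stalls for

$$D_{\mathrm{RetPD}}(K) \approx \sum_{i=0}^{K} 2^{i}\,\mathrm{RTO} = (2^{K+1}-1)\,\mathrm{RTO}$$

whereas a PerPD or RanPD loss that is isolated enough for fast retransmit costs roughly a constant number of RTTs (one recovery plus the reduced window), so

$$D_{\mathrm{PerPD}}(K) \approx K \cdot c \cdot \mathrm{RTT}, \qquad c \text{ small and independent of } K,$$

which is linear in K. With an assumed RTO of 1 s and K = 7 the formula gives $(2^{8}-1)\cdot 1\,\mathrm{s} = 255\,\mathrm{s}$ of stall, the same order as the 180 to 260 s RetPD(7,5) delays on the session-delay chart above. Real stacks cap the RTO and may recover the first loss by fast retransmit, so treat this as an upper estimate.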
The Plain DDoS Model (1999-2000)
(Figure: attackers control masters, which control slaves spread across ISP and .com networks; the slaves flood the victim with packets carrying src: random, dst: victim.)
Congestion Tools: Tribe Flood Network
- A Distributed Denial of Service (DDoS) attack tool
- Master: a host running an application called Client; the Client initiates attacks by sending commands to Agents
- Agent: a host running a Daemon; the Daemon receives and carries out commands issued by a Client
- Attacks: UDP flood, ICMP echo reply (ping), SYN flood, and TARGA3
Congestion Experiment Setting
(Figure: hosts bone, fire, redwing, light and air on the networks 152.1.75.0, 192.168.1.0 and 172.16.0.0; labelled roles are TFN master, TFN agents, TFN target, FTP client and FTP server; the UDP flood from the TFN agents causes congestion on the router that the FTP data also crosses.)
- The networks are in the SHANG lab
- All machines are PCs
- bone, with a 500 MHz Intel Pentium CPU, acts as the router
- Downloaded file size: 44 MB
Congestion Experiment Results
(Four plots of the number of lost packets (0 to 12) against time (0 to 100 s), one per attack mode: flood 1, stop 20; flood 1, stop 5; flood 5, stop 10; flood 5, stop 2.)
Congestion Experiment Results (cont.)
(Two bar charts with data labels for Normal, F1,S20, F1,S5, F5,S10 and F5,S2: number of lost packets 0, 38.3, 123, 126.4, 387.5; session delay 118.4, 131.4, 161.1, 185.4, 323.2 seconds.)

Attack mode (flood m, stop n)   Packet loss per connection   Session delay (s)   Damage
Normal                                  0.9                       31.7             -
Flood 1, stop 20                       18.5                       40.5          27.8%
Flood 1, stop 5                        57.4                       58.4          84.5%
Flood 5, stop 10                       62.1                       67.3         112.6%
Flood 5, stop 2                       124.4                      164.5         418.9%

damage = (delay_flood - delay_normal) / delay_normal
Intrusion Detection: TDSAM
- The TCP-Dropping Statistic Analysis Module (TDSAM) runs on the protected asset, e.g., the FTP client
- Expected behavior is described in a long-term profile, e.g., the average session delay is 50 seconds
- Observed behavior is described in a short-term profile, e.g., the average session delay becomes 100 seconds
Intrusion Detection: TDSAM (cont.)
Statistic measures:
- Position measure: position of each packet reordering
- Delay measure: session delay
- NPR measure: number of packet reorderings
TDSAM Experiment Setting
(Figure: FTP Server -> Internet -> Divert Socket -> Attack Agent -> FTP Client on Linux 2.0.36 downloading xyz.zip (5.5M); TDSAM runs on the client and sees the data packets. Reordering is counted against the highest sequence number seen so far: in the arrival order p1, p2, p3, p5, p4, the packet p4 counts as one reordering.)
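How the three measures can be taken from what the client actually sees, as an added example (not the paper's TDSAM code). It parses constructed tcpdump-style lines for one FTP data connection and applies the max-based reordering rule from the figure; the trace, the addresses in it and the regular expression are assumptions made here:

```python
"""Added example, not the authors' TDSAM: extract the Position, Delay and NPR
measures for one TCP connection from a packet trace. Reordering follows the
figure's rule: a data segment whose sequence number is below the highest
sequence number already seen counts as one reordering, at its arrival position.
"""
import re

# Constructed trace (not a real capture) in the old tcpdump format:
# "<ts> IP <src> > <dst>: . <seq>:<end>(<len>) ack <n> win <w>".
# Segment 4381 is missing at first and arrives late (7th); 10221 is delivered
# twice, the second copy being a spurious retransmission.
TRACE = """\
0.000000 IP 10.0.0.2.20 > 10.0.0.1.1026: . 1:1461(1460) ack 1 win 32120
0.081210 IP 10.0.0.2.20 > 10.0.0.1.1026: . 1461:2921(1460) ack 1 win 32120
0.162404 IP 10.0.0.2.20 > 10.0.0.1.1026: . 2921:4381(1460) ack 1 win 32120
0.243599 IP 10.0.0.2.20 > 10.0.0.1.1026: . 5841:7301(1460) ack 1 win 32120
0.324811 IP 10.0.0.2.20 > 10.0.0.1.1026: . 7301:8761(1460) ack 1 win 32120
0.405997 IP 10.0.0.2.20 > 10.0.0.1.1026: . 8761:10221(1460) ack 1 win 32120
0.552130 IP 10.0.0.2.20 > 10.0.0.1.1026: . 4381:5841(1460) ack 1 win 32120
0.633402 IP 10.0.0.2.20 > 10.0.0.1.1026: . 10221:11681(1460) ack 1 win 32120
0.714600 IP 10.0.0.2.20 > 10.0.0.1.1026: . 11681:13141(1460) ack 1 win 32120
0.795813 IP 10.0.0.2.20 > 10.0.0.1.1026: . 13141:14601(1460) ack 1 win 32120
0.941950 IP 10.0.0.2.20 > 10.0.0.1.1026: . 10221:11681(1460) ack 1 win 32120
"""

TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): .*?"
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
)


def parse_data_segments(text):
    """Return (timestamp, sequence number) for every data-carrying segment, in arrival order."""
    segments = []
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line)
        if m and int(m["len"]) > 0:
            segments.append((float(m["ts"]), int(m["seq"])))
    return segments


def reordering_positions(segments):
    """Position measure: 1-based arrival positions of reordered segments.

    A segment is reordered when its sequence number is below the highest
    sequence number seen before it. A repeat of the highest segment itself
    (seq == high) is a plain retransmission, not a reordering.
    """
    positions, high = [], -1
    for pos, (_, seq) in enumerate(segments, start=1):
        if seq < high:
            positions.append(pos)
        else:
            high = seq
    return positions


def npr(segments):
    """NPR measure: number of packet reorderings in the connection."""
    return len(reordering_positions(segments))


def session_delay(segments):
    """Delay measure: time from the first to the last data segment."""
    return segments[-1][0] - segments[0][0]


def connection_samples(text):
    """All three measures for one connection, ready to feed the profiles."""
    segments = parse_data_segments(text)
    return {
        "position": reordering_positions(segments),
        "delay": session_delay(segments),
        "npr": npr(segments),
    }


if __name__ == "__main__":
    print(connection_samples(TRACE))
```

The Position measure yields one sample per reordering while Delay and NPR yield one sample per connection, which is why the slides train them as separate profiles with different bin counts.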
Long-term Profile
- Category, C-Training: learn the aggregate distribution of a statistic measure
- Q Statistics, Q-Training: learn how much deviation is considered normal
- Threshold
Long-term Profile: C-Training
For each sample of the statistic measure, X, find the bin it falls into. Example with four bins and the learned expected distribution:
  (0, 50]    20%
  (50, 75]   30%
  (75, 90]   40%
  (90, +∞)   10%
k bins; expected distribution p_1, p_2, ..., p_k, where Σ_{i=1}^{k} p_i = 1. Training time: months.
Long-term Profile: Q-Training (1)
For each sample of the statistic measure, X, count the bin it falls into. Example observed distribution over the same four bins:
  (0, 50]    20%
  (50, 75]   40%
  (75, 90]   20%
  (90, +∞)   20%
k bins; Y_i samples fall into the i-th bin; N samples in total, N = Σ_{i=1}^{k} Y_i. The counts are maintained with the weighted sum scheme with a fading factor.
Long-term Profile: Q-Training (2)
Deviation:
  Q = Σ_{i=1}^{k} (Y_i − N·p_i)² / (N·p_i)
Example (N = 10 samples; expected p = 0.2, 0.3, 0.4, 0.1; observed Y = 2, 4, 2, 2):
  Q = (2 − 10·0.2)²/(10·0.2) + (4 − 10·0.3)²/(10·0.3) + (2 − 10·0.4)²/(10·0.4) + (2 − 10·0.1)²/(10·0.1) = 2.33
Qmax: the largest value among all Q values.
Long-term Profile: Q-Training (3)
- Q distribution: [0, Qmax) is equally divided into 31 bins and the last bin is [Qmax, +∞)
- Distribute all Q values into the 32 bins
Threshold
- A predefined threshold: if Prob(Q > q) falls below the threshold, raise an alarm
(Figure: probability (0 to 0.08) per Q bin (0 to 30) with two marked thresholds, TH_yellow and TH_red.)
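The whole profile pipeline, from C-training through the Q statistic to the threshold test, as an added example that is not the authors' TDSAM implementation. It reproduces the worked numbers from the Q-Training slides and includes the weighted sum update that the appendix slide describes; the bin edges, the fading factor and the threshold value are assumptions made here, not values from the paper:

```python
"""Added example, not the authors' TDSAM implementation: the profile
machinery the slides describe, applied to one statistic measure.
C-training learns the expected distribution p_1..p_k over k bins;
Q-training computes Q = sum_i (Y_i - N p_i)^2 / (N p_i) for each observed
distribution, splits [0, Qmax) into 31 equal bins plus [Qmax, +inf) and
raises an alarm when Prob(Q > q) falls below a threshold. The short-term
counts Y_i use the weighted sum scheme from the appendix slide. The bin
edges, fading factor and threshold below are assumptions, not the paper's values.
"""


class LongTermProfile:
    """C-training: expected bin probabilities p_1..p_k of a statistic measure."""

    def __init__(self, upper_edges):
        # upper_edges are the upper bounds of the first k-1 bins, e.g. [50, 75, 90]
        # gives (0,50], (50,75], (75,90], (90,+inf): four bins.
        self.upper_edges = list(upper_edges)
        self.k = len(self.upper_edges) + 1
        self.counts = [0.0] * self.k

    def bin_of(self, x):
        for i, upper in enumerate(self.upper_edges):
            if x <= upper:
                return i
        return self.k - 1

    def c_train(self, samples):
        for x in samples:
            self.counts[self.bin_of(x)] += 1

    def expected(self):
        n = sum(self.counts)
        return [c / n for c in self.counts]


class ShortTermCounts:
    """Observed counts Y_i under the weighted sum scheme: when a record lands
    in bin i, Y_i <- a*Y_i + 1 and Y_j <- a*Y_j for j != i (a = fading factor),
    so old records fade away without an O(N) sliding window of raw records."""

    def __init__(self, k, fading):
        self.y = [0.0] * k
        self.fading = fading

    def observe(self, i):
        self.y = [self.fading * c for c in self.y]
        self.y[i] += 1.0

    def total(self):
        return sum(self.y)   # N = sum of Y_i


def q_statistic(y, p):
    """Q-training deviation of observed counts y from expected probabilities p."""
    n = sum(y)
    return sum((yi - n * pi) ** 2 / (n * pi) for yi, pi in zip(y, p))


class QDistribution:
    """Histogram of training-time Q values: 31 equal bins on [0, Qmax) and one
    open bin [Qmax, +inf), as on the slides."""

    def __init__(self, q_values, nbins=32):
        self.qmax = max(q_values)
        self.nbins = nbins
        self.hist = [0] * nbins
        for q in q_values:
            self.hist[self.q_bin(q)] += 1
        self.total = len(q_values)

    def q_bin(self, q):
        if q >= self.qmax:
            return self.nbins - 1
        return int(q / self.qmax * (self.nbins - 1))

    def tail_probability(self, q):
        """Prob(Q > q), approximated by the mass of the bins above q's bin."""
        return sum(self.hist[self.q_bin(q) + 1:]) / self.total

    def alarm(self, q, threshold):
        return self.tail_probability(q) < threshold


def check_observation(y, p, qdist, threshold):
    """One detection step: Q for the observed counts, and whether it alarms."""
    q = q_statistic(y, p)
    return q, qdist.alarm(q, threshold)


if __name__ == "__main__":
    # Worked numbers from the slides: expected 20/30/40/10 %, 10 observed samples
    # split 2/4/2/2 over the same four bins -> Q = 2.33.
    p = [0.2, 0.3, 0.4, 0.1]
    print("Q =", round(q_statistic([2, 4, 2, 2], p), 2))
```

Two practical points follow from the structure. Any Q at or above Qmax lands in the open last bin, whose tail mass is zero, so a deviation larger than anything seen in training always alarms; and the 31-bin approximation of Prob(Q > q) is only as fine as the training set, which is why the slides train the long-term profile over months.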
Q-Distribution for Position Measure
(Four histograms, one per site (Heidelberg, NCU, SingNet, UIUC): probability (0 to 0.2) per Q bin (0 to 35).)
Q-Distribution for Delay Measure
(Four histograms, one per site (Heidelberg, NCU, SingNet, UIUC): probability (0 to 0.3) per Q bin (0 to 35).)
Detect Malicious Dropping
- For each observed distribution, compare it to the expected distribution (calculate a Q value); if the Q value falls into the alarm zone, raise an alarm
- The short-term profile is updated using the weighted sum scheme
Long-term Profile Update
- Update only when no attack occurs during a period of time
- Update the expected distribution and the Q distribution with the weighted sum scheme, with the fading factor equal to 1
TDSAM Performance Analysis: Experiment Setting
(Figure: FTP Server -> Internet -> Divert Socket -> Attack Agent -> FTP Client on Linux 2.0.36 with TDSAM, downloading njcom210.zip (5.5M).)
- Persistent attacks: PerPD (10, 4, 5), ..., (100, 40, 5); RetPD (5, 5); RanPD (10), (40)
- Intermittent attacks: PerPD (10, 4, 5) with attack period 5 and 50
Example
- Long-term profile: nbin = 5, bin width = 800; p1 = 0.194339, p2 = 0.200759, p3 = 0.197882, p4 = 0.204260, p5 = 0.202760
- Under PerPD(20, 4, 5), which drops packets only within the first 85, the observed distribution becomes p1 = 0.837264, p2 = 0.039390, p3 = 0.043192, p4 = 0.041045, p5 = 0.039109
Results: Position Measure (nbin = 5)
DR = detection rate, MR = miss rate; the Normal* row gives the false alarm rate per site.

Attack                                 Heidelberg        NCU               SingNet           UIUC
                                       DR      MR        DR      MR        DR      MR        DR      MR
Normal* (false alarm)                  4.0%              5.4%              3.5%              6.5%
PerPD (10, 4, 5)                       99.7%   0.3%      100%    0%        100%    0%        100%    0%
PerPD (20, 4, 5)                       100%    0%        98.1%   1.9%      99.2%   0.8%      100%    0%
PerPD (40, 4, 5)                       96.6%   3.4%      100%    0%        100%    0%        98.5%   1.5%
PerPD (20, 20, 5)                      100%    0%        100%    0%        100%    0%        100%    0%
PerPD (20, 100, 5)                     98.9%   1.1%      99.2%   0.8%      99.6%   0.4%      99.1%   0.9%
PerPD (20, 200, 5)                     0%      100%      76.5%   23.5%     1.5%    98.5%     98.3%   1.7%
PerPD (100, 40, 5)                     0.2%    99.8%     0%      100%      0%      100%      100%    0%
RetPD (5, 5)                           84.9%   15.1%     81.1%   18.9%     94.3%   5.7%      97.4%   2.6%
RanPD (10)                             0%      100%      42.3%   57.7%     0%      100%      0%      100%
RanPD (40)                             0%      100%      0%      100%      0%      100%      0%      100%
Intermittent PerPD (10, 4, 5), period 5    98.6%   1.4%      100%    0%        98.2%   1.8%      100%    0%
Intermittent PerPD (10, 4, 5), period 50   34.1%   65.9%     11.8%   88.2%     89.4%   10.6%     94.9%   5.1%
Results: Delay Measure (nbin = 3)
DR = detection rate, MR = miss rate; the Normal* row gives the false alarm rate per site.

Attack                                 Heidelberg        NCU               SingNet           UIUC
                                       DR      MR        DR      MR        DR      MR        DR      MR
Normal* (false alarm)                  1.6%              7.5%              2.1%              7.9%
PerPD (10, 4, 5)                       97.4%   2.6%      95.2%   4.8%      94.5%   5.5%      99.2%   0.8%
PerPD (20, 4, 5)                       99.2%   0.8%      98.5%   1.5%      100%    0%        100%    0%
PerPD (40, 4, 5)                       100%    0%        100%    0%        100%    0%        100%    0%
PerPD (20, 20, 5)                      96.3%   3.7%      100%    0%        92.6%   7.4%      98.9%   1.1%
PerPD (20, 100, 5)                     100%    0%        95.3%   4.7%      98.7%   1.3%      100%    0%
PerPD (20, 200, 5)                     98.6%   1.4%      99%     1%        97.1%   2.9%      100%    0%
PerPD (100, 40, 5)                     100%    0%        100%    0%        100%    0%        100%    0%
RetPD (5, 5)                           100%    0%        100%    0%        100%    0%        100%    0%
RanPD (10)                             74.5%   25.5%     26.8%   73.2%     67.9%   32.1%     99.5%   0.5%
RanPD (40)                             100%    0%        100%    0%        100%    0%        100%    0%
Intermittent PerPD (10, 4, 5), period 5    25.6%   74.4%     0%      100%      0%      100%      97.3%   2.7%
Intermittent PerPD (10, 4, 5), period 50   0%      100%      24.9%   75.1%     0%      100%      3.7%    96.3%
Results: NPR Measure (nbin = 2)
DR = detection rate, MR = miss rate; the Normal* row gives the false alarm rate per site.

Attack                                 Heidelberg        NCU               SingNet           UIUC
                                       DR      MR        DR      MR        DR      MR        DR      MR
Normal* (false alarm)                  4.5%              5.8%              8.2%              2.9%
PerPD (10, 4, 5)                       0%      100%      14.4%   85.6%     29.1%   70.9%     100%    0%
PerPD (20, 4, 5)                       83.1%   16.9%     94.2%   5.8%      95.2%   4.8%      100%    0%
PerPD (40, 4, 5)                       100%    0%        97.4%   2.6%      100%    0%        100%    0%
PerPD (20, 20, 5)                      91.6%   8.4%      92%     8%        93.5%   6.5%      100%    0%
PerPD (20, 100, 5)                     94.3%   5.7%      92.2%   7.8%      96.4%   3.6%      100%    0%
PerPD (20, 200, 5)                     0%      100%      96.5%   3.5%      94.8%   5.2%      100%    0%
PerPD (100, 40, 5)                     100%    0%        100%    0%        100%    0%        100%    0%
RetPD (5, 5)                           0%      100%      84.7%   15.3%     23.9%   76.1%     46.5%   53.5%
RanPD (10)                             0%      100%      0%      100%      100%    0%        100%    0%
RanPD (40)                             100%    0%        100%    0%        100%    0%        100%    0%
Intermittent PerPD (10, 4, 5), period 5    0%      100%      0%      100%      82.2%   17.8%     100%    0%
Intermittent PerPD (10, 4, 5), period 50   0%      100%      1%      99%       40%     60%       64.8%   35.2%
TDSAM Performance Analysis: Results (good or bad!!)
- False alarm rate: less than 10% in most cases; the highest is 17.4%
- Detection rate:
  - Position: good on RetPD and most of PerPD; at NCU, 98.7% for PerPD(20,4,5), but 0% for PerPD(100, 40, 5), in which the dropped packets are evenly distributed over the connection
  - Delay: good on attacks that significantly change the session delay, e.g., RetPD and PerPD with a large value of K; at SingNet, 100% for RetPD(5,5), but 67.9% for RanPD(10)
  - NPR: good on attacks that drop many packets; at Heidelberg, 0% for RanPD(10), but 100% for RanPD(40)
TDSAM Performance Analysis: Results (cont.)
- Good sites correspond to a high detection rate: a stable and small session delay or packet reordering; e.g., using the Delay measure for RanPD(10): UIUC (99.5%) > Heidelberg (74.5%) > SingNet (67.9%) > NCU (26.8%)
- How to choose the value of nbin is site-specific; e.g., using the Position measure, the lowest false alarm rate occurs at nbin = 5 for Heidelberg (4.0%) and NCU (5.4%), at nbin = 10 for UIUC (4.5%) and at nbin = 20 for SingNet (1.6%)
Conclusion
- TDSAM with a single measure is able to detect dropping attacks but has weaknesses in identifying some malicious droppings
- Combining the 3 measures works well on most of the attacks, except for those causing very limited damage: RanPD with a small value of K, and intermittent attacks with a large attack interval
- Limitations....
Future....
- Detect non-TCP packet dropping attacks: choose appropriate statistic measures
- Service Level Agreement monitoring: build the long-term profile statistically; monitor the quality of service, e.g., evaluate the DNS response time
Contributions
- Packet dropping attacks: studied how to carry out the attacks; studied the impacts of dropping attacks; implemented the Attack Agent
- Intrusion detection: implementation of TDSAM; TDSAM performance analysis over the real Internet
Thanks
Any questions?
full paper:http://www.cs.ucdavis.edu/publications/PDALong.ps
Weighted Sum Scheme
Problems of the sliding window scheme:
- keeps the most recent N audit records
- required storage and computing time are O(N)
Weighted sum scheme. Assume k: number of bins; Y_i: count of audit records falling into the i-th bin; N: total number of audit records; a fading factor, written α here. When E_i occurs (a new audit record falls into bin i), update
  Y_i ← α·Y_i + 1
  Y_j ← α·Y_j,   j ≠ i
  N = Σ_{i=1}^{k} Y_i