1 / 26

Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)

Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany Weizman Yaniv Spring 2007. Traditional DoS attacks.

sumi
Download Presentation

Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Low-Rate TCP-Targeted Denial of Service Attacks(The Shrew vs. the Mice and Elephants) Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany Weizman Yaniv Spring 2007

  2. Traditional DoS attacks • Use high-rate transmission of packets (known as “sledge-hammer” approach) • Lead to lack of resources • Network bandwidth • Server or router CPU cycles • Server Interrupt processing capacity • Specific protocol data structures (TCP…) • Example DOS attacks • TCP SYN attacks (TCP based) • ICMP broadcast to a target host (IP based) • DNS flood attacks (UDP based) • Presents a statistical anomaly to network monitor • Relatively easily detectable & ,mitigated (using counter-DOS mechanisms)

  3. Outline • TCP congestion control protocol and timeout mechanism • The shrew attack • Simulation and internet experiments • DoS detection mechanisms • minRTO randomization

  4. TCP congestion control protocol • Using two timescales (Shorter vs. Longer) • Round Trip Time (RTT) - 10’s-100’s msec • Each flow transmit at the fair rate of its bottleneck link • Use Additive-Increase Multiplicative Decrease (AIMD) control • Retransmission timeout (RTO) – 1-N sec • Used on severe congestion with multiple losses • Exponential backoff phase. • RTO doubles with each subsequent timeout • Slow start mechanism • Slow RTO time-scale mechanisms are a key source of vulnerability to low rate attacks

  5. TCP timeout mechanism • TCP Reno loss detection • Timeout from non-receipt of ACKs • Receipt of less than a triple-duplicate ACK • RTO Low value vs. High value tradeoff • Low value – spurious retransmission (ACKs are delayed, not lost) • High value – late recover from congestion • RTO = max(minRTO, SRTT + max(G,4*RTTVAR)) • minRTO = 1 second (Allman and Paxton). • SRTT - Smoothed Round-Trip Time • RTTVAR - Round-Trip Time Variation • G - Clock granularity (<= 100ms) • R = RTT measurement • For small-RTT flows, RTO is set constantly as minRTO

  6. The shrew in the nature • A small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite. • In other words: “Katan Aval Mamzer…”

  7. The Shrew attack strategy • Attempts to deny bandwidth to TCP flows • Uses Low average rate TCP targeted attacks • Elude detection by counter-Dos mechanisms • Detecting Shrews may have unacceptably many false alarms (due to legitimate bursty flows) • Severity denial of service to legitimate users • Exploit protocol homogeneity and determinism • Protocols react in a pre-defined way • Tradeoff of vulnerability vs. predictability • Exploits the vulnerable TCP congestion control protocol

  8. The Shrew Attack • Periodic on-off “square-wave” induced outage pulse, highly synchronized to TCP RTO mechanism • Burst rate, R, varies up to full link capacity C • Burst length l ~RTT • Inter burst period, T ~minRTO, is between two successive outages

  9. The Shrew Attack (Cont.) • Burst length induces multiple packet losses for a flow, forcing TCP switch from RTT time-scale into RTO time-scale All active flows (nearly) simultaneously enter RTO time-scale

  10. The Shrew Attack (Cont.) • When flows attempt to simultaneously exit timeout and enter slow-start Shrew pulses again and forces flows synchronously back into timeout state • Outages at RTO scale imply low average rate • Victim will be throttled to near-zero throughput

  11. The model • A single bottleneck queue driven by n long-lived TCP flows with heterogeneous RTT and a single DoS flow • For any TCP flow in which • (a) l >= RTT • Congestion bursts lasts sufficiently long to force all TCP flows to simultaneously enter timeout • (b) minRTO > SRTTi + 4*RTTVARi • All TCP flows will have identical values of RTO and will thus timeout after minRTO seconds (ideal moment for an attack burst) The derived normalized throughput to link capacity (discarding slow-start phase) is given by • Despite the heterogeneous RTTs, most TCP flows are forced to “synchronize” to the attacker and enter timeout (nearly) concurrently and attempt to recover at (nearly) the same time

  12. Single TCP flow Simulation (vs. model) 1 TCP flow, C = 1.5 Mb/s, R = C, L=150 msec, minRTO = 1sec, 12ms<RTO<150ms • Two “null frequencies” responses (minRTO/2 & minRTO) • Analytical model accurately predicts degradation • Differences between minRTO/2 to RTO due to TCP slow start mechanism (TCP not utilize full link capacity) • When T > minRTO, TCP flow obtains increasingly higher throughput between RTO expirations & attack bursts

  13. Single TCP flow Simulation (cont.) • Average attack rate is given by (R*l)/T • R Decreasing with T increasing • Attack effectiveness is clearly NOT increasing with the attacker average rate

  14. Shrew challenges • Aggregation • RTT heterogeneity • DoS peak rate (R<C) • Short-lived TCP flows (Web browsing) • TCP variants • Internet experiments • Can Shrews be successful on the Internet?

  15. Aggregation of homogenous RTTsflows 5 long-lived TCP flows, C = 1.5 Mb/s, C=L, l = 100 msec, minRTO = 1sec, 12ms<RTT<132ms • Similar to one-flow, model fits for homogeneity aggregate • RTO homogeneity introduces one vulnerable timescale • One “null frequency” response • In minRTO time, there are flows in which RTT>l • Vulnerable due to Shrew-induced flow synchronization

  16. RTT heterogeneityRTT-based Filtering 20 long-lived TCP flows, C = 10 Mb/s, C=L, l = 100ms, minRTO = 1sec, 20ms<RTT<460ms • Shrews are high-RTT pass filters • Service is denied to short-RTT flows (up to RTT=180ms) • With No-DoS,shorter-RTT flows utilize more bandwidth • Despite the excess capacity, longer-RTT flows do not manage to improve their throughput • Depends on number of long-lived flows

  17. RTT heterogeneityShrew Peak Rate • Since there is a background traffic (UDP, ACKs) attacker can lower its peak rate and still maintain effective attack 4 TCP flows (1 short-RTT, 3 long-RTT) • Less-than-bottleneck bursts can damage short-RTT flows • Very low rate periodic flows, operating at on of the null TCP timescales are highly problematic for TCP traffic • Longer RTT flows play the role of background traffic

  18. Short-lived TCP traffic asHTTP traffic Short-lived TCP flows, Randomly web sites, Each page has 10 objects, response time normalized, HTTP load is 50% • Larger files (greater then 100 packets) are highly vulnerable • Some flows benefit from the attack and decrease their response time • Flow arrives into system between two attack outages and is able to transmit its entire file before next outage occurs

  19. TCP variants • Variants helps TCP flows survive multiple losses within single round trip time without incurring a retransmission timeout 4 attacks burst lengths (30, 50, 70, 90) • For short attack bust, TCP Reno is the most fragile • TCP is the most vulnerable in 1-1.2 sec time-scale region due to slow start • Sufficient pulse width ensures timeout • When burst length is severe enough => all TCP variants are equally fragile

  20. Internet LAN/WAN experiments • Intra-LAN • C (victim) = 10Mb/s, R = C, l = 200ms, Two hops between DoS-A & TCP-S • “Null frequency” at 1.2 sec • Attacked TCP flow decreased from 6.6Mb/s to 780 Kb/s • Inter-LAN • 3 different LANs, C = 10Mb/s (victim),100Mb/s, R = 10Mb/s, l < 100ms, Two routers & Two switches between two traverses. • “Null frequency” at 1.1 sec • Attacked TCP flow decreased from 9.8Mb/s to 800 Kb/s • WAN • R = 10Mb/s, l = 100ms, 8 hops between DoS and TCP-R • “Null frequency” at 1.1 sec • Attacked TCP flow decreased from 9.8Mb/s to 1.2Mb/s • Shrew attacks are efficient for both LAN & WAN

  21. Detecting ShrewsRouter-Assisted Mechanisms • Shrews have low average rate, yet send high-rate bursts on short time-scales 9 Aggregate TCP SACK flows • In “null frequency” at 1.2 sec, shrew remains effective • RED-PD Detects Shrews with unnecessarily high rate (T<0.5 sec) • Reducing RED-PD measurement time scale results in excessive false positives RED - Random Early Detection • Packets dropped with a probability dependent on the excess sending rate of the flow RED-PD – RED with Preferential Dropping mechanism • Uses packet drop history to detect high-bandwidth flows with high confidence

  22. Detecting Shrews End-point minRTO randomization • Observe • Shrews exploit protocol homogeneity and determinism • Question • Can minRTO randomization alleviate threat of Shrews? • TCP flows’ approach • Randomize the minRTO = uniform(a,b) • The longest most vulnerable timescale (“null frequency”) becomes T = b

  23. Detecting Shrews End-point minRTO randomization (cont.) • Shrews’ counter approach • Given flows randomize minRTO, the optimal Shrew pulses at time-scale T=b • Wait for all flows to recover and then pulse again • TCP throughput for T=b time-scale of the Shrew attack • a small  spurious retransmissions • b large  bad for short-lived (HTTP) traffic • Randomizing the minRTO parameter shifts and smoothes TCP’s null time-scales • Fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains

  24. Conclusions • Shrew principles • Exploit slow-time-scale protocol homogeneity and determinism • Real-world vulnerability to Shrew attacks • Internet experiment: 87.8% throughput loss without detection • Shrews are difficult to detect • Low average rate and “TCP friendly” • Cannot filter short bursts • Fundamental mismatch of attack/defense timescales

  25. Life conclusion Try to stay away from Shrews 

  26. Homework assignment • How does Shrew attack defer from traditional DoS attacks? • Shrew attacks are known as high-RTT pass filters. How they manage to do so? Can you consider an environment for using that capability? • Why shrew attacks are difficult to detect with existing counter-DoS mechanisms? What may be the risks of trying using bursts tuned detection? • For your opinion, does the underlying vulnerability is due to poor design of TCP timeout mechanism, or is it a consequence of other reason/s? Explain. E-mail: yanivwei@post.tau.ac.il

More Related