Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang, Z. Morley Mao, Jia Wang
Attacks on the Internet
• Attacks targeting end hosts
  • Denial of Service attacks, worms, spam
• Attacks targeting the routing infrastructure
  • Compromised routers
  • Stealthy denial of service attacks
[Figure: Internet bots (the attackers) send traffic across a target link toward a target destination; border routers (BR) and customer networks (C) are shown]
Border Gateway Protocol
• De facto standard inter-domain routing protocol
• Transport: a TCP connection between the two peers
• Keepalive messages confirm peer liveliness and determine peer reachability
• If the BGP HoldTimer expires before a Keepalive arrives, the BGP session is reset
[Figure: a BGP session between border routers in AS 1 and AS 2 exchanging Keepalives; when the HoldTimer expires the session is reset]
Low-rate TCP-targeted DoS attacks [Kuzmanovic03]
• Exploit TCP's deterministic retransmission behavior: while ACKs arrive the congestion window grows; after a loss with no ACK the sender retransmits after minRTO, then after 2 x minRTO, then 4 x minRTO, and so on
• The attack flow's period approximates the minRTO of the TCP flows, so the retransmissions coincide with the attack bursts
[Figure: TCP congestion window size (segments) vs. time, starting from the initial window size; the window grows while no packets are lost and collapses on loss, with retransmissions spaced at minRTO, 2 x minRTO, 4 x minRTO]
Impact of low-rate TCP DoS attacks
• Impact on any TCP connection
  • TCP continuously experiences loss
  • TCP obtains near-zero throughput
• Difficult to detect because of the low average rate
• Our finding: low-rate TCP DoS attacks can disrupt BGP (with default configurations)

Impact of routing disruption
• Reduced sending rate of the BGP session
• Increased convergence delay
• BGP session reset, leading to
  • Routing instability
  • Unreachable destinations
  • Traffic performance degradation
Outline
• Description of a potential attack against Internet routing
• Attack demonstration using testbed experiments
• Increased attack sophistication using multi-host coordination
• Defense solutions through prevention
Testbed experiments
• Using high-end commercial routers
• Demonstrating the attack feasibility
[Figure: Sender A and Receiver B attach over Gigabit Ethernet to Router R1 and Router R2 (both Cisco GSR), which are connected by an OC3 155 Mbps link carrying the BGP session]
The attack to bring down a BGP session
• Attacker A sends a UDP-based attack flow through Router R1 toward Receiver B, crossing the R1-R2 link
• A BGP Keepalive message from R1 to R2 is dropped due to congestion during a burst
• TCP retransmits the Keepalive after minRTO; the retransmission meets the next burst and is dropped
• The 2nd retransmission follows after 2*minRTO and is dropped again
• ... the 7th retransmitted Keepalive is lost as well; by then R2's Hold Timer has expired and the BGP session is reset
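The retransmission race in the frames above, written out as an added Python model (not the paper's code or the routers' behaviour): a square-wave attack flow (R, L, T), a BGP KEEPALIVE that is lost whenever it is sent during a burst that exceeds the link rate, TCP's doubling RTO, and the peer's HoldTimer. The timer values are assumptions, not the GSR settings: minRTO = 1 s (the floor RFC 6298 recommends), a 64 s RTO cap, 180 s hold time and 60 s keepalive interval. The deck's successful 600 ms period approximated the routers' own minRTO, so set min_rto_ms to the stack you are studying.

```python
"""Discrete-time model of a low-rate TCP-targeted DoS attack against the TCP
connection carrying a BGP session.  Added illustration, not the paper's code;
every timer value is an assumption, not a router default.

Model (integer milliseconds throughout, to avoid float-modulo surprises):
  * the attack is a square wave: R Mbps for L ms, silent for T-L ms;
  * a burst congests the target link only if R exceeds the link rate (the
    per-size buffer pools of a real line card are ignored);
  * a KEEPALIVE sent while a burst is on is dropped; TCP then retransmits
    after minRTO, 2*minRTO, 4*minRTO, ... up to maxRTO;
  * the peer resets its HoldTimer whenever a KEEPALIVE arrives and tears the
    session down if none arrives within the hold time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackFlow:
    peak_mbps: float   # R: magnitude of the peak
    burst_ms: int      # L: burst length
    period_ms: int     # T: inter-burst period

    def average_mbps(self) -> float:
        """Average rate R*L/T (the deck's 5 Mbps, 300 ms, 1 s gives 1.5 Mbps)."""
        return self.peak_mbps * self.burst_ms / self.period_ms

    def in_burst(self, t_ms: int) -> bool:
        return (t_ms % self.period_ms) < self.burst_ms


def simulate_keepalives(flow, link_mbps, min_rto_ms=1000, max_rto_ms=64000,
                        hold_ms=180000, keepalive_ms=60000, horizon_ms=600000):
    """Replay KEEPALIVEs under the attack.

    Returns (session_reset, reset_time_ms, retransmissions).  The session came
    up at t=0, the same instant the attack started (the phase is an
    assumption), and the first KEEPALIVE goes out keepalive_ms later.
    """
    congests = flow.peak_mbps > link_mbps
    last_delivered = 0            # the peer last reset its HoldTimer at t=0
    t_send = keepalive_ms
    retransmissions = 0
    while t_send < horizon_ms:
        t, rto = t_send, min_rto_ms
        while congests and flow.in_burst(t):
            # segment lost in the burst: back off and retransmit
            t += rto
            retransmissions += 1
            if t - last_delivered >= hold_ms:
                return True, last_delivered + hold_ms, retransmissions
            rto = min(2 * rto, max_rto_ms)
        last_delivered = t        # KEEPALIVE got through, HoldTimer reset
        t_send = t + keepalive_ms
    return False, None, retransmissions


def resetting_periods(peak_mbps, burst_ms, periods_ms, link_mbps, **kw):
    """Which inter-burst periods T bring the session down at fixed R and L."""
    return [T for T in periods_ms
            if simulate_keepalives(AttackFlow(peak_mbps, burst_ms, T),
                                   link_mbps, **kw)[0]]


if __name__ == "__main__":
    oc3 = 155.0
    for T in (600, 1000, 1200):
        flow = AttackFlow(185.0, 200, T)
        print(f"T={T} ms, avg={flow.average_mbps():.1f} Mbps ->",
              simulate_keepalives(flow, oc3))
    print("periods that reset the session (minRTO = 1000 ms):",
          resetting_periods(185.0, 200, [300, 500, 600, 1000, 1200, 2000], oc3))
```

With T equal to the assumed minRTO the KEEPALIVE is retransmitted seven times and the hold timer expires first; periods that divide minRTO (300 and 500 ms here, given the 200 ms burst) also work, but T = 2 x minRTO does not, because the retransmission offsets (2^k - 1) x minRTO are odd multiples of minRTO and land between bursts.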
Basic attack flow properties
• Burst length L
• Magnitude of the peak R
• Inter-burst period T

How likely is BGP session reset?
• Attack parameters: R = 185 Mbps, T = 600 msec
• 30% session reset probability with 42% capacity usage
• Min duration: 216 sec
Explanation of packet drops
• BGP packet drop locations: ingress or egress line card buffer queues
• Resource sharing across interfaces: interfaces on the same line card share buffers and processing time
[Figure: a router with Interfaces 1-4; a BGP packet passes through the ingress line card and egress line card buffers that the other interfaces share]

Buffer allocation in line cards
• Line card memory is divided into buckets for different packet sizes: (0, 80 Byte], [81, 270 Byte], [271, 502 Byte], [503, 908 Byte], [909, 1500 Byte]
• Packets cannot utilize buckets of a different size
[Figure: line card buffer queues in front of the switch fabric; the (0, 80 Byte] bucket is full, so an arriving BGP packet is dropped while the larger-size buckets remain empty]
Necessary conditions for session reset
• Inter-burst period approximates minRTO
• The attack flow's path traverses at least one link of the BGP session
• The attack flow's bottleneck link is the target link
[Figure: the attacker's path to the receiver crosses the bottleneck link between Router R1 and Router R2, which carry a multi-hop BGP session]
Outline
• Description of a potential attack against Internet routing
• Attack demonstration using testbed experiments
• Increased attack sophistication using multi-host coordination
• Defense solutions through prevention
Coordinated low-rate DoS attacks
• Attack host A sends to Destination C and Attack host B to Destination D; both paths traverse the target BGP session between Router R1 and Router R2
• The bursts of the individual flows combine on the target link
Host selection for coordinated attacks
• Select attack host-destination pairs whose paths traverse the target link
  • Identify the target link's geographic location and ASes
  • Identify prefixes with an AS-level path through the target link
  • Identify the IP-level paths

Wide-area experiments
• Internet bottleneck link available bandwidth measurement
  • 160 peering links
  • 330 customer and provider links
• Attack host selection
  • PlanetLab hosts as potential attack hosts
  • Attack hosts geographically close to the target link
• Attacks targeting a local BGP session

Wide-area coordinated attacks against a local BGP session
• Per-flow parameters: R = 5 Mbps, L = 300 msec, T = 1 s; average rate = 1.5 Mbps
[Figure: attack hosts UW1 and UW2 (US) and THU1 and THU2 (China) send across the WAN toward software router 1 and software router 2, which are joined by the targeted BGP session; link speeds of 10 Mbps and 100 Mbps are marked]

Conditions for coordinated attacks (primed items replace the single-flow conditions)
• 1. Inter-burst period approximates minRTO
• 1'. The combined attack flows are strong enough to cause congestion
• 2. Each attack flow's path traverses the BGP session
• 3. The attack flow's bottleneck link is the target link
• 3'. Identify the target link's location
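Conditions 2, 3 and 1' as executable checks over a constructed topology, added here as an illustration (not the paper's measurement or host-selection code): a host-destination pair is usable when its path crosses the target link and that link is its bottleneck, and enough usable flows must be combined for their peaks to exceed the link's available bandwidth. Router names, capacities and paths are made up.

```python
"""Executable form of the deck's conditions for a coordinated attack, run over
a constructed topology.  Added illustration with made-up routers, capacities
and paths; not the paper's code.
"""
import math

# Constructed link capacities in Mbps (links are undirected).
CAPACITY = {
    frozenset({"R1", "R2"}): 10.0,   # target link carrying the BGP session
    frozenset({"A", "R1"}): 100.0,
    frozenset({"B", "R1"}): 100.0,
    frozenset({"C", "R1"}): 2.0,     # thin access link: C's bottleneck is not the target
    frozenset({"R2", "X"}): 100.0,
    frozenset({"R2", "Y"}): 100.0,
    frozenset({"A", "R3"}): 100.0,
    frozenset({"R3", "Y"}): 100.0,
}

# Constructed IP-level paths, attack host -> destination, as a traceroute
# from each host would show them.
PATHS = {
    ("A", "X"): ["A", "R1", "R2", "X"],
    ("B", "Y"): ["B", "R1", "R2", "Y"],
    ("C", "X"): ["C", "R1", "R2", "X"],
    ("A", "Y"): ["A", "R3", "Y"],      # reaches Y without crossing R1-R2
}


def path_links(path):
    return [frozenset(hop) for hop in zip(path, path[1:])]


def bottleneck(path):
    """Lowest-capacity link on the path (condition 3 compares it to the target)."""
    return min(path_links(path), key=lambda link: CAPACITY[link])


def usable_pairs(target_link, paths=PATHS):
    """Pairs whose path traverses the target link (2) and bottlenecks there (3)."""
    target = frozenset(target_link)
    return [pair for pair, path in paths.items()
            if target in path_links(path) and bottleneck(path) == target]


def hosts_needed(pairs, peak_mbps, available_mbps):
    """Fewest usable pairs whose combined peak R exceeds the target link's
    available bandwidth (condition 1'); None if all of them together cannot
    congest it.  Assumes every host can reach the same peak."""
    n = math.floor(available_mbps / peak_mbps) + 1
    return n if n <= len(pairs) else None


if __name__ == "__main__":
    pairs = usable_pairs(("R1", "R2"))
    print("usable host-destination pairs:", pairs)
    print("hosts needed at 6 Mbps peak against 10 Mbps available:",
          hosts_needed(pairs, 6.0, 10.0))
```

The pair ("C", "X") crosses the target link but is rejected because its own 2 Mbps access link is the bottleneck, so its bursts would never congest R1-R2; ("A", "Y") is rejected because it bypasses the link.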
Outline
• Description of a potential attack against Internet routing
• Attack demonstration using testbed experiments
• Increased attack sophistication using multi-host coordination
• Defense solutions through prevention
Attack prevention: hiding information
• Randomize minRTO [Kuzmanovic03]: minRTO takes any value within a range [a, b]
  • Does not eliminate BGP session reset
• Hide the network topology from end hosts
  • Disable ICMP TTL Time Exceeded replies at routers

Attack prevention: prioritize routing traffic
• Weighted Random Early Detection (WRED)
  • Prevents TCP synchronization by selectively dropping packets
  • Drops low-priority packets first when the queue size exceeds defined thresholds
• Assumption of WRED: the IP precedence field is not spoofed
  • So the IP precedence markings must be policed

Support from existing commercial routers
• Router-supported policing features: Committed Access Rate (CAR), class-based policing
• Traffic marking: reset incoming packets to low priority
• Class-based queuing: drop the low-priority packets when the traffic burst is high
• Effective in isolating BGP packets from attack traffic!
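The defense on the two slides above, re-marking at ingress and precedence-aware dropping at egress, as an added Python model (not the paper's code and not any vendor's queue implementation). Only the deterministic part of WRED is modelled, the per-precedence maximum threshold above which packets are dropped, without the random early drops; queue depth, thresholds, interface names and the precedence value used for BGP are assumptions.

```python
"""Model of the 'prioritize routing traffic' defense: precedence-aware egress
dropping plus ingress policing of the IP precedence field.  Added
illustration; queue depth, thresholds, interface names and the precedence
used for BGP are assumptions.
"""
from dataclasses import dataclass

PREC_ROUTING = 6        # assumed marking for BGP (IP precedence "internetwork control")
PREC_BEST_EFFORT = 0


@dataclass(frozen=True)
class Packet:
    src_iface: str      # interface it arrived on; "local" = router-originated
    precedence: int     # IP precedence as carried; an attacker can set this
    is_bgp: bool


def police_precedence(pkt: Packet, trusted_ifaces: set) -> Packet:
    """Ingress policy: anything from an untrusted interface is re-marked to
    best effort whatever precedence it claims (the deck's 'reset incoming
    packets to low priority').  Trusted interfaces keep their marking."""
    if pkt.src_iface in trusted_ifaces:
        return pkt
    return Packet(pkt.src_iface, PREC_BEST_EFFORT, pkt.is_bgp)


class EgressQueue:
    """One shared buffer of `depth` packets.  With prioritize=True a packet
    marked below PREC_ROUTING is dropped once the queue holds low_threshold
    packets, while routing-marked packets may use the whole buffer.  With
    prioritize=False everything is tail-dropped at depth, the unprotected
    default configuration the testbed attack exploited."""

    def __init__(self, depth=64, low_threshold=48, prioritize=True):
        self.depth, self.low_threshold, self.prioritize = depth, low_threshold, prioritize
        self.queue, self.dropped = [], []

    def enqueue(self, pkt: Packet) -> bool:
        limit = self.depth
        if self.prioritize and pkt.precedence < PREC_ROUTING:
            limit = self.low_threshold
        if len(self.queue) >= limit:
            self.dropped.append(pkt)
            return False
        self.queue.append(pkt)
        return True


def run_burst(prioritize: bool, police: bool, attacker_precedence: int,
              burst_packets: int = 80):
    """An attack burst from the customer interface fills the egress queue
    toward the BGP peer, then the router's own KEEPALIVE is enqueued.
    Returns (keepalive_queued, attack_queued, attack_dropped)."""
    trusted = {"local", "backbone0"}
    if not police:
        trusted.add("customer0")     # customer markings are believed as-is
    q = EgressQueue(prioritize=prioritize)
    for _ in range(burst_packets):
        q.enqueue(police_precedence(
            Packet("customer0", attacker_precedence, False), trusted))
    attack_queued, attack_dropped = len(q.queue), len(q.dropped)
    keepalive = police_precedence(Packet("local", PREC_ROUTING, True), trusted)
    return q.enqueue(keepalive), attack_queued, attack_dropped


if __name__ == "__main__":
    print("default FIFO, honest attacker:   ", run_burst(False, False, 0))
    print("WRED only, honest attacker:      ", run_burst(True, False, 0))
    print("WRED only, spoofed precedence 6: ", run_burst(True, False, 6))
    print("WRED + policing, spoofed prec 6: ", run_burst(True, True, 6))
```

The third case is the deck's caveat in action: an attacker who marks the UDP flow with the routing precedence fills the whole buffer under WRED alone, and the KEEPALIVE is dropped exactly as in the unprotected case; re-marking at the untrusted interface restores the protection.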
Conclusion
• Feasibility of attacks against the Internet routing infrastructure
• Lack of protection of routing traffic
• Prevention solution using existing router configurations
  • Ubiquitous deployment is challenging
• Difficulties in detecting and defending against coordinated attacks
  • May affect any network infrastructure

Attack flow notations
• Periodic, on-off square-wave flow
• Burst period length L
• Inter-burst period T
• Burst magnitude of the peak R

[Figure: Attack inter-burst period's impact on table transfer duration (R = 185 Mbps, L = 200 msec)]
[Figure: Attack peak magnitude's impact on session reset and table transfer duration; top: T = 600 msec, L = 200 msec (normalized avg rate 0.48); bottom: T = 1.2 s, L = 200 msec (normalized avg rate 0.24)]