1 / 26

SIGCOMM ’ 03 Low-Rate TCP-Targeted Denial of Service Attacks

SIGCOMM ’ 03 Low-Rate TCP-Targeted Denial of Service Attacks. A. Kuzmanovic and E. W. Knightly Rice University Reviewed by Haoyu Song 9/25/2003. Denial of Service Attack. Preventing or degrading service to legitimate users. TCP SYN Attack ICMP directed broadcasts Target Network bandwidth

hvandenbosch
Download Presentation

SIGCOMM ’ 03 Low-Rate TCP-Targeted Denial of Service Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SIGCOMM’03Low-Rate TCP-Targeted Denial of Service Attacks A. Kuzmanovic and E. W. Knightly Rice University Reviewed by Haoyu Song 9/25/2003

  2. Denial of Service Attack • Preventing or degrading service to legitimate users. • TCP SYN Attack • ICMP directed broadcasts • Target • Network bandwidth • Server/router CPU cycles • Interrupt processing capacity • Operating system/protocol data structure

  3. DoS Attack Common Characteristics • Exploits the bugs or features of the operating system or inherent limitations of the networking • Involves large number of compromised computers • High-rate traffic toward victim node • Can be detected, traced back, mitigated or cleared. • Firewall, Intrusion Detect Device, Operating System Patches.

  4. Low-Rate DoS Attack • Exploits the vulnerability of the TCP’s congestion control algorithm; • The rate is so low that it is hard to be detected; • Degrade the victim’s throughput significantly; • Not easy to fix.

  5. Layout of the Paper • Background: TCP’s Timeout Mechanism • DoS Modeling • Extensive Simulation and Experiments • Counter-DoS Techniques • Conclusion

  6. TCP Retransmission Timeout Mechanism • If less than 3 duplicate ACKs are received before RTO expires • Shrink its congestion window to 1 packets (slow start). • Set new RTO to 2*RTO (exponential backoff) • Retransmit the lost packet. • RTO Selection is a tradeoff • Spurious timeout and extraneous retransmission if too small. • Too slow to recover from congestion if too large.

  7. RTO Estimation • SRTT – smoothed round trip time • RTTVAR – round trip time variation • R’ – RTT sample • minRTO – lower bound for RTO, 1 second • G – clock granularity

  8. The Idea of Low-rate DoS Attack • What to do • Provoke a TCP flow to repeatedly enter a retransmission timeout state • Throttle the TCP throughput to near-zero • How to do • Sending high-rate, RTT scale short duration bursts and repeating periodically at RTO scale period. • Low average rate is hard to be detected

  9. DoS Modeling

  10. DoS TCP Throughput • Two “null” point: T=minRTO/2 and T=minRTO

  11. In Practice • Periodic DoS attack are not utilizing TCP exponential backoff mechanism but rather exploit repeated timeout. • If only subset of TCP flows satisfy the conditions, only the subset obtain the degraded throughput (flow filtering)

  12. Creating DoS Outages • Minimize the rate of DoS stream

  13. Impact on Long-lived Homogeneous-RTT TCP Traffic • 1.5Mb/s link • One way propagation delay = 6ms • RTT varies from 12ms to 132 ms • DoS Traffic: 1.5Mb/s peak rate, 100ms burst and 50-byte packet • 5 TCP flows simulation

  14. Impact on Long-lived Heterogeneous-RTT TCP Traffic • 20 TCP flows • 10 Mb/s link • RTT varies from 29 to 460 ms • DoS burst traffic: 10Mb/s, 100ms burst and 1.1sec period

  15. DoS Burst Length • High-RTT-pass filter • As burst length increase, more TCP flows are filtered thus the aggregate TCP throughput decreases.

  16. DoS Peak Rate • Background traffic potentially lower the DoS peak rate while maintaining an effective attack • Senario: 1 DoS flow and 4 TCP flows. 3 TCP flows with long RTT serve as the background traffic • Relatively low peak rates are sufficient to filter the short-RTT flow

  17. Impact on HTTP Traffic • HTTP traffic is more dynamic • Have more impact on heavy load • Have more impact on large file size • Some flows benefit from the attack: avoid the outages.

  18. DoS on TCP Variants • Effect attacks depend on the ability to create correlated packet loss and force TCP flows to enter retransmission timeout.

  19. Internet Experiments • Intra-LAN • Inter-LAN • WAN

  20. Intra-LAN Scenario • 10Mb/s Ethernet • Attacker: 10Mb/s peak rate, 200ms burst length. • Null frequency: 1.2 sec. • DoS average rate: 1.67 Mb/s if period is 1.2 sec. • TCP flow throughput drops from 6.6 Mb/s to 780 kb/s

  21. Inter-LAN Scenario • Attacker and TCP sender are on different 100Mb/s Ethernet • Attacked host is on a 10 Mb/s Ethernet • DoS peak rate 10Mb/s, burst duration 100ms • Null frequency : 1.1 sec • At this time scale, DoS average rate is 909Kb/s • TCP flow throughput drops from 9.8Mb/s to 800 kb/s

  22. WAN Scenario • DoS source is 8 hops away, 10Mb/s peak rate and 100ms burst duration. • T = 1.1 sec, TCP througput drops to 909Kb/s from 9.8Mb/s

  23. Router-Assisted Counter-DoS • Consider only dropping algorithms rather than scheduling • RED and RED-PD

  24. Router-Assisted Counter-DoS cont’ • Vary the DoS peak rate or burst length • 9 TCP SACK flows • Bottleneck Rate 1.5 Mb/s

  25. End-point minRTO Randomization Counter-DoS • Fact: low rate attacks exploit minRTO homogeneity • Remedy: Radomize end systems minRTO to randomize their null fequecnies • Experiment: minRTO = uniform(a,b) • Result: the longest most vulnerable timescale becomes T = b

  26. Conclusion • This attack can against both short and long-lived TCP flows. • In heterogeneous RTT environment, it shows to be a high-RTT pass filter. • No effective way to defend the system in the presence of this low-rate DoS attack.

More Related