Low-rate TCP-Targeted Denial of Service Attacks • Aleksandar Kuzmanovic and Edward W. Knightly • Presented by Prasanth Kalakota & Ravi Katpelly
Outline • Introduction • TCP timeout mechanism • DoS outages • Counter-DoS techniques • Conclusion
Introduction • DoS attacks prevent legitimate users from accessing a service by consuming its resources (bandwidth, buffers, connection state) • Conventional types: TCP SYN floods, ICMP broadcast floods, DNS floods; all rely on a high average sending rate, which is what rate-based detection looks for • Shrew attacks, or low-rate DoS attacks, keep a low average rate and instead exploit TCP's retransmission timeout behaviour
TCP Congestion Control • Uses Additive Increase Multiplicative Decrease (AIMD) • Falls back on the Retransmission Timeout (RTO) when loss is severe enough that fast retransmit cannot recover (e.g. a whole window lost) • Selection of the RTO value is a trade-off • Case (i): if too low, spurious retransmissions occur • Case (ii): if too high, flows wait unnecessarily long after a loss
TCP Congestion Control (cntd') • For the first case, the timeout value should be at least 1 sec (minRTO = 1 s, suggested and verified by Allman and Paxson) • For the second case, the TCP sender maintains two state variables from which the RTO is computed adaptively • Smoothed Round Trip Time (SRTT) • Round Trip Time Variation (RTTVAR)
Terms used • RTT (measured round-trip time, R') • RTO (retransmission timeout) • SRTT (smoothed RTT estimate) • RTTVAR (RTT variation estimate) • minRTO (lower bound on RTO, 1 s in RFC 2988) • G (clock granularity)
TCP's Timeout Mechanism • Specified in RFC 2988 • When the first RTT measurement R' is made: SRTT = R', RTTVAR = R'/2, RTO = max(minRTO, SRTT + max(G, 4·RTTVAR)) • When each subsequent RTT measurement R' is made: RTTVAR = (1−β)·RTTVAR + β·|SRTT − R'| (using the SRTT from before this update), SRTT = (1−α)·SRTT + α·R', RTO = max(minRTO, SRTT + max(G, 4·RTTVAR)) • α = 1/8 and β = 1/4 • On every timer expiry the RTO is doubled (exponential backoff) • For a short-RTT flow with little jitter, SRTT + 4·RTTVAR is far below 1 s, so the clamp wins and the flow's timeout is effectively the constant minRTO
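A worked implementation of these update rules, added here as an illustration and not code from the paper or the presenters: it applies the RFC 2988 equations with α = 1/8 and β = 1/4, clamps the result at minRTO = 1 s, doubles on timeout, and checks the condition minRTO > SRTT + 4·RTTVAR that the low-rate attack relies on. The clock granularity G = 10 ms, the 60 s upper bound and the RTT samples are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constants from RFC 2988 section 2: K = 4, alpha = 1/8, beta = 1/4.
K = 4
ALPHA = 1 / 8
BETA = 1 / 4


@dataclass
class RtoEstimator:
    """Retransmission-timer state of one TCP sender, per RFC 2988."""
    min_rto: float = 1.0        # RFC 2988: an RTO below 1 s is rounded up to 1 s
    max_rto: float = 60.0       # RFC 2988 allows an upper bound of at least 60 s
    granularity: float = 0.01   # clock granularity G; 10 ms is an assumed value
    srtt: Optional[float] = None
    rttvar: Optional[float] = None
    rto: float = 1.0

    def raw_rto(self) -> float:
        """SRTT + max(G, K*RTTVAR), i.e. the RTO before the minRTO clamp."""
        return self.srtt + max(self.granularity, K * self.rttvar)

    def sample(self, r: float) -> float:
        """Feed one RTT measurement R' and return the recomputed RTO."""
        if self.srtt is None:
            self.srtt = r            # first measurement
            self.rttvar = r / 2
        else:
            # RTTVAR is updated with the old SRTT, so this order matters
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r
        self.rto = min(self.max_rto, max(self.min_rto, self.raw_rto()))
        return self.rto

    def on_timeout(self) -> float:
        """Exponential backoff: the timer doubles every time it expires."""
        self.rto = min(self.max_rto, 2 * self.rto)
        return self.rto

    def min_rto_dominates(self) -> bool:
        """True when minRTO > SRTT + 4*RTTVAR: the adaptive estimate sits below
        the floor, so the flow's timeout is effectively the constant minRTO.
        This is the precondition the low-rate attack exploits."""
        return self.srtt is not None and self.min_rto > self.srtt + K * self.rttvar


def estimator_after(samples: Iterable[float], **kwargs) -> RtoEstimator:
    """Run the estimator over a sequence of RTT samples and return its state."""
    est = RtoEstimator(**kwargs)
    for r in samples:
        est.sample(r)
    return est


if __name__ == "__main__":
    # Constructed RTT samples: a short-RTT path and a long-RTT path.
    for name, rtts in (("short-RTT", [0.05, 0.06, 0.055, 0.05]),
                       ("long-RTT", [0.5, 0.5])):
        est = estimator_after(rtts)
        print(f"{name}: SRTT={est.srtt:.4f} RTTVAR={est.rttvar:.4f} "
              f"raw RTO={est.raw_rto():.4f} RTO={est.rto:.2f} "
              f"minRTO dominates={est.min_rto_dominates()}")
```

The short-RTT path ends with a raw estimate of roughly 0.13 s but an effective RTO of exactly 1 s; the long-RTT path (500 ms, initial RTTVAR = 250 ms) stays above the floor, so its timeout still tracks the measurements and the attack's precondition does not hold for it.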
Low-Rate DoS Attacks • Attackers exploit the TCP timeout mechanism • Send short bursts (outages) whose length is on the RTT time scale, long enough for every packet of a window to be lost • Repeat them periodically on the slower RTO time scale (period close to minRTO), so the average attack rate stays low
Model of DoS Attack (Simple DoS Model) • Assume a single TCP flow and a single DoS stream • The attacker sends a short burst at time t = 0 that causes the flow's whole window to be lost • The TCP sender times out, waits minRTO = 1 s, and then retransmits • If the attacker sends the second outage between 1 and 1 + 2·RTT, the retransmission is lost as well and the sender doubles its RTO (exponential backoff) • Repeating this keeps the flow in timeout for almost the entire time while the attacker is idle between bursts
Model of DoS Attack (cntd') • Generalization: N TCP flows with heterogeneous RTTs sharing one bottleneck, and a single DoS flow
Model of DoS Attack (cntd') • DoS TCP Throughput Result • Assume a periodic DoS attack with period T • Condition (i): L' ≥ RTTi, i.e. the outage is long enough to lose the whole window of flow i • Condition (ii): minRTO > SRTTi + 4·RTTVARi for all i = 1,…,n, i.e. every flow's timeout is pinned at minRTO • Under these conditions the normalized throughput of the aggregate TCP flow is given by a closed-form expression in T and minRTO (expression omitted on the slide); it is zero when the outages line up with the timer expiries
Model of DoS Attack (cntd') • DoS TCP Flow-Filtering Result • Flows i = 1,…,k with L' ≥ RTTi and minRTO > SRTTi + 4·RTTVARi satisfy both conditions and are filtered (throttled to near-zero throughput) • Flows j = k+1,…,n with L' < RTTj and minRTO ≤ SRTTj + 4·RTTVARj are not forced into repeated timeouts and keep transmitting • The attack therefore removes a subset of the flows, selected by their RTT, rather than all traffic at the bottleneck
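The periodic-outage model of the preceding slides worked through as an added simulation (my code, not the authors'): one flow is hit by bursts of length L' at every multiple of T, times out for minRTO after each hit, backs off exponentially while retransmissions keep landing inside bursts, and is counted as transmitting at full rate from a successful retransmission until the next burst. Sweeping T reproduces the null throughput at T = minRTO (and at minRTO/2) and the partial throughput at periods slightly longer than minRTO. The same function is then evaluated over flows with different minRTO values, which is the end-point minRTO randomization idea listed among the counter-DoS techniques later in the deck. The 50 ms RTT, 100 ms burst, 60 s horizon, 64 s backoff cap and the decision to ignore slow-start ramp-up are my simplifications; the paper's closed-form expression is not reproduced here.

```python
from fractions import Fraction
from math import floor
from typing import Iterable


def _frac(x) -> Fraction:
    """Exact arithmetic: 0.1 becomes 1/10, not its binary approximation."""
    return x if isinstance(x, Fraction) else Fraction(str(x))


def in_burst(t: Fraction, period: Fraction, burst_len: Fraction) -> bool:
    """True when instant t lies inside an attack burst [k*T, k*T + L')."""
    k = floor(t / period)
    return t < k * period + burst_len


def normalized_throughput(period, burst_len, rtt, min_rto,
                          horizon=60, max_rto=64) -> Fraction:
    """Fraction of the horizon during which one TCP flow is transmitting
    under bursts of length L' that start at every multiple of T (first at t=0).

    Simplifications (mine, chosen to keep the model small):
    - requires L' >= RTT, so every burst empties the window and forces a timeout
    - the timer starts at minRTO and doubles on each consecutive loss (backoff)
    - a retransmission that lands outside a burst succeeds, the timer returns to
      minRTO and the flow is counted as sending at full rate until the next burst
      (slow-start ramp-up is ignored)
    """
    period, burst_len, rtt, min_rto, horizon, max_rto = map(
        _frac, (period, burst_len, rtt, min_rto, horizon, max_rto))
    if burst_len < rtt:
        raise ValueError("model assumes L' >= RTT; shorter bursts do not lose the whole window")
    t = Fraction(0)
    rto = min_rto
    sending = Fraction(0)
    while t < horizon:
        if in_burst(t, period, burst_len):
            # whole window (or the retransmission) lost: wait RTO, then back off
            t += rto
            rto = min(2 * rto, max_rto)
            continue
        rto = min_rto                      # successful retransmission resets the timer
        next_burst = (floor(t / period) + 1) * period
        end = min(next_burst, horizon)
        sending += end - t
        t = end
    return sending / horizon


def aggregate_throughput(min_rtos: Iterable, period, burst_len, rtt, **kw) -> Fraction:
    """Mean normalized throughput over flows that share the bottleneck but may
    each use a different minRTO (all minRTO = 1 s models the RFC default;
    spreading them models end-point minRTO randomization)."""
    vals = [normalized_throughput(period, burst_len, rtt, m, **kw) for m in min_rtos]
    return sum(vals) / len(vals)


if __name__ == "__main__":
    # Constructed scenario: 50 ms RTT flow, 100 ms bursts, minRTO = 1 s.
    for T in (0.5, 1, 1.2, 1.5, 2):
        print(f"T={T:<4} throughput={float(normalized_throughput(T, 0.1, 0.05, 1)):.3f}")
    print("randomized minRTO, T=1:",
          float(aggregate_throughput([1, 1.1, 1.2], 1, 0.1, 0.05)))
```

With minRTO fixed at 1 s the flow gets nothing at T = 1 s or T = 0.5 s, a third of the link at T = 1.5 s and half at T = 2 s; with three flows whose minRTO values are 1.0, 1.1 and 1.2 s, the same T = 1 s attack leaves the aggregate with 17/60 of the bandwidth, because only the flow whose timer matches the period is kept in timeout.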
Creating DoS outages • Instantaneous queue behaviour at the bottleneck • B = queue size • B0 = queue occupancy at the onset of an attack • RTCP = instantaneous rate of the TCP flow • RDoS = rate of the DoS flow • L = DoS burst length • T = DoS attack period • C = bottleneck rate • If RDoS + RTCP > C, the time at which the queue becomes full is L1 = (B − B0)/(RDoS + RTCP − C)
Creating DoS outages (cntd') • The queue then remains full for L2 = L − L1 seconds, i.e. for the rest of the burst, as long as RDoS + RTCP ≥ C; every packet arriving during that time is dropped, which is the outage seen by TCP • With no TCP traffic and B0 = 0, the fill time is L1 = B/(RMAX − C), where RMAX is the attacker's peak rate • Once the buffer is full, a rate of exactly C is enough to keep it full, so the attacker can drop its rate to the bottleneck rate C for the remainder of the burst
Minimum Rate DoS Streams • Double-rate DoS stream: send at the peak rate RMAX for L1 to fill the queue, then at the bottleneck rate C for L2 to keep it full • Produces the same outage length as a single-rate square wave of length L1 + L2 with a lower average rate
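The queue-fill reasoning of the last three slides as an added fluid-queue simulation (not part of the paper or the presentation): a drop-tail queue of B packets drained at C packets/s is fed by a DoS stream plus a constant TCP rate, and the simulator reports when the queue first fills, how long it stays full, and how much the attacker had to send. The analytic L1 = (B − B0)/(RDoS + RTCP − C) is checked against the simulation, and a single-rate square wave is compared with a double-rate stream that produces the same outage. Packet-count units, B = 150, C = 1000 packets/s, the 1 ms step and the rates are values I chose for the example.

```python
from fractions import Fraction
from typing import Callable, Optional, Tuple

Rate = Callable[[Fraction], Fraction]   # offered DoS rate as a function of time


def _frac(x) -> Fraction:
    """Exact arithmetic so that step counts and fill times come out exact."""
    return x if isinstance(x, Fraction) else Fraction(str(x))


def fill_time(B, B0, r_dos, r_tcp, C) -> Optional[Fraction]:
    """Analytic time to fill the queue: L1 = (B - B0) / (R_DoS + R_TCP - C).
    Returns None when the offered load never exceeds C (the queue never fills)."""
    B, B0, r_dos, r_tcp, C = map(_frac, (B, B0, r_dos, r_tcp, C))
    excess = r_dos + r_tcp - C
    if excess <= 0:
        return None
    return (B - B0) / excess


def square_wave(rate, length) -> Rate:
    """Single-rate burst: R_DoS for [0, L), then silence."""
    rate, length = _frac(rate), _frac(length)
    return lambda t: rate if Fraction(0) <= t < length else Fraction(0)


def double_rate(r_max, C, L1, L2) -> Rate:
    """Double-rate burst: R_max for L1 (fills the queue), then the bottleneck
    rate C for L2 (just enough to keep it full), then silence."""
    r_max, C, L1, L2 = map(_frac, (r_max, C, L1, L2))
    return lambda t: r_max if t < L1 else (C if t < L1 + L2 else Fraction(0))


def simulate_queue(dos: Rate, r_tcp, C, B, B0, duration,
                   dt=Fraction(1, 1000)) -> Tuple[Optional[Fraction], Fraction, Fraction]:
    """Fluid model of a drop-tail bottleneck queue of size B (packets),
    drained at C packets/s, fed by the DoS stream plus a constant TCP rate.

    Returns (first_full_at, full_time, dos_packets_sent): when the queue first
    fills, how long it stays full (every arrival during that time is dropped,
    which is the outage seen by TCP), and the attacker's total packets.
    """
    r_tcp, C, B, B0, duration = map(_frac, (r_tcp, C, B, B0, duration))
    q = B0
    first_full = None
    full_time = Fraction(0)
    sent = Fraction(0)
    for k in range(int(duration / dt)):
        t = k * dt
        r_dos = dos(t)
        inflow = r_dos + r_tcp
        sent += r_dos * dt
        if q == B and inflow >= C:
            full_time += dt          # saturated for the whole step: all arrivals dropped
        q = min(B, max(Fraction(0), q + (inflow - C) * dt))
        if first_full is None and q == B:
            first_full = (k + 1) * dt
    return first_full, full_time, sent


if __name__ == "__main__":
    # Constructed scenario: B = 150 packets, C = 1000 packets/s, 0.5 s window.
    print("analytic L1:", fill_time(150, 0, 2000, 500, 1000))
    print("square wave + TCP:", simulate_queue(square_wave(2000, 0.3), 500, 1000, 150, 0, 0.5))
    # Same 0.2 s outage with no TCP traffic: single-rate vs double-rate stream.
    print("square wave 2500:", simulate_queue(square_wave(2500, 0.3), 0, 1000, 150, 0, 0.5))
    print("double rate:", simulate_queue(double_rate(2500, 1000, 0.1, 0.2), 0, 1000, 150, 0, 0.5))
```

Both the 2500 packets/s square wave and the double-rate stream fill the queue at 0.1 s and hold it full for 0.2 s, but the square wave costs the attacker 750 packets per burst while the double-rate stream costs 450; averaged over a 1 s period that is the difference between 750 and 450 packets/s for the same outage.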
Impact of the shrew DoS attack on TCP flow aggregates • With homogeneous RTTs • With heterogeneous RTTs • On web traffic • On TCP variants
Low-rate DoS stream with heterogeneous RTTs • A flow's vulnerability depends on its RTT • Shorter-RTT flows normally take the larger share of the bandwidth, but they are also the flows for which an RTT-scale burst satisfies L' ≥ RTTi, so they are the ones filtered by the attack
Low-rate DoS stream with heterogeneous RTTs (cntd') • As the number of TCP flows increases, the bandwidth left unused by the filtered short-RTT flows is taken by the longer-RTT flows that are not forced into timeouts • Total TCP throughput therefore increases with the number of flows
Impact of DoS burst length • A longer burst satisfies L' ≥ RTT for more flows, so flows with longer RTTs are filtered as well • Fewer non-filtered flows remain
Impact of DoS peak rate on a short-RTT flow • The throughput of the short-RTT flow is affected even at modest peak rates • A low peak rate is sufficient to filter a short-RTT flow, because the burst only needs to fill the bottleneck queue for one RTT
Counter-DoS Techniques • Router-assisted mechanisms that detect and drop the attack bursts at the bottleneck • End-point minRTO randomization, so that the flows' timeouts no longer all line up with a single attack period
Router-Assisted Mechanisms • Router-based algorithms • Random Early Detection with Preferential Dropping (RED-PD), which preferentially drops packets of flows identified as high-bandwidth
Conclusions • Presented low-rate DoS attacks that throttle TCP flows by synchronizing short outages with the RTO while keeping a low average rate • Discussed the impact of these attacks on TCP flow aggregates with homogeneous and heterogeneous RTTs, on web traffic and on TCP variants • Results were obtained through a combination of analytical modeling, an extensive set of simulations and Internet experiments • Discussed counter-DoS techniques