1 / 34

Low-rate TCP-Targeted Denial of Service Attacks Aleksandar Kuzmanovic and Edward W. Knightly

Low-rate TCP-Targeted Denial of Service Attacks Aleksandar Kuzmanovic and Edward W. Knightly. Presented by Prasanth Kalakota & Ravi Katpelly. Outline. Introduction TCP timeout mechanism DOS outages Counter DOS techniques Conclusion. Introduction. DoS Attacks

nizana
Download Presentation

Low-rate TCP-Targeted Denial of Service Attacks Aleksandar Kuzmanovic and Edward W. Knightly

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Low-rate TCP-Targeted Denial of Service AttacksAleksandar Kuzmanovic and Edward W. Knightly Presented by Prasanth Kalakota & Ravi Katpelly

  2. Outline • Introduction • TCP timeout mechanism • DOS outages • Counter DOS techniques • Conclusion

  3. Introduction • DoS Attacks • Prevent access to legitimate users • Consume resources • Various Types: TCP SYN, ICMP broadcasts, DNS flood attacks • Shrew attacks or Low Rate DoS attacks

  4. TCP Congestion Control • Uses Additive Increase Multiplicative Decrease (AIMD) • Uses Retransmission Timeout (RTO) to avoid congestion • Selection of RTO value • Case (i): If too low spurious retransmissions occurs • Case (ii): If too high, flows will wait unnecessarily long

  5. TCP Congestion Control (cntd’) • To solve the first case, time out value should be at least 1 sec. (suggested and verified by Allman and Paxson) • For the second case, TCP sender maintains two states. • Smooth Round Trip Time (SRTT) • Round Trip Time Variation (RTTVAR)

  6. Terms used • RTT • RTO • SRTT • RTTVAR • minRTO

  7. TCP’s Timeout Mechanism • Suggested in RFC 2988 • When First time RTT is measured • SRTT = R’, RTTVAR = R’/2, • RTO = SRTT + max(G, 4RTTVAR) • When subsequent RTT measurement is made • RTTVAR = (1-β)RTTVAR + β|SRTT-R’| • SRTT = (1-α)SRTT + αR’ • RTO = max(minRTO, SRTT + max(G, 4RTTVAR)). • α = 1/4 and β = 1/8

  8. Low-Rate DoS Attacks • Attackers exploit TCP Timeout mechanism • Send short duration bursts with length equal to RTT scale burst length • Repeat these things periodically at slower RTO time scales

  9. Model of DoS Attack (Simple DoS Model) • Assume single TCP flow and single DoS stream • Attacker sends short duration burst at time t=0 • The TCP sender waits 1sec and doubles RTO. • Attacker sends the second outage between 1 and 1+2RTT

  10. Model of DoS Attack (cntd’)

  11. Model of DoS Attack (cntd’) • N TCP flows with heterogeneous RTTs and single DoS flow.

  12. Model of DoS Attack (cntd’) • DoS TCP Throughput Result • Assume periodic DoS attack with period T • L’ >= RTTi • minRTO > SRTTi + 4*RTTVARi for all i=1,..,n • Normalized throughput of the aggregate TCP flow is given by

  13. Model of DoS Attack (cntd’) • DoS TCP Flow-Filtering Result • For i = 1,….,k L’ ≥RTTi and minRTO > SRTTi + 4*RTTVARi • For j = k+1,….,n L’ < RTTj and minRTO ≤ SRTTj + 4*RTTVARj

  14. Model of DoS Attack (cntd’)

  15. Creating DoS outages • Instantaneous Queue Behavior • B = Queue Size • B0 = Queue Size at the onset of an attack • RTCP Instantaneous rate of the TCP flow. • RDoS Rate of DoS flow • T = DoS burst length • L = Duration of attack • C = Bottleneck Rate • Time at which Queue becomes full is given by L1 = (B-B0)/(RDoS+RTCP-C)

  16. Creating DoS outages (cntd’) • Queue remains full for L2 = L – L1 seconds if RDoS+RTCP ≥ C • If No TCP Traffic and if B0=0, Time at which Queue becomes full is given by L1 = B/(RMAX-C) • If the buffer is full attacker reduces its rate to bottleneck rate C.

  17. Minimum Rate DoS Streams • Double rate DoS stream

  18. Impact of shrew DoS Attack on TCP flow aggregation • With homogeneous RTT • With heterogeneous RTT • On web traffic • On TCP variants

  19. Low-rate DoS stream with Homogeneous RTT

  20. Low-rate DoS stream with Heterogeneous RTT • Depends on its RTT • Shorter RTT flows use more bandwidth

  21. Low-rate DoS stream with Heterogeneous RTT (cntd’) • With increased TCP flows unused bandwidth utilized by higher RTT flows • Total TCP throughput increase

  22. Impact of DoS Burst Length • Flows with longer RTT’s filtered • Less no of non-filtered flows

  23. Impact of DoS Peak Rate on Short-RTT Flow • Throughput of short-RTT flow effected • Low peak rate sufficient to filter short-RTT flow

  24. Impact on HTTP Traffic

  25. Dos Attacks on TCP Variants

  26. Dos Attacks on TCP Variants (cntd’)

  27. DoS Experiments on Internet

  28. Results

  29. Counter-DOS Techniques • Router-Assisted Mechanisms • End-point minRTO Randomization

  30. Router-Assisted Mechanisms • Router-Based algorithms • Random early detection with preferential dropping (RED-PD)

  31. Router-Assisted Mechanisms (cntd’)

  32. Router-Assisted Mechanisms (cntd’)

  33. End-Point minRTO Randomization

  34. Conclusions • Presented DoS attacks that are able to throttle TCP flows. • Discussed impact of various DoS Attacks on TCP flow aggregation • Experiments conducted using combination of analytical modeling, extensive set of simulations and internet experiments • Discussed Counter DoS Techniques

More Related