Defending Against Low-rate TCP Attack: Dynamic Detection and Protection
David K.Y. Yau (CS Dept., Purdue U.), Haibin Sun and John C.S. Lui (CSE Dept., CUHK)
Topics: Introduction to the Low-rate TCP Attack; Formal Description of Low-rate TCP Attack; Distributed Detection; Defense Mechanism; Conclusion.
Outline
• Introduction to the Low-rate TCP Attack
• Formal Description of Low-rate TCP Attack
• Distributed Detection
• Defense Mechanism
• Conclusion
Introduction to the Low-rate TCP Attack
• Common DoS attack
  • Consumes resources (bandwidth, buffers, etc.)
  • Keeps legitimate users away from the service
  • A large number of machines or agents are involved
  • Harmful, but relatively easy to detect
• Low-rate DoS attack
  • Aims to deny bandwidth to legitimate TCP flows
  • The attacker sends an attack stream with low volume
  • Exploits the TCP congestion control feature
  • The attacker sends a periodic short burst to the victim/router
TCP Retransmission Mechanism
• TCP congestion control under severe network congestion:
  • Wait until the retransmission timeout (RTO) expires
  • Reduce the congestion window, double the RTO and retransmit the packet
  • If this succeeds, enter the slow start phase; else, back off exponentially again
• Calculation of RTO
  • In RFC 2988: RTO = max(minRTO, SRTT + max(G, 4·RTTVAR))
  • Usually RTO = minRTO during slow start
  • minRTO = 1 second (recommended in RFC 2988)
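An added example (not from the paper) of the RFC 2988 RTO computation the slide quotes, with the exponential backoff it describes; it shows why RTO is pinned at minRTO for typical RTTs. The estimator update rules and constants (ALPHA, BETA, K, the initial 3 s RTO) are those of RFC 2988; the class and function names are ours.

```python
# Added example, not from the paper: RFC 2988 RTO estimator with the
# exponential backoff the slide describes. Shows why RTO sits at minRTO
# (1 s) for typical RTTs and how it doubles on consecutive timeouts.
ALPHA, BETA, K = 1 / 8, 1 / 4, 4   # RFC 2988 constants
MIN_RTO = 1.0                      # seconds, recommended minimum

class RtoEstimator:
    def __init__(self, granularity=0.1):
        self.g = granularity        # clock granularity G
        self.srtt = None            # smoothed RTT
        self.rttvar = None          # RTT variance
        self.rto = 3.0              # initial RTO before any sample (RFC 2988)

    def sample(self, rtt):
        """Update SRTT/RTTVAR from an RTT measurement and recompute RTO."""
        if self.srtt is None:       # first measurement
            self.srtt, self.rttvar = rtt, rtt / 2
        else:
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - rtt)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * rtt
        self.rto = max(MIN_RTO, self.srtt + max(self.g, K * self.rttvar))
        return self.rto

    def timeout(self):
        """Retransmission timer expired: back off by doubling RTO."""
        self.rto *= 2
        return self.rto

def backoff_schedule(rtt, timeouts):
    """RTO values a flow with a steady RTT uses across consecutive timeouts:
    with a 100 ms RTT the waits are 1, 2, 4 ... seconds (minRTO dominates)."""
    est = RtoEstimator()
    for _ in range(4):              # a few measurements settle SRTT/RTTVAR
        est.sample(rtt)
    return [est.rto] + [est.timeout() for _ in range(timeouts)]
```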
Low-rate DoS Attack on a TCP Flow
• An example of a low-rate DoS attack: average bandwidth = lR/T
• Sufficiently large attack burst
• Packet loss at the congested router
• TCP times out and retransmits after RTO
• Attack period = RTO of the TCP flow
• TCP continually incurs loss and achieves zero or very low throughput
Formal Description
• Mathematical description (figure: attack stream with parameters T, S, l, R, N)
  • T: attack period
  • l: length of attack burst
  • R: rate of attack burst
  • N: background noise
  • S: time shift
Low-rate DoS Traffic Pattern
The periodic burst may have different patterns:
• Simple square wave (Kuzmanovic & Knightly, SIGCOMM 03)
• Step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM 03)
• General peaks with background noise
• Attack traffic does not easily remain the same as the original by the time it reaches the victim router.
• Attack traffic in different periods may not be the same, so T, l and R may vary.
• We need a "ROBUST" method to identify the attack.
Low-rate DoS Traffic Pattern
• Small burst combination
• Multiple distributed attack sources
• Long period combination
Distributed Detection • Overall Idea of Distributed Detection
Distributed Detection
• Traffic signature detection
  • Small average throughput => throughput-based IDS (✗)
  • No signature in the packets => "per packet" approaches (✗)
  • Extract the essential signature of the attack traffic (✓)
Algorithm of Detection
Sample the traffic → Filter the noise → Extract the signature → Pattern match
• Sample the traffic
  • Sample the recent instantaneous throughput at a constant rate (the rate should be frequent enough, but not overburden the system)
  • Each detection run uses a sequence of instantaneous throughput samples (the length of the sequence should also be properly adjusted)
  • Normalization is necessary
• Filter the noise
  • The background noise in the samples needs to be filtered
  • Background noise: UDP flows and other TCP flows that are less sensitive to the attack
  • For simplicity, a threshold filter can be used
• Extract the signature
  • Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input gives a special pattern in its autocorrelation (autocorrelation also masks differences in the time shift S)
  • Unbiased normalization, with M the length of the input sequence and m the autocorrelation index
• Pattern match
  • The similarity between the template and the input must be calculated
  • We use Dynamic Time Warping (DTW); the detailed DTW algorithm is provided in the paper
  • The smaller the DTW value, the more similar they are
  • DTW values will be clustered; a threshold can be set to distinguish them
• Demo in Matlab
Robustness of Detection
• Attack traffic simulations
• DTW values for low-rate attack traffic
  • Square wave, step, general peaks
  • T, l: uniformly distributed s.t. l/T <= 0.25
  • R: 1 (full bandwidth)
  • N, S: uniformly distributed
  • 1000 simulations per type
Robustness of Detection
• DTW values for legitimate traffic
  • Legitimate traffic composition
  • Legitimate traffic simulation: C + Gaussian(0, N)
  • Run the simulation 100 times for each C
  • Large DTW values for legitimate traffic
Robustness of Detection
• Probability distribution of DTW values (plot; detection threshold marked)
  • Attack flows vs. legitimate flows
  • Expect a separation between them
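The detection pipeline of the "Algorithm of Detection" slide and the robustness check of the slides above, as an added example (our code, not the paper's or its Matlab demo): threshold-filter the samples, compute the unbiased autocorrelation, and take the DTW distance to a square-wave template. The traces are constructed with the slides' T, l, R, N, S model; scaling the autocorrelation by r[0], the threshold 0.3 and the legitimate-traffic parameters are our assumptions.

```python
# Added example, not the paper's code: the slides' pipeline (sample -> filter
# noise -> unbiased autocorrelation -> DTW to a template) on constructed data.
import math
import random

def threshold_filter(samples, thresh):
    """Drop background noise below thresh, then normalize to [0, 1]."""
    kept = [v if v >= thresh else 0.0 for v in samples]
    peak = max(kept) or 1.0
    return [v / peak for v in kept]

def autocorr_unbiased(x):
    """r[m] = sum_i xc[i]*xc[i+m] / (M - m) on the mean-removed sequence xc,
    for lags m <= M/2; scaling by r[0] is our choice, not the slides'."""
    M = len(x)
    mean = sum(x) / M
    xc = [v - mean for v in x]
    r = [sum(xc[i] * xc[i + m] for i in range(M - m)) / (M - m) for m in range(M // 2 + 1)]
    r0 = r[0] or 1.0
    return [v / r0 for v in r]

def dtw(a, b):
    """Dynamic Time Warping distance, absolute-difference cost, no window."""
    n, m = len(a), len(b)
    d = [[math.inf] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
            d[i][j] = abs(a[i - 1] - b[j - 1]) + step
    return d[n][m]

def burst_trace(M, T, l, R, N, S, rng):
    """Constructed sample per the slides' model: length-l bursts at rate R every T samples, shift S, noise up to N."""
    return [R * ((i - S) % T < l) + rng.uniform(0, N) for i in range(M)]

def attack_score(samples, template, thresh=0.3):
    """DTW distance of the sample's signature to the template (smaller = more similar)."""
    return dtw(autocorr_unbiased(threshold_filter(samples, thresh)), template)

# Template signature: a clean square wave, T=20, l=3, R=1, no noise.
TEMPLATE = autocorr_unbiased(burst_trace(200, 20, 3, 1.0, 0.0, 0, random.Random(0)))

def demo_scores(seed=1):
    """Attack-like trace (T, l, S differ from the template) vs. legitimate C + Gaussian(0, N)."""
    rng = random.Random(seed)
    attack = burst_trace(200, 25, 4, 1.0, 0.2, 7, rng)
    legit = [0.5 + rng.gauss(0, 0.1) for _ in range(200)]
    return attack_score(attack, TEMPLATE), attack_score(legit, TEMPLATE)
```

The attack-like trace scores well below the legitimate one even though its period, burst length and shift differ from the template, which is the robustness the DTW step buys over a direct sequence comparison.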
Defense Mechanism
• Router deployment
• Pushback detection
• Pushback to the deployed routers (distributed attack)
• Deficit round robin (DRR) for resource management
Defense Mechanism
• Deficit Round Robin (DRR), Quantum = 1000 bytes
  • Classify packets according to the input port [i]
  • deficit_counter[i] += Quantum
  • If the packet's size <= deficit_counter[i], serve the packet and set deficit_counter[i] -= packet's size
  • If there is no packet[i], deficit_counter[i] = 0
• Worked example (queues, head of queue first): A: 1500; B: 500, 300; C: 600, 600
  • 1st round
    • A's count: 1000
    • B's count: 200 (served twice)
    • C's count: 400
  • 2nd round
    • A's count: 500 (served)
    • B's count: 0
    • C's count: 800 (served)
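The DRR scheduler from the slide replayed in code, as an added example (ours, not the paper's): it reproduces the two rounds on the slide's queues and then shows the isolation property the defense relies on, a backlogged queue being held to about one quantum per round. The function names and the extra backlog scenario are our construction.

```python
# Added example, not the paper's code: Deficit Round Robin as on the slide,
# replayed on the slide's queues (A: 1500; B: 500, 300; C: 600, 600 bytes)
# with Quantum = 1000 bytes. An idle queue has its counter reset when it is
# visited, which matches the slide's accounting (B's count is 0 in round 2).
from collections import deque

QUANTUM = 1000  # bytes

def drr_round(queues, deficit, quantum=QUANTUM):
    """One DRR round. queues: dict name -> deque of packet sizes (head first);
    deficit: dict name -> deficit_counter. Returns (name, size) packets served."""
    served = []
    for name, q in queues.items():
        if not q:                    # no packet[i]: deficit_counter[i] = 0
            deficit[name] = 0
            continue
        deficit[name] += quantum     # deficit_counter[i] += Quantum
        while q and q[0] <= deficit[name]:   # serve while size <= counter
            size = q.popleft()
            deficit[name] -= size
            served.append((name, size))
    return served

def slide_example():
    """Replay the two rounds on the slide: (served1, counters1, served2, counters2)."""
    queues = {"A": deque([1500]), "B": deque([500, 300]), "C": deque([600, 600])}
    deficit = {"A": 0, "B": 0, "C": 0}
    served1 = drr_round(queues, deficit)
    counters1 = dict(deficit)
    served2 = drr_round(queues, deficit)
    return served1, counters1, served2, dict(deficit)

def bytes_per_queue(backlog, rounds, quantum=QUANTUM):
    """Bytes each queue gets over several rounds (backlog: name -> list of sizes).
    A queue full of large bursts is held to about one quantum per round, so the
    other queues keep their share: the isolation DRR provides."""
    queues = {name: deque(sizes) for name, sizes in backlog.items()}
    deficit = {name: 0 for name in queues}
    total = {name: 0 for name in queues}
    for _ in range(rounds):
        for name, size in drr_round(queues, deficit, quantum):
            total[name] += size
    return total
```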
Experiment of Defense Mechanism
• Multiple TCP flows vs. a single-source attacker
  • Eight TCP flows
  • Single low-rate attacker
  • All go through the same router
  • Link capacity 5 Mbps
Experiment of Defense Mechanism
• Network model of attack vs. multiple TCP flows
  • 4 TCP flows
  • Single attacker
  • 7-router network
  • R1, R2, R4, R6 may run DRR
  • Link capacity 5 Mbps
Conclusion
• Formal model to describe the low-rate TCP attack
• Distributed detection mechanism using Dynamic Time Warping
• The pushback mechanism
• DRR approach for protection and isolation