270 likes | 412 Views
Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany Weizman Yaniv Spring 2007. Traditional DoS attacks.
E N D
Low-Rate TCP-Targeted Denial of Service Attacks(The Shrew vs. the Mice and Elephants) Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany Weizman Yaniv Spring 2007
Traditional DoS attacks • Use high-rate transmission of packets (known as “sledge-hammer” approach) • Lead to lack of resources • Network bandwidth • Server or router CPU cycles • Server Interrupt processing capacity • Specific protocol data structures (TCP…) • Example DOS attacks • TCP SYN attacks (TCP based) • ICMP broadcast to a target host (IP based) • DNS flood attacks (UDP based) • Presents a statistical anomaly to network monitor • Relatively easily detectable & ,mitigated (using counter-DOS mechanisms)
Outline • TCP congestion control protocol and timeout mechanism • The shrew attack • Simulation and internet experiments • DoS detection mechanisms • minRTO randomization
TCP congestion control protocol • Using two timescales (Shorter vs. Longer) • Round Trip Time (RTT) - 10’s-100’s msec • Each flow transmit at the fair rate of its bottleneck link • Use Additive-Increase Multiplicative Decrease (AIMD) control • Retransmission timeout (RTO) – 1-N sec • Used on severe congestion with multiple losses • Exponential backoff phase. • RTO doubles with each subsequent timeout • Slow start mechanism • Slow RTO time-scale mechanisms are a key source of vulnerability to low rate attacks
TCP timeout mechanism • TCP Reno loss detection • Timeout from non-receipt of ACKs • Receipt of less than a triple-duplicate ACK • RTO Low value vs. High value tradeoff • Low value – spurious retransmission (ACKs are delayed, not lost) • High value – late recover from congestion • RTO = max(minRTO, SRTT + max(G,4*RTTVAR)) • minRTO = 1 second (Allman and Paxton). • SRTT - Smoothed Round-Trip Time • RTTVAR - Round-Trip Time Variation • G - Clock granularity (<= 100ms) • R = RTT measurement • For small-RTT flows, RTO is set constantly as minRTO
The shrew in the nature • A small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite. • In other words: “Katan Aval Mamzer…”
The Shrew attack strategy • Attempts to deny bandwidth to TCP flows • Uses Low average rate TCP targeted attacks • Elude detection by counter-Dos mechanisms • Detecting Shrews may have unacceptably many false alarms (due to legitimate bursty flows) • Severity denial of service to legitimate users • Exploit protocol homogeneity and determinism • Protocols react in a pre-defined way • Tradeoff of vulnerability vs. predictability • Exploits the vulnerable TCP congestion control protocol
The Shrew Attack • Periodic on-off “square-wave” induced outage pulse, highly synchronized to TCP RTO mechanism • Burst rate, R, varies up to full link capacity C • Burst length l ~RTT • Inter burst period, T ~minRTO, is between two successive outages
The Shrew Attack (Cont.) • Burst length induces multiple packet losses for a flow, forcing TCP switch from RTT time-scale into RTO time-scale All active flows (nearly) simultaneously enter RTO time-scale
The Shrew Attack (Cont.) • When flows attempt to simultaneously exit timeout and enter slow-start Shrew pulses again and forces flows synchronously back into timeout state • Outages at RTO scale imply low average rate • Victim will be throttled to near-zero throughput
The model • A single bottleneck queue driven by n long-lived TCP flows with heterogeneous RTT and a single DoS flow • For any TCP flow in which • (a) l >= RTT • Congestion bursts lasts sufficiently long to force all TCP flows to simultaneously enter timeout • (b) minRTO > SRTTi + 4*RTTVARi • All TCP flows will have identical values of RTO and will thus timeout after minRTO seconds (ideal moment for an attack burst) The derived normalized throughput to link capacity (discarding slow-start phase) is given by • Despite the heterogeneous RTTs, most TCP flows are forced to “synchronize” to the attacker and enter timeout (nearly) concurrently and attempt to recover at (nearly) the same time
Single TCP flow Simulation (vs. model) 1 TCP flow, C = 1.5 Mb/s, R = C, L=150 msec, minRTO = 1sec, 12ms<RTO<150ms • Two “null frequencies” responses (minRTO/2 & minRTO) • Analytical model accurately predicts degradation • Differences between minRTO/2 to RTO due to TCP slow start mechanism (TCP not utilize full link capacity) • When T > minRTO, TCP flow obtains increasingly higher throughput between RTO expirations & attack bursts
Single TCP flow Simulation (cont.) • Average attack rate is given by (R*l)/T • R Decreasing with T increasing • Attack effectiveness is clearly NOT increasing with the attacker average rate
Shrew challenges • Aggregation • RTT heterogeneity • DoS peak rate (R<C) • Short-lived TCP flows (Web browsing) • TCP variants • Internet experiments • Can Shrews be successful on the Internet?
Aggregation of homogenous RTTsflows 5 long-lived TCP flows, C = 1.5 Mb/s, C=L, l = 100 msec, minRTO = 1sec, 12ms<RTT<132ms • Similar to one-flow, model fits for homogeneity aggregate • RTO homogeneity introduces one vulnerable timescale • One “null frequency” response • In minRTO time, there are flows in which RTT>l • Vulnerable due to Shrew-induced flow synchronization
RTT heterogeneityRTT-based Filtering 20 long-lived TCP flows, C = 10 Mb/s, C=L, l = 100ms, minRTO = 1sec, 20ms<RTT<460ms • Shrews are high-RTT pass filters • Service is denied to short-RTT flows (up to RTT=180ms) • With No-DoS,shorter-RTT flows utilize more bandwidth • Despite the excess capacity, longer-RTT flows do not manage to improve their throughput • Depends on number of long-lived flows
RTT heterogeneityShrew Peak Rate • Since there is a background traffic (UDP, ACKs) attacker can lower its peak rate and still maintain effective attack 4 TCP flows (1 short-RTT, 3 long-RTT) • Less-than-bottleneck bursts can damage short-RTT flows • Very low rate periodic flows, operating at on of the null TCP timescales are highly problematic for TCP traffic • Longer RTT flows play the role of background traffic
Short-lived TCP traffic asHTTP traffic Short-lived TCP flows, Randomly web sites, Each page has 10 objects, response time normalized, HTTP load is 50% • Larger files (greater then 100 packets) are highly vulnerable • Some flows benefit from the attack and decrease their response time • Flow arrives into system between two attack outages and is able to transmit its entire file before next outage occurs
TCP variants • Variants helps TCP flows survive multiple losses within single round trip time without incurring a retransmission timeout 4 attacks burst lengths (30, 50, 70, 90) • For short attack bust, TCP Reno is the most fragile • TCP is the most vulnerable in 1-1.2 sec time-scale region due to slow start • Sufficient pulse width ensures timeout • When burst length is severe enough => all TCP variants are equally fragile
Internet LAN/WAN experiments • Intra-LAN • C (victim) = 10Mb/s, R = C, l = 200ms, Two hops between DoS-A & TCP-S • “Null frequency” at 1.2 sec • Attacked TCP flow decreased from 6.6Mb/s to 780 Kb/s • Inter-LAN • 3 different LANs, C = 10Mb/s (victim),100Mb/s, R = 10Mb/s, l < 100ms, Two routers & Two switches between two traverses. • “Null frequency” at 1.1 sec • Attacked TCP flow decreased from 9.8Mb/s to 800 Kb/s • WAN • R = 10Mb/s, l = 100ms, 8 hops between DoS and TCP-R • “Null frequency” at 1.1 sec • Attacked TCP flow decreased from 9.8Mb/s to 1.2Mb/s • Shrew attacks are efficient for both LAN & WAN
Detecting ShrewsRouter-Assisted Mechanisms • Shrews have low average rate, yet send high-rate bursts on short time-scales 9 Aggregate TCP SACK flows • In “null frequency” at 1.2 sec, shrew remains effective • RED-PD Detects Shrews with unnecessarily high rate (T<0.5 sec) • Reducing RED-PD measurement time scale results in excessive false positives RED - Random Early Detection • Packets dropped with a probability dependent on the excess sending rate of the flow RED-PD – RED with Preferential Dropping mechanism • Uses packet drop history to detect high-bandwidth flows with high confidence
Detecting Shrews End-point minRTO randomization • Observe • Shrews exploit protocol homogeneity and determinism • Question • Can minRTO randomization alleviate threat of Shrews? • TCP flows’ approach • Randomize the minRTO = uniform(a,b) • The longest most vulnerable timescale (“null frequency”) becomes T = b
Detecting Shrews End-point minRTO randomization (cont.) • Shrews’ counter approach • Given flows randomize minRTO, the optimal Shrew pulses at time-scale T=b • Wait for all flows to recover and then pulse again • TCP throughput for T=b time-scale of the Shrew attack • a small spurious retransmissions • b large bad for short-lived (HTTP) traffic • Randomizing the minRTO parameter shifts and smoothes TCP’s null time-scales • Fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains
Conclusions • Shrew principles • Exploit slow-time-scale protocol homogeneity and determinism • Real-world vulnerability to Shrew attacks • Internet experiment: 87.8% throughput loss without detection • Shrews are difficult to detect • Low average rate and “TCP friendly” • Cannot filter short bursts • Fundamental mismatch of attack/defense timescales
Life conclusion Try to stay away from Shrews
Homework assignment • How does Shrew attack defer from traditional DoS attacks? • Shrew attacks are known as high-RTT pass filters. How they manage to do so? Can you consider an environment for using that capability? • Why shrew attacks are difficult to detect with existing counter-DoS mechanisms? What may be the risks of trying using bursts tuned detection? • For your opinion, does the underlying vulnerability is due to poor design of TCP timeout mechanism, or is it a consequence of other reason/s? Explain. E-mail: yanivwei@post.tau.ac.il