Malicious Packet Dropping: How It Might Impact the TCP Performance and How We Can Detect It
Xiaobing Zhang, S. Felix Wu, Zhi Fu, and Tsung-Li Wu
International Conference on Network Protocol 2000
2003. 6. 3
Presented by Jeon, Sang-Uk
Contents
• Introduction
• TCP Packet Dropping Patterns
• Simulation of Packet Dropping
• Impact of Packet Dropping
• Detection of Packet Dropping Attack
• Conclusion & Future work

Introduction(1/2)
• Reliable data transmission of TCP
  • Slow start
  • Congestion avoidance
• Packet dropping
  • Malicious dropping of packets by an intruder
  • Degrades QoS of the application
  • Few studies have been done

Introduction(2/2)
• This paper presents
  • The impact of TCP packet dropping attacks
  • The attacker can control the rate of dropping
  • Simulation of an “uncompromised” router to drop a small amount of traffic
  • Design & implementation of a statistic-based analysis module
  • Detects TCP dropping attacks

TCP Packet Dropping Patterns
• Types of attack
  • Persistent
  • Intermittent
• Types of dropping patterns (parameters)
  • Periodic packet dropping (PerPD) : (K, I, S)
    • e.g. (5, 10, 4) : 4th, 14th, 24th, 34th, 44th packet
  • Retransmission packet dropping (RetPD) : (K, S)
    • e.g. (5, 10) : 10th packet drops
  • Random packet dropping (RanPD) : K
TCP Packet Dropping Method
[Figure: network diagram. Labels: Internet, NATd, FTP Server, FTP Client, FTP Data, UDP flood, congestion, TFN master, TFN agents, TFN target; other labels: fire, Heidelberg, redwing, bone, light, air; networks 192.168.75/24, 172.16/16, 192.168.1/24]

Packet dropping – Result(2/2)
Damage = {delay(flood) – delay(normal)} / delay(normal)

Impact of Packet Dropping Attacks(1/5)
• FTP servers used in the experiment

Impact of Packet Dropping Attacks(2/5)
• Session delay for the NCU Site under 3 dropping patterns

Impact of Packet Dropping Attacks(3/5)
• Session delay with K, given a fixed I, S

Impact of Packet Dropping Attacks(4/5)
• Session delay with I, given a fixed K, S

Impact of Packet Dropping Attacks(5/5)
• Session delay with S, given a fixed K, I
TCP-Dropping Statistic Analysis Module(1/4)
• NIDES/STAT Algorithm
  • Describes subjects’ behavior by means of profiles
    • Short-term, long-term profiles
  • Monitors a subject’s behavior on a computer system
  • Raises alarm flags when it deviates significantly from expected behavior (long-term profile)
  • Based on a χ²-like probability distribution test
• Measured value
  • Position : position of out-of-order packets
  • Delay : session delay
  • Number of packet reordering

TCP-Dropping Statistic Analysis Module(2/4)
• Binning procedure
  • Packet Length: 1, 2, …, 4000
  • Number of bins = 5 -> bin width = 800
  • bin0: 1–800, bin1: 801–1600, bin2: 1601–2400, bin3: 2401–3200, bin4: 3201–4000
  • 20th, 2600th packets are delivered out-of-order -> counts for bin0, bin3 are incremented by 1
[Figure: probability per bin]

TCP-Dropping Statistic Analysis Module(3/4)
• Hypothesis test
  • Event : E1, E2, …, Ek
  • Probability : p1, p2, …, pk
  • Number of random experiments : N
  • Number of occurrences for Ei : Yi
• Hypothesis
  • H0 : pi’ = pi, i = 1, 2, …, k
  • H1 : H0 is not true
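The binning procedure and hypothesis test above, as an added Python example that is not code from the paper or the presentation. It uses the standard chi-square form of Q, reads PerPD (K, I, S) the way the slide's (5, 10, 4) example does, and assumes each dropped packet shows up as one out-of-order delivery at that position; the long-term profile, the non-attacked Q values, the tail quantile and all function names are constructed for illustration.

```python
# Added example (not from the paper): position-measure binning and Q statistic.
NBIN = 5                          # number of bins, from the binning slide
SESSION_LEN = 4000                # highest packet position on the binning slide
BIN_WIDTH = SESSION_LEN // NBIN   # 800

def perpd_positions(k, i, s):
    """PerPD (K, I, S) as in the slide's example: K drops, I apart, from packet S."""
    return [s + n * i for n in range(k)]

def bin_counts(positions):
    """Count out-of-order packet positions (1-based) per bin0..bin4."""
    counts = [0] * NBIN
    for pos in positions:
        if not 1 <= pos <= SESSION_LEN:
            raise ValueError(f"position {pos} outside 1..{SESSION_LEN}")
        counts[(pos - 1) // BIN_WIDTH] += 1
    return counts

def q_statistic(counts, probs):
    """Chi-square-like Q = sum_i (Y_i - N*p_i)^2 / (N*p_i)."""
    n = sum(counts)
    q = 0.0
    for y, p in zip(counts, probs):
        expected = n * p
        if expected:
            q += (y - expected) ** 2 / expected
        elif y:                   # event the long-term profile says never happens
            return float("inf")
    return q

def empirical_threshold(normal_qs, tail=0.01):
    """Q value that only about `tail` of non-attacked sessions exceed."""
    ranked = sorted(normal_qs)
    return ranked[min(len(ranked) - 1, int(len(ranked) * (1 - tail)))]

def is_alarm(positions, probs, threshold):
    """Flag a session whose position measure deviates from the long-term profile."""
    return q_statistic(bin_counts(positions), probs) > threshold

# Constructed data: flat long-term profile, Q values of non-attacked sessions.
LONG_TERM = [0.2] * NBIN
NORMAL_QS = [0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 4.0, 5.0, 6.0, 8.0]
THRESHOLD = empirical_threshold(NORMAL_QS)   # 8.0 for this sample

if __name__ == "__main__":
    attack = perpd_positions(5, 10, 4)         # 4, 14, 24, 34, 44: all in bin0
    spread = [20, 900, 1700, 2600, 3500]       # constructed: one per bin
    for name, obs in (("PerPD(5,10,4)", attack), ("spread", spread)):
        print(name, bin_counts(obs), is_alarm(obs, LONG_TERM, THRESHOLD))
```

The threshold is taken from observed non-attacked Q values rather than a chi-square table, mirroring the Q distribution the experiment builds from non-attacked short-term profiles.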
TCP-Dropping Statistic Analysis Module(4/4)
• Q Distribution for position measure when nbin = 5

Intrusion Detection Experiment
• Long-term profile establishment
  • Formed by running 20000 FTP connections
• Non-attacked short-term profile and Q distribution establishment
  • Short-term data from 5000 FTP connections
• Collection of short-term profiles under dropping patterns
• Intrusion detection by the statistic module

Intrusion Detection Result(1/3)
• Position Measure

Intrusion Detection Result(1/3)
• Delay Measure

Intrusion Detection Result(1/3)
• NPR measure

Conclusion & Future work
• Investigated the impact of a set of packet dropping attack patterns
  • Retransmission packet dropping attack severely degrades TCP’s performance
  • Random packet dropping attack causes the least damage
• Proposed a statistic-based approach to detect attack
• Future work
  • Find the way of defending the QoS against packet dropping attacks