
Malicious Packet Dropping : How It Might Impact the TCP Performance and How We Can Detect It

Xiaobing Zhang, S. Felix Wu, Zhi Fu, and Tsung-Li Wu. International Conference on Network Protocol 2000. 2003. 6. 3. Presented by Jeon, Sang-Uk.


Presentation Transcript


  1. Malicious Packet Dropping : How It Might Impact the TCP Performance and How We Can Detect It Xiaobing Zhang, S. Felix Wu, Zhi Fu, and Tsung-Li Wu International Conference on Network Protocol 2000 2003. 6. 3 Presented by Jeon, Sang-Uk

  2. Contents • Introduction • TCP Packet Dropping Patterns • Simulation of Packet Dropping • Impact of Packet Dropping • Detection of Packet Dropping Attack • Conclusion & Future work

  3. Introduction(1/2) • Reliable data transmission of TCP • Slow start • Congestion avoidance • Packet dropping • Malicious dropping of packet by an intruder • Degrades QoS of the application • Few studies have been done

  4. Introduction(2/2) • This paper presents • The impact of TCP packet dropping attacks • The attacker can control the rate of dropping • Simulation of an “uncompromised” router to drop a small amount of traffic • Design & implementation of a statistic-based analysis module • Detects TCP dropping attacks

  5. TCP Packet Dropping Patterns • Types of attack • Persistent • Intermittent • Types of dropping patterns (parameters) • Periodic packet dropping (PerPD) : (K, I, S) • e.g. (5, 10, 4) : 4th, 14th, 24th, 34th, 44th packet • Retransmission packet dropping (RetPD) : (K, S) • e.g. (5, 10) : 10th packet drops • Random packet dropping (RanPD) : K

  6. TCP Packet Dropping Method • [Figure: testbed network diagram. Labels: Internet, NATd, FTP Server, FTP Client, FTP Data, UDP flood, congestion, TFN master, TFN agents, TFN target; hosts fire, Heidelberg, redwing, bone, light, air; subnets 192.168.75/24, 172.16/16, 192.168.1/24]

  7. Packet dropping – Result(1/2)

  8. Packet dropping – Result(2/2) Damage = {delay(flood) – delay(normal)} / delay(normal)

  9. Impact of Packet Dropping Attacks(1/5) • FTP servers used in the experiment

  10. Impact of Packet Dropping Attacks(2/5) • Session delay for the NCU Site under 3 dropping patterns

  11. Impact of Packet Dropping Attacks(3/5) • Session delay with K, given a fixed I, S

  12. Impact of Packet Dropping Attacks(4/5) • Session delay with I, given a fixed K, S

  13. Impact of Packet Dropping Attacks(5/5) • Session delay with S, given a fixed K, I

  14. TCP-Dropping Statistic Analysis Module(1/4) • NIDES/STAT Algorithm • Describes subjects’ behavior by means of profiles • Short-term, long-term profiles • Monitors a subject’s behavior on a computer system • Raises alarm flags when it deviates significantly from expected behavior (long-term profile) • Based on χ²-like probability distribution test • Measured value • Position : position of out-of-order packets • Delay : session delay • Number of packet reordering

  15. TCP-Dropping Statistic Analysis Module(2/4) • Binning procedure • Number of bin = 5 -> bin width = 800 • bin0 : 1–800, bin1 : 801–1600, bin2 : 1601–2400, bin3 : 2401–3200, bin4 : 3201–4000 • 20th, 2600th packets are delivered out-of-order -> counts for bin0, bin3 are incremented by 1 • [Figure: per-bin histogram; x-axis "Packet Length" 1 … 4000, y-axis "Probability"]

  16. TCP-Dropping Statistic Analysis Module(3/4) • Hypothesis test • Event : E1, E2, …, Ek • Probability : p1, p2, …, pk • Number of random experiment : N • Number of occurrences for Ei : Yi • Hypothesis • H0 : pi’ = pi, i = 1,2,…k • H1 : H0 is not true

  17. TCP-Dropping Statistic Analysis Module(4/4) • Q Distribution for position measure when nbin = 5

  18. Intrusion Detection Experiment • Long-term profile establishment • Formed by running 20000 FTP connections • Non-attacked short-term profile and Q distribution establishment • Short-term data from 5000 FTP connections • Collection of short-term profiles under dropping patterns • Intrusion detection by the statistic module

  19. Intrusion Detection Result(1/3) • Position Measure

  20. Intrusion Detection Result(1/3) • Delay Measure

  21. Intrusion Detection Result(1/3) • NPR measure

  22. Conclusion & Future work • Investigated the impact of a set of packet dropping attack patterns • Retransmission packet dropping attack severely degrades TCP’s performance • Random packet dropping attack causes the least damage • Proposed a statistic-based approach to detect attack • Future work • Find the way of defending the QoS against packet dropping attacks
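
The binning procedure and hypothesis test from slides 14 to 18, as an added example (not code from the paper or the presentation). It assumes the Pearson form Q = Σ (Y_i − N·p_i)² / (N·p_i) for the χ²-like statistic and a 99th-percentile cut-off on the non-attacked Q distribution; the function names, the probability floor and the sample positions are constructed for illustration.

```python
import random

N_BINS = 5
MAX_POS = 4000                    # largest packet position on slide 15's axis
BIN_WIDTH = MAX_POS // N_BINS     # 800

def bin_index(position):
    """Map a 1-based packet position to its bin: 1..800 -> bin0, and so on."""
    if not 1 <= position <= MAX_POS:
        raise ValueError(f"position {position} outside 1..{MAX_POS}")
    return (position - 1) // BIN_WIDTH

def histogram(positions):
    """Y_i: number of out-of-order packets that fell into each bin."""
    counts = [0] * N_BINS
    for p in positions:
        counts[bin_index(p)] += 1
    return counts

def long_term_profile(positions, floor=1e-3):
    """p_i from long-term data; the floor (an assumption) avoids N*p_i == 0."""
    counts = histogram(positions)
    probs = [max(c / len(positions), floor) for c in counts]
    return [p / sum(probs) for p in probs]

def q_statistic(observed, profile):
    """Assumed Pearson form: Q = sum((Y_i - N*p_i)^2 / (N*p_i))."""
    n = sum(observed)
    return sum((y - n * p) ** 2 / (n * p) for y, p in zip(observed, profile)) if n else 0.0

def q_threshold(normal_qs, quantile=0.99):
    """Cut-off taken from the empirical Q distribution of non-attacked data."""
    ordered = sorted(normal_qs)
    return ordered[min(len(ordered) - 1, int(quantile * len(ordered)))]

def demo(seed=7):
    """Constructed data: uniform positions as 'normal', a burst in bin3 as 'attacked'."""
    rng = random.Random(seed)
    normal = lambda n: [rng.randint(1, MAX_POS) for _ in range(n)]
    profile = long_term_profile(normal(20000))
    threshold = q_threshold([q_statistic(histogram(normal(50)), profile) for _ in range(500)])
    attacked = [rng.randint(2401, 3200) for _ in range(40)] + normal(10)
    even = list(range(1, MAX_POS + 1, 80))        # 10 positions per bin
    return threshold, q_statistic(histogram(attacked), profile), q_statistic(histogram(even), profile)

if __name__ == "__main__":
    threshold, q_attacked, q_even = demo()
    print(f"threshold={threshold:.2f} attacked Q={q_attacked:.2f} (alarm={q_attacked > threshold}) "
          f"evenly spread Q={q_even:.2f} (alarm={q_even > threshold})")
```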
