260 likes | 428 Views
SIGCOMM ’ 03 Low-Rate TCP-Targeted Denial of Service Attacks. A. Kuzmanovic and E. W. Knightly Rice University Reviewed by Haoyu Song 9/25/2003. Denial of Service Attack. Preventing or degrading service to legitimate users. TCP SYN Attack ICMP directed broadcasts Target Network bandwidth
E N D
SIGCOMM’03Low-Rate TCP-Targeted Denial of Service Attacks A. Kuzmanovic and E. W. Knightly Rice University Reviewed by Haoyu Song 9/25/2003
Denial of Service Attack • Preventing or degrading service to legitimate users. • TCP SYN Attack • ICMP directed broadcasts • Target • Network bandwidth • Server/router CPU cycles • Interrupt processing capacity • Operating system/protocol data structure
DoS Attack Common Characteristics • Exploits the bugs or features of the operating system or inherent limitations of the networking • Involves large number of compromised computers • High-rate traffic toward victim node • Can be detected, traced back, mitigated or cleared. • Firewall, Intrusion Detect Device, Operating System Patches.
Low-Rate DoS Attack • Exploits the vulnerability of the TCP’s congestion control algorithm; • The rate is so low that it is hard to be detected; • Degrade the victim’s throughput significantly; • Not easy to fix.
Layout of the Paper • Background: TCP’s Timeout Mechanism • DoS Modeling • Extensive Simulation and Experiments • Counter-DoS Techniques • Conclusion
TCP Retransmission Timeout Mechanism • If less than 3 duplicate ACKs are received before RTO expires • Shrink its congestion window to 1 packets (slow start). • Set new RTO to 2*RTO (exponential backoff) • Retransmit the lost packet. • RTO Selection is a tradeoff • Spurious timeout and extraneous retransmission if too small. • Too slow to recover from congestion if too large.
RTO Estimation • SRTT – smoothed round trip time • RTTVAR – round trip time variation • R’ – RTT sample • minRTO – lower bound for RTO, 1 second • G – clock granularity
The Idea of Low-rate DoS Attack • What to do • Provoke a TCP flow to repeatedly enter a retransmission timeout state • Throttle the TCP throughput to near-zero • How to do • Sending high-rate, RTT scale short duration bursts and repeating periodically at RTO scale period. • Low average rate is hard to be detected
DoS TCP Throughput • Two “null” point: T=minRTO/2 and T=minRTO
In Practice • Periodic DoS attack are not utilizing TCP exponential backoff mechanism but rather exploit repeated timeout. • If only subset of TCP flows satisfy the conditions, only the subset obtain the degraded throughput (flow filtering)
Creating DoS Outages • Minimize the rate of DoS stream
Impact on Long-lived Homogeneous-RTT TCP Traffic • 1.5Mb/s link • One way propagation delay = 6ms • RTT varies from 12ms to 132 ms • DoS Traffic: 1.5Mb/s peak rate, 100ms burst and 50-byte packet • 5 TCP flows simulation
Impact on Long-lived Heterogeneous-RTT TCP Traffic • 20 TCP flows • 10 Mb/s link • RTT varies from 29 to 460 ms • DoS burst traffic: 10Mb/s, 100ms burst and 1.1sec period
DoS Burst Length • High-RTT-pass filter • As burst length increase, more TCP flows are filtered thus the aggregate TCP throughput decreases.
DoS Peak Rate • Background traffic potentially lower the DoS peak rate while maintaining an effective attack • Senario: 1 DoS flow and 4 TCP flows. 3 TCP flows with long RTT serve as the background traffic • Relatively low peak rates are sufficient to filter the short-RTT flow
Impact on HTTP Traffic • HTTP traffic is more dynamic • Have more impact on heavy load • Have more impact on large file size • Some flows benefit from the attack: avoid the outages.
DoS on TCP Variants • Effect attacks depend on the ability to create correlated packet loss and force TCP flows to enter retransmission timeout.
Internet Experiments • Intra-LAN • Inter-LAN • WAN
Intra-LAN Scenario • 10Mb/s Ethernet • Attacker: 10Mb/s peak rate, 200ms burst length. • Null frequency: 1.2 sec. • DoS average rate: 1.67 Mb/s if period is 1.2 sec. • TCP flow throughput drops from 6.6 Mb/s to 780 kb/s
Inter-LAN Scenario • Attacker and TCP sender are on different 100Mb/s Ethernet • Attacked host is on a 10 Mb/s Ethernet • DoS peak rate 10Mb/s, burst duration 100ms • Null frequency : 1.1 sec • At this time scale, DoS average rate is 909Kb/s • TCP flow throughput drops from 9.8Mb/s to 800 kb/s
WAN Scenario • DoS source is 8 hops away, 10Mb/s peak rate and 100ms burst duration. • T = 1.1 sec, TCP througput drops to 909Kb/s from 9.8Mb/s
Router-Assisted Counter-DoS • Consider only dropping algorithms rather than scheduling • RED and RED-PD
Router-Assisted Counter-DoS cont’ • Vary the DoS peak rate or burst length • 9 TCP SACK flows • Bottleneck Rate 1.5 Mb/s
End-point minRTO Randomization Counter-DoS • Fact: low rate attacks exploit minRTO homogeneity • Remedy: Radomize end systems minRTO to randomize their null fequecnies • Experiment: minRTO = uniform(a,b) • Result: the longest most vulnerable timescale becomes T = b
Conclusion • This attack can against both short and long-lived TCP flows. • In heterogeneous RTT environment, it shows to be a high-RTT pass filter. • No effective way to defend the system in the presence of this low-rate DoS attack.