Post on 17-Jan-2016
SIGCOMM'03: Low-Rate TCP-Targeted Denial of Service Attacks
A. Kuzmanovic and E. W. Knightly
Rice University
Reviewed by Haoyu Song
9/25/2003
Denial of Service Attack
Preventing or degrading service to legitimate users. Examples: TCP SYN attack, ICMP directed broadcasts.
Targets: network bandwidth; server/router CPU cycles; interrupt processing capacity; operating system/protocol data structures.
DoS Attack: Common Characteristics
Exploits bugs or features of the operating system, or inherent limitations of the network.
Involves a large number of compromised computers.
High-rate traffic toward the victim node.
Can be detected, traced back, mitigated or cleared: firewalls, intrusion detection devices, operating system patches.
Low-Rate DoS Attack
Exploits a vulnerability in TCP's congestion control algorithm (the retransmission timeout);
The average rate is so low that the attack is hard to detect;
Degrades the victim's throughput significantly;
Not easy to fix.
Layout of the Paper
Background: TCP’s Timeout Mechanism
DoS Modeling
Extensive Simulation and Experiments
Counter-DoS Techniques
Conclusion
TCP Retransmission Timeout Mechanism
If fewer than 3 duplicate ACKs are received before the RTO expires, the sender:
shrinks its congestion window to 1 packet (slow start);
sets the new RTO to 2*RTO (exponential backoff);
retransmits the lost packet.
RTO selection is a tradeoff: spurious timeouts and extraneous retransmissions if it is too small; too slow to recover from congestion if it is too large.
RTO Estimation
SRTT: smoothed round-trip time. RTTVAR: round-trip time variation. R': the new RTT sample. minRTO: lower bound for the RTO, 1 second. G: clock granularity.
$\mathrm{RTO} = \max\big(\mathrm{minRTO},\ \mathrm{SRTT} + \max(G,\ 4\,\mathrm{RTTVAR})\big)$
$\mathrm{SRTT} \leftarrow (1-\alpha)\,\mathrm{SRTT} + \alpha\,R'$
$\mathrm{RTTVAR} \leftarrow (1-\beta)\,\mathrm{RTTVAR} + \beta\,|\mathrm{SRTT} - R'|$ (using the SRTT value from before its own update)
$\alpha = 1/8,\ \beta = 1/4$
For short-RTT paths SRTT + 4 RTTVAR is far below 1 second, so the RTO is clamped to minRTO; every such flow therefore times out after exactly the same interval, and that homogeneity is what the attack exploits.
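The estimator above as a worked example (added here; this is not code from the paper or the slides): a Python implementation of the RFC 2988 update rules with the minRTO clamp and exponential backoff, run over constructed RTT samples for a LAN path and a jittery long-haul path. The sample values are constructed; the 3 s initial RTO and the 60 s upper bound are taken from RFC 2988, not from the slide.

```python
"""RFC 2988-style RTO estimator (added example; not from the paper or slides).

Implements the update rules on the slide: SRTT/RTTVAR EWMA with alpha = 1/8 and
beta = 1/4, RTO = max(minRTO, SRTT + max(G, 4*RTTVAR)), exponential backoff on
timeout.  All RTT samples in __main__ are constructed for illustration.
"""


class RtoEstimator:
    ALPHA = 1 / 8
    BETA = 1 / 4
    K = 4

    def __init__(self, min_rto=1.0, granularity=0.001, max_rto=60.0):
        self.min_rto = min_rto   # lower bound on RTO (1 s on the slide and in RFC 2988)
        self.g = granularity     # clock granularity G
        self.max_rto = max_rto   # RFC 2988 permits an upper bound of at least 60 s (assumed here)
        self.srtt = None
        self.rttvar = None
        self.rto = 3.0           # RFC 2988 initial RTO before the first RTT sample

    def sample(self, r):
        """Feed one RTT measurement R' (seconds) and return the resulting RTO."""
        if self.srtt is None:
            # first measurement: SRTT = R', RTTVAR = R'/2
            self.srtt, self.rttvar = r, r / 2
        else:
            # RTTVAR is updated with the SRTT value from *before* SRTT is updated
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - r)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * r
        raw = self.srtt + max(self.g, self.K * self.rttvar)
        self.rto = min(max(self.min_rto, raw), self.max_rto)
        return self.rto

    def timeout(self):
        """Retransmission timer expired: back off exponentially (RTO <- 2*RTO, capped)."""
        self.rto = min(2 * self.rto, self.max_rto)
        return self.rto


def final_rto(samples, min_rto=1.0):
    """Run the estimator over a list of RTT samples (seconds) and return the final RTO."""
    est = RtoEstimator(min_rto=min_rto)
    rto = est.rto
    for r in samples:
        rto = est.sample(r)
    return rto


if __name__ == "__main__":
    # Constructed paths: a LAN flow (1 ms RTT) and a long-haul flow (~460 ms RTT with jitter).
    lan = [0.001] * 20
    wan = [0.46, 0.30, 0.60, 0.45, 0.55]
    print("LAN RTO:", final_rto(lan))   # clamped to minRTO = 1.0 s
    print("WAN RTO:", final_rto(wan))   # slightly above minRTO, driven by RTTVAR
    est = RtoEstimator()
    est.sample(0.001)
    print("RTO after 3 timeouts:", [est.timeout() for _ in range(3)])
```

The LAN flow ends with RTO = minRTO regardless of how many samples it sees, which is the homogeneity the next slides exploit; the long-haul flow's RTO only exceeds 1 s while its RTT variance is large, so even long-RTT flows drift back to minRTO on a smooth path.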
The Idea of Low-rate DoS Attack
What to do: provoke a TCP flow to repeatedly enter the retransmission timeout state, throttling its throughput to near zero.
How to do it: send high-rate bursts of short (RTT-scale) duration, repeated periodically with an RTO-scale period. The resulting low average rate is hard to detect.
DoS Modeling
(Figure: a periodic DoS stream with period $T$ drawn against the victim's RTO timeline; the bursts are timed to the RTO.)
Model conditions, for flows $i = 1, 2, \ldots, n$:
$l \ge \mathrm{RTT}_i$ and $\mathrm{SRTT}_i + 4\,\mathrm{RTTVAR}_i \le \mathrm{minRTO}$,
i.e. each burst of length $l$ outlasts every flow's RTT, so all flows lose packets, and every flow's RTO equals minRTO (from the RTO formula on the RTO Estimation slide).
DoS TCP Throughput
Two "null" points, where the flow's throughput drops to zero: T = minRTO/2 and T = minRTO.
In Practice
Periodic DoS attacks do not rely on TCP's exponential backoff mechanism; they exploit repeated timeouts.
If only a subset of the TCP flows satisfies the conditions, only that subset gets the degraded throughput (flow filtering).
iRTTT 21
Creating DoS Outages
Goal: minimize the average rate of the DoS stream while still producing outages.
$l = l_1 + l_2, \qquad l_1 = \dfrac{B}{R - C}$
where $B$ is the bottleneck buffer size, $C$ the link capacity and $R > C$ the DoS peak rate: $l_1$ is the time the burst needs to fill the buffer, and $l_2$ is the additional time the queue must be held full so that every targeted flow loses packets (on the order of the flows' RTT, $\max_i \mathrm{RTT}_i$ to catch all of them).
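As a worked example of the burst-sizing relation above (added here; not code from the paper or the slides), the following Python computes $l_1$, $l$ and the resulting average rate $R\,l/T$, and finds the peak rate that minimizes that average rate. The closed form $R^* = C + \sqrt{BC/l_2}$ is this example's own derivation from $l_1 = B/(R-C)$ (setting the derivative of $R\,(B/(R-C) + l_2)$ to zero), and the 1.5 Mb/s link with a 40-packet buffer is a constructed scenario. The last two calls reproduce the average rates quoted on the Internet-experiment slides (1.67 Mb/s for a 200 ms burst every 1.2 s; 909 kb/s for 100 ms every 1.1 s).

```python
"""Sizing a low-rate DoS burst (added example; not from the paper or slides).

Uses l = l1 + l2 with l1 = B/(R - C): a burst of peak rate R > C needs l1
seconds to fill a bottleneck buffer of B bits on a link of capacity C bit/s,
then must hold the queue full for l2 more seconds.  The average attack rate
over a period T is R*l/T.  The closed-form optimum R* = C + sqrt(B*C/l2) is
this example's own derivation (d/dR of R*(B/(R-C) + l2) = 0), not a result
quoted from the paper.
"""
import math


def fill_time(buffer_bits, capacity_bps, peak_bps):
    """l1 = B / (R - C): seconds to fill the bottleneck queue at peak rate R > C."""
    if peak_bps <= capacity_bps:
        raise ValueError("peak rate must exceed link capacity to build a queue")
    return buffer_bits / (peak_bps - capacity_bps)


def burst_length(buffer_bits, capacity_bps, peak_bps, hold_s):
    """l = l1 + l2 (seconds)."""
    return fill_time(buffer_bits, capacity_bps, peak_bps) + hold_s


def average_rate(peak_bps, burst_s, period_s):
    """Mean rate of a periodic burst stream: R * l / T (bit/s)."""
    return peak_bps * burst_s / period_s


def optimal_peak_rate(buffer_bits, capacity_bps, hold_s):
    """Peak rate minimizing R*(B/(R-C) + l2): R* = C + sqrt(B*C/l2)."""
    return capacity_bps + math.sqrt(buffer_bits * capacity_bps / hold_s)


def min_average_rate_by_search(buffer_bits, capacity_bps, hold_s, period_s, steps=20000):
    """Brute-force cross-check: sweep R over (C, 50C] and keep the lowest average rate."""
    best_r, best_rate = None, math.inf
    for k in range(1, steps + 1):
        r = capacity_bps * (1 + 49 * k / steps)
        rate = average_rate(r, burst_length(buffer_bits, capacity_bps, r, hold_s), period_s)
        if rate < best_rate:
            best_r, best_rate = r, rate
    return best_r, best_rate


if __name__ == "__main__":
    # Constructed bottleneck: 1.5 Mb/s link, 40 packets x 1500 B of buffer, hold 100 ms, T = 1.1 s.
    C, B, L2, T = 1.5e6, 40 * 1500 * 8, 0.100, 1.1
    r_star = optimal_peak_rate(B, C, L2)
    l_star = burst_length(B, C, r_star, L2)
    print(f"R* = {r_star / 1e6:.2f} Mb/s, l = {l_star * 1e3:.0f} ms, "
          f"avg = {average_rate(r_star, l_star, T) / 1e3:.0f} kb/s")
    print("search:", min_average_rate_by_search(B, C, L2, T))
    # Average rates of the bursts used in the slide deck's Internet experiments:
    print(average_rate(10e6, 0.200, 1.2))   # intra-LAN: 200 ms burst every 1.2 s
    print(average_rate(10e6, 0.100, 1.1))   # inter-LAN / WAN: 100 ms burst every 1.1 s
```

Raising the peak rate shortens $l_1$ but makes every second of burst more expensive, which is why the average rate has an interior minimum; background traffic that keeps the queue partly full (the DoS Peak Rate slide) effectively reduces $B$ and pushes $R^*$ down toward $C$.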
Impact on Long-lived Homogeneous-RTT TCP Traffic
Simulation: 5 TCP flows on a 1.5 Mb/s link; one-way propagation delay 6 ms; the (common) RTT is varied from 12 ms to 132 ms across runs. DoS traffic: 1.5 Mb/s peak rate, 100 ms bursts, 50-byte packets.
Impact on Long-lived Heterogeneous-RTT TCP Traffic
Simulation: 20 TCP flows on a 10 Mb/s link; RTTs vary from 29 to 460 ms. DoS burst traffic: 10 Mb/s peak rate, 100 ms bursts, 1.1 s period.
DoS Burst Length
The attack acts as a high-RTT-pass filter: as the burst length increases, more (longer-RTT) TCP flows are filtered, so the aggregate TCP throughput decreases.
DoS Peak Rate
Background traffic can lower the DoS peak rate needed while keeping the attack effective.
Scenario: 1 DoS flow and 4 TCP flows; 3 TCP flows with long RTT serve as the background traffic.
Relatively low peak rates are sufficient to filter the short-RTT flow.
Impact on HTTP Traffic
HTTP traffic is more dynamic. The attack has more impact under heavy load and on large file sizes. Some flows benefit from the attack, because they happen to avoid the outages.
DoS on TCP Variants
Effective attacks depend on the ability to create correlated packet losses and force the TCP flows to enter retransmission timeout, whichever variant is used.
Internet Experiments
Intra-LAN Inter-LAN WAN
Intra-LAN Scenario
10 Mb/s Ethernet. Attacker: 10 Mb/s peak rate, 200 ms burst length. Null frequency: 1.2 s. DoS average rate: 1.67 Mb/s with a 1.2 s period. TCP flow throughput drops from 6.6 Mb/s to 780 kb/s.
Inter-LAN Scenario
Attacker and TCP sender are on different 100 Mb/s Ethernets; the attacked host is on a 10 Mb/s Ethernet. DoS peak rate 10 Mb/s, burst duration 100 ms. Null frequency: 1.1 s. At this timescale the DoS average rate is 909 kb/s. TCP flow throughput drops from 9.8 Mb/s to 800 kb/s.
WAN Scenario
DoS source is 8 hops away: 10 Mb/s peak rate and 100 ms burst duration. With T = 1.1 s, TCP throughput drops from 9.8 Mb/s to 909 kb/s.
Router-Assisted Counter-DoS
Considers only dropping algorithms (RED and RED-PD) rather than scheduling.
Router-Assisted Counter-DoS (cont'd)
Vary the DoS peak rate or burst length; 9 TCP SACK flows; bottleneck rate 1.5 Mb/s.
End-point minRTO Randomization Counter-DoS
Fact: low-rate attacks exploit minRTO homogeneity.
Remedy: randomize the end systems' minRTO so that their null frequencies are randomized too.
Experiment: minRTO = uniform(a, b). Result: the longest, most vulnerable timescale becomes T = b.
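The null points on the DoS TCP Throughput slide and the minRTO-randomization remedy above can both be checked with a small event simulation of the slides' model, added here as a worked example (this is not code from the paper or the slides): a flow hit by a burst waits minRTO and retransmits; a retransmission that lands inside a burst is lost and the RTO doubles; a successful one lets the flow send at full rate until the next burst starts. The zero-RTT idealization, the 60 s backoff cap and the five constructed minRTO draws standing in for uniform(1000, 1200) ms are this example's assumptions.

```python
"""Event simulation of one TCP flow under a periodic low-rate DoS stream
(added example; not from the paper or slides).

Model taken from the slides: bursts of length l ms start every T ms; a flow hit
by a burst loses its window, waits RTO = minRTO, and retransmits; a
retransmission that lands inside a burst is lost and the RTO doubles
(exponential backoff); a successful retransmission lets the flow send at full
rate until the next burst.  RTT is idealized to zero, so the fraction of time
spent sending is the normalized throughput.  Integer milliseconds keep the
arithmetic exact (assumption: bursts occupy the half-open interval [kT, kT+l)).
"""
from fractions import Fraction


def throughput_fraction(period_ms, burst_ms, min_rto_ms=1000, horizon_ms=60_000, max_rto_ms=60_000):
    """Normalized throughput of one flow over horizon_ms, as an exact Fraction in [0, 1]."""
    t, sending = 0, 0                      # the flow is hit by the first burst at t = 0
    while t < horizon_ms:
        rto, retx = min_rto_ms, t + min_rto_ms
        # retransmissions that land inside a burst are lost: back off and retry
        while retx < horizon_ms and retx % period_ms < burst_ms:
            rto = min(2 * rto, max_rto_ms)
            retx += rto
        if retx >= horizon_ms:
            break
        next_burst = -(-retx // period_ms) * period_ms   # ceil(retx / T) * T
        sending += min(next_burst, horizon_ms) - retx
        t = next_burst
    return Fraction(sending, horizon_ms)


def model_throughput(period_ms, min_rto_ms=1000):
    """Closed form implied by the same model when the retransmission at minRTO is not
    itself lost: the flow sends from minRTO until the next burst start, every
    ceil(minRTO/T) periods."""
    k = -(-min_rto_ms // period_ms)                      # ceil(minRTO / T)
    return Fraction(k * period_ms - min_rto_ms, k * period_ms)


def aggregate_throughput(period_ms, burst_ms, min_rtos_ms, horizon_ms=60_000):
    """Mean normalized throughput over a population of flows with the given minRTO values."""
    fr = [throughput_fraction(period_ms, burst_ms, m, horizon_ms) for m in min_rtos_ms]
    return sum(fr, Fraction(0)) / len(fr)


if __name__ == "__main__":
    # Single flow, minRTO = 1 s: nulls at T = 500 and 1000 ms, closed form elsewhere.
    for T in (500, 700, 1000, 1100, 1200):
        print(T, throughput_fraction(T, 100, horizon_ms=T * 60), model_throughput(T))
    # minRTO randomization: constructed draws standing in for uniform(1000, 1200) ms.
    rand = [1000, 1050, 1100, 1150, 1200]
    for T in (1000, 1100, 1200):
        print("T =", T,
              "homogeneous:", aggregate_throughput(T, 100, [1000] * 5, T * 60),
              "randomized:", aggregate_throughput(T, 100, rand, T * 60))
```

With a homogeneous minRTO the attacker nulls the whole population at T = 1000 ms; with randomized minRTO the same period leaves roughly 30% of the throughput, and the attacker's best remaining choice is T = b = 1200 ms, where only the flow with minRTO = b is nulled and the others recover for a few tens of milliseconds before each burst. That is the slide's "most vulnerable timescale becomes T = b" in numbers.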
Conclusion
This attack works against both short- and long-lived TCP flows.
In a heterogeneous-RTT environment it acts as a high-RTT-pass filter.
There is no effective way to defend the system in the presence of this low-rate DoS attack.