DoS Resilience in Ad Hoc Networks€¦ · TCP congest. window minRTO n x minRTO Time JF Outage:...
88
DoS Resilience in Ad Hoc Networks I. Aad, J.-P. Hubaux and E. Knightly MobiCom 2004, Sept. 29 th 2004, Philadelphia - PA, USA 1
Transcript of DoS Resilience in Ad Hoc Networks€¦ · TCP congest. window minRTO n x minRTO Time JF Outage:...
DoS Resilience in Ad Hoc Networks
I. Aad, J.-P. Hubaux and E. Knightly
MobiCom 2004, Sept. 29th 2004,
Philadelphia - PA, USA
1
Outline
Introduction and system model
DoS attacks:“Protocol-compliant” attacks: JellyFishBlackHole
The cost of counter-measures
Network performance under DoS attacks
Conclusion
2
Introduction
Significant work has been made in:
Key Establ.
General
Authentication
Group / Multic
ast
Arms ra
ce
Localisation
Cooperation
Routing
Intrusion detectio
n
Reputation
32P
erce
nta
ge
26
12
7 65 4 3
2 2
3
Introduction
Significant work has been made in:
Key Establ.
General
Authentication
Group / Multic
ast
Arms ra
ce
Localisation
Cooperation
Routing
Intrusion detectio
n
Reputation
32P
erce
nta
ge
We are here
0
DoS assessment
26
12
7 65 4 3
2 2
Our goal: quantify the damage of a DoS attack on anad-hoc network
3
Introduction
Significant work has been made in:
Key Establ.
General
Authentication
Group / Multic
ast
Arms ra
ce
Localisation
Cooperation
Routing
Intrusion detectio
n
Reputation
32P
erce
nta
ge
We are here
0
DoS assessment
26
12
7 65 4 3
2 2
Design (and study) a new class of “protocol-compliant”attacks
3
System model
Ad-hoc multi-hop network, Mobile nodes, Secure routing,
Node Authentication, 1 ID/node, Packet Authentication and
Encryption...4
System model
JF
JF: JellyFishBH: BlackHole
BH
JF
The dual role of hosts as routers introduces a criticalvulnerability!
4
Outline
Introduction and system model
DoS attacks:
“Protocol-compliant” attacks: JellyFishBlackHole
The cost of counter-measures
Network performance under DoS attacks
Conclusion
5
What is a "protocol-compliant" attack?
Just like any IP service, it can:
Drop packets
Reorder packets
Delay / jitter packets
6
What is a "protocol-compliant" attack?
Just like any IP service, it can:
Drop packets
Reorder packets
Delay / jitter packets
BUT!in a MALICIOUS way...
6
What is a "protocol-compliant" attack?
Just like any IP service, it can:
Drop packets
Reorder packets
Delay / jitter packets
Why use "protocol-compliant" attacks ?Detection and diagnosis are time consuming!
6
Example: the JellyFish
� �� �� �� �� ���
���
� �� �� �� �� ���
���
� �� �� �� �� ���
���
Buffer size
JF−reordering node
Pkt Recv
SrcJF
Dst
Random select
Pkt Send
� �� �� �� �� ���
���
7
Example: the JellyFish
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
1 1.5 2 2.5 3 3.5 4 4.5 5
Goo
dput
(M
b/s)
Reordering buffer size
2 hops3 hops4 hops5 hops
Reordering >3 packets reduces TCP throughput to ≈zero!7
The JellyFish
For closed-loop traffic:TCP, TFRC-like...
Passive
Hard to detect...... until after the "sting"
End-to-end control protocols infer network status fromfeedback measurements.
JF interferes with these measurements...
... to attenuate the traffic flows.8
The JellyFish
For closed-loop traffic:TCP, TFRC-like...
Passive
Hard to detect...... until after the "sting"
Species:
JF-Reorder → “multipath”
JF-drop → “congestion, buffer overflow...”
JF-Jitter (variable RTT) → “variable loads” 8
JF-drop
For wired networks: the Shrew [Kuzmanovic & Knightly]
Dropping 5% of the packets periodically (@T = 1sec)
T
Time
SrcJF
Dst
T x d%
9
JF-drop
Dropping 5% of the packets periodically (@T = 1sec)
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0 0.5 1 1.5 2 2.5 3
Goo
dput
(M
b/s)
Time period (s)
2 hops3 hops4 hops5 hops
... reduces TCP throughput to zero!9
JF-drop
TC
P c
on
ges
t. w
ind
ow
Time
JF Outage: ~RTT
9
JF-drop
TC
P c
on
ges
t. w
ind
ow
minRTO
Time
JF Outage: ~RTT
9
JF-drop
TC
P c
on
ges
t. w
ind
ow
minRTO n x minRTO
Time
JF Outage: ~RTT
9
JF-drop
TC
P c
on
ges
t. w
ind
ow
1 sec n x 1 sec
Time
RFC 2988
JF Outage: ~RTT
9
JF-drop
TC
P c
on
ges
t. w
ind
ow
1 sec n x 1 sec
Time
RFC 2988
JF Outage: ~RTT
9
JF-jitter
������ �� �� �� �� �� �� �� ��� �����
JF−jitter−delay node
time
IDLE
Server with vacations
JFDst
Src
10
JF-jitter
TCP infers network/congestion status using RTT...
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0 1 2 3 4 5
Goo
dput
(M
b/s)
Idle period (s)
JF-jitter
JF interferes with RTT to attenuate the TCP flow!10
The BlackHole
For non-responsive / open-loop traffic...
Passive
Forwards routing packets
"Absorbs" all data packets
Hard to detect...11
The BlackHole
MAC/PHY
UpstreamBH
DstMAC/PHY
IP IP
Data
MAC−ACK
Drop!
of MAC layerfailure
Detection
neighbor
MAC ACK avoids immediate diagnosing
11
The BlackHole
MAC/PHY
UpstreamBH
DstMAC/PHY
IP IP
Data
MAC−ACK
Drop!
of MAC layerfailure
Detection
neighbor
(zero throughput)
11
Passive ACK (PACK) [DSR]
A is sending a packet to C via B
A B C
12
Passive ACK (PACK) [DSR]
A overhears B’s transmission/forward to C
A B C
12
Passive ACK (PACK) [DSR]
PACK can be fooled by low-power transmissions...
A B C
12
Passive ACK (PACK) [DSR]
... Or by using directional antennas!
A B C
12
Outline
Introduction and system model
DoS attacks:“Protocol-compliant” attacks: JellyFishBlackHole
The cost of counter-measures
Network performance under DoS attacks
Conclusion
13
Non-goal: escalating the “arms race”
Diagnosis are inevitableLocally ?End-to-end ?
Our goal: how do they perform ?14
The cost of counter-measures
Counter-measure parameters:
Diagnosis time → E(T ndiag)
(re)Route request → E(T nRR)
Routing protocol limitations:
Rate limiter → E(T nRL)
Let:
Flow lifetime → E(TL)
Proportion of JF → p
Path length (for recvd. pkts.) → h
15
The cost of counter-measures
Goodput = E(TL)
E(TL)+(E(T ndiag
)+E(T nRL
)+E(T nRR
))(1−p)−h
0
0.2
0.4
0.6
0.8
1
0 0.1 0.2 0.3 0.4 0.5 0.6
Goo
dput
Fraction of JellyFish Nodes
3 relay nodes6 relay nodes9 relay nodes
Diagnosis and rerouting times get magnified by (1 − p)−h.
(h: average hop-count, p: proportion of JF)15
The cost of counter-measures
Goodput = E(TL)
E(TL)+(E(T ndiag
)+E(T nRL
)+E(T nRR
))(1−p)−h
Mobility
Network size
“PACK++”
Watchdog, path-rater [Marti et al.]
Identifying “Byzantine nodes” [Awerbuch et al.]
Reputation systems [Buchegger et al., Michiardi et al.]
Rushing attack [Hu et al.]
15
Rushing attack [Hu et al.]
16
Rushing attack [Hu et al.]
JF
The malicious node increases its transmission range
16
Rushing attack [Hu et al.]
JF
... to "attract" more flows, therefore increasing p!
16
Rushing attack [Hu et al.]
Goodput = E(TL)
E(TL)+(E(T ndiag
)+E(T nRL
)+E(T nRR
))(1−p)−h
0
0.2
0.4
0.6
0.8
1
0 0.1 0.2 0.3 0.4 0.5 0.6
Goo
dput
Fraction of JellyFish Nodes
no rushing attack2x rushing4x rushing
The rushing attack makes things even worse,exponentiating the effect with hop length!
(h: average hop-count, p: proportion of JF) 16
Rushing attack [Hu et al.]
Goodput = E(TL)
E(TL)+(E(T ndiag
)+E(T nRL
)+E(T nRR
))(1−p)−h
0
0.2
0.4
0.6
0.8
1
0 0.1 0.2 0.3 0.4 0.5 0.6
Goo
dput
Fraction of JellyFish Nodes
no rushing attack2x rushing4x rushing
The goodput collapses under 10% of attackers!
16
Outline
Introduction and system model
DoS attacks:“Protocol-compliant” attacks: JellyFishBlackHole
The cost of counter-measures
Network performance under DoS attacks
Conclusion
17
What about the network resistance?
Simulation setup:
2000m × 2000m topology
200 mobile nodes
Velocity: 0 to 10m/s
Average pause time: 10s
50 UDP flows: 500B packets / 5s, (800b/s)
Clear non-fading channel
Simulation: 100s warmup + 500s simulation
(50 simulations, 18 topologies) / point, 95% conf.intervals
18
What about the network resistance?
System-wide total throughput = sum of E-2-E throughputs:
%
Sys
tem
Th
rpt.
Percentage of JF
18
What about the network resistance?
System-wide total throughput = sum of E-2-E throughputs:
100%
Sys
tem
Th
rpt.
Percentage of JF
18
What about the network resistance?
System-wide total throughput = sum of E-2-E throughputs:
100%
Sys
tem
Th
rpt.
Percentage of JF
18
What about the network resistance?
System-wide total throughput = sum of E-2-E throughputs:
100%
Sys
tem
Th
rpt.
Percentage of JF
18
again ?
DoS increases the capacity of ad-hoc networks!
19
Path length for received packets
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0 5 10 15 20
Pro
babi
lity
Number of hops
0 JF / 200 nodes16 JF, Grid. plac. / 200 nodes25 JF, Grid. plac. / 200 nodes49 JF, Grid. plac. / 200 nodes
After DoS: → Long paths are extinguished...
→ Short paths will survive...20
Path length for received packets
− End−to−End throughput = channel capacity− Less interference− More channel reuse
After DoS: → Long paths are extinguished...
→ Short paths will survive...20
Path length for received packets
− End−to−End throughput = channel capacity− Less interference− More channel reuse
− E2E throughput = ch. capacity / 3− More interference− Less channel reuse
After DoS: → Long paths are extinguished...
→ Short paths will survive...20
Path length for received packets
− End−to−End throughput = channel capacity− Less interference− More channel reuse
− E2E throughput = ch. capacity / 3− More interference− Less channel reuse
System throughput maximizer
After DoS: → Long paths are extinguished...
→ Short paths will survive...20
Path length for received packets
− End−to−End throughput = channel capacity− Less interference− More channel reuse
− E2E throughput = ch. capacity / 3− More interference− Less channel reuse
System throughput maximizer
and this is what JF and BlackHoles are doing!20
System throughput
0
0.5
1
1.5
2
2.5
0 5 10 15 20 25
Nor
mal
ized
sys
tem
thro
ughp
ut
Percentage of JFs
50 1Mb/s CBR flows250 1Mb/s CBR flows
5 TCP flows
System throughput often increases after DoS!21
BUT!
0
0.2
0.4
0.6
0.8
1
0 5 10 15 20 25
Jain
’s in
dex
of fa
irnes
s
Percentage of JF
50 1Mb/s CBR flows250 1Mb/s CBR flows
5 TCP50 TCP
System becomes unfair, in favor of short paths.22
After DoS...
Network gets severely partitioned
Short flows survive
Long flows are attenuated
Aggregated system throughput may increase!
23
More in the paper...
We analyze the performance of the system when varyingthe:
Offered load
Network size
Node density
Node mobility
JF placement strategy
24
Outline
Introduction and system model
DoS attacks:“Protocol-compliant” attacks: JellyFishBlackHole
The cost of counter-measures
Network performance under DoS attacks
Conclusion
25
Conclusion
TCP collapses with malicious:Dropping, reordering, jitter ...
More generally, all closed-loop mechanisms arevulnerable to malicious tampering
“Protocol-compliance” makes defense moreproblematic
First paper to quantify DoS effects on ad-hoc networks:DoS increases capacity! BUT!Network gets partitionedFairness decreases→ System throughput, alone, is not enough tomeasure DoS impacts
26
PACK
PACK power
i j k i j k
27
PACK
PACK fool
i j k i j k
27
PACK
PACK directional antenna
i j k i j k
27
Reminder on TCP
TimersCong. Window
Pkt Recv(ACK recv)
Sender Receiver
Data Pkt
ACK
8x
8x
9x
Sender Receiver
Slow Start (SS)
Congest. Avoid. (CA)(cwnd > ssthresh)
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
cwnd += 1/cwnd (CA)
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt Recv(ACK recv)
cwnd += 1 (SS)
1 RTT
28
Reminder on TCP
TimersCong. Window
Pkt Recv(ACK recv)
Data Pkt
Sender Receiver
28
Reminder on TCP
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt Recv(ACK recv)
cwnd += 1 (SS)
1 RTT
Data Pkt
ACK
Sender Receiver
28
Reminder on TCP
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt Recv(ACK recv)
cwnd += 1 (SS)
1 RTT
Data Pkt
ACK
Sender Receiver
28
Reminder on TCP
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt Recv(ACK recv)
cwnd += 1 (SS)
1 RTT
Data Pkt
ACK
Sender Receiver
28
Reminder on TCP
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt Recv(ACK recv)
cwnd += 1 (SS)
1 RTT
Data Pkt
ACK
Sender Receiver
Slow Start (SS)
28
Reminder on TCP
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt Recv(ACK recv)
cwnd += 1 (SS)cwnd += 1/cwnd (CA)
1 RTT
Data Pkt
ACK
8x
8x
Sender Receiver
Slow Start (SS)
28
Reminder on TCP
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt Recv(ACK recv)
cwnd += 1 (SS)cwnd += 1/cwnd (CA)
1 RTT
Data Pkt
ACK
8x
8x
9x
Sender Receiver
Slow Start (SS)
28
Reminder on TCP
28
Reminder on TCP
1 RTT
Data Pkt
ACK
Sender Receiver
Slow Start (SS)
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
cwnd += 1/cwnd (CA)cwnd += 1 (SS)
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt loss
Pkt Recv
T.O.)
(dup. ACKs,
(ACK recv)
Duplicate ACK
28
Reminder on TCP
1 RTT
Data Pkt
ACK
Sender Receiver
Slow Start (SS)
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
cwnd += 1/cwnd (CA)cwnd += 1 (SS)
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt loss
Pkt Recv
T.O.)
(dup. ACKs,
(ACK recv)
Duplicate ACK
28
Reminder on TCP
1 RTT
Data Pkt
ACK
Sender Receiver
Slow Start (SS)
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
Timers
cwnd += 1/cwnd (CA)cwnd += 1 (SS)
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt loss
Pkt Recv
T.O.)
(dup. ACKs,
(ACK recv)
Duplicate ACK
28
Reminder on TCP
1 RTT
Data Pkt
ACK
Sender Receiver
Slow Start (SS)
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
cwnd = 1
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
ssthresh = cwnd / 2
Timers
RTO = RTO x 2
cwnd += 1/cwnd (CA)cwnd += 1 (SS)
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt loss
Pkt Recv
T.O.)
(dup. ACKs,
(ACK recv)
Duplicate ACK
28
Reminder on TCP
1 RTT
Data Pkt
ACK
Sender Receiver
Slow Start (SS)
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
cwnd = 1
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
ssthresh = cwnd / 2
Timers
RTO = RTO x 2
cwnd += 1/cwnd (CA)cwnd += 1 (SS)
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt loss
Pkt Recv
T.O.)
(dup. ACKs,
(ACK recv)
Duplicate ACK
/ T.O. ?
28
Reminder on TCP
1 RTT
Data Pkt
ACK
Sender Receiver
Slow Start (SS)
b |SRTT−RTT|
SRTT = (1−a) SRTT + a RTT
cwnd = 1
RTTVAR = (1−b) RTTVAR +
SRTT+ max(G, 4 RTTVAR))
ssthresh = cwnd / 2
Timers
RTO = RTO x 2
cwnd += 1/cwnd (CA)cwnd += 1 (SS)
ssthresh
RTO = max(minRTO ,
Cong. Window
Pkt loss
Pkt Recv
T.O.)
(dup. ACKs,
(ACK recv)
Duplicate ACK
/ T.O. ?
28
JF-drop
TimerRetx
1s
Time
TimersCong. Window
Pkt Recv
Pkt loss
29
JF-drop
TimerRetx
1s−RTT1s
Time1s
1s
TimersCong. Window
Pkt Recv
Pkt losscwnd = 1 RTO = RTO x 2
29
JF-drop
TimerRetx
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+R
TT
Timers
Pkt loss
Pkt Recv
Cong. Window
SRTT+ max(G, 4 RTTVAR))
RTO = max(minRTO,cwnd +=1 (SS)
29
JF-drop
TimerRetx
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+2
RT
T1s
+RT
T
Timers
SRTT+ max(G, 4 RTTVAR))cwnd +=1 (SS)
RTO = max(minRTO,
Pkt Recv
Pkt loss
Cong. Window
29
JF-drop
TimerRetx
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+2
RT
T1s
+RT
T
Timers
SRTT+ max(G, 4 RTTVAR))cwnd +=1 (SS)
RTO = max(minRTO,
Cong. Window
Pkt Recv
Pkt loss
29
JF-drop
TimerRetx
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+2
RT
T1s
+RT
T
Timers
SRTT+ max(G, 4 RTTVAR))
RTO = max(minRTO,cwnd +=1 (SS)
Pkt Recv
Pkt loss
Cong. Window
29
JF-drop
TimerRetx
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+2
RT
T1s
+RT
T
t 0
Timers
cwnd = 1 RTO = RTO x 2Pkt loss
Pkt Recv
Cong. Window
29
JF-drop
TimerRetx
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+2
RT
T1s
+RT
T
t t +2s0
Timers
cwnd = 1 RTO = RTO x 2
0
Pkt loss
Pkt Recv
Cong. Window
29
JF-drop
TimerRetx
SRTT+ max(G, 4 RTTVAR))
RTO = max(minRTO,cwnd +=1 (SS)
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+2
RT
T1s
+RT
T
t t +2s0
Timers
RTO = RTO x 2
0
cwnd = 1
Pkt Recv
Pkt loss
Cong. Window
29
JF-drop
TimerRetx
SRTT+ max(G, 4 RTTVAR))
RTO = max(minRTO,cwnd +=1 (SS)
2s−RTT
1s−RTT1s
2s
Time1s
1s 1s+2
RT
T1s
+RT
T
t t +2s0
Timers
RTO = RTO x 2
0
cwnd = 1
Pkt Recv
Pkt loss
Cong. Window
t +1s0
29
Simulation results: Number of hops
0
1
2
3
4
5
6
7
502512.580
Ave
rage
num
ber
of h
ops
Percentage of JF
Baseline: 50 1Mb/s CBR flows
30
