Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing Ying Zhang Z. Morley Mao Jia Wang...

Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang, Z. Morley Mao, Jia Wang
Presented in NDSS07
Prepared by: Hale Ismet

The attacks
Attacks targeting end hosts: Denial of Service attacks, worms, spam
Attacks targeting the routing infrastructure

Border Gateway Protocol
Standard inter-domain routing protocol
There are two types of BGP sessions: eBGP and iBGP sessions. The former are between routers within different autonomous systems (ASes) or networks.
[Diagram label: AS 2]

To ensure liveness of the neighbor in a BGP session, routers periodically exchange keepalive messages
[Diagram: AS 1 and AS 2 routers joined by a BGP session; transport: TCP connection; Keepalive messages]
Keepalive: confirm peer liveliness; determine peer reachability
BGP HoldTimer expired -> BGP session reset

Low-rate TCP-targeted DoS attacks
[Figure: TCP congestion window size (segments) over time, starting from the initial window size; time axis marked at minRTO, 2 x minRTO, 4 x minRTO]
Attack flow period approximates minRTO of TCP flows

The attacker can indeed bring down the BGP session
1. Burst length L needs to be long enough to cause congestion.
2. Peak magnitude R also needs to be large to cause congestion.
3. Inter-burst period T needs to be minRTO to cause session reset.

The effect of this attack on BGP
1. The attack traffic lowers the sending rate of the TCP connection carrying BGP traffic; this increases convergence delay.
2. The more severe effect on the BGP session is the possibility of a BGP session reset, caused by all packets being dropped within a time interval exceeding the hold timer value.

Testbed experiments
The high-end Cisco router GSR (it is widely used in the Internet and is very powerful)
Demonstrating the attack feasibility using two computers

[Diagram: UDP-based attack flow from Attacker A to Receiver B across Router R1 and Router R2 (labels: CBR); timeline marked minRTO, 2*minRTO, 7th retransmitted BGP Keepalive message, BGP Session Reset]
Takes 3 min
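
The retransmission timeline on this slide can be reproduced with a small timing model; this is an added example, not part of the original slides. The 1 s minRTO, 64 s RTO cap and 180 s hold time are assumptions (the 225 msec burst length is the value quoted later in the deck), and the model also shows that a minRTO not aligned with the burst period lets a retransmission through.

```python
# Added illustration, not from the slides: timing model of TCP retransmission
# backoff against periodic congestion. All parameter values are assumptions.

def retransmit_times(min_rto, hold_time, max_rto=64.0):
    """Times (seconds after the first loss at t=0) at which TCP retransmits,
    doubling the RTO after each timeout, until the BGP hold timer expires."""
    times, t, rto = [], 0.0, min_rto
    while t + rto <= hold_time:
        t += rto
        times.append(t)
        rto = min(rto * 2, max_rto)  # exponential backoff with a cap
    return times

def in_burst(t, period, burst_len):
    """True if time t falls inside a congestion burst. Bursts start at
    0, period, 2*period, ... and each lasts burst_len seconds."""
    return (t % period) < burst_len

def first_delivery(min_rto, period, burst_len, hold_time=180.0):
    """Time of the first retransmission that misses every burst, or None if
    every retransmission before hold_time is lost (the session would reset)."""
    for t in retransmit_times(min_rto, hold_time):
        if not in_burst(t, period, burst_len):
            return t
    return None

if __name__ == "__main__":
    PERIOD, BURST = 1.0, 0.225  # inter-burst period T and burst length L (s)
    print("retransmissions within hold time:", retransmit_times(1.0, 180.0))
    # minRTO equal to the burst period: every retransmission lands in a burst.
    print("minRTO = 1.0 s ->", first_delivery(1.0, PERIOD, BURST))
    # minRTO values off the period (as a randomized minRTO would produce):
    for rto in (1.1, 1.3):
        print(f"minRTO = {rto} s ->", first_delivery(rto, PERIOD, BURST))
```

With the assumed values, the aligned case loses all seven retransmissions that fit inside the hold time, while the offset cases deliver the keepalive within a few seconds.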

Kind of routers

The probability of session reset
With a burst length of 225 msec, the attacker has around 30% probability to reset the session with 42% available bandwidth.

Attack peak magnitude's impact on session reset and table transfer duration

Necessary conditions for single attack
Inter-burst period approximates minRTO
The attack flow's path traverses at least one link of the BGP session
Attack flow's bottleneck link is the target link

Bring down the BGP session
To avoid sending too much traffic from each node, we perform time synchronization designed

Conditions for coordinated attacks
1'. Sufficiently strong combined attack flows to cause congestion
2. The attack flow's path traverses the BGP session
3'. Identify the target link location

Attack prevention
Hiding information
- Kuzmanovic03: Randomize minRTO
- Hide network topology from end-hosts
Prioritize routing traffic
Weighted Random Early Detection (WRED) [It is a mechanism ]
- Prevent TCP synchronization
- Selectively drop packets: drop low-priority packets first when the queue size exceeds defined thresholds
** WRED relies on the IP precedence field in the packet header
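
The WRED behaviour summarized on this slide, as an added example that is not part of the original slides: a per-precedence drop decision evaluated over one congestion burst. The thresholds, the queue trace and the rule that untrusted interfaces are classified as precedence 0 are assumptions made for the illustration; the last one reflects that the precedence field is set by the sender.

```python
# Added illustration, not from the slides. Thresholds and the sample queue
# trace are constructed for the example, not taken from any router.

# precedence -> (min_threshold, max_threshold, max_drop_probability)
# Thresholds are average queue lengths in packets.
PROFILES = {
    0: (20, 40, 0.10),  # best-effort traffic: starts dropping early
    6: (35, 40, 0.10),  # internetwork control (routing protocol traffic)
}

def precedence_of(tos_byte):
    """IP precedence is the top three bits of the IPv4 ToS byte."""
    return (tos_byte >> 5) & 0x7

def classify(tos_byte, trusted):
    """Honour the precedence field only on trusted interfaces (assumption);
    everything else is treated as best effort, whatever the header claims."""
    return precedence_of(tos_byte) if trusted else 0

def drop_probability(avg_queue, precedence):
    """WRED drop probability for one arriving packet."""
    min_th, max_th, max_p = PROFILES.get(precedence, PROFILES[0])
    if avg_queue < min_th:
        return 0.0  # below the minimum threshold: never drop
    if avg_queue >= max_th:
        return 1.0  # at or above the maximum threshold: drop everything
    # Between the thresholds the probability rises linearly up to max_p.
    return max_p * (avg_queue - min_th) / (max_th - min_th)

def expected_drops(queue_trace, precedence):
    """Expected number of dropped packets if one packet of this class
    arrives at each sample of the average queue length."""
    return sum(drop_probability(q, precedence) for q in queue_trace)

# Constructed average-queue samples covering one congestion burst.
QUEUE_TRACE = [10, 20, 25, 30, 34, 30, 25, 15]

if __name__ == "__main__":
    for tos, trusted in ((0xC0, True), (0xC0, False), (0x00, True)):
        prec = classify(tos, trusted)
        print(f"tos=0x{tos:02X} trusted={trusted} -> precedence {prec}, "
              f"expected drops {expected_drops(QUEUE_TRACE, prec):.3f}")
```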

BGP table transfer with WRED enabled under attack

Conclusion
Feasibility of attacks against Internet routing infrastructure
Prevention solution using existing router configurations
Difficulties in detecting and defending against coordinated attacks

Thanks
Any Questions?