Low-Rate TCP-Targeted Denial of Service Attacks


Low-Rate TCP-Targeted Denial of Service Attacks

Presenter: Juncao Li

Authors: Aleksandar Kuzmanovic Edward W. Knightly

Computer Science, Portland State University 2 juncao@cs.pdx.edu

Contributions

• Present a denial of service attack: Shrew
– Throttles TCP flows to a small fraction of their throughput

• Show the mechanism of Shrew attacks
– Exploits TCP's retransmission timeout mechanism

• Develop several DoS traffic patterns for the attack


Agenda

• TCP Congestion Control and Shrew Attacks
• Creating DoS Outages
• Aggregation and Heterogeneity
• Internet Experiments
• Counter-DoS Techniques and Conclusions


Denial of Service

• From Wikipedia
– An attempt to make a computer resource unavailable to its intended users

• Damage
– Network bandwidth
– CPU cycles
– Server interrupt processing capacity
– Specific protocol data structures


TCP Congestion Control

• Goal: avoid or reduce congestion

• Fast timescale: Round Trip Time (RTT), 10 ms to 100 ms
– Additive-Increase Multiplicative-Decrease (AIMD) control

• Severe congestion
– Retransmission Time Out (RTO)
– The RTO is doubled on each successive timeout


TCP Congestion Control

• Smoothed Round-Trip Time (SRTT)
• Round-Trip Time Variation (RTTVAR)


TCP Retransmission Timer

[Figure: packet loss triggers multiplicative decrease of the congestion window and exponential backoff of the retransmission timer]

On a retransmission timeout:

1. Reduce the congestion window to one segment

2. Double the RTO
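Slides 7 and 8 name SRTT, RTTVAR, the minimum RTO and the doubling rule but show no numbers. The following Python model is an added example, not code from the paper or the presentation: it implements the RFC 6298 estimator (alpha = 1/8, beta = 1/4, K = 4, a 1 ms timer granularity and the 1 s minRTO are assumed constants) and shows why every flow with a sub-second RTT ends up with the same 1 s timer, the single vulnerable timescale the later slides rely on.

```python
from dataclasses import dataclass
from typing import List, Optional

# RFC 6298 constants (assumed values; the slides name SRTT/RTTVAR without numbers)
ALPHA = 1 / 8      # SRTT gain
BETA = 1 / 4       # RTTVAR gain
K = 4              # RTTVAR multiplier
CLOCK_G = 0.001    # timer granularity, 1 ms (assumption)
MIN_RTO = 1.0      # lower bound on the RTO, the paper's minRTO (RFC 2988/6298: 1 s)
MAX_RTO = 60.0     # upper bound used by the RFC 6298 backoff


@dataclass
class RtoEstimator:
    srtt: Optional[float] = None
    rttvar: float = 0.0
    rto: float = MIN_RTO   # RFC 6298 starts at RTO = 1 s before any sample

    def sample(self, rtt: float) -> float:
        """Update SRTT/RTTVAR with a new round-trip measurement and recompute the RTO."""
        if self.srtt is None:                       # first measurement
            self.srtt = rtt
            self.rttvar = rtt / 2
        else:
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - rtt)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * rtt
        raw = self.srtt + max(CLOCK_G, K * self.rttvar)
        self.rto = min(max(raw, MIN_RTO), MAX_RTO)  # the minRTO clamp bites here
        return self.rto

    def timeout(self) -> float:
        """Exponential backoff: each expiry doubles the timer (slide 8, step 2)."""
        self.rto = min(2 * self.rto, MAX_RTO)
        return self.rto


def rto_after_samples(rtts: List[float]) -> float:
    """RTO a sender holds after feeding it a sequence of RTT measurements."""
    est = RtoEstimator()
    for r in rtts:
        est.sample(r)
    return est.rto


def backoff_sequence(rtt: float, n_timeouts: int) -> List[float]:
    """RTO before the first timeout, then after each of n successive timeouts."""
    est = RtoEstimator()
    est.sample(rtt)
    seq = [est.rto]
    for _ in range(n_timeouts):
        seq.append(est.timeout())
    return seq


if __name__ == "__main__":
    # A 50 ms RTT flow: the raw estimate is ~0.15 s but it is clamped to minRTO = 1 s.
    print("RTO for a 50 ms RTT flow:", rto_after_samples([0.05] * 10))
    print("backoff after 4 timeouts:", backoff_sequence(0.05, 4))
    # Only a flow whose RTT is on the order of seconds escapes the clamp.
    print("RTO for a 2 s RTT flow:  ", rto_after_samples([2.0] * 10))
```

Run stand-alone it prints the three cases; the point to take away is that a 20 ms flow and a 500 ms flow both time out after exactly 1 s, so one loss burst per second keeps both in the timeout state, and each unanswered retransmission doubles the wait.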


Shrew Attacks

• Low-rate DoS attacks that exploit the slow-timescale dynamics of retransmission timers

• Provoke a TCP flow to repeatedly enter the retransmission timeout state
– By sending high-rate but short-duration bursts
– The bursts must be on the RTT timescale (long enough to induce loss)
– Repeated periodically on the slower RTO timescale

• Outage: the short interval of loss induced by the attacker's burst


Square-Wave DoS Stream

[Figure: square-wave DoS stream; the burst interval is labelled "Outage"]

• The burst duration is long enough to induce transmission loss

• The average DoS rate is still low


DoS Scenario and System Model

[Figure: DoS scenario and system model; label: Bottleneck Rate]


DoS Model

• Given condition

• DoS TCP Throughput Model


Flow Filtering

• Flow Filtering Behavior
– Only TCP flows that satisfy the condition can be influenced by Shrew attacks


DoS TCP Throughput: Model and Simulation

• Depends on how well the attack can induce transmission loss

• The model does not consider slow start

[Figure: DoS TCP throughput, model vs. simulation; the null of the curve is labelled "Zero throughput"]
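The slides give only the title of the DoS TCP throughput model and the figure's "zero throughput" label. As an added example, not the presenter's or the authors' code, the Python below encodes my reconstruction of that model: a flow hit by a burst every T seconds times out, waits minRTO, and can only resume at the first burst boundary after the timer expires, so it sends for a fraction (ceil(minRTO/T)·T − minRTO)/(ceil(minRTO/T)·T) of the time. Treat the formula as an assumption about the paper; the minRTO = 1 s value is the RFC 2988 default, and slow start after the timeout is ignored, as the slide says the model does.

```python
import math
from typing import List, Tuple

MIN_RTO = 1.0  # seconds; RFC 2988/6298 lower bound on the RTO, the paper's minRTO


def normalized_throughput(period: float, min_rto: float = MIN_RTO) -> float:
    """Fraction of its link share a TCP flow keeps under a periodic loss stream.

    Reconstruction of the paper's model (assumption, not copied from the slides):
    each burst forces a timeout, the sender waits minRTO, and it can only resume
    at the first burst boundary after the timer expires, i.e. after
    ceil(minRTO / T) periods. Slow start after the timeout is ignored.
    """
    if period <= 0:
        raise ValueError("period must be positive")
    k = math.ceil(min_rto / period)          # periods spent waiting for the timer
    return (k * period - min_rto) / (k * period)


def null_periods(min_rto: float = MIN_RTO, max_k: int = 4) -> List[float]:
    """Periods at which the model predicts zero throughput: minRTO / k."""
    return [min_rto / k for k in range(1, max_k + 1)]


def throughput_curve(periods: List[float], min_rto: float = MIN_RTO) -> List[Tuple[float, float]]:
    """(period, normalized throughput) pairs, the data behind the slide's model curve."""
    return [(T, normalized_throughput(T, min_rto)) for T in periods]


if __name__ == "__main__":
    print("null periods (s):", null_periods())
    for T, rho in throughput_curve([0.25, 0.5, 0.75, 1.0, 1.5, 2.0, 3.0]):
        print(f"T = {T:.2f} s  normalized throughput = {rho:.3f}")
```

The curve drops to zero exactly at T = minRTO and at its integer fractions (minRTO/2, minRTO/3, ...), which are the null frequencies discussed under randomized minRTO later in the deck; between the nulls the flow recovers part of its share, and the real simulation recovers a little more because slow start is not modelled.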


Instantaneous Bottleneck Queue Behavior

• Define B as the queue size and B0 as the queue size at the start of an attack

• Time to fill the queue:


Minimum Rate DoS Streams

• Double-Rate DoS Stream

[Figure: double-rate stream; phases labelled "Fill the queue" and "Keep the queue full"]

• Use a square wave for DoS streams instead
– Behaves the same
– Simpler: does not need knowledge of network parameters


DoS and Aggregated TCP Flows

[Figure: five long-lived homogeneous TCP flows under attack]

• RTT homogeneity introduces a single vulnerable timescale

• The DoS stream synchronizes the flows' RTOs


RTT-Based Filtering

• 20 long-lived TCP flows on a 10 MB/s link
• Round-trip times range from 20 to 460 ms

Most short-RTT TCP flows are affected


High Aggregation with Heterogeneous RTT

High-RTT flows are not affected much


Impact of DoS Burst Length

As the burst length increases, more high-RTT TCP flows are affected


Impact of DoS Peak Rate

Low peak rates are sufficient to filter the short-RTT flow

• 1 TCP flow with RTT from 12 ms to 134 ms
• 3 TCP flows with RTT from 108 ms to 230 ms


Impact on HTTP Flows

Attacks have a greater impact on larger files


TCP Variants


TCP Variants (Cont.)

The burst length L strongly influences the throughput


DoS Attack Scenario

• Intra-LAN Scenario
• Inter-LAN Scenario
• WAN Scenario


Experiment Results

Shrew attacks can come from either remote sites or nearby LANs


Impact of RED and RED-PD routers

• Router-assisted mechanisms need relatively long-timescale measurements to determine with confidence that a flow is transmitting at an excessively high rate and should be dropped; averaged over such a timescale, a Shrew stream's rate is low

– RED: Random Early Detection
– RED-PD: RED with Preferential Dropping


Detecting DoS Streams
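Slides 31 and 32 make the point that a meter working on long timescales cannot tell a Shrew stream from a well-behaved low-rate flow. The Python below is an added example (not from the paper or the presentation) that shows this on a constructed trace and then applies the opposite approach, a slot-level check for periodic link saturation. Every parameter is assumed: a 10 Mbit/s bottleneck, 10 ms counter slots, 500 kbit/s of background traffic, and a square wave that saturates the link for 100 ms once per second.

```python
from typing import List, Optional, Tuple

# Constructed trace parameters (all assumed; nothing here is measured data)
SLOT = 0.010                # seconds per byte-counter slot (10 ms)
LINK_BPS = 10_000_000       # bottleneck capacity, 10 Mbit/s


def make_trace(seconds: float = 10.0, burst_len: float = 0.1, period: float = 1.0,
               peak_bps: float = LINK_BPS, bg_bps: float = 500_000) -> List[float]:
    """Bytes observed per slot: light background traffic plus a square-wave stream
    that saturates the link for burst_len seconds once every period seconds."""
    n_slots = int(round(seconds / SLOT))
    burst_slots = int(round(burst_len / SLOT))
    period_slots = int(round(period / SLOT))
    trace = []
    for i in range(n_slots):
        rate = bg_bps + (peak_bps if (i % period_slots) < burst_slots else 0)
        trace.append(rate * SLOT / 8)
    return trace


def long_window_rates(trace: List[float], window_s: float) -> List[float]:
    """What a long-timescale meter (RED-PD style) sees: average bit rate per window."""
    n = int(round(window_s / SLOT))
    return [sum(trace[i:i + n]) * 8 / window_s
            for i in range(0, len(trace) - n + 1, n)]


def saturated_slots(trace: List[float], frac: float = 0.8) -> List[int]:
    """Slots in which the link carried at least `frac` of its capacity."""
    thr = frac * LINK_BPS * SLOT / 8
    return [i for i, b in enumerate(trace) if b >= thr]


def periodic_bursts(trace: List[float], frac: float = 0.8,
                    tol: float = SLOT) -> Optional[Tuple[float, float, int]]:
    """Square-wave detector: (period_s, burst_len_s, n_bursts) if saturated runs
    start at a consistent interval, None otherwise."""
    sat = saturated_slots(trace, frac)
    sat_set = set(sat)
    starts = [i for i in sat if i - 1 not in sat_set]   # rising edges
    if len(starts) < 3:
        return None                                      # too few bursts to call periodic
    gaps = [(b - a) * SLOT for a, b in zip(starts, starts[1:])]
    if max(gaps) - min(gaps) > tol:
        return None                                      # bursts, but not periodic
    runs = []
    for s in starts:                                     # length of each saturated run
        j = s
        while j in sat_set:
            j += 1
        runs.append((j - s) * SLOT)
    return sum(gaps) / len(gaps), sum(runs) / len(runs), len(starts)


if __name__ == "__main__":
    trace = make_trace()
    print("1 s window rates (bit/s):", long_window_rates(trace, 1.0)[:3], "...")
    print("periodic bursts:", periodic_bursts(trace))
```

On this trace a 1 s meter reports 1.5 Mbit/s on a 10 Mbit/s link, 15% of capacity and nothing a rate-based dropper would act on, while the slot-level detector reports bursts of 0.1 s every 1.0 s, a period on the RTO timescale. The detector is deliberately simple; it needs per-10 ms counters at the bottleneck and a saturation threshold, which is exactly the short-timescale state that the router-assisted schemes on the previous slide avoid keeping.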


DoS under Randomized RTO

• Randomizing minRTO shifts and smooths TCP's null frequencies

• It affects TCP performance
• It helps, but does not do much to defend against the attack
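To see what "shifts and smooths the null frequencies" means in numbers, this added example (mine, not the paper's or the presenter's) averages the reconstructed throughput model over a minRTO drawn uniformly from an assumed range of 1.0 s to 1.2 s and compares it with the fixed minRTO = 1 s case. The model formula, (ceil(minRTO/T)·T − minRTO)/(ceil(minRTO/T)·T), is my reading of the paper and should be taken as an assumption.

```python
import math
from typing import List, Tuple


def normalized_throughput(period: float, min_rto: float) -> float:
    """Reconstructed model (assumption): ceil(minRTO/T) periods lost per burst."""
    k = math.ceil(min_rto / period)
    return (k * period - min_rto) / (k * period)


def mean_throughput_randomized(period: float, lo: float = 1.0, hi: float = 1.2,
                               steps: int = 200) -> float:
    """Average model throughput when each timeout draws minRTO uniformly from
    [lo, hi]; the [1.0, 1.2] s range is an assumed illustration value."""
    acc = 0.0
    for i in range(steps):
        m = lo + (hi - lo) * (i + 0.5) / steps   # midpoint rule over the range
        acc += normalized_throughput(period, m)
    return acc / steps


def compare(periods: List[float], lo: float = 1.0, hi: float = 1.2) -> List[Tuple[float, float, float]]:
    """(period, throughput with fixed minRTO = lo, throughput with minRTO ~ U[lo, hi])."""
    return [(T, normalized_throughput(T, lo), mean_throughput_randomized(T, lo, hi))
            for T in periods]


if __name__ == "__main__":
    for T, fixed, rand in compare([0.5, 1.0, 1.1, 1.2, 1.5, 2.0]):
        print(f"T = {T:.2f} s  fixed minRTO: {fixed:.3f}  randomized minRTO: {rand:.3f}")
```

At T = 1.0 s the fixed-minRTO flow gets nothing while the randomized one keeps about 45% of its share, which is the "shifts and smooths" effect; at T = 1.2 s the randomized flow is back down to roughly 8%, which is why the slide rates the defense as helpful but limited, and the longer average timer is the performance cost the slide mentions.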


Conclusions

• Low-rate DoS attacks succeed against both short- and long-lived TCP aggregates

• In a heterogeneous-RTT environment, the attack's success is weighted towards shorter-RTT flows

• All low-rate periodic open-loop streams could be harmful

• Shrew attacks can only be mitigated, not eliminated; it is a tradeoff with performance


Questions?
