Low-Rate TCP-Targeted Denial of

Service Attacks(The Shrew vs. the Mice and

Elephants)Written by: Aleksandar Kuzmanovic

Edward W. Knightly

SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany

Weizman Yaniv Spring 2007

Traditional DoS attacks

Use high-rate transmission of packets (known as “sledge-hammer” approach)

Lead to lack of resources Network bandwidth Server or router CPU cycles Server Interrupt processing capacity Specific protocol data structures (TCP…)

Example DOS attacks TCP SYN attacks (TCP based) ICMP broadcast to a target host (IP based) DNS flood attacks (UDP based)

Presents a statistical anomaly to network monitor

Relatively easily detectable & ,mitigated (using counter-DOS mechanisms)

Outline

TCP congestion control protocol and timeout mechanism

The shrew attack

Simulation and internet experiments

DoS detection mechanisms

minRTO randomization

TCP congestion control protocol

Using two timescales (Shorter vs. Longer)

• Round Trip Time (RTT) - 10’s-100’s msec• Each flow transmit at the fair rate of its bottleneck link• Use Additive-Increase Multiplicative Decrease (AIMD)

control

• Retransmission timeout (RTO) – 1-N sec• Used on severe congestion with multiple losses• Exponential backoff phase. • RTO doubles with each subsequent timeout • Slow start mechanism

Slow RTO time-scale mechanisms are a key source of vulnerability to low rate attacks

TCP timeout mechanism

TCP Reno loss detection Timeout from non-receipt of ACKs Receipt of less than a triple-duplicate ACK

RTO Low value vs. High value tradeoff Low value – spurious retransmission (ACKs are delayed, not lost) High value – late recover from congestion

RTO = max(minRTO, SRTT + max(G,4*RTTVAR))

minRTO = 1 second (Allman and Paxton). SRTT - Smoothed Round-Trip Time RTTVAR - Round-Trip Time Variation G - Clock granularity (<= 100ms) R = RTT measurement

For small-RTT flows, RTO is set constantly as minRTO

The shrew in the nature

A small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite.

In other words: “Katan Aval Mamzer…”

The Shrew attack strategy

Attempts to deny bandwidth to TCP flows

Uses Low average rate TCP targeted attacks Elude detection by counter-Dos mechanisms Detecting Shrews may have unacceptably many false

alarms (due to legitimate bursty flows) Severity denial of service to legitimate users

Exploit protocol homogeneity and determinism Protocols react in a pre-defined way Tradeoff of vulnerability vs. predictability

Exploits the vulnerable TCP congestion control protocol

The Shrew Attack

Periodic on-off “square-wave” induced outage pulse, highly synchronized to TCP RTO mechanism

Burst rate, R, varies up to full link capacity C Burst length l ~RTT Inter burst period, T ~minRTO, is between two successive

outages

DoSrate burst rate R

period T

burst length l

The Shrew Attack (Cont.)

Burst length induces multiple packet losses for a flow, forcing TCP switch from RTT time-scale into RTO time-scale

Co

ng

es

tio

n W

ind

ow

Tim e

m inRTO

All active flows (nearly) simultaneously enter RTO time-scale

The Shrew Attack (Cont.)

When flows attempt to simultaneously exit timeout and enter slow-start Shrew pulses again and forces flows synchronously back into timeout state

Outages at RTO scale imply low average rate Victim will be throttled to near-zero throughput

DoSrate burst rate R

period T

burst length l

Co

ng

esti

on

Win

do

w

Tim e

minRTO minRTO

The model

A single bottleneck queue driven by n long-lived TCP flows with heterogeneous RTT and a single DoS flow

For any TCP flow in which (a) l >= RTT

• Congestion bursts lasts sufficiently long to force all TCP flows to simultaneously enter timeout

(b) minRTO > SRTTi + 4*RTTVARi • All TCP flows will have identical values of RTO and will thus timeout

after minRTO seconds (ideal moment for an attack burst)

The derived normalized throughput to link capacity (discarding slow-start phase) is given by

Despite the heterogeneous RTTs, most TCP flows are forced to “synchronize” to the attacker and enter timeout (nearly) concurrently and attempt to recover at (nearly) the same time

Single TCP flow Simulation (vs. model)

1 TCP flow, C = 1.5 Mb/s, R = C, L=150 msec, minRTO = 1sec, 12ms<RTO<150ms

Two “null frequencies” responses (minRTO/2 & minRTO)

Analytical model accurately predicts degradation• Differences between minRTO/2 to RTO due to TCP

slow start mechanism (TCP not utilize full link capacity) When T > minRTO, TCP flow obtains increasingly higher

throughput between RTO expirations & attack bursts

Null TCP tim e-scales( m inRTO/ 2; m inRTO)

Single TCP flow Simulation (cont.)

Average attack rate is given by (R*l)/T R Decreasing with T increasing Attack effectiveness is clearly NOT increasing with

the attacker average rate

Shrew 's Average Rate

Shrew challenges

Aggregation

RTT heterogeneity

DoS peak rate (R<C)

Short-lived TCP flows (Web browsing)

TCP variants

Internet experiments Can Shrews be successful on the Internet?

Aggregation of homogenous RTTs flows

5 long-lived TCP flows, C = 1.5 Mb/s, C=L, l = 100 msec, minRTO = 1sec, 12ms<RTT<132ms

Similar to one-flow, model fits for homogeneity aggregate RTO homogeneity introduces one vulnerable timescale One “null frequency” response

In minRTO time, there are flows in which RTT>l Vulnerable due to Shrew-induced flow synchronization

RTT heterogeneity RTT-based Filtering

20 long-lived TCP flows, C = 10 Mb/s, C=L, l = 100ms, minRTO = 1sec, 20ms<RTT<460ms

Shrews are high-RTT pass filters Service is denied to short-RTT flows (up to RTT=180ms)

With No-DoS, shorter-RTT flows utilize more bandwidth Despite the excess capacity, longer-RTT flows do not manage to

improve their throughput Depends on number of long-lived flows

RTT heterogeneity Shrew Peak Rate

Since there is a background traffic (UDP, ACKs) attacker can lower its peak rate and still maintain effective attack

4 TCP flows (1 short-RTT, 3 long-RTT)

Less-than-bottleneck bursts can damage short-RTT flows Very low rate periodic flows, operating at on of the null TCP

timescales are highly problematic for TCP traffic Longer RTT flows play the role of background traffic

DoS fl ow :peak rate: C/ 3average rate: C/ 30 ( 3 .3% )

Short-lived TCP traffic asHTTP traffic

Short-lived TCP flows, Randomly web sites, Each page has 10 objects, response time normalized, HTTP load is 50%

Larger files (greater then 100 packets) are highly vulnerable Some flows benefit from the attack and decrease their response

time• Flow arrives into system between two attack outages and is able to

transmit its entire file before next outage occurs

TCP variants Variants helps TCP flows survive multiple losses within single round trip

time without incurring a retransmission timeout

4 attacks burst lengths (30, 50, 70, 90)

For short attack bust, TCP Reno is the most fragile TCP is the most vulnerable in 1-1.2 sec time-scale region due to slow

start Sufficient pulse width ensures timeout When burst length is severe enough => all TCP variants are equally

fragile

Internet LAN/WAN experiments

Intra-LAN C (victim) = 10Mb/s, R = C, l = 200ms, Two hops between DoS-A & TCP-S “Null frequency” at 1.2 sec Attacked TCP flow decreased from 6.6Mb/s to 780 Kb/s

Inter-LAN 3 different LANs, C = 10Mb/s (victim),100Mb/s, R = 10Mb/s, l < 100ms, Two

routers & Two switches between two traverses. “Null frequency” at 1.1 sec Attacked TCP flow decreased from 9.8Mb/s to 800 Kb/s

WAN R = 10Mb/s, l = 100ms, 8 hops between DoS and TCP-R “Null frequency” at 1.1 sec Attacked TCP flow decreased from 9.8Mb/s to 1.2Mb/s

Shrew attacks are efficient for both LAN & WAN

W AN LAN1

LAN2

LAN3

TCP-S

DoS-A

DoS-B

DoS-C

TCP-R

Detecting Shrews Router-Assisted Mechanisms

Shrews have low average rate, yet send high-rate bursts on short time-scales

9 Aggregate TCP SACK flows

In “null frequency” at 1.2 sec, shrew remains effective RED-PD Detects Shrews with unnecessarily high rate (T<0.5

sec) Reducing RED-PD measurement time scale results in

excessive false positives

RED - Random Early Detection Packets dropped with a

probability dependent on the excess sending rate of the flow

RED-PD – RED with Preferential Dropping mechanism

Uses packet drop history to detect high-bandwidth flows with high confidence

Detecting Shrews End-point minRTO randomization

Observe Shrews exploit protocol homogeneity and determinism

Question Can minRTO randomization alleviate threat of Shrews?

TCP flows’ approach Randomize the minRTO = uniform(a,b)

The longest most vulnerable timescale (“null frequency”) becomes T = b

Detecting Shrews End-point minRTO randomization (cont.)

Shrews’ counter approach Given flows randomize minRTO, the optimal Shrew pulses at

time-scale T=b• Wait for all flows to recover and then pulse again

TCP throughput for T=b time-scale of the Shrew attack

• a small spurious retransmissions• b large bad for short-lived (HTTP) traffic

Randomizing the minRTO parameter shifts and smoothes TCP’s null time-scales

Fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains

n - num ber of TCP flowsa,b - param . of unif. dist.b

ab

n

nbT

1

)(

Conclusions

Shrew principles Exploit slow-time-scale protocol homogeneity and

determinism

Real-world vulnerability to Shrew attacks Internet experiment: 87.8% throughput loss without

detection

Shrews are difficult to detect Low average rate and “TCP friendly” Cannot filter short bursts Fundamental mismatch of attack/defense timescales

Life conclusion

Try to stay away from Shrews

Homework assignment

1. How does Shrew attack defer from traditional DoS attacks?

2. Shrew attacks are known as high-RTT pass filters. How they manage to do so? Can you consider an environment for using that capability?

3. Why shrew attacks are difficult to detect with existing counter-DoS mechanisms? What may be the risks of trying using bursts tuned detection?

4. For your opinion, does the underlying vulnerability is due to poor design of TCP timeout mechanism, or is it a consequence of other reason/s? Explain.

E-mail: yanivwei@post.tau.ac.il