Upload
sumi
View
27
Download
0
Embed Size (px)
DESCRIPTION
Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). Written by: Aleksandar Kuzmanovic Edward W. Knightly SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany Weizman YanivSpring 2007. Traditional DoS attacks. - PowerPoint PPT Presentation
Citation preview
Low-Rate TCP-Targeted Denial of
Service Attacks(The Shrew vs. the Mice and
Elephants)Written by: Aleksandar Kuzmanovic
Edward W. Knightly
SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany
Weizman Yaniv Spring 2007
Traditional DoS attacks
Use high-rate transmission of packets (known as “sledge-hammer” approach)
Lead to lack of resources Network bandwidth Server or router CPU cycles Server Interrupt processing capacity Specific protocol data structures (TCP…)
Example DOS attacks TCP SYN attacks (TCP based) ICMP broadcast to a target host (IP based) DNS flood attacks (UDP based)
Presents a statistical anomaly to network monitor
Relatively easily detectable & ,mitigated (using counter-DOS mechanisms)
Outline
TCP congestion control protocol and timeout mechanism
The shrew attack
Simulation and internet experiments
DoS detection mechanisms
minRTO randomization
TCP congestion control protocol
Using two timescales (Shorter vs. Longer)
• Round Trip Time (RTT) - 10’s-100’s msec• Each flow transmit at the fair rate of its bottleneck link• Use Additive-Increase Multiplicative Decrease (AIMD)
control
• Retransmission timeout (RTO) – 1-N sec• Used on severe congestion with multiple losses• Exponential backoff phase. • RTO doubles with each subsequent timeout • Slow start mechanism
Slow RTO time-scale mechanisms are a key source of vulnerability to low rate attacks
TCP timeout mechanism
TCP Reno loss detection Timeout from non-receipt of ACKs Receipt of less than a triple-duplicate ACK
RTO Low value vs. High value tradeoff Low value – spurious retransmission (ACKs are delayed, not lost) High value – late recover from congestion
RTO = max(minRTO, SRTT + max(G,4*RTTVAR))
minRTO = 1 second (Allman and Paxton). SRTT - Smoothed Round-Trip Time RTTVAR - Round-Trip Time Variation G - Clock granularity (<= 100ms) R = RTT measurement
For small-RTT flows, RTO is set constantly as minRTO
The shrew in the nature
A small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite.
In other words: “Katan Aval Mamzer…”
The Shrew attack strategy
Attempts to deny bandwidth to TCP flows
Uses Low average rate TCP targeted attacks Elude detection by counter-Dos mechanisms Detecting Shrews may have unacceptably many false
alarms (due to legitimate bursty flows) Severity denial of service to legitimate users
Exploit protocol homogeneity and determinism Protocols react in a pre-defined way Tradeoff of vulnerability vs. predictability
Exploits the vulnerable TCP congestion control protocol
The Shrew Attack
Periodic on-off “square-wave” induced outage pulse, highly synchronized to TCP RTO mechanism
Burst rate, R, varies up to full link capacity C Burst length l ~RTT Inter burst period, T ~minRTO, is between two successive
outages
DoSrate burst rate R
period T
burst length l
The Shrew Attack (Cont.)
Burst length induces multiple packet losses for a flow, forcing TCP switch from RTT time-scale into RTO time-scale
Co
ng
es
tio
n W
ind
ow
Tim e
m inRTO
All active flows (nearly) simultaneously enter RTO time-scale
The Shrew Attack (Cont.)
When flows attempt to simultaneously exit timeout and enter slow-start Shrew pulses again and forces flows synchronously back into timeout state
Outages at RTO scale imply low average rate Victim will be throttled to near-zero throughput
DoSrate burst rate R
period T
burst length l
Co
ng
esti
on
Win
do
w
Tim e
minRTO minRTO
The model
A single bottleneck queue driven by n long-lived TCP flows with heterogeneous RTT and a single DoS flow
For any TCP flow in which (a) l >= RTT
• Congestion bursts lasts sufficiently long to force all TCP flows to simultaneously enter timeout
(b) minRTO > SRTTi + 4*RTTVARi • All TCP flows will have identical values of RTO and will thus timeout
after minRTO seconds (ideal moment for an attack burst)
The derived normalized throughput to link capacity (discarding slow-start phase) is given by
Despite the heterogeneous RTTs, most TCP flows are forced to “synchronize” to the attacker and enter timeout (nearly) concurrently and attempt to recover at (nearly) the same time
Single TCP flow Simulation (vs. model)
1 TCP flow, C = 1.5 Mb/s, R = C, L=150 msec, minRTO = 1sec, 12ms<RTO<150ms
Two “null frequencies” responses (minRTO/2 & minRTO)
Analytical model accurately predicts degradation• Differences between minRTO/2 to RTO due to TCP
slow start mechanism (TCP not utilize full link capacity) When T > minRTO, TCP flow obtains increasingly higher
throughput between RTO expirations & attack bursts
Null TCP tim e-scales( m inRTO/ 2; m inRTO)
Single TCP flow Simulation (cont.)
Average attack rate is given by (R*l)/T R Decreasing with T increasing Attack effectiveness is clearly NOT increasing with
the attacker average rate
Shrew 's Average Rate
Shrew challenges
Aggregation
RTT heterogeneity
DoS peak rate (R<C)
Short-lived TCP flows (Web browsing)
TCP variants
Internet experiments Can Shrews be successful on the Internet?
Aggregation of homogenous RTTs flows
5 long-lived TCP flows, C = 1.5 Mb/s, C=L, l = 100 msec, minRTO = 1sec, 12ms<RTT<132ms
Similar to one-flow, model fits for homogeneity aggregate RTO homogeneity introduces one vulnerable timescale One “null frequency” response
In minRTO time, there are flows in which RTT>l Vulnerable due to Shrew-induced flow synchronization
RTT heterogeneity RTT-based Filtering
20 long-lived TCP flows, C = 10 Mb/s, C=L, l = 100ms, minRTO = 1sec, 20ms<RTT<460ms
Shrews are high-RTT pass filters Service is denied to short-RTT flows (up to RTT=180ms)
With No-DoS, shorter-RTT flows utilize more bandwidth Despite the excess capacity, longer-RTT flows do not manage to
improve their throughput Depends on number of long-lived flows
RTT heterogeneity Shrew Peak Rate
Since there is a background traffic (UDP, ACKs) attacker can lower its peak rate and still maintain effective attack
4 TCP flows (1 short-RTT, 3 long-RTT)
Less-than-bottleneck bursts can damage short-RTT flows Very low rate periodic flows, operating at on of the null TCP
timescales are highly problematic for TCP traffic Longer RTT flows play the role of background traffic
DoS fl ow :peak rate: C/ 3average rate: C/ 30 ( 3 .3% )
Short-lived TCP traffic asHTTP traffic
Short-lived TCP flows, Randomly web sites, Each page has 10 objects, response time normalized, HTTP load is 50%
Larger files (greater then 100 packets) are highly vulnerable Some flows benefit from the attack and decrease their response
time• Flow arrives into system between two attack outages and is able to
transmit its entire file before next outage occurs
TCP variants Variants helps TCP flows survive multiple losses within single round trip
time without incurring a retransmission timeout
4 attacks burst lengths (30, 50, 70, 90)
For short attack bust, TCP Reno is the most fragile TCP is the most vulnerable in 1-1.2 sec time-scale region due to slow
start Sufficient pulse width ensures timeout When burst length is severe enough => all TCP variants are equally
fragile
Internet LAN/WAN experiments
Intra-LAN C (victim) = 10Mb/s, R = C, l = 200ms, Two hops between DoS-A & TCP-S “Null frequency” at 1.2 sec Attacked TCP flow decreased from 6.6Mb/s to 780 Kb/s
Inter-LAN 3 different LANs, C = 10Mb/s (victim),100Mb/s, R = 10Mb/s, l < 100ms, Two
routers & Two switches between two traverses. “Null frequency” at 1.1 sec Attacked TCP flow decreased from 9.8Mb/s to 800 Kb/s
WAN R = 10Mb/s, l = 100ms, 8 hops between DoS and TCP-R “Null frequency” at 1.1 sec Attacked TCP flow decreased from 9.8Mb/s to 1.2Mb/s
Shrew attacks are efficient for both LAN & WAN
W AN LAN1
LAN2
LAN3
TCP-S
DoS-A
DoS-B
DoS-C
TCP-R
Detecting Shrews Router-Assisted Mechanisms
Shrews have low average rate, yet send high-rate bursts on short time-scales
9 Aggregate TCP SACK flows
In “null frequency” at 1.2 sec, shrew remains effective RED-PD Detects Shrews with unnecessarily high rate (T<0.5
sec) Reducing RED-PD measurement time scale results in
excessive false positives
RED - Random Early Detection Packets dropped with a
probability dependent on the excess sending rate of the flow
RED-PD – RED with Preferential Dropping mechanism
Uses packet drop history to detect high-bandwidth flows with high confidence
Detecting Shrews End-point minRTO randomization
Observe Shrews exploit protocol homogeneity and determinism
Question Can minRTO randomization alleviate threat of Shrews?
TCP flows’ approach Randomize the minRTO = uniform(a,b)
The longest most vulnerable timescale (“null frequency”) becomes T = b
Detecting Shrews End-point minRTO randomization (cont.)
Shrews’ counter approach Given flows randomize minRTO, the optimal Shrew pulses at
time-scale T=b• Wait for all flows to recover and then pulse again
TCP throughput for T=b time-scale of the Shrew attack
• a small spurious retransmissions• b large bad for short-lived (HTTP) traffic
Randomizing the minRTO parameter shifts and smoothes TCP’s null time-scales
Fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains
n - num ber of TCP flowsa,b - param . of unif. dist.b
ab
n
nbT
1
)(
Conclusions
Shrew principles Exploit slow-time-scale protocol homogeneity and
determinism
Real-world vulnerability to Shrew attacks Internet experiment: 87.8% throughput loss without
detection
Shrews are difficult to detect Low average rate and “TCP friendly” Cannot filter short bursts Fundamental mismatch of attack/defense timescales
Life conclusion
Try to stay away from Shrews
Homework assignment
1. How does Shrew attack defer from traditional DoS attacks?
2. Shrew attacks are known as high-RTT pass filters. How they manage to do so? Can you consider an environment for using that capability?
3. Why shrew attacks are difficult to detect with existing counter-DoS mechanisms? What may be the risks of trying using bursts tuned detection?
4. For your opinion, does the underlying vulnerability is due to poor design of TCP timeout mechanism, or is it a consequence of other reason/s? Explain.
E-mail: [email protected]