
SIGCOMM’03 Low-Rate TCP-Targeted Denial of Service Attacks

A. Kuzmanovic and E. W. Knightly

Rice University

Reviewed by Haoyu Song

9/25/2003


Denial of Service Attack

Preventing or degrading service to legitimate users.

Examples: TCP SYN attack; ICMP directed broadcasts.

Targets: network bandwidth; server/router CPU cycles; interrupt processing capacity; operating system/protocol data structures.


DoS Attack Common Characteristics

Exploits bugs or features of the operating system, or inherent limitations of the network.

Involves a large number of compromised computers.

High-rate traffic toward the victim node.

Can be detected, traced back, mitigated or cleared: firewall, intrusion detection device, operating system patches.


Low-Rate DoS Attack

Exploits a vulnerability of TCP’s congestion control algorithm;

The rate is so low that the attack is hard to detect;

Degrades the victim’s throughput significantly;

Not easy to fix.


Layout of the Paper

Background: TCP’s Timeout Mechanism

DoS Modeling

Extensive Simulation and Experiments

Counter-DoS Techniques

Conclusion


TCP Retransmission Timeout Mechanism

If fewer than 3 duplicate ACKs are received before the RTO expires: shrink the congestion window to 1 packet (slow start); set the new RTO to 2*RTO (exponential backoff); retransmit the lost packet.

RTO selection is a tradeoff: spurious timeouts and extraneous retransmissions if too small; too slow to recover from congestion if too large.


RTO Estimation

SRTT – smoothed round trip time

RTTVAR – round trip time variation

R’ – RTT sample

minRTO – lower bound for RTO, 1 second

G – clock granularity

$RTO = \max(minRTO,\; SRTT + \max(G,\; 4 \cdot RTTVAR))$

$SRTT = (1 - \alpha)\, SRTT + \alpha\, R'$

$RTTVAR = (1 - \beta)\, RTTVAR + \beta\, |SRTT - R'|$

$\alpha = 1/8,\; \beta = 1/4$


The Idea of Low-rate DoS Attack

What to do: provoke a TCP flow to repeatedly enter the retransmission timeout state, throttling its throughput to near zero.

How to do it: send high-rate, RTT-scale, short-duration bursts, repeated periodically with an RTO-scale period. The low average rate is hard to detect.


DoS Modeling

A DoS stream with burst length $l$ and period $T$ forces flow $i$ into timeout on every burst if

$l \ge RTT_i$ and $RTO_i = \max(minRTO,\; SRTT_i + 4 \cdot RTTVAR_i) = minRTO$, $i = 1, 2, \ldots, n$.

Normalized TCP throughput for $T \ge RTO$: $\rho(T) = \frac{T - RTO}{T}$.


DoS TCP Throughput

Two “null” points: T = minRTO/2 and T = minRTO
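As an added example (not code from the paper or these slides), the RTO estimator of slide 7 and the throughput model of slides 9 and 10 in Python; the clock granularity G and the RTT samples are assumed values, and the ceiling form of the model generalizes the two null points named above to T = minRTO/k.

```python
"""RFC 2988-style RTO estimation (slide 7) and the periodic-attack
throughput model (slides 9 and 10). Added example, not the paper's code."""
import math

MIN_RTO = 1.0               # minRTO lower bound, 1 second (slide 7)
ALPHA, BETA = 1 / 8, 1 / 4  # smoothing gains for SRTT and RTTVAR


class RtoEstimator:
    """SRTT/RTTVAR smoothing with the minRTO floor; G = 10 ms is assumed."""

    def __init__(self, granularity=0.010):
        self.srtt = None
        self.rttvar = 0.0
        self.g = granularity
        self.rto = MIN_RTO

    def update(self, sample):
        """Feed one RTT sample R' (seconds) and return the new RTO."""
        if self.srtt is None:  # first sample initialises the state
            self.srtt, self.rttvar = sample, sample / 2
        else:
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - sample)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * sample
        self.rto = max(MIN_RTO, self.srtt + max(self.g, 4 * self.rttvar))
        return self.rto


def normalized_throughput(period, rto=MIN_RTO):
    """Share of the link a flow keeps when every burst it meets forces a
    timeout: it idles for RTO, then sends until the next burst. With
    k = ceil(RTO / T) bursts per timeout, rho = (k*T - RTO) / (k*T), which
    is zero at T = RTO, RTO/2, RTO/3, ... (slide 10 names the first two)."""
    k = math.ceil(rto / period)
    return (k * period - rto) / (k * period)


def null_points(rto=MIN_RTO, count=2):
    """The `count` longest attack periods at which throughput is zero."""
    return [rto / k for k in range(1, count + 1)]


if __name__ == "__main__":
    est = RtoEstimator()
    # Constructed samples: a 50 ms path with mild jitter. 4*RTTVAR stays far
    # below 1 s, so RTO collapses to minRTO, the cross-flow homogeneity that
    # the attack relies on and slide 25's randomization removes.
    for rtt in (0.050, 0.055, 0.048, 0.060, 0.052):
        est.update(rtt)
    print(f"RTO = {est.rto:.3f} s, null points at T = {null_points()}")
    for t in (0.5, 0.75, 1.0, 1.1, 2.0):
        print(f"T = {t:.2f} s -> normalized throughput {normalized_throughput(t):.2f}")
```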


In Practice

Periodic DoS attacks do not rely on TCP’s exponential backoff mechanism but rather exploit repeated timeouts.

If only a subset of the TCP flows satisfies the conditions, only that subset suffers the degraded throughput (flow filtering).

iRTTT 21


Creating DoS Outages

Minimize the rate of the DoS stream: the burst length is $l = l_1 + l_2$, where

$l_1 = \frac{B}{R - C}$ is the time to fill the bottleneck buffer $B$ at peak rate $R$ over link capacity $C$, and

$l_2 = RTT_{max}$ keeps the buffer full long enough for every flow to see loss.


Impact on Long-lived Homogeneous-RTT TCP Traffic

1.5 Mb/s link; one-way propagation delay = 6 ms; RTT varies from 12 ms to 132 ms.

DoS traffic: 1.5 Mb/s peak rate, 100 ms burst and 50-byte packets.

Simulation with 5 TCP flows.


Impact on Long-lived Heterogeneous-RTT TCP Traffic

20 TCP flows; 10 Mb/s link; RTT varies from 29 to 460 ms.

DoS burst traffic: 10 Mb/s, 100 ms burst and 1.1 sec period.


DoS Burst Length

High-RTT-pass filter: as the burst length increases, more TCP flows are filtered, so the aggregate TCP throughput decreases.


DoS Peak Rate

Background traffic potentially allows a lower DoS peak rate while maintaining an effective attack.

Scenario: 1 DoS flow and 4 TCP flows; 3 TCP flows with long RTT serve as the background traffic.

Relatively low peak rates are sufficient to filter the short-RTT flow.


Impact on HTTP Traffic

HTTP traffic is more dynamic.

The attack has more impact under heavy load.

The attack has more impact on large file sizes.

Some flows benefit from the attack by avoiding the outages.


DoS on TCP Variants

Effective attacks depend on the ability to create correlated packet loss and force TCP flows to enter retransmission timeout.


Internet Experiments

Intra-LAN; Inter-LAN; WAN.


Intra-LAN Scenario

10 Mb/s Ethernet. Attacker: 10 Mb/s peak rate, 200 ms burst length.

Null frequency: 1.2 sec. DoS average rate: 1.67 Mb/s if the period is 1.2 sec.

TCP flow throughput drops from 6.6 Mb/s to 780 kb/s.


Inter-LAN Scenario

Attacker and TCP sender are on different 100 Mb/s Ethernets; the attacked host is on a 10 Mb/s Ethernet.

DoS peak rate 10 Mb/s, burst duration 100 ms. Null frequency: 1.1 sec. At this time scale, the DoS average rate is 909 Kb/s.

TCP flow throughput drops from 9.8 Mb/s to 800 kb/s.


WAN Scenario

DoS source is 8 hops away, 10 Mb/s peak rate and 100 ms burst duration.

T = 1.1 sec: TCP throughput drops from 9.8 Mb/s to 909 Kb/s.


Router-Assisted Counter-DoS

Consider only dropping algorithms rather than scheduling: RED and RED-PD.


Router-Assisted Counter-DoS (cont.)

Vary the DoS peak rate or burst length; 9 TCP SACK flows; bottleneck rate 1.5 Mb/s.


End-point minRTO Randomization Counter-DoS

Fact: low-rate attacks exploit minRTO homogeneity.

Remedy: randomize end systems’ minRTO to randomize their null frequencies.

Experiment: minRTO = uniform(a, b).

Result: the longest most vulnerable timescale becomes T = b.
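An added example (not the paper's or the slides' code) of the randomization remedy under the throughput model of slides 9 and 10: n flows whose minRTO values are spread evenly over [a, b] (an assumption standing in for uniform(a, b) draws, so the result is deterministic), showing that the aggregate throughput minimum moves to T = b and is no longer zero.

```python
"""Aggregate throughput of n TCP flows under a periodic attack when each
end system uses its own minRTO (slide 25). Added example, not the paper's."""
import math


def flow_throughput(period, rto):
    """Per-flow model from slides 9/10: rho = (k*T - RTO) / (k*T), k = ceil(RTO/T)."""
    k = math.ceil(rto / period)
    return (k * period - rto) / (k * period)


def aggregate_throughput(period, min_rtos):
    """Mean normalized throughput over flows whose RTO sits at their minRTO."""
    return sum(flow_throughput(period, r) for r in min_rtos) / len(min_rtos)


def spread_min_rtos(a, b, n):
    """n minRTO values spread evenly over [a, b]; stands in for uniform(a, b)
    draws so the outcome is deterministic (an assumption of this example)."""
    return [a + (b - a) * i / (n - 1) for i in range(n)]


def most_vulnerable_period(min_rtos, periods, tol=1e-9):
    """Longest attack period in `periods` at which aggregate throughput is
    minimal (the shorter nulls at T/2, T/3, ... give the same value)."""
    best = min(aggregate_throughput(t, min_rtos) for t in periods)
    return max(t for t in periods
               if aggregate_throughput(t, min_rtos) <= best + tol)


if __name__ == "__main__":
    periods = [round(0.5 + 0.01 * i, 2) for i in range(151)]  # 0.50 .. 2.00 s
    cases = {
        "homogeneous minRTO = 1.0 s": [1.0] * 10,
        "minRTO spread over [1.0, 1.2] s": spread_min_rtos(1.0, 1.2, 10),
    }
    for name, flows in cases.items():
        t = most_vulnerable_period(flows, periods)
        print(f"{name}: worst T = {t:.2f} s, "
              f"aggregate throughput {aggregate_throughput(t, flows):.3f}")
```

With homogeneous minRTO the worst period is T = minRTO with zero aggregate throughput; with minRTO spread over [1.0, 1.2] s the worst period becomes T = b = 1.2 s and the flows keep about 8% of the link.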


Conclusion

This attack works against both short-lived and long-lived TCP flows.

In a heterogeneous-RTT environment, it acts as a high-RTT-pass filter.

There is no effective way to defend the system in the presence of this low-rate DoS attack.