Defending Against Low-rate TCP Attack: Dynamic Detection and Protection
Prof. John C.S. Lui, CSE Dept., CUHK
.2.
Outline
Introduction to Low-rate TCP Attack
Formal Description of Low-rate TCP Attack
Distributed Dynamic Detection
Low-rate Attack Defense Mechanism
Fluid Model of TCP Flows
Defence Experiments
Related Work & Conclusion
.3.
Introduction to the Low-rate TCP Attack
Common DoS attack:
Consume resources (bandwidth, buffer, etc.)
Keep legitimate users away from the service
Large number of machines or agents are involved
Harmful, but relatively easy to detect
Low-rate DoS attack:
Aim to deny the bandwidth of legitimate TCP flows
Attacker sends the attack stream with low volume
Exploit the TCP congestion control feature
Attacker sends a periodic short burst to the victim/router
.4.
TCP Retransmission Mechanism
TCP congestion control
If under severe network congestion:
Wait till the retransmission timeout (RTO)
Reduce the congestion window
Double the RTO
Retransmit the packet
If it succeeds, enter the slow start phase; else, exponential back-off again
Calculation of RTO
In RFC 2988:
RTO = max(minRTO, SRTT + max(G, 4·RTTVAR))
Usually, RTO = minRTO during slow start
minRTO = 1 second (recommended in RFC 2988)
.5.
Low-rate DoS Attack to TCP Flow
An example of a low-rate DoS attack:
A sufficiently large attack burst causes packet loss at the congested router. TCP waits until timeout and retransmits after RTO. If the attack period equals the RTO of the TCP flow, TCP continually incurs loss and achieves zero or very low throughput.
Average attack bandwidth: Avg BW = lR/T
.6.
What is next?
.7.
Formal Description
Mathematical Description
T: attack period
l: length of burst
R: rate of burst
N: background noise
S: time shift
[Figure: one attack period, marking the burst length l, burst rate R, period T, time shift S and background noise N]
.8.
Low-rate DoS Traffic Pattern
The periodic burst may have different patterns:
Step-like double rate stream (Kuzmanovic & Knightly in Sigcomm 03)
Simple Square wave (Kuzmanovic & Knightly in Sigcomm 03)
General peaks with background noise
.9.
Low-rate DoS Traffic Pattern
Attack traffic does not easily remain the same as the original when it arrives at the victim router. Attack traffic in different periods may not be the same, thus T, l, R may vary.
We need a ROBUST method to identify all possible forms of attack.
.10.
Low-rate DoS Traffic Pattern
Multiple distributed attack sources:
Long Period combination
Small Burst combination
.11.
What is next?
.12.
Dynamic Detection
Overall Idea of Dynamic Detection
.13.
Dynamic Detection
Traffic signature detection:
Small average throughput => throughput-based IDS (X)
No signature in packet => "per packet" approaches (X)
Extract the essential signature of attack traffic (√)
.15.
[Figure: detection pipeline at each router: Sample the traffic -> Filter the noise -> Extract the signature -> Pattern match]
Algorithm of Detection
Sample the throughput of the link interface at a constant rate (the rate should be frequent enough but not overburden the system).
Each detection consists of a sequence of sampled throughput values (the length of the sequence should also be properly adjusted).
Normalization is necessary:
Normalized_Throughput = Instantaneous_throughput / Maximum_link_bandwidth
The background noise in the samples needs to be filtered. Background noise: UDP flows and other TCP flows that are less sensitive to the attack. For simplicity, a threshold filter can be used.
Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input gives a special pattern in its autocorrelation. Autocorrelation also masks the difference in time shift S. Unbiased normalization, where M is the length of the input sequence and m is the autocorrelation index:
A(m) = \frac{1}{M - m} \sum_{n=0}^{M-m-1} X_{n+m} X_{n}
Similarity between the template and the input is then calculated. We use Dynamic Time Warping (DTW); the detailed DTW algorithm is provided in the paper:
DTW(Template, Input) = \min \sum_{k=1}^{K} w_{k}
The smaller the DTW value, the more similar they are. DTW values cluster, so a threshold can be set to distinguish them.
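The detection pipeline just described, as an added example that is not part of the original slides or the authors' implementation: the link bandwidth, noise threshold, number of lags, DTW threshold and the template's burst period are assumed values, and both traffic windows are constructed (an attack with a different period and time shift than the template, and legitimate traffic modelled as C + Gaussian(0, N) as on the later slides).

```python
"""Low-rate attack detection: sample -> normalize -> threshold-filter -> unbiased
autocorrelation -> DTW against a template.  Constructed data and assumed parameters."""
import random
from typing import List, Sequence, Tuple

LINK_BW_KBPS = 1000.0   # Maximum_link_bandwidth used for normalization (assumed)
NOISE_THRESHOLD = 0.2   # normalized samples below this count as background noise N (assumed)
MAX_LAG = 60            # number of autocorrelation lags compared by DTW (assumed)
DTW_THRESHOLD = 1.0     # hypothetical decision threshold; set from the DTW clusters in practice


def normalize(samples: Sequence[float], max_link_bw: float = LINK_BW_KBPS) -> List[float]:
    """Normalized_Throughput = Instantaneous_throughput / Maximum_link_bandwidth, clipped to [0, 1]."""
    return [min(1.0, max(0.0, s / max_link_bw)) for s in samples]


def filter_noise(samples: Sequence[float], threshold: float = NOISE_THRESHOLD) -> List[float]:
    """Simple threshold filter: anything below the threshold is background noise, set to 0."""
    return [s if s >= threshold else 0.0 for s in samples]


def autocorr_unbiased(x: Sequence[float], max_lag: int = MAX_LAG) -> List[float]:
    """A(m) = 1/(M-m) * sum_{n=0}^{M-m-1} X[n+m]*X[n]; the time shift S drops out here."""
    M = len(x)
    return [sum(x[n + m] * x[n] for n in range(M - m)) / (M - m) for m in range(max_lag)]


def dtw(template: Sequence[float], inp: Sequence[float]) -> float:
    """DTW(Template, Input) = min over warping paths of sum_k w_k, with w = |template_i - input_j|."""
    K, L = len(template), len(inp)
    inf = float("inf")
    D = [[inf] * (L + 1) for _ in range(K + 1)]
    D[0][0] = 0.0
    for i in range(1, K + 1):
        for j in range(1, L + 1):
            w = abs(template[i - 1] - inp[j - 1])
            D[i][j] = w + min(D[i - 1][j], D[i][j - 1], D[i - 1][j - 1])
    return D[K][L]


def square_burst(n: int, T: int, l: int, R: float, S: int = 0, N: float = 0.0,
                 rng=None) -> List[float]:
    """Constructed square-burst stream in kbps: period T, burst length l, rate R,
    time shift S and uniform background noise up to N (the slides' T, l, R, S, N)."""
    rng = rng or random.Random(0)
    return [(R if (k - S) % T < l else 0.0) + rng.uniform(0, N) for k in range(n)]


# Template: autocorrelation of an ideal square burst (T = 20 samples, l = 2, R = full bandwidth).
TEMPLATE = autocorr_unbiased(filter_noise(normalize(square_burst(200, 20, 2, LINK_BW_KBPS))))


def detect(samples_kbps: Sequence[float], template: Sequence[float] = TEMPLATE,
           threshold: float = DTW_THRESHOLD) -> Tuple[float, bool]:
    """One detection window: returns (DTW value, flagged as low-rate attack?)."""
    signature = autocorr_unbiased(filter_noise(normalize(samples_kbps)))
    value = dtw(template, signature)
    return value, value < threshold      # smaller DTW => more similar to the attack template


def demo() -> Tuple[Tuple[float, bool], Tuple[float, bool]]:
    """Constructed windows: an attack whose period and shift differ from the template,
    versus legitimate traffic modelled as C + Gaussian(0, N)."""
    rng = random.Random(1)
    attack = square_burst(200, T=25, l=3, R=LINK_BW_KBPS, S=7, N=100.0, rng=rng)
    legit = [300.0 + rng.gauss(0, 60) for _ in range(200)]
    return detect(attack), detect(legit)


if __name__ == "__main__":
    (a_val, a_flag), (l_val, l_flag) = demo()
    print(f"attack window: DTW={a_val:.3f} flagged={a_flag}")
    print(f"legit window:  DTW={l_val:.3f} flagged={l_flag}")
```

Because the autocorrelation removes the shift S and DTW absorbs the change of period, the attack window lands far below the threshold while the flat autocorrelation of the Gaussian window accumulates a cost on every zero of the template.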
.16.
Robustness of Detection
Attack traffic simulations: DTW values for the low-rate attack
4 types of attack traffic:
Strictly Periodic Square Burst (SPSB)
Random Periodic Square Burst (RPSB)
Strictly Periodic General Burst (SPGB)
Random Periodic General Burst (RPGB)
T, l: uniformly distributed s.t. l/T <= 0.25; R: 1 (full bandwidth); N, S: uniformly distributed; around 3000 simulations per type.
[Figure: DTW value (0 to 40) of each simulation run, runs 0 to 12000]
DTW values for attack traffic:
      SPSB   RPSB   SPGB   RPGB
Max   34.88  35.66  34.08  34.69
Min   0      0.80   0.84   1.20
Mean  10.68  9.63   10.89  10.48
Stdv  7.83   6.86   6.77   5.26
.17.
Robustness of Detection
DTW values of legitimate traffic
Legitimate traffic composition: legitimate traffic is simulated using a Gaussian model, C + Gaussian(0, N). More than 8000 simulations were run.
DTW values for legitimate traffic (Gaussian):
Max   286.53
Min   113.50
Mean  236.95
Stdv  43.10
.18.
Robustness of Detection
Probability distribution of DTW values: attack flows vs. legitimate (Gaussian) flows. Expect a separation between them.
.19.
Robustness of Detection
More accurate network traffic model (Ethernet traffic, WWW traffic): use the FARIMA model to generate self-similar traffic, Hurst parameter H in [0.75, 0.85]. More than 10,000 simulations were run.
DTW values for legitimate traffic (self-similar):
Max   238.16
Min   28.01
Mean  130.73
Stdv  51.44
.20.
Robustness of Detection
Probability distribution of DTW values (self-similar): attack flows vs. self-similar flows. Small overlap (around 30).
False positive: 141 false self-similar out of 11000 total self-similar = 1.28%
False negative: 378 false attack out of 11492 total attack = 3.54%
.21.
What is next?
.22.
Defense Mechanism
Router deployment:
Pushback detection: push back to the outermost deployed router (distributed attack)
Deficit Round Robin (DRR): resource management
.23.
Defense Mechanism
Deficit Round Robin (DRR)
[Figure: three queues A, B and C with their packet sizes in bytes from the head of queue; first and second round of service]
Quantum[i] = 1000 bytes
1st Round
A's counter: 1000
B's counter: 200 (served twice)
C's counter: 400
2nd Round
A's counter: 500 (served)
B's counter: 0
C's counter: 800 (served)
Algorithm:
Classify packets according to the input port [i].
deficit_counter[i] = 0 initially; in each round deficit_counter[i] += Quantum[i].
If the packet's size <= deficit_counter[i], serve the packet and deficit_counter[i] -= packet's size.
If there is no packet[i], deficit_counter[i] = 0.
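The DRR algorithm and the slide's A/B/C example in runnable form, as an added example (not the authors' code): the packet sizes A = [1500, 2000], B = [300, 500, 600], C = [600, 600, 1000] are a constructed reconstruction consistent with the counter values shown, and the fairness measure FM defined on the following slides is computed on the result.

```python
"""Deficit Round Robin as described on the slide, replayed on constructed queues whose
packet sizes reproduce the counter values shown.  Example code, not the authors'
implementation; port names and packet sizes are assumptions."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class DRRScheduler:
    """One output link, one FIFO queue per input port i, Quantum[i] bytes per round."""

    def __init__(self, quantum: Dict[str, int]):
        self.quantum = quantum
        self.queues: Dict[str, Deque[int]] = {p: deque() for p in quantum}
        self.deficit_counter = {p: 0 for p in quantum}   # deficit_counter[i] = 0 initially
        self.sent = {p: 0 for p in quantum}              # sent_i: bytes served so far, for FM

    def enqueue(self, port: str, size: int) -> None:
        """Classify the packet by its input port and append it to that port's queue."""
        self.queues[port].append(size)

    def run_round(self) -> List[Tuple[str, int]]:
        """One round-robin pass; returns the (port, size) packets served, in order."""
        served = []
        for port, queue in self.queues.items():
            if not queue:                              # no packet[i] => counter reset to 0
                self.deficit_counter[port] = 0
                continue
            self.deficit_counter[port] += self.quantum[port]
            # serve while the head packet fits into the deficit counter
            while queue and queue[0] <= self.deficit_counter[port]:
                size = queue.popleft()
                self.deficit_counter[port] -= size
                self.sent[port] += size
                served.append((port, size))
            if not queue:                              # queue drained: reset (Lemma 1, case 2)
                self.deficit_counter[port] = 0
        return served


def fairness_measure(sched: DRRScheduler, backlogged: List[str]) -> float:
    """FM = max over backlogged ports i, j of sent_i/f_i - sent_j/f_j, f_i = Quantum[i]/Min(Quantum)."""
    q_min = min(sched.quantum.values())
    normalized = [sched.sent[p] / (sched.quantum[p] / q_min) for p in backlogged]
    return max(normalized) - min(normalized)


def replay_slide_example() -> Tuple[DRRScheduler, List[Tuple[Dict[str, int], List[Tuple[str, int]]]]]:
    """Constructed queues (bytes) consistent with the slide's counters: Quantum[i] = 1000 for
    all ports, A = [1500, 2000], B = [300, 500, 600], C = [600, 600, 1000]."""
    sched = DRRScheduler({"A": 1000, "B": 1000, "C": 1000})
    for port, sizes in {"A": [1500, 2000], "B": [300, 500, 600], "C": [600, 600, 1000]}.items():
        for size in sizes:
            sched.enqueue(port, size)
    snapshots = []
    for _ in range(2):                                 # the two rounds shown on the slide
        served = sched.run_round()
        snapshots.append((dict(sched.deficit_counter), served))
    return sched, snapshots


if __name__ == "__main__":
    sched, snapshots = replay_slide_example()
    for rnd, (counters, served) in enumerate(snapshots, 1):
        print(f"round {rnd}: served={served} counters={counters}")
    # all three ports stay backlogged through the two rounds, so FM applies to A, B, C
    print(f"FM after 2 rounds = {fairness_measure(sched, ['A', 'B', 'C'])}")
```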
.24.
Fairness Analysis of DRR Algorithm
Definitions in the DRR algorithm
Backlogged: A port i is backlogged during an interval (t1, t2) of a DRR execution if the queue for port i is never empty during the interval.
Flow Share: We assume there is some quantity f_i that expresses the ideal share obtained by port i, with f_i = Quantum[i]/Quantum where Quantum = Min(Quantum[i]).
Sent Packets: Let sent_i(t1, t2) be the total number of bytes sent on the output port i in the interval (t1, t2).
Fairness Measurement: Let the fairness measure FM(t1, t2) be the maximum of (sent_i(t1, t2)/f_i - sent_j(t1, t2)/f_j) over all ports i, j that are backlogged in the interval (t1, t2). We can now define a service discipline to be fair if FM(t1, t2) is bounded by a small constant.
.25.
Fairness Analysis of DRR Algorithm
Lemmas of DRR Fairness
Lemma 1: For any port i, during the execution of the DRR algorithm, deficit_counter[i] is within the range [0, Max) at the end of each round, where Max is the maximum size of all possible packets: 0 ≤ deficit_counter[i] < Max.
Proof: Initially deficit_counter[i] = 0. After queue i is serviced in each round: 1) if there are packet(s) left in the queue for port i, the head packet did not fit into the counter, so 0 ≤ deficit_counter[i] < Max; 2) if no packets are left in the queue, deficit_counter[i] is reset to zero. ■
.26.
Fairness Analysis of DRR Algorithm
Lemmas of DRR Fairness
Lemma 2: During any period in which port i is backlogged, the number of bytes sent on behalf of port i is roughly equal to m×Quantum[i]; specifically, it is bounded as follows:
m×Quantum[i] - Max ≤ sent_i(t1, t2) ≤ m×Quantum[i] + Max
where m is the number of round-robin service rounds received by port i during this interval.
Proof: Let deficit_counter[i][k] be the value of deficit_counter[i] at the end of the k-th round of DRR execution, and let bytes_i(k) be the bytes sent by port i in round k. Let sent_i(k) be the bytes sent by port i from round 1 through k; thus sent_i(k) = Σ_{r=1}^{k} bytes_i(r).
Obviously, bytes_i(k) + deficit_counter[i][k] = Quantum[i] + deficit_counter[i][k-1], so
bytes_i(k) = Quantum[i] + deficit_counter[i][k-1] - deficit_counter[i][k].
Summing this equation over m rounds of servicing of port i, we have
sent_i(m) = m×Quantum[i] + deficit_counter[i][0] - deficit_counter[i][m].
Since deficit_counter[i] is always non-negative and upper bounded by Max (Lemma 1), the result follows. ■
.27.
Fairness Analysis of DRR Algorithm
Theorem of DRR Fairness
Theorem 1: For an interval (t1, t2) in any execution of the DRR service discipline,
FM(t1, t2) ≤ 2×Max + Quantum, where Quantum = Min(Quantum[i]).
Proof: Let m be the number of DRR execution rounds given to port i in the interval (t1, t2), and let m' be the number of DRR execution rounds given to port j in the same interval. As each class is serviced in strict round-robin order, |m - m'| ≤ 1.
From Lemma 2, sent_i(t1, t2) ≤ m×Quantum[i] + Max. Since the ideal share is f_i = Quantum[i]/Quantum, the normalized service received by port i is
sent_i(t1, t2)/f_i ≤ m×Quantum + Max/f_i   (1)
Similarly, for port j:
sent_j(t1, t2)/f_j ≥ m'×Quantum - Max/f_j   (2)
Thus, using (1), (2), m - m' ≤ 1 and f_i, f_j ≥ 1:
FM(t1, t2) = sent_i(t1, t2)/f_i - sent_j(t1, t2)/f_j ≤ (m - m')×Quantum + Max/f_i + Max/f_j ≤ Quantum + 2×Max. ■
.28.
Analysis of DRR Algorithm
Analytical Results for DRR Algorithm
Fairness: Using Golestani's fairness definition, the difference in the normalized bytes sent between ports within a certain interval (t1, t2) is bounded by a small constant.
Implementation Cost: The DRR algorithm can be implemented with less work compared with other scheduling algorithms. In general, the processing cost of DRR is O(1) per packet.
As a result, DRR not only provides a fair scheduling method, but also works with a low implementation cost.
.29.
What is next?
.30.
Fluid Model of TCP Flows
Model of TCP on a Droptail Router
In a congested droptail router:
1. N TCP flows go through.
2. Droptail queue at the output interface.
Dropping function, with p: drop probability, x_i: length of queue i, Q_i: size of queue i:
p_i(x_i) = \begin{cases} 0, & x_i \le Q_i \\ 1, & x_i > Q_i \end{cases}   (1)
Behavior of the queue length, with C: capacity of the link:
\frac{dx_i(t)}{dt} = \sum_{i=1}^{N} \rho_i(t) \left[ 1 - p_i(x_i(t)) \right] - C   (2)
.31.
Fluid Model of TCP Flows
Model of TCP on a Droptail Router
Throughput of TCP flow i, with W_i(t): window size and R_i(t): round-trip time:
\rho_i(t) = \frac{W_i(t)}{R_i(t)}   (3)
Round-trip time, with a_i: propagation delay:
R_i(t) = a_i + \frac{x_i(t)}{C}   (4)
.32.
Fluid Model of TCP Flows
Model of TCP on a Droptail Router
Slow start / congestion avoidance, with H_i: threshold:
H_i(t) = H_i(t - t') \left[ 1 - p_i(x_i(t - t')) \right] + \frac{W_i(t)}{2} \, p_i(x_i(t - t'))   (5)
Retransmission timeout T_i(t): equation (6), the differential equation for dT_i(t)/dt in terms of T_i(t), p_i(x_i(t - t')), q(W_i(t)) and the unit step u(t - T_i(t)), is not legible in the transcript.
where u(n) is a unit step function:
u(n) = \begin{cases} 0, & n < 0 \\ 1, & n \ge 0 \end{cases}   (7)
and q(W) denotes the probability that the loss is caused by timeout:
q(W_i(t)) = \min\left(1, \frac{3}{W_i(t)}\right)   (8)
Finally, the behavior of the TCP window size: equation (9), for dW_i/dt in terms of W_i, H_i, R_i, T_i, q(W_i), u(·) and p_i(x_i(t - t')), is not legible in the transcript.
Overview of TCP droptail scheduling: numerical result of differential equations (1-9).
.33.
Fluid Model of TCP Flows
Model of TCP on a DRR Router
Modification based on the droptail model. Different queue management may cause:
1. Change of the behavior of the queue length.
2. Change of the calculation of the round-trip time.
Behavior of the queue length in DRR, where τ_t is the time length of each round:
\frac{dx_i(t)}{dt} = \rho_i(t) \left[ 1 - p_i(x_i(t)) \right] - \frac{\min(Quantum_i, x_i(t))}{\tau_t}   (10)
\tau_t = \frac{\sum_{i=1}^{N} \min(Quantum_i, x_i(t))}{C}   (11)
Calculation of the round-trip time:
R_i(t) = a_i + \frac{N \times x_i(t)}{C}   (12)
Fluid model of TCP on a DRR router: replace the corresponding two equations in the droptail model.
.34.
Fluid Model of TCP Flows
Simulation of TCP fluid model
Attack with a single TCP flow (droptail router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s; the attack starts 2 s later.
[Figure: droptail queue shared by the attack and the TCP flow]
.35.
Fluid Model of TCP Flows
Simulation of TCP fluid model
Attack with a single TCP flow (DRR router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, Quantum = 1 kb, buffer size = 10 kb; the attack starts 2 s later.
[Figure: separate DRR queues for the attack and the TCP flow]
.36.
Fluid Model of TCP Flows
Simulation of TCP fluid model
Attack with multiple TCP flows (droptail router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, 0.2 s, 0.4 s and 0.8 s; the attack starts 2 s later.
[Figure: droptail queue shared by the attack and TCP1 to TCP4]
.37.
Fluid Model of TCP Flows
Simulation of TCP fluid model
Attack with multiple TCP flows (DRR router). Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, Quantum = 1 kb, buffer size = 10 kb, propagation delay = 0.1 s, 0.2 s, 0.4 s and 0.8 s; the attack starts 2 s later.
[Figure: separate DRR queues for the attack and TCP1 to TCP4]
.38.
What is next?
.39.
Experiment of Defense Mechanism
Single TCP flow vs. single-source attacker; both go through the same router; link capacity 5 Mbps.
Throughput in Kbps (% of link capacity):
              Drop Tail                              DRR
         TCP               Attack              TCP               Attack
Tahoe    224.37 (4.49%)    1016.52 (20.33%)    3402.07 (68.04%)  780.39 (15.61%)
Reno     26.30 (0.53%)     1022.55 (20.45%)    946.87 (18.94%)   1014.97 (20.30%)
NewReno  23.62 (0.47%)     1022.04 (20.44%)    3690.32 (73.81%)  913.39 (18.27%)
.40.
Experiment of Defense Mechanism
Multiple TCP flows vs. single-source attacker: eight TCP flows and a single low-rate attacker go through the same router; link capacity 5 Mbps.
          Drop Tail                             DRR
          Throughput (Kbps)  % of link capacity  Throughput (Kbps)  % of link capacity
Attack    928.76             18.58%              343.09             6.86%
TCP1      8.71               0.17%               965.91             19.32%
TCP2      210.77             4.22%               645.79             12.92%
TCP3      4.75               0.10%               629.15             12.58%
TCP4      11.09              0.22%               618.05             12.36%
TCP5      5.54               0.11%               468.3              9.37%
TCP6      267.82             5.36%               356.57             7.13%
TCP7      72.11              1.44%               293.97             5.88%
TCP8      3.17               0.06%               194.93             3.90%
TCP Sum   583.96             11.68%              4172.67            83.45%
.41.
Experiment of Defense Mechanism
Network model of attack vs. multiple TCP flows: 4 TCP flows, a single attacker, a 7-router network in which R1, R2, R4 and R6 may run DRR; link capacity 5 Mb/s.
Throughput ρ (Kbps):
           Drop Tail  DRR on R6  DRR on R6,R4  DRR on R6,R4,R2  DRR on R6,R4,R2,R1
Attack     640.00     561.00     453.00        419.00           404.00
TCP1       386.00     358.00     311.00        314.00           778.00
TCP2       264.00     329.00     282.00        874.00           763.00
TCP3       324.00     251.00     1245.00       924.00           788.00
TCP4       425.00     1719.00    1154.00       966.00           765.00
Total TCP  1399.00    2657.00    2992.00       3078.00          3094.00
.42.
What is next?
.43.
Related Work & Conclusion
Related Work
Another solution to this attack: randomizing RTO
1. Intuitive solution
2. Widespread updates of end-user software
3. May reduce the performance of TCP
Reduction of Quality (RoQ) attack
1. General class of attack exploiting the transients of adaptation
2. Similar attack form
Conclusions
Formal model to describe the low-rate TCP attack
Distributed detection mechanism using Dynamic Time Warping
The push-back mechanism
DRR approach for protection and isolation
.44.
Major References
HaiBin Sun, John C.S. Lui, David K.Y. Yau. “Defending Against Low-rate TCP Attack: Dynamic Detection and Protection” IEEE International Conference on Network Protocols (ICNP), Berlin, Germany, October, 2004.
HaiBin Sun, John C.S. Lui, David K.Y. Yau. “Distributed Mechanism in Detecting and Defending Against Low-rate TCP Attack” Computer Networks Journal (Elsevier), July 2005.
.45.
Thank you for your attention!
Q & A