Low-rate TCP-Targeted Denial of Service Attacks Aleksandar Kuzmanovic and Edward W. Knightly
Presented by Prasanth Kalakota & Ravi Katpelly
Outline
- Introduction
- TCP timeout mechanism
- DoS outages
- Counter-DoS techniques
- Conclusion
Introduction
- DoS attacks
  - Prevent legitimate users from gaining access
  - Consume resources
  - Various types: TCP SYN, ICMP broadcasts, DNS flood attacks
- Shrew attacks, or low-rate DoS attacks
TCP Congestion Control
- Uses Additive Increase Multiplicative Decrease (AIMD)
- Uses Retransmission Timeout (RTO) to avoid congestion
- Selection of RTO value
  - Case (i): if too low, spurious retransmissions occur
  - Case (ii): if too high, flows will wait unnecessarily long
TCP Congestion Control (cntd’)
- To solve the first case, the timeout value should be at least 1 sec (suggested and verified by Allman and Paxson).
- For the second case, the TCP sender maintains two state variables:
  - Smoothed Round Trip Time (SRTT)
  - Round Trip Time Variation (RTTVAR)
Terms used
- RTT
- RTO
- SRTT
- RTTVAR
- minRTO
TCP’s Timeout Mechanism
- Suggested in RFC 2988
- When the RTT is measured for the first time:
  SRTT = R’, RTTVAR = R’/2, RTO = SRTT + max(G, 4RTTVAR)
- When a subsequent RTT measurement is made:
  RTTVAR = (1-β)RTTVAR + β|SRTT-R’|
  SRTT = (1-α)SRTT + αR’
  RTO = max(minRTO, SRTT + max(G, 4RTTVAR))
- α = 1/4 and β = 1/8
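The estimator described above, as an added Python example that is not part of the original slides: it follows the slide's update rules, takes its gains from RFC 2988 itself (alpha = 1/8 for SRTT, beta = 1/4 for RTTVAR), and shows that a short-RTT flow's timeout is set by the minRTO floor rather than by its measured RTT. The class and helper names, the clock granularity G = 0.1 s and the RTT samples are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

ALPHA = 1 / 8  # SRTT gain, RFC 2988
BETA = 1 / 4   # RTTVAR gain, RFC 2988

@dataclass
class RtoEstimator:  # hypothetical name, not from the slides
    min_rto: float = 1.0          # seconds, the floor on RTO
    g: float = 0.1                # clock granularity G (assumed value)
    srtt: Optional[float] = None
    rttvar: float = 0.0
    backoff: int = 1              # doubled on every timeout

    def sample(self, r: float) -> float:
        """Feed one RTT measurement R' in seconds; return the new RTO."""
        if self.srtt is None:     # first measurement
            self.srtt, self.rttvar = r, r / 2
        else:                     # RTTVAR is updated with the old SRTT
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r
        self.backoff = 1          # a valid sample ends the backoff
        return self.rto

    @property
    def unclamped(self) -> float:
        return self.srtt + max(self.g, 4 * self.rttvar)

    @property
    def rto(self) -> float:
        return max(self.min_rto, self.unclamped) * self.backoff

    @property
    def pinned_to_floor(self) -> bool:
        """True when minRTO, not the measured RTT, sets the timeout."""
        return self.unclamped < self.min_rto

    def on_timeout(self) -> float:
        self.backoff *= 2         # exponential backoff after a timeout
        return self.rto

def run(samples, **kwargs) -> RtoEstimator:
    est = RtoEstimator(**kwargs)
    for r in samples:
        est.sample(r)
    return est

LAN_RTTS = [0.020, 0.022, 0.019, 0.021]  # constructed samples, seconds
SAT_RTTS = [0.6, 0.9, 0.7]               # constructed samples, seconds
```

Every flow whose `pinned_to_floor` is true retransmits on the same 1 s, 2 s, 4 s schedule regardless of its own RTT, which is the predictability that minRTO randomization is meant to remove.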
Low-Rate DoS Attacks
- Attackers exploit the TCP timeout mechanism
- Send short-duration bursts, with burst length on the RTT time scale
- Repeat the bursts periodically at the slower RTO time scale
Model of DoS Attack (Simple DoS Model)
- Assume a single TCP flow and a single DoS stream
- Attacker sends a short-duration burst at time t=0
- The TCP sender waits 1 sec and doubles RTO.
- Attacker sends the second outage between 1 and 1+2RTT
Model of DoS Attack (cntd’)
Model of DoS Attack (cntd’)
N TCP flows with heterogeneous RTTs and single DoS flow.
Model of DoS Attack (cntd’)
DoS TCP Throughput Result
- Assume a periodic DoS attack with period T
- L’ ≥ RTTi
- minRTO > SRTTi + 4*RTTVARi for all i = 1,..,n
- Normalized throughput of the aggregate TCP flow is given by
  ρ(T) = (⌈minRTO/T⌉ * T − minRTO) / T
Model of DoS Attack (cntd’)
DoS TCP Flow-Filtering Result
- For i = 1,…,k: L’ ≥ RTTi and minRTO > SRTTi + 4*RTTVARi
- For j = k+1,…,n: L’ < RTTj and minRTO ≤ SRTTj + 4*RTTVARj
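An added example, not taken from the slides or from the paper's authors: it evaluates the throughput model and the two per-flow conditions from the slides above for a set of flows, for instance to estimate the modelled impact of a burst pattern observed at a bottleneck. `Flow`, `conditions_hold`, `assess` and the flow values are hypothetical.

```python
import math
from typing import Dict, List, NamedTuple, Optional

class Flow(NamedTuple):   # hypothetical record for one TCP flow
    name: str
    rtt: float            # RTTi, seconds
    srtt: float           # SRTTi, seconds
    rttvar: float         # RTTVARi, seconds

def model_throughput(period: float, min_rto: float = 1.0) -> float:
    """rho(T) = (ceil(minRTO/T) * T - minRTO) / T, the throughput model."""
    if period <= 0 or min_rto <= 0:
        raise ValueError("period and min_rto must be positive")
    # Round before ceil so 0.9 / 0.3 = 3.0000000000000004 does not become 4.
    n = math.ceil(round(min_rto / period, 9))
    # Clamp the tiny negative values that floating point can produce at a null.
    return max(0.0, (n * period - min_rto) / period)

def conditions_hold(flow: Flow, outage: float, min_rto: float = 1.0) -> bool:
    """L' >= RTTi and minRTO > SRTTi + 4*RTTVARi."""
    return outage >= flow.rtt and min_rto > flow.srtt + 4 * flow.rttvar

def assess(flows: List[Flow], period: float, outage: float,
           min_rto: float = 1.0) -> Dict[str, Optional[float]]:
    """Modelled normalized throughput per flow; None where the model's
    conditions do not hold and the formula therefore says nothing."""
    rho = model_throughput(period, min_rto)
    return {f.name: rho if conditions_hold(f, outage, min_rto) else None
            for f in flows}

# Constructed flows: name, RTT, SRTT, RTTVAR (all in seconds).
FLOWS = [
    Flow("lan", 0.02, 0.02, 0.005),
    Flow("wan", 0.12, 0.125, 0.02),
    Flow("sat", 0.60, 0.62, 0.15),
]
```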
Model of DoS Attack (cntd’)
Creating DoS outages
- Instantaneous queue behavior
  - B = Queue size
  - B0 = Queue size at the onset of an attack
  - RTCP = Instantaneous rate of the TCP flow
  - RDoS = Rate of the DoS flow
  - T = DoS burst length
  - L = Duration of attack
  - C = Bottleneck rate
- Time at which the queue becomes full is given by
  L1 = (B-B0)/(RDoS+RTCP-C)
Creating DoS outages (cntd’)
- Queue remains full for L2 = L - L1 seconds if RDoS+RTCP ≥ C
- If there is no TCP traffic and B0=0, the time at which the queue becomes full is given by
  L1 = B/(RMAX-C)
- If the buffer is full, the attacker reduces its rate to the bottleneck rate C.
Minimum Rate DoS Streams
- Double rate DoS stream
Impact of shrew DoS Attack on TCP flow aggregation
- With homogeneous RTT
- With heterogeneous RTT
- On web traffic
- On TCP variants
Low-rate DoS stream with Homogeneous RTT
Low-rate DoS stream with Heterogeneous RTT
- Depends on its RTT
- Shorter-RTT flows use more bandwidth
Low-rate DoS stream with Heterogeneous RTT (cntd’)
- With increased TCP flows
  - Unused bandwidth is utilized by higher-RTT flows
  - Total TCP throughput increases
Impact of DoS Burst Length
- Flows with longer RTTs are filtered
- Fewer non-filtered flows
Impact of DoS Peak Rate on Short-RTT Flow
- Throughput of the short-RTT flow is affected
- A low peak rate is sufficient to filter the short-RTT flow
Impact on HTTP Traffic
DoS Attacks on TCP Variants
DoS Attacks on TCP Variants (cntd’)
DoS Experiments on Internet
Results
Counter-DoS Techniques
- Router-Assisted Mechanisms
- End-point minRTO Randomization
Router-Assisted Mechanisms
- Router-based algorithms
- Random early detection with preferential dropping (RED-PD)
Router-Assisted Mechanisms (cntd’)
Router-Assisted Mechanisms (cntd’)
End-Point minRTO Randomization
Conclusions
- Presented DoS attacks that are able to throttle TCP flows.
- Discussed impact of various DoS attacks on TCP flow aggregation
- Experiments conducted using a combination of analytical modeling, an extensive set of simulations and Internet experiments
- Discussed counter-DoS techniques