Malicious Packet Dropping: How It Might Impact the TCP Performance & How We Can Detect It


Page 1

11/17/2000 IEEE ICNP'2000, Osaka, Japan

Malicious Packet Dropping: How It Might Impact the TCP Performance & How We Can Detect It

Xiao-Bing Zhang, Ericsson
Felix Wu, UC Davis
Zhi Fu, NC State University
Tsung-Li Wu, CCIT

http://www.cs.ucdavis.edu/~wu
[email protected]

full paper: http://www.cs.ucdavis.edu/publications/PDALong.ps

Page 2

Outline

Packet Dropping
Anomaly Detection
Evaluation

Page 3

Packet Dropping Attacks

Maliciously drop a small portion of packets, e.g., the first 20 packets in a connection

Selectively drop some important packets, e.g., retransmission packets, or signaling packets in IP telephony

Degrade QoS

Difficult to detect: packet loss could be due to network congestion

Page 4

Attack Types

Persistent: attack every connection between two TCP ends.

Intermittent: attack some of the connections, e.g., 1 of every 5 connections

Page 5

Dropping Patterns

Periodical Packet Dropping (PerPD)

Retransmission Packet Dropping (RetPD)

Random Packet Dropping (RanPD)

Page 6

Periodical Packet Dropping

Parameters (K, I, S):
K, the total number of dropped packets in a connection
I, the interval between two consecutive dropped packets
S, the position of the first dropped packet

Example (5, 10, 4): 5 packets dropped in total, 1 every 10 packets, starting from the 4th packet. The 4th, 14th, 24th, 34th and 44th packets will be dropped.

Page 7

Retransmission Packet Dropping

Parameters (K, S):
K, the number of times the packet's retransmissions are dropped
S, the position of the dropped packet

Example (5, 10): first drops the 10th packet, then drops the retransmissions of the 10th packet 5 times

Page 8

Random Packet Dropping

Parameters (K):
K, the total number of packets to be dropped in a connection

Example (5): randomly drops 5 packets in a connection

Page 9

Dropper Model

(diagram labels) P%, P%; Per (K, I, S); Ret (K, S); Ran (K)

Page 10

How can this happen?

Unintentional: ill-configuration, aggressive traffic control or management

Intentional: compromised packet forwarding engine, selectively flooded routers/switches

Page 11

How to Practice Dropping Attacks

Compromise intermediate routers: easy to manipulate the victim's traffic, hard to detect, difficult to practice

Congest intermediate routers: hard to manipulate the victim's traffic, draws more attention, easy to practice

Page 12

Impacts of Packet Dropping

Delay

Response time

Quality

Bandwidth

Throughput...

Page 13

Experiment Setting

4 FTP Servers across the Internet

FTP client runs Linux 2.0.36 in SHANG lab

Size of downloaded file is 5.5MB

Attack Agent runs on the same host as the FTP client and acts as if on a compromised router

(diagram labels) FTP Server, Internet, Data Packets, Divert Socket, Attack Agent, FTP Client on Linux 2.0.36, xyz.zip 5.5M

Page 14

FTP Servers and Clients

FTP Client: SHANG

FTP Servers: Heidelberg, NCU, SingNet, UIUC

Page 15

FTP Servers

Name        FTP Server              IP Address        Location
Heidelberg  ftp.uni-heidelberg.de   129.206.100.134   Europe
NCU         ftp.ncu.edu.tw          140.115.1.71      Asia
SingNet     ftp.singnet.com.sg      165.21.5.14       Asia
UIUC        ftp.cso.uiuc.edu        128.174.5.14      North America

Page 16

Impacts of Packet Dropping On Session Delay

Session delay (s) per server, values read from the chart's bar labels in legend order:

Server      Normal   RanPD(7)   PerPD(7, 4, 5)   RetPD(7, 5)
Heidelberg  56       63.4       66               218.4
NCU         98.6     108.2      125.8            250.9
SingNet     62.6     77.1       86.9             260.3
UIUC        23.6     26.5       44.6             183.9

Page 17

Compare Impacts of Dropping Patterns

(figure: four panels, Heidelberg, NCU, SingNet and UIUC; x-axis Number of victim packets (0 to 40), y-axis Session delay (0 to 500); series PerPD, RanPD, RetPD)

PerPD: I=4, S=5
RetPD: S=5

Page 18

Different K, I, S for PerPD

(figure: three panels, each with series Heidelberg, NCU, SingNet, UIUC and y-axis Session Delay (0 to 250))
(a) I=4, S=5: x-axis Number of Victim Packets, K (0 to 40)
(b) K=20, S=5: x-axis Dropping Interval, I (0 to 100)
(c) K=20, I=50: x-axis Dropping start point, S (0 to 200)

Page 19

On Interval

If the Interval is extremely small (< 4), PerPD is similar to RetPD.

For larger Intervals, when the RTT is small, the session delay is smaller when the interval is also smaller (but not too small).

Page 20

Compare Impacts of Dropping Patterns (cont.)

Periodical Packet Dropping: session delay increases linearly with K; packet loss is repaired by fast retransmit or timeout

Random Packet Dropping: comparatively small damage, related to RTT; session delay increases linearly with K; packet loss is usually repaired by fast retransmit

Retransmission Packet Dropping: severe damage, related to RTO; session delay increases exponentially with K

Page 21

The Plain DDOS Model (1999-2000)

(diagram labels) Attackers, Masters, Slaves, Victim, ISP, .com; flood packets carry src: random, dst: victim

Page 22

Congestion Tools: Tribe Flood Network

Distributed Denial Of Service (DDOS) attack tools

Master: a host running an application called Client; the Client initiates attacks by sending commands to Agents

Agent: a host running a Daemon; the Daemon receives and carries out commands issued by a Client

Attacks: UDP flood, ICMP echo reply (ping), SYN flood, and TARGA3

Page 23

Congestion Experiment Setting

(diagram labels) hosts: bone, fire, redwing, light, air; networks: 152.1.75.0, 192.168.1.0, 172.16.0.0; roles: TFN master, TFN agents, TFN target, FTP client, FTP server; flows: UDP flood, FTP data, congestion

Networks are in SHANG lab

All machines are PCs

Bone, with a 500MHz Intel Pentium CPU, acts as a router

Downloaded file size: 44MB

Page 24

Congestion Experiment Results

(figure: four panels, flood 1, stop 20; flood 1, stop 5; flood 5, stop 10; flood 5, stop 2; x-axis Time (s) (0 to 100), y-axis Number of Lost Packets (0 to 12))

Page 25

Congestion Experiment Results (cont.)

(chart: bars for Normal, F1,S20, F1,S5, F5,S10, F5,S2; Number of Lost Packets (0 to 450) labelled 0, 38.3, 123, 126.4, 387.5; Session Delay (seconds) (0 to 400) labelled 118.4, 131.4, 161.1, 185.4, 323.2)

Attack mode (flood m, stop n)   Number of packet loss per connection   Session delay (sec.)   Damage
Normal                          0.9                                    31.7                   -
Flood 1, stop 20                18.5                                   470.5                  27.8%
Flood 1, stop 5                 57.4                                   58.4                   84.5%
Flood 5, stop 10                62.1                                   67.3                   112.6%
Flood 5, stop 2                 124.4                                  164.5                  418.9%

damage = (delay_flood − delay_normal) / delay_normal

Page 26

Intrusion Detection: TDSAM

TCP-Dropping Statistic Analysis Module (TDSAM): runs on the protected asset, e.g., the FTP client

Expected Behavior: described in the long-term profile, e.g., the average session delay is 50 seconds

Observed Behavior: described in the short-term profile, e.g., the average session delay becomes 100 seconds

Page 27

Intrusion Detection: TDSAM (cont.)

Statistic Measures
Position Measure: position of each packet reordering
Delay Measure: session delay
NPR Measure: number of packet reorderings

Page 28

TDSAM Experiment Setting

(diagram labels) FTP Server, Internet, Data Packets, Divert Socket, Attack Agent, TDSAM, FTP Client on Linux 2.0.36, xyz.zip 5.5M; data packets arriving at TDSAM as p1, p2, p3, p5, p4; max; reordering counting
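The Position and NPR measures of the previous slide, derived from a packet arrival trace, as an added example that is not the TDSAM code of the paper. The reordering rule (a packet counts as reordered when its sequence number is below the highest one already received, the "max" in the diagram), the catch-up arrival model for dropped packets, the sample traces and the 4000-packet connection length are assumptions; the position bins follow the nbin = 5, bin-width = 800 layout of the Example slide later in the deck.

```python
from typing import Dict, List, Sequence, Set

def reordering_positions(arrival_order: Sequence[int]) -> List[int]:
    """Position measure: 1-based arrival index of every packet reordering.
    Assumed rule: a packet is reordered when its sequence number is below the
    highest sequence number the client has already received ("max")."""
    positions = []
    highest = 0
    for pos, seq in enumerate(arrival_order, start=1):
        if seq < highest:
            positions.append(pos)
        else:
            highest = seq
    return positions

def npr(arrival_order: Sequence[int]) -> int:
    """NPR measure: number of packet reorderings in one connection."""
    return len(reordering_positions(arrival_order))

def position_distribution(positions: Sequence[int], nbin: int,
                          bin_width: int) -> List[float]:
    """Observed distribution of the Position measure: the share of reorderings
    in each of nbin bins of bin_width packets (the last bin is open-ended)."""
    counts = [0] * nbin
    for pos in positions:
        counts[min((pos - 1) // bin_width, nbin - 1)] += 1
    total = len(positions)
    return [c / total if total else 0.0 for c in counts]

def perpd_drops(k: int, i: int, s: int) -> Set[int]:
    """Packet numbers a PerPD(K, I, S) dropper removes: S, S+I, ..., K in all."""
    return {s + n * i for n in range(k)}

def arrival_order_after_drops(total: int, dropped: Set[int],
                              catch_up: int = 3) -> List[int]:
    """Constructed arrival trace: a dropped packet is retransmitted and reaches
    the client once catch_up later packets have arrived (a simplification of
    fast retransmit after three duplicate ACKs, not measured behaviour)."""
    order: List[int] = []
    in_flight: List[int] = []
    for seq in range(1, total + 1):
        if seq in dropped:
            in_flight.append(seq)
            continue
        order.append(seq)
        while in_flight and seq - in_flight[0] >= catch_up:
            order.append(in_flight.pop(0))
    order.extend(in_flight)
    return order

# Constructed trace modelled on the slide's "p1, p2, p3, p5, p4".
SAMPLE_ORDER = [1, 2, 3, 5, 4, 6, 7, 8, 10, 11, 9, 12]

def example(total: int = 4000) -> Dict[str, object]:
    """Measures for SAMPLE_ORDER and for a PerPD(20, 4, 5) connection of
    `total` data packets (5.5 MB at ~1400 bytes per segment is about 4000)."""
    attacked = arrival_order_after_drops(total, perpd_drops(20, 4, 5))
    return {
        "sample_positions": reordering_positions(SAMPLE_ORDER),
        "sample_npr": npr(SAMPLE_ORDER),
        "perpd_npr": npr(attacked),
        "perpd_position_dist": position_distribution(
            reordering_positions(attacked), nbin=5, bin_width=800),
    }
```

Under this model every reordering caused by PerPD(20, 4, 5) lands in the first 800-packet bin, which is the skew the Example slide's observed profile shows.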

Page 29

Long-term Profile

Category, C-Training: learn the aggregate distribution of a statistic measure

Q Statistics, Q-Training: learn how much deviation is considered normal

Threshold

Page 30

Long-term Profile: C-Training

For each sample of the statistic measure X, count the bin it falls into; example with four bins:

(0, 50]    20%
(50, 75]   30%
(75, 90]   40%
(90, +∞)   10%

k bins; Expected Distribution $p_1, p_2, \ldots, p_k$, where $\sum_{i=1}^{k} p_i = 1$

Training time: months

Page 31

Long-term Profile: Q-Training (1)

For each sample of the statistic measure X:

(0, 50]    20%
(50, 75]   40%
(75, 90]   20%
(90, +∞)   20%

k bins, $Y_i$ samples fall into the i-th bin, N samples in total ($N = \sum_{i=1}^{k} Y_i$)

Weighted Sum Scheme with the fading factor s

Page 32

Long-term Profile: Q-Training (2)

Deviation:

$$Q = \sum_{i=1}^{k} \frac{(Y_i - N p_i)^2}{N p_i}$$

Example (N = 10, expected distribution 20%, 30%, 40%, 10% from C-Training, observed counts 2, 4, 2, 2 from Q-Training (1)):

$$Q = \frac{(2 - 10 \cdot 0.2)^2}{10 \cdot 0.2} + \frac{(4 - 10 \cdot 0.3)^2}{10 \cdot 0.3} + \frac{(2 - 10 \cdot 0.4)^2}{10 \cdot 0.4} + \frac{(2 - 10 \cdot 0.1)^2}{10 \cdot 0.1} = 2.33$$

Qmax: the largest value among all Q values

Page 33

Long-term Profile: Q-Training (3)

Q Distribution: [0, Qmax) is equally divided into 31 bins and the last bin is [Qmax, +∞); distribute all Q values into the 32 bins

Page 34

Threshold

Predefined threshold: if Prob(Q > q) < threshold, raise an alarm

(figure: Probability (0 to 0.08) over Q bins (0 to 30), with the TH_red and TH_yellow threshold levels marked)

Page 35

Q-Distribution for Position M.

(figure: one panel per site, Heidelberg, NCU, SingNet, UIUC; x-axis Q bins (0 to 35), y-axis Probability (0 to 0.2))

Page 36

Q-Distribution for Delay M.

(figure: one panel per site, Heidelberg, NCU, SingNet, UIUC; x-axis Q bins (0 to 35), y-axis Probability (0 to 0.3))

Page 37

Detect Malicious Dropping

For each Observed Distribution, compare it to the Expected Distribution (calculate a Q value); if the Q value falls into the alarm zone, raise an alarm

Short-term profile is updated using the Weighted Sum Scheme

Page 38

Long-term Profile Update

Update when no attack occurs during a period of time

Update the Expected Distribution and the Q Distribution with the weighted sum scheme, fading factor equal to 1

Page 39

TDSAM Performance Analysis: Experiment Setting

(diagram labels) FTP Server, Internet, Data Packets, Divert Socket, Attack Agent, TDSAM, FTP Client on Linux 2.0.36, njcom210.zip 5.5M

Persistent Atk.
PerPD: (10, 4, 5), ... (100, 40, 5)
RetPD: (5, 5)
RanPD: (10), (40)

Intermittent Atk.
PerPD (10, 4, 5) with attack period 5 and 50

Page 40

Example

Long-term profile: nbin = 5, bin-width = 800; p1 = 0.194339, p2 = 0.200759, p3 = 0.197882, p4 = 0.204260, p5 = 0.202760.

PerPD(20, 4, 5), which drops packets only in the first 85: p1 = 0.837264, p2 = 0.039390, p3 = 0.043192, p4 = 0.041045, p5 = 0.039109.
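The Q statistic, 32-bin Q distribution and threshold test of the Q-Training, Threshold and Detect Malicious Dropping slides, run on this slide's two profiles and on the Q-Training (2) numbers, as an added example that is not the paper's TDSAM implementation. The attack-free training Q values, the 50-sample profile size and the TH_yellow/TH_red values are constructed assumptions.

```python
import random
from typing import List, Sequence

def q_statistic(counts: Sequence[float], expected: Sequence[float]) -> float:
    """Q = sum_i (Y_i - N p_i)^2 / (N p_i): deviation of observed bin counts Y
    (N = sum Y_i) from the expected distribution p of the long-term profile."""
    if len(counts) != len(expected):
        raise ValueError("observed and expected need the same number of bins")
    n = sum(counts)
    return sum((y - n * p) ** 2 / (n * p) for y, p in zip(counts, expected))

def q_bin(q: float, q_max: float, nbins: int = 32) -> int:
    """Q-Training (3): [0, Qmax) is split into nbins-1 equal bins and the last
    bin is [Qmax, +inf)."""
    if q >= q_max:
        return nbins - 1
    return int(q / q_max * (nbins - 1))

def q_distribution(training_q: Sequence[float], nbins: int = 32) -> List[float]:
    """Probability mass of each Q bin over the attack-free training Q values."""
    q_max = max(training_q)
    hist = [0] * nbins
    for q in training_q:
        hist[q_bin(q, q_max, nbins)] += 1
    return [h / len(training_q) for h in hist]

def tail_probability(q: float, q_dist: Sequence[float], q_max: float) -> float:
    """Prob(Q > q) read off the binned Q distribution; the bin holding q is
    counted in full, so the estimate errs towards fewer alarms."""
    return sum(q_dist[q_bin(q, q_max, len(q_dist)):])

def alarm_level(q: float, q_dist: Sequence[float], q_max: float,
                th_yellow: float = 0.10, th_red: float = 0.02) -> str:
    """Threshold slide: alarm when Prob(Q > q) falls below a predefined
    threshold. The TH_yellow and TH_red values here are constructed."""
    tail = tail_probability(q, q_dist, q_max)
    return "red" if tail < th_red else "yellow" if tail < th_yellow else "normal"

# Q-Training (2) worked example: expected 20/30/40/10 %, N = 10, Y = (2, 4, 2, 2).
Q_SLIDE_EXAMPLE = q_statistic([2, 4, 2, 2], [0.2, 0.3, 0.4, 0.1])  # 2.33

# Example slide: Position measure, nbin = 5, bin-width = 800 packets.
LONG_TERM = [0.194339, 0.200759, 0.197882, 0.204260, 0.202760]
PERPD_20_4_5 = [0.837264, 0.039390, 0.043192, 0.041045, 0.039109]

def training_q_values(expected: Sequence[float], n_samples: int = 50,
                      profiles: int = 200, seed: int = 1) -> List[float]:
    """Constructed stand-in for months of attack-free training: each short-term
    profile holds n_samples reordering positions drawn from the long-term
    profile itself, and its Q is recorded."""
    rng = random.Random(seed)
    bins = range(len(expected))
    qs = []
    for _ in range(profiles):
        counts = [0] * len(expected)
        for b in rng.choices(bins, weights=expected, k=n_samples):
            counts[b] += 1
        qs.append(q_statistic(counts, expected))
    return qs

def detect(observed: Sequence[float], expected: Sequence[float],
           n_samples: int, training_q: Sequence[float]) -> str:
    """Detect Malicious Dropping slide: Q of one short-term profile (bin
    fractions of n_samples, a constructed count) against the Q distribution."""
    counts = [p * n_samples for p in observed]
    q = q_statistic(counts, expected)
    return alarm_level(q, q_distribution(training_q), q_max=max(training_q))
```

With 50 samples the PerPD(20, 4, 5) profile gives Q of roughly 130, far beyond the Qmax of any attack-free training run, so it lands in the last Q bin and trips the red threshold.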

Page 41

Results: Position Measure

Position, nbin=5                          Heidelberg       NCU              SingNet          UIUC
                                          DR      MR       DR      MR       DR      MR       DR      MR
Normal* (false alarm rate)                4.0%             5.4%             3.5%             6.5%
PerPD (10, 4, 5)                          99.7%   0.3%     100%    0%       100%    0.0%     100%    0%
PerPD (20, 4, 5)                          100%    0%       98.1%   1.9%     99.2%   0.8%     100%    0%
PerPD (40, 4, 5)                          96.6%   3.4%     100%    0%       100%    0%       98.5%   1.5%
PerPD (20, 20, 5)                         100%    0%       100%    0%       100%    0%       100%    0%
PerPD (20, 100, 5)                        98.9%   1.1%     99.2%   0.8%     99.6%   0.4%     99.1%   0.9%
PerPD (20, 200, 5)                        0%      100%     76.5%   23.5%    1.5%    98.5%    98.3%   1.7%
PerPD (100, 40, 5)                        0.2%    99.8%    0%      100%     0%      100%     100%    0%
RetPD (5, 5)                              84.9%   15.1%    81.1%   18.9%    94.3%   5.7%     97.4%   2.6%
RanPD (10)                                0%      100%     42.3%   57.7%    0%      100%     0%      100%
RanPD (40)                                0%      100%     0%      100%     0%      100%     0%      100%
Intermittent PerPD (10, 4, 5), period 5   98.6%   1.4%     100%    0%       98.2%   1.8%     100%    0%
Intermittent PerPD (10, 4, 5), period 50  34.1%   65.9%    11.8%   88.2%    89.4%   10.6%    94.9%   5.1%

* Normal traffic: no detection rate; the value per site is the false alarm rate. DR = detection rate, MR = 100% − DR.

Page 42

Results: Delay Measure

Delay, nbin=3                             Heidelberg       NCU              SingNet          UIUC
                                          DR      MR       DR      MR       DR      MR       DR      MR
Normal* (false alarm rate)                1.6%             7.5%             2.1%             7.9%
PerPD (10, 4, 5)                          97.4%   2.6%     95.2%   4.8%     94.5%   5.5%     99.2%   0.8%
PerPD (20, 4, 5)                          99.2%   0.8%     98.5%   1.5%     100%    0%       100%    0%
PerPD (40, 4, 5)                          100%    0%       100%    0%       100%    0%       100%    0%
PerPD (20, 20, 5)                         96.3%   3.7%     100%    0%       92.6%   7.4%     98.9%   1.1%
PerPD (20, 100, 5)                        100%    0%       95.3%   4.7%     98.7%   1.3%     100%    0%
PerPD (20, 200, 5)                        98.6%   1.4%     99%     1%       97.1%   2.9%     100%    0%
PerPD (100, 40, 5)                        100%    0%       100%    0%       100%    0%       100%    0%
RetPD (5, 5)                              100%    0%       100%    0%       100%    0%       100%    0%
RanPD (10)                                74.5%   25.5%    26.8%   73.2%    67.9%   32.1%    99.5%   0.5%
RanPD (40)                                100%    0%       100%    0%       100%    0%       100%    0%
Intermittent PerPD (10, 4, 5), period 5   25.6%   74.4%    0%      100%     0%      100%     97.3%   2.7%
Intermittent PerPD (10, 4, 5), period 50  0%      100%     24.9%   75.1%    0%      100%     3.7%    96.3%

* Normal traffic: no detection rate; the value per site is the false alarm rate. DR = detection rate, MR = 100% − DR.

Page 43

Results: NPR Measure

NPR, nbin=2                               Heidelberg       NCU              SingNet          UIUC
                                          DR      MR       DR      MR       DR      MR       DR      MR
Normal* (false alarm rate)                4.5%             5.8%             8.2%             2.9%
PerPD (10, 4, 5)                          0%      100%     14.4%   85.6%    29.1%   70.9%    100%    0%
PerPD (20, 4, 5)                          83.1%   16.9%    94.2%   5.8%     95.2%   4.8%     100%    0%
PerPD (40, 4, 5)                          100%    0%       97.4%   2.6%     100%    0%       100%    0%
PerPD (20, 20, 5)                         91.6%   8.4%     92%     8%       93.5%   6.5%     100%    0%
PerPD (20, 100, 5)                        94.3%   5.7%     92.2%   7.8%     96.4%   3.6%     100%    0%
PerPD (20, 200, 5)                        0%      100%     96.5%   3.5%     94.8%   5.2%     100%    0%
PerPD (100, 40, 5)                        100%    0%       100%    0%       100%    0%       100%    0%
RetPD (5, 5)                              0%      100%     84.7%   15.3%    23.9%   76.1%    46.5%   53.5%
RanPD (10)                                0%      100%     0%      100%     100%    0%       100%    0%
RanPD (40)                                100%    0%       100%    0%       100%    0%       100%    0%
Intermittent PerPD (10, 4, 5), period 5   0%      100%     0%      100%     82.2%   17.8%    100%    0%
Intermittent PerPD (10, 4, 5), period 50  0%      100%     1%      99%      40%     60%      64.8%   35.2%

* Normal traffic: no detection rate; the value per site is the false alarm rate. DR = detection rate, MR = 100% − DR.

Page 44

TDSAM Performance Analysis: Results (good or bad!!)

False Alarm Rate: less than 10% in most cases; the highest is 17.4%

Detection Rate
Position: good on RetPD and most PerPD
  at NCU, 98.7% for PerPD(20,4,5), but 0% for PerPD(100, 40, 5), in which dropped packets are evenly distributed
Delay: good on those that significantly change the session delay, e.g., RetPD, PerPD with a large value of K
  at SingNet, 100% for RetPD(5,5), but 67.9% for RanPD(10)
NPR: good on those dropping many packets
  at Heidelberg, 0% for RanPD(10), but 100% for RanPD(40)

Page 45

TDSAM Performance Analysis: Results (cont.)

Good sites, those with stable and small session delay or packet reordering, correspond to a high detection rate, e.g., using the Delay Measure for RanPD(10): UIUC (99.5%) > Heidelberg (74.5%) > SingNet (67.9%) > NCU (26.8%)

How to choose the value of nbin is site-specific, e.g., using the Position Measure, the lowest false alarm rate occurs when nbin = 5 at Heidelberg (4.0%) and NCU (5.4%), 10 at UIUC (4.5%) and 20 at SingNet (1.6%)

Page 46

Conclusion

TDSAM with a single measure is able to detect dropping attacks but has weaknesses in identifying some malicious droppings

Combining the 3 measures works well on most of the attacks, except for those causing very limited damage: RanPD with a small value of K, and intermittent attacks with a large attack interval

Limitations....

Page 47

Future....

Detect Non-TCP Packet Dropping Attacks: choose appropriate statistic measures

Service Level Agreement Monitoring: build a long-term profile statistically, monitoring the quality of service, e.g., evaluate the DNS response time

Page 48

Contributions

Packet Dropping Attacks: studied how to practice the attacks, studied the impacts of dropping attacks, implemented the Attack Agent

Intrusion Detection: implementation of TDSAM, TDSAM performance analysis over the real Internet

Page 49

Thanks

Any questions?

full paper: http://www.cs.ucdavis.edu/publications/PDALong.ps

Page 50

Weighted Sum Scheme

Problems of the Sliding Window Scheme: keep the most recent N pieces of audit records; the required resource and computing time are O(N)

Assume k: number of bins; $Y_i$: count of audit records falling into the i-th bin; N: total number of audit records; s: fading factor

When $E_i$ occurs (an audit record falls into the i-th bin), update (standard weighted-sum form, assumed here because the slide's formula survives only in fragments):

$$Y_i \leftarrow s\,Y_i + 1,\qquad Y_j \leftarrow s\,Y_j \ (j \ne i),\qquad N \leftarrow s\,N + 1$$

so that $N = \sum_{i=1}^{k} Y_i$ still holds after every update.
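The Weighted Sum Scheme of this slide beside the Sliding Window Scheme it replaces, as an added example rather than the paper's code. The exact update rule (scale every bin count and N by the fading factor s, then add 1 to Y_i and to N) and the 250-record stream are assumptions.

```python
from collections import deque
from typing import Dict, List

class WeightedSumProfile:
    """Weighted Sum Scheme: O(1) work and k counters per audit record.
    Assumed update when an audit record E_i falls into bin i: every bin count
    and the total are scaled by the fading factor s, then Y_i and N gain 1.
    With s = 1 this is plain counting (the long-term profile update)."""
    def __init__(self, k: int, fading: float) -> None:
        if not 0.0 < fading <= 1.0:
            raise ValueError("fading factor must lie in (0, 1]")
        self.y = [0.0] * k
        self.n = 0.0
        self.s = fading

    def record(self, i: int) -> None:
        self.y = [self.s * y for y in self.y]
        self.n = self.s * self.n
        self.y[i] += 1.0
        self.n += 1.0

    def distribution(self) -> List[float]:
        if self.n == 0.0:
            return [0.0] * len(self.y)
        return [y / self.n for y in self.y]

class SlidingWindowProfile:
    """Sliding Window Scheme: keeps the last `window` records and recounts
    them, so memory and work per query grow with the window (O(N))."""
    def __init__(self, k: int, window: int) -> None:
        self.k = k
        self.records: deque = deque(maxlen=window)

    def record(self, i: int) -> None:
        self.records.append(i)

    def distribution(self) -> List[float]:
        counts = [0] * self.k
        for i in self.records:
            counts[i] += 1
        total = len(self.records)
        return [c / total if total else 0.0 for c in counts]

def compare(fading: float, window: int) -> Dict[str, object]:
    """Constructed stream: 200 records in bin 0, then 50 in bin 1 (a behaviour
    shift); returns the short-term view each scheme reports afterwards and
    whether the weighted-sum total still equals the sum of its bins."""
    ws = WeightedSumProfile(k=2, fading=fading)
    sw = SlidingWindowProfile(k=2, window=window)
    for i in [0] * 200 + [1] * 50:
        ws.record(i)
        sw.record(i)
    return {"weighted_sum": ws.distribution(),
            "sliding_window": sw.distribution(),
            "n_equals_sum_y": abs(ws.n - sum(ws.y)) < 1e-9}
```

With s = 0.9 the weighted-sum profile reports the new behaviour almost as sharply as a 20-record window does, while keeping only two counters and a total.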