low-rate tcp-targeted denial of service attacks aleksandar kuzmanovic and edward w. knightly
DESCRIPTION
Low-rate TCP-Targeted Denial of Service Attacks Aleksandar Kuzmanovic and Edward W. Knightly. Presented by Prasanth Kalakota & Ravi Katpelly. Outline. Introduction TCP timeout mechanism DOS outages Counter DOS techniques Conclusion. Introduction. DoS Attacks - PowerPoint PPT PresentationTRANSCRIPT
1
Low-rate TCP-Targeted Denial of Service Attacks
Aleksandar Kuzmanovic and Edward W. Knightly
Presented byPrasanth Kalakota & Ravi Katpelly
2
Outline
Introduction TCP timeout mechanism DOS outages Counter DOS techniques Conclusion
3
Introduction
DoS Attacks Prevent access to legitimate users Consume resources Various Types: TCP SYN, ICMP
broadcasts, DNS flood attacks Shrew attacks or Low Rate DoS
attacks
4
TCP Congestion Control Uses Additive Increase Multiplicative
Decrease (AIMD) Uses Retransmission Timeout (RTO) to
avoid congestion Selection of RTO value Case (i): If too low spurious
retransmissions occurs Case (ii): If too high, flows will wait
unnecessarily long
5
TCP Congestion Control (cntd’)
To solve the first case, time out value should be at least 1 sec. (suggested and verified by Allman and Paxson)
For the second case, TCP sender maintains two states.
Smooth Round Trip Time (SRTT) Round Trip Time Variation (RTTVAR)
6
Terms used
RTT RTO SRTT RTTVAR minRTO
7
TCP’s Timeout Mechanism Suggested in RFC 2988 When First time RTT is measured SRTT = R’, RTTVAR = R’/2, RTO = SRTT + max(G, 4RTTVAR) When subsequent RTT measurement is made RTTVAR = (1-β)RTTVAR + β|SRTT-R’| SRTT = (1-α)SRTT + αR’ RTO = max(minRTO, SRTT + max(G,
4RTTVAR)). α = 1/4 and β = 1/8
8
Low-Rate DoS Attacks
Attackers exploit TCP Timeout mechanism
Send short duration bursts with length equal to RTT scale burst length
Repeat these things periodically at slower RTO time scales
9
Model of DoS Attack (Simple DoS Model)
Assume single TCP flow and single DoS stream
Attacker sends short duration burst at time t=0
The TCP sender waits 1sec and doubles RTO.
Attacker sends the second outage between 1 and 1+2RTT
10
Model of DoS Attack (cntd’)
11
Model of DoS Attack (cntd’)
N TCP flows with heterogeneous RTTs and single DoS flow.
12
Model of DoS Attack (cntd’)
DoS TCP Throughput Result Assume periodic DoS attack with period T L’ >= RTTi
minRTO > SRTTi + 4*RTTVARi for all i=1,..,n Normalized throughput of the aggregate TCP
flow is given by
T
RTOTTRTO
Tmin*
min
)(
13
Model of DoS Attack (cntd’)
DoS TCP Flow-Filtering Result For i = 1,….,k
L’ ≥RTTi and
minRTO > SRTTi + 4*RTTVARi
For j = k+1,….,nL’ < RTTj and
minRTO ≤ SRTTj + 4*RTTVARj
14
Model of DoS Attack (cntd’)
15
Creating DoS outages Instantaneous Queue Behavior B = Queue Size B0 = Queue Size at the onset of an attack RTCP Instantaneous rate of the TCP flow. RDoS Rate of DoS flow T = DoS burst length L = Duration of attack C = Bottleneck Rate Time at which Queue becomes full is given by
L1 = (B-B0)/(RDoS+RTCP-C)
16
Creating DoS outages (cntd’)
Queue remains full for L2 = L – L1 seconds if RDoS+RTCP ≥ C
If No TCP Traffic and if B0=0, Time at which Queue becomes full is given by
L1 = B/(RMAX-C) If the buffer is full attacker reduces
its rate to bottleneck rate C.
17
Minimum Rate DoS Streams Double rate DoS stream
18
Impact of shrew DoS Attack on TCP flow aggregation
With homogeneous RTT With heterogeneous RTT On web traffic On TCP variants
19
Low-rate DoS stream with Homogeneous RTT
20
Low-rate DoS stream with Heterogeneous RTT
Depends on its RTT Shorter RTT flows use more
bandwidth
21
Low-rate DoS stream with Heterogeneous RTT (cntd’) With increased TCP flows
unused bandwidth utilized by higher RTT flows
Total TCP throughput increase
22
Impact of DoS Burst Length
Flows with longer RTT’s filtered Less no of non-filtered flows
23
Impact of DoS Peak Rate on Short-RTT Flow
Throughput of short-RTT flow effected
Low peak rate sufficient to filter short-RTT flow
24
Impact on HTTP Traffic
25
Dos Attacks on TCP Variants
26
Dos Attacks on TCP Variants (cntd’)
27
DoS Experiments on Internet
28
Results
29
Counter-DOS Techniques
Router-Assisted Mechanisms End-point minRTO Randomization
30
Router-Assisted Mechanisms
Router-Based algorithms Random early detection with
preferential dropping (RED-PD)
31
Router-Assisted Mechanisms (cntd’)
32
Router-Assisted Mechanisms (cntd’)
33
End-Point minRTO Randomization
34
Conclusions Presented DoS attacks that are able to
throttle TCP flows. Discussed impact of various DoS
Attacks on TCP flow aggregation Experiments conducted using
combination of analytical modeling, extensive set of simulations and internet experiments
Discussed Counter DoS Techniques