
Post on 31-Jan-2016


Low-rate TCP-Targeted Denial of Service Attacks

Aleksandar Kuzmanovic and Edward W. Knightly

Presented by Prasanth Kalakota & Ravi Katpelly


Outline

- Introduction
- TCP timeout mechanism
- DoS outages
- Counter-DoS techniques
- Conclusion


Introduction

- DoS attacks
  - Prevent access for legitimate users
  - Consume resources
- Various types: TCP SYN, ICMP broadcasts, DNS flood attacks
- Shrew attacks, or low-rate DoS attacks


TCP Congestion Control

- Uses Additive Increase Multiplicative Decrease (AIMD)
- Uses Retransmission Timeout (RTO) to avoid congestion
- Selection of RTO value
  - Case (i): if too low, spurious retransmissions occur
  - Case (ii): if too high, flows will wait unnecessarily long


TCP Congestion Control (cntd’)

- To solve the first case, the timeout value should be at least 1 sec (suggested and verified by Allman and Paxson).
- For the second case, the TCP sender maintains two state variables:
  - Smoothed Round-Trip Time (SRTT)
  - Round-Trip Time Variation (RTTVAR)


Terms used

- RTT
- RTO
- SRTT
- RTTVAR
- minRTO


TCP’s Timeout Mechanism

- Suggested in RFC 2988
- When the first RTT measurement R’ is made:
    SRTT = R’
    RTTVAR = R’/2
    RTO = SRTT + max(G, 4RTTVAR)
- When a subsequent RTT measurement R’ is made:
    RTTVAR = (1-β)RTTVAR + β|SRTT-R’|
    SRTT = (1-α)SRTT + αR’
    RTO = max(minRTO, SRTT + max(G, 4RTTVAR))
- α = 1/4 and β = 1/8


Low-Rate DoS Attacks

- Attackers exploit the TCP timeout mechanism
- Send short-duration bursts whose length is on the RTT time scale
- Repeat the bursts periodically at the slower RTO time scale


Model of DoS Attack (Simple DoS Model)

- Assume a single TCP flow and a single DoS stream
- The attacker sends a short-duration burst at time t=0
- The TCP sender waits 1 sec and doubles its RTO
- The attacker creates the second outage between time 1 and 1+2RTT


Model of DoS Attack (cntd’)


Model of DoS Attack (cntd’)

N TCP flows with heterogeneous RTTs and single DoS flow.


Model of DoS Attack (cntd’)

DoS TCP Throughput Result

- Assume a periodic DoS attack with period T
- L’ ≥ RTTi and minRTO > SRTTi + 4*RTTVARi for all i = 1,...,n
- The normalized throughput of the aggregate TCP flow is given by
    ρ(T) = (⌈minRTO/T⌉·T − minRTO) / T


Model of DoS Attack (cntd’)

DoS TCP Flow-Filtering Result

- For i = 1,...,k: L’ ≥ RTTi and minRTO > SRTTi + 4*RTTVARi
- For j = k+1,...,n: L’ < RTTj and minRTO ≤ SRTTj + 4*RTTVARj
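Added example (not from the original slides or the paper's own code): the throughput and flow-filtering results above evaluated in Python for constructed flows, extended beyond the slides to average the modelled throughput over a randomized minRTO. The function names, the sample flow values and the assumption that each sender draws its minRTO once, uniformly from a range, are illustrative.

```python
import math
from fractions import Fraction

def rho(T, min_rto=1):
    """Throughput result: normalized aggregate TCP throughput for outage
    period T, rho(T) = (ceil(minRTO/T)*T - minRTO) / T, in exact arithmetic."""
    T, min_rto = Fraction(str(T)), Fraction(str(min_rto))
    if T <= 0 or min_rto <= 0:
        raise ValueError("T and minRTO must be positive")
    return (math.ceil(min_rto / T) * T - min_rto) / T

def is_filtered(flow, burst_len, min_rto=1):
    """Flow-filtering conditions for flow i: L' >= RTT_i and
    minRTO > SRTT_i + 4*RTTVAR_i (so its RTO is pinned at minRTO)."""
    return (burst_len >= flow["rtt"]
            and min_rto > flow["srtt"] + 4 * flow["rttvar"])

def exposure(flows, burst_len, T, min_rto=1):
    """rho(T) for flows that meet both conditions, None where the model
    does not apply (the flow is not filtered)."""
    r = float(rho(T, min_rto))
    return {f["name"]: r if is_filtered(f, burst_len, min_rto) else None
            for f in flows}

def mean_rho_randomized(T, lo, hi, steps=1000):
    """Assumption (not from the slides): every sender draws its minRTO once,
    uniformly from [lo, hi]. Returns rho(T) averaged over that range
    using the midpoint rule."""
    lo, hi = Fraction(str(lo)), Fraction(str(hi))
    width = (hi - lo) / steps
    total = sum(rho(T, lo + (k + Fraction(1, 2)) * width) for k in range(steps))
    return float(total / steps)

# Constructed sample flows (values in seconds); not measurements from the paper.
FLOWS = [
    {"name": "short-rtt", "rtt": 0.02, "srtt": 0.02, "rttvar": 0.005},
    {"name": "long-rtt", "rtt": 0.40, "srtt": 0.40, "rttvar": 0.200},
]

if __name__ == "__main__":
    print(exposure(FLOWS, burst_len=0.1, T="1.5"))
    # Period, rho with minRTO fixed at 1 s, rho averaged over minRTO in [1, 1.2] s
    for T in ("0.5", "1", "1.2", "1.5", "2"):
        print(T, float(rho(T)), round(mean_rho_randomized(T, "1", "1.2"), 3))
```

Under this assumed model, randomizing minRTO over [1, 1.2] s raises the modelled throughput at T = 1 s from 0 to 0.9, while at T = 1.2 s it is about 0.08, so a mitigation should be evaluated over a range of periods rather than at a single one.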


Model of DoS Attack (cntd’)


Creating DoS outages

Instantaneous Queue Behavior

- B = queue size
- B0 = queue size at the onset of an attack
- RTCP = instantaneous rate of the TCP flow
- RDoS = rate of the DoS flow
- T = DoS burst length
- L = duration of attack
- C = bottleneck rate
- Time at which the queue becomes full is given by
    L1 = (B-B0)/(RDoS+RTCP-C)


Creating DoS outages (cntd’)

- The queue remains full for L2 = L - L1 seconds if RDoS+RTCP ≥ C
- If there is no TCP traffic and B0 = 0, the time at which the queue becomes full is given by
    L1 = B/(RMAX-C)
- If the buffer is full, the attacker reduces its rate to the bottleneck rate C.


Minimum Rate DoS Streams

- Double-rate DoS stream


Impact of shrew DoS Attack on TCP flow aggregation

- With homogeneous RTT
- With heterogeneous RTT
- On web traffic
- On TCP variants


Low-rate DoS stream with Homogeneous RTT


Low-rate DoS stream with Heterogeneous RTT

- Depends on its RTT
- Shorter-RTT flows use more bandwidth


Low-rate DoS stream with Heterogeneous RTT (cntd’)

- With an increased number of TCP flows
  - Unused bandwidth is utilized by higher-RTT flows
  - Total TCP throughput increases


Impact of DoS Burst Length

- Flows with longer RTTs are filtered
- Fewer non-filtered flows


Impact of DoS Peak Rate on Short-RTT Flow

- Throughput of the short-RTT flow is affected
- A low peak rate is sufficient to filter the short-RTT flow


Impact on HTTP Traffic


DoS Attacks on TCP Variants


DoS Attacks on TCP Variants (cntd’)


DoS Experiments on Internet


Results


Counter-DOS Techniques

- Router-Assisted Mechanisms
- End-point minRTO Randomization


Router-Assisted Mechanisms

- Router-based algorithms
- Random early detection with preferential dropping (RED-PD)


Router-Assisted Mechanisms (cntd’)


Router-Assisted Mechanisms (cntd’)


End-Point minRTO Randomization


Conclusions

- Presented DoS attacks that are able to throttle TCP flows.
- Discussed impact of various DoS attacks on TCP flow aggregation
- Experiments conducted using a combination of analytical modeling, an extensive set of simulations and Internet experiments
- Discussed counter-DoS techniques