LowRate TCP Denial of Service Defense - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

LowRate TCP Denial of Service Defense

Description:

Low-Rate TCP Denial of Service Defense. Johnny Tsao. Petros Efstathopoulos. Tutor: Guang Yang ... Floods bottleneck with packets to overflow queues and produce ... – PowerPoint PPT presentation

Number of Views:89
Avg rating:3.0/5.0
Slides: 25
Provided by: Joh6262
Learn more at: http://web.cs.ucla.edu
Category:

less

Transcript and Presenter's Notes

Title: LowRate TCP Denial of Service Defense


1
Low-Rate TCP Denial of Service Defense
Johnny Tsao Petros Efstathopoulos Tutor Guang
Yang UCLA 2003
2
What is a Low-Rate DoS Attack?
  • Floods bottleneck with packets to overflow queues
    and produce dropped packets
  • TCP connections senses congestion and waits
    retransmission timeout (one second)
  • While TCP connections are waiting the timeout,
    the attacker does not need to attack
  • It then resumes attacking after waiting the RTO
  • The attacker has a low throughput relative to
    traditional DoS attackers so it can avoid
    detection

3
Proposed Solution
  • Randomize the RTO so that we start retransmitting
    in between attacks
  • This should help improve throughput
  • Various possible randomization techniques
    simulations show that choice doesnt make
    significant difference

4
Related Works
  • A. Kuzmanovic and E. W. Knightly, Low-Rate
    TCP-Targeted Denial of Service Attacks (The Shrew
    vs. the Mice and Elephants), In Proceedings of
    ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003
  • G.Yang, M.Gerla and Y.Sanadidi, Randomization and
    Probing Defense against Low-rate TCP-targeted
    DoS Attacks, UCLA Computer Science Department,
    Internal Draft
  • These papers run simulations only, we will test
    their findings with experiments

5
Our Task
  • Analyze the effectiveness of randomized RTO
    against a low-rate TCP DoS attack
  • Evaluate effectiveness by performing experiments
    on a TCP testbed using DummyNet to simulate an
    internet bottleneck
  • Compare experimental results to simulation results

6
The Linux Kernel
  • Linux implements TCP New Reno
  • The Linux kernel actually uses a minimum RTO of
    200ms (max is 120sec)
  • This reduces the effectiveness of a low-rate
    attack since it must transmit more often, leaving
    it more susceptible to detection

7
The Linux Kernel (cont)
  • Linux uses the value of RTOmin to initialize the
    value of rttvar when a new connection is
    establised
  • Setting RTOmin to 1sec heavily affected rttvar
  • Solution bound the value of RTO dynamically
    without changing the defined values that affect
    rttvar

8
Linux Kernel Modifications
  • Kernel 1 make minimum RTO 1sec in order to
    match the papers by Knightly and Yang
  • Kernel 2 Randomize RTO around 1sec to see if
    randomization can defend against a low rate attack

9
Experiment Setup
  • Sender, Receiver
  • - iperf client and server to produce TCP traffic
  • Attacker
  • - Custom UDP traffic generator 3MBit/s attack,
    50 byte packets
  • DummyNet simulates internet bottleneck
  • - 1.5MBit/s link
  • - 40ms propagation delay
  • - 50 slot queue

10
The Square Wave Attack(approximates a Low-rate
TCP DoS Attack)
Burst Length
Inter-burst Period
11
Experiments
  • 4 sets of experiments
  • Set 1 standard Linux kernel behavior
  • Set 2 modified 1sec Linux kernel behavior
  • Set 3 modified 1sec randomized RTO Linux
    kernel behavior
  • For each set we measured throughput for
    interburst periods (IBPs) ranging from 0.3sec to
    5sec (burst length and network parameters were
    kept constant)
  • Set 4 all kernels measured under attack for
    different burst lengths

12
Topology
13
Attack
14
Experimental Results I
  • The standard Linux kernel is vulnerable, but a
    high rate attack is needed (minRTO is 200ms)

15
Experimental Results II
  • Changing the minimum value of RTO to 1sec makes
    the attack very effective!

16
Experimental Results III
  • Randomizing the value of RTO in the 1sec kernel
    (randomization ranges from -0.5 to 0.5)
    significantly improves performance (connection
    NOT throttled for IBPs of 0.5s and 1s)

17
Experimental Results IV
  • Randomization eliminates the throughput
    throttling problem for IBP values of minRTO/2 and
    minRTO
  • Experimental results confirm simulation results

18
Experimental Results V
  • The burst length greatly affects the
    effectiveness of the attack

19
Experimental Results V (cont.)
20
Our Findings
  • Low-Rate TCP DoS attack relies heavily on RTO
    synchronization
  • Attack targets low RTT connections
  • Randomization of RTO improves throughput greatly
    (especially in the vulnerable cases of 0.5s and
    1s)

21
Our Findings - II
  • The effectiveness of the attack depends a lot on
    the synchronization of the sender and the
    attacker
  • Performance results for certain cases fluctuated
    greatly for consecutive runs of the same
    experiment. Possible reasons Dummynet buffer
    management, synchronization issues between the
    attacker and the sender

22
Conclusions
  • The experimental results coincide with the
    findings of papers by Knightly and Yang
  • Randomization is an effective way to reduce the
    damage done by a Low-Rate TCP DoS attack
  • Such an attack may not be realistic if modern
    systems implement a low RTO
  • (ie. Linuxs 200ms RTO)

23
Future Work
  • Determine the fairness of the RTO randomization
    scheme
  • Explore probing as a defense against a Low Rate
    TCP DoS attack
  • Examine the attack and defense results with
    multiple TCP flows

24
References
  • A. Kuzmanovic and E. W. Knightly, Low-Rate
    TCP-Targeted Denial of Service Attacks (The Shrew
    vs. the Mice and Elephants), In Proceedings of
    ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003
  • G.Yang, M.Gerla and Y.Sanadidi, Randomization and
    Probing Defense against Low-rate TCP-targeted
    DoS Attacks, UCLA Computer Science Department,
    Internal Draft
  • Pasi Sarolathi, Alexey Kuznetsov, Congestion
    Control in Linux TCP
  • D. Bovet and M. Cesati, Understanding the Linux
    kernel, OReilly press 2003
Write a Comment
User Comments (0)
About PowerShow.com