Detecting ICMP RateLimiting - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Detecting ICMP RateLimiting

Description:

STING developed by Stefan Savage. TCP can't ack out-of-order packets ... Results from Sting & Synack ... Utility of Sting as an aid ... – PowerPoint PPT presentation

Number of Views:48
Avg rating:3.0/5.0
Slides: 18
Provided by: mit69
Category:

less

Transcript and Presenter's Notes

Title: Detecting ICMP RateLimiting


1
Detecting ICMP Rate-Limiting
  • Les Cottrell
  • Warren Matthews
  • Mit Shah

2
Motivation 1
  • Smurf Attacks IP spoofing and ICMP packets to
    an IP Broadcast group. Traffic to target
    multiplied by responses from each member
  • Example Attacker on 768Kbps stream and a 100
    member Broadcast group generate 77Mbps of
    traffic and swamp target!
  • Routers set to no ip directed-broadcast

3
Motivation 2
  • Cisco introduces CAR (Committed Access Rate) in
    7200 and 7500 series routers. Later includes
    support in IOS 12.0
  • access-list 102 permit icmp any any echo
  • interface Serial3/0/0 rate-limit input
    access-group 102 256000 8000 8000 conform-action
    transmit exceed-option drop

4
ICMP Blocking - No Response!
  • www.vincy.bg.ac.yu blocked 884 rounds of 10 ICMP
    packets each, out of 903
  • islamabad-server2.comsats.net.pk blocked 554 out
    of 903 rounds
  • leonis.nus.edu.sg blocked all packets it was sent
    (All examples from data for Dec 1999)
  • Yet in reality, none of these servers was down!

5
New tools to the rescue
  • SYNACK developed in-house
  • Establishes TCP connections and measures time
    taken by target to respond
  • Cleans up connections
  • Highly visible to system admins
  • STING developed by Stefan Savage
  • TCP cant ack out-of-order packets
  • Data-seeding and Hole-filling (reliable)
  • Need to change one line of kernel code

6
Results from Sting Synack
  • Both tools based on TCP/IP, hence appear to
    router to be normal traffic
  • Results
  • The Singapore node responds ONLY to 568 byte
    packets
  • Both the other nodes were alive-and-kicking with
    low loss rates!

7
Utility of Sting as an aid
  • These are 5 sites that were responding to pings
    very infrequently, and neglecting entire sets of
    10 pings more than 50 of the time
  • Sting showed that they were alive on port 80!

8
Tail-Drop Behavior
  • Rate-limiting kicks in after the first few
    packets and hence later packets are more likely
    to be dropped
  • This node no longer displays tail-drop behavior!

9
Frequency Analysis
  • Calculate the packet drops as a function of
    packet-numbers
  • Calculate the slope and identify extremes
  • Implemented by Warren as a metric
  • Some encouraging early results!

10
Some Candidates
11
CAR (Committed Access Rate)
  • Tokens removed in proportion to size of packet
  • Maximum number of tokens in bucket Normal Burst
    Size
  • Extended Burst mechanism to make drops more
    RED-like

12
RED (Random Early Detection)
  • Tail-drop causes packet-loss across all TCP
    streams when traffic is too heavy
  • Causes all TCP-streams to sense congestion and
    start recovery
  • Small, bursty TCP streams also have to restart
  • Solution drop packets randomly BEFORE
    congestion strikes!

13
Extended Burst Mechanism in CAR
  • Stream allowed to borrow more tokens if
    extended-burst value gt normal-burst
  • Compounded debt computed as sum of a(j) where
    j denotes the jth packet that tries to borrow
    tokens since last packet drop and a(j) denotes
    actual debt value
  • Packet dropped if CD gt extended-burst and CD set
    to 0

14
Detecting CAR the good news
  • A stream at constant rate R, above the
    configured-rate C, will exhaust tokens in bucket
    after B/(R-C) sec, at most
  • From this point on, borrowed packets at jth
    packet j(R-C) and beyond jE/(R-C), actual
    debt gt extended-burst and all packets will be
    dropped
  • Pattern is non-random!

15
Detecting CAR A trial
  • Analyzed the first-order differences in
    packet-numbers of dropped packets to see if there
    was a pattern hoping that site-specific CAR might
    have set packet-size gt normal_burst_size
    extended_burst_size
  • Not surprisingly, no results
  • False alarm 10th packet being dropped but data
    was TOO clean!

16
Detecting CAR the bad news
  • It appears that most sites will impose a
    traffic-limit on TOTAL icmp traffic
  • Predicting when a packet drop occurs akin to
    predicting the rest of the traffic on that router
    at that moment - a known hard problem!
  • Solution Aggressive pinging, your
    traffic-stream dominates! High signal-to-noise!!!

17
Further study
  • Pinging with variable-sized packets (less than
    MTU) and detect whether packet-loss varies
    linearly with size
  • trivial to determine MTU?
  • How important are other effects like being more
    likely to be dropped from queue?
  • Set up a router that implements CAR, simulate
    icmp traffic, and study patterns
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Detecting ICMP RateLimiting" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!