Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing

1
Low-Rate TCP-Targeted DoS Attack Disrupts
Internet Routing

• Ying Zhang Z. Morley Mao Jia Wang

2
Attacks on the Internet

• Attacks targeting end hosts
• Denial of Service attacks, worms, spam
• Attacks targeting the routing infrastructure
• Compromised routers
• Stealthy denial of service attacks

Internet
Bots
Target link
Attackers
Target
Destination
3
Border Gateway Protocol De facto standard
inter-domain routing protocol
BGP session reset
confirm peer liveliness determine peer
reachability
BGP session
AS 2
Transport TCP connection
4
Low-rate TCP-targeted DoS attacks Kuzmanovic03

• Exploiting TCPs deterministic retransmission
  behavior

No packet loss ACKs received
packet loss No ACK received
TCP Congestion Window Size (packets)
minRTO
2 x minRTO
4 x minRTO
Time
5
Low-rate TCP-targeted DoS attacks

• Attack flow period approximates minRTO of TCP
  flows

TCP congestion window size (segments)
minRTO
2 x minRTO
4 x minRTO
Time
6
Impact of low-rate TCP DoS attacks

• Impact on any TCP connections
• TCP continuously experiences loss
• TCP obtains near zero throughput
• Difficult to detect due to low-rate property
• Our finding
• Low-rate TCP DoS attacks can disrupt BGP (with
  default configurations)

7
Impact of routing disruption

• Reduced sending rate
• Increasing convergence delay
• BGP session reset
• Routing instability
• Unreachable destinations
• Traffic performance degradation

8
Outline

• Description of a potential attack against
  Internet routing
• Attack demonstration using testbed experiments
• Increased attack sophistication
• Using multi-host coordination
• Defense solutions through prevention

9
Testbed experiments

• Using high-end commercial routers
• Demonstrating the attack feasibility

Gigabit Ethernet
Gigabit Ethernet
OC3 155Mbps
Router R1 (Cisco GSR)
Router R2 (Cisco GSR)
10
The attack to bring down a BGP session
UDP-based attack flow
Packet is dropped due to congestion
BGP Keepalive message
11
The attack to bring down a BGP session
UDP-based attack flow
Retransmitted BGP Keepalive message
minRTO
12
The attack to bring down a BGP session
UDP-based attack flow
2nd Retransmitted BGP Keepalive message
minRTO
2minRTO
13
The attack to bring down a BGP session
UDP-based attack flow
7th retransmitted BGP Keepalive message
minRTO
2minRTO
BGP Session Reset
Hold Timer expired!
14
Basic attack flow properties
Burst length L
Magnitude of the peak R
Inter-burst period T
15
How likely is BGP session reset?
R185Mbps T 600msec Min duration216 sec
16
Router implementation diversity
17
Explanation of packet drops

• BGP packet drop locations
• Ingress or egress line card buffer queues
• Resource sharing across interfaces
• Interfaces share buffers and processing time

Router
Interface 1
BGP pkt
Egress line card
BGP pkt
Ingress line card
Interface 2
Interface 3
Interface 4
18
Buffer allocation in line cards

• Line card memory is divided into buckets of
  different packet sizes
• Packets cannot utilize buckets of a different
  size

Line card buffer queues
Switch fabric
Full!
Packet size
(0,80Byte
Drop!
BGP pkt
81Byte,270Byte
271Byte, 502Byte
Empty
503Byte, 908Byte
909Byte,1500Byte
19
Necessary conditions for session reset

• Inter-burst period approximates minRTO
• The attack flows path traverses at least one
  link of the BGP session
• Attack flows bottleneck link is the target link

Attack flows path
Attacker
Bottleneck link
Router R2
Router R1
Multi-hop BGP Session
20
Outline

• Description of a potential attack against
  Internet routing
• Attack demonstration using testbed experiments
• Increased attack sophistication
• Using multi-host coordination
• Defense solutions through prevention

21
Coordinated low-rate DoS attacks
Attack host A
Destination C
Target BGP session
Destination D
Attack host B
22
Coordinated low-rate DoS attacks
Attack Host A
Destination C
Target BGP session
Destination D
Attack Host B
23
Coordinated low-rate DoS attacks
C
BR
C
BR
24
Host selection for coordinated attacks

• Selecting attack host-destination pairs to
  traverse target link
• Identify the target links geographic location
  and ASes
• Identify prefixes with AS-level path through the
  target link
• Identify IP-level paths

25
Wide-area experiments

• Internet bottleneck link available bandwidth
  measurement
• 160 peering links
• 330 customer and provider links
• Attack host selection
• PlanetLab hosts as potential attack hosts
• Attack hosts geographically close to the target
  link
• Attacks targeting a local BGP session

26
Wide-area coordinated attacks against a local BGP
session
R5Mbps L300msec T1s Average Rate 1.5Mbps
UW1 (US)
10Mbps
100Mbps
Targeted
UW2
WAN
BGP session
Software router 1
Software router 2
THU1(China)
THU2
27
Conditions for
Coordinated attacks
a single attack flow

• 1. Inter-burst period approximates minRTO
• 1. Sufficiently strong combined attack flows to
  cause congestion
• 2. The attack flows path traverses the BGP
  session
• 3. Attack flows bottleneck link is the target
  link
• 3. Identify the target link location

28
Outline

• Description of a potential attack against
  Internet routing
• Attack demonstration using testbed experiments
• Increased attack sophistication
• Using multi-host coordination
• Defense solutions through prevention

29
Attack prevention hiding information

• Randomize minRTO Kuzmanovic03
• minRTO is any value within range a,b
• Does not eliminate BGP session reset
• Hide network topology from end-hosts
• Disabling ICMP TTL Time Exceeded replies at
  routers

30
Attack prevention prioritize routing traffic

• Weighted Random Early Detection (WRED)
• Prevent TCP synchronization
• Selectively drop packets
• Drop low-priority packets first when the queue
  size exceeds defined thresholds
• Assumption of WRED
• The IP precedence field is not spoofed
• We need to police the IP precedence markings

31
Support from existing commercial routers

• Router supported policing features
• Committed Access Rate (CAR)
• Class-based policing
• Traffic marking
• Reset the incoming packets to be low priority
• Class-based queuing
• Drop the packets with low priority when the
  traffic burst is high
• Effective in isolating BGP packets from attack
  traffic!

32
Conclusion

• Feasibility of attacks against Internet routing
  infrastructure
• Lack of protection of routing traffic
• Prevention solution using existing router
  configurations
• Ubiquitous deployment is challenging
• Difficulties in detecting and defending against
  coordinated attacks
• may affect any network infrastructure

33
Thank you!
34
Backup slides
35
Attack flow notations

• Periodic, on-off square-wave flow
• Burst period length L
• Inter-burst period T
• Burst magnitude of the peak R

Burst Length L
Magnitude of the peak R
Inter-burst period T
36
Attack inter-burst periods impact on table
transfer duration(R185Mbps,L200msec)
37
Attack peak magnitudes impact on session reset
and table transfer duration(TopT600msec,L200ms
ec) (BottomT1.2s,L200msec)
Normalized avg rate 0.48
Normalized avg rate 0.24
38
Synchronization accuracy
39
BGP table transfer with WRED enabled under attack