Defending Against Low-rate TCP Attack: Dynamic Detection and Protection - PowerPoint PPT Presentation

Slides: 45
Provided by: hbs4
Transcript and Presenter's Notes



1
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection
  • Prof. John C.S. Lui
  • CSE Dept. CUHK

2
Outline
  • Introduction to Low-rate TCP Attack
  • Formal Description of Low-rate TCP Attack
  • Distributed Dynamic Detection
  • Low-rate Attack Defense Mechanism
  • Fluid Model of TCP Flows
  • Defence Experiments
  • Related Work & Conclusion

3
Introduction to the Low-rate TCP Attack
  • Common DoS attack
    • Consumes resources (bandwidth, buffers, etc.)
    • Keeps legitimate users away from the service
    • A large number of machines or agents are involved
    • Harmful, but relatively easy to detect
  • Low-rate DoS attack
    • Aims to deny bandwidth to legitimate TCP flows
    • The attacker sends the attack stream at low volume
    • Exploits the TCP congestion control feature
    • The attacker sends a periodic short burst to the victim/router

4
TCP Retransmission Mechanism
  • TCP congestion control
    • Under severe network congestion, wait until the retransmission timeout (RTO)
    • Reduce the congestion window, double the RTO, and retransmit the packet
    • If successful, enter the slow start phase
    • Otherwise, back off exponentially again
  • Calculation of RTO
    • In RFC 2988: RTO = max(minRTO, SRTT + max(G, 4·RTTVAR))
    • Usually RTO = minRTO during slow start
    • minRTO = 1 second (recommended in RFC 2988)

5
Low-rate DoS Attack to TCP Flow
  • An example of a low-rate DoS attack

Avg BW = lR/T
  • Sufficiently large attack burst
    • Packet loss at the congested router
    • TCP waits until timeout and retransmits after the RTO
  • Attack period ≈ RTO of the TCP flow
    • TCP continually incurs loss and achieves zero or very low throughput


7
Formal Description
  • Mathematical Description
    • T: attack period
    • l: length of burst
    • R: rate of burst
    • N: background noise
    • S: time shift

8
Low-rate DoS Traffic Pattern
  • The periodic burst may have different patterns
    • Simple square wave (Kuzmanovic & Knightly, SIGCOMM '03)
    • Step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM '03)
    • General peaks with background noise

9
Low-rate DoS Traffic Pattern
  • Attack traffic is unlikely to remain identical to the original by the time it reaches the victim router.
  • Attack traffic in different periods may not be the same, so T, l and R may vary.

We need a ROBUST method to identify all possible forms of the attack.
10
Low-rate DoS Traffic Pattern
  • Multiple distributed attack sources
    • Small burst combination
    • Long period combination


12
Dynamic Detection
  • Overall Idea of Dynamic Detection

13
Dynamic Detection
  • Traffic signature detection
    • Small average throughput → throughput-based IDS (✗)
    • No signature in the packets → per-packet approaches (✗)
    • Extract the essential signature of the attack traffic (✓)

14
Dynamic Detection
  • Advantages of Dynamic Detection
  • Push the detection of low-rate attacks as close
    as possible to the attack sources
  • Minimize the damage to other legitimate TCP flows

15
Algorithm of Detection
  • The background noise in the samples needs to be filtered
    • Background noise: UDP flows and other TCP flows that are less sensitive to the attack
    • For simplicity, a threshold filter can be used.

Sample the traffic → Filter the noise → Extract the signature → Pattern match
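A working version of the four-step pipeline above (sample, filter the noise, extract the signature, pattern match with Dynamic Time Warping), added here as an example; it is not the authors' code. The square-wave template, the threshold, the unit-peak normalisation and the two sample series are assumptions, so the scores are not on the scale of the DTW values reported on the following slides.

```python
# Detection pipeline from the slides: sample -> filter the noise -> extract the
# signature -> DTW pattern match.  Added example, not the authors' code; the
# template, threshold and sample series are constructed assumptions.
import random

def threshold_filter(samples, threshold):
    """Filter the noise: background below the threshold is treated as silence."""
    return [x if x >= threshold else 0.0 for x in samples]

def extract_signature(samples):
    """Scale to a unit peak so DTW compares burst shape, not burst rate R."""
    peak = max(samples)
    return [x / peak for x in samples] if peak > 0 else list(samples)

def dtw(a, b):
    """Dynamic Time Warping distance (absolute cost, no window constraint)."""
    n, m = len(a), len(b)
    d = [[float("inf")] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(a[i - 1] - b[j - 1])
            d[i][j] = cost + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[n][m]

def square_wave(period, burst, rate, length):
    """Attack template: `burst` samples at `rate` every `period` samples."""
    return [rate if t % period < burst else 0.0 for t in range(length)]

def dtw_score(samples, template, threshold):
    """DTW distance between the filtered, normalised sample and the template."""
    return dtw(extract_signature(threshold_filter(samples, threshold)), template)

def demo(length=44, threshold=50.0):
    """Square-wave template (T = 11 samples, l = 1) against a constructed attack
    series and a constructed Gaussian legitimate series; returns both scores."""
    template = square_wave(11, 1, 1.0, length)
    # attack: bursts shifted by S = 3 with a slightly varying rate R, riding on
    # low background noise N that the threshold removes
    bursts = {3: 300.0, 14: 310.0, 25: 280.0, 36: 295.0}
    attack = [bursts.get(t, 0.0) + 5 + (t * 7) % 13 for t in range(length)]
    # legitimate flow: Gaussian fluctuation around a steady rate C
    rng = random.Random(42)
    legit = [rng.gauss(150.0, 20.0) for _ in range(length)]
    return dtw_score(attack, template, threshold), dtw_score(legit, template, threshold)
```

The shifted, jittered burst train scores close to the template even though T, R and S differ from it, while the steady Gaussian flow scores far higher, which is the separation the next slides measure.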
16
Robustness of Detection
  • Attack traffic simulations
  • DTW values for low-rate attack

        SPSB    RPSB    SPGB    RPGB
Max     34.88   35.66   34.08   34.69
Min      0       0.80    0.84    1.20
Mean    10.68    9.63   10.89   10.48
Stdv     7.83    6.86    6.77    5.26

  • 4 types of attack traffic: Strictly Periodic Square Burst (SPSB), Random Periodic Square Burst (RPSB), Strictly Periodic General Burst (SPGB), Random Periodic General Burst (RPGB)
  • T, l: uniformly distributed s.t. l/T < 0.25
  • R = 1 (full bandwidth)
  • N, S: uniformly distributed
  • Around 3000 simulations per type

17
Robustness of Detection
  • DTW values for legitimate traffic (Gaussian)
    • Legitimate traffic composition
    • Legitimate traffic simulated with a Gaussian model: C Gaussian(0, N)
    • More than 8000 simulations

Max    286.53
Min    113.50
Mean   236.95
Stdv    43.10
18
Robustness of Detection
  • Probability distribution of DTW values
    • Attack flows vs. legitimate (Gaussian) flows
    • We expect a separation between them.

19
Robustness of Detection
  • DTW values for legitimate traffic (self-similar)
    • More accurate network traffic model (Ethernet traffic, WWW traffic)
    • Use the FARIMA model to generate self-similar traffic
    • Hurst parameter H = 0.75 to 0.85
    • More than 10,000 simulations

Max    238.16
Min     28.01
Mean   130.73
Stdv    51.44
20
Robustness of Detection
  • Probability distribution of DTW values (self-similar)
    • Attack flows vs. self-similar flows
    • Small overlap (around 30)

False self-similar      141
Total self-similar    11000
False positive        1.28%
False attack            378
Total attack          11492
False negative        3.54%



22
Defense Mechanism
  • Router deployment
  • Pushback detection
    • Pushback to the outermost deployed router
    • Distributed attack
  • Deficit Round Robin (DRR)

Resource Management
23
Defense Mechanism
  • Deficit Round Robin (DRR)
    • Classify packets according to the input port i.
    • Initially deficit_counter_i = 0
    • In each round, deficit_counter_i += Quantum_i
    • If packet size < deficit_counter_i, serve the packet and set deficit_counter_i -= packet size
    • If there is no packet in queue i, deficit_counter_i = 0
  • Example
    • 1st round: A's counter 1000; B's counter 200 (served twice); C's counter 400
    • 2nd round: A's counter 500 (served); B's counter 0; C's counter 800 (served)

24
Fairness Analysis of DRR Algorithm
  • Definitions in the DRR algorithm
    • Backlogged: A port i is backlogged during an interval (t1, t2) of a DRR execution if the queue for port i is never empty during the interval.
    • Flow Share: We assume there is some quantity f_i that expresses the ideal share obtained by port i, with f_i = Quantum_i / Quantum, where Quantum = Min(Quantum_i).
    • Sent Packets: Let sent_i(t1, t2) be the total number of bytes sent on output port i in the interval (t1, t2).
    • Fairness Measurement: Let the fairness measurement FM(t1, t2) be the maximum of (sent_i(t1, t2)/f_i - sent_j(t1, t2)/f_j) over all ports i, j that are backlogged in the interval (t1, t2).
    • Now we can define a service discipline to be fair if FM(t1, t2) is bounded by a small constant.

25
Fairness Analysis of DRR Algorithm
  • Lemmas of DRR Fairness
    • Lemma 1: For any port i, during the execution of the DRR algorithm, deficit_counter_i is within the range [0, Max) at the end of each round, where Max is the maximum size of all possible packets: 0 ≤ deficit_counter_i < Max.
    • Proof: Initially deficit_counter_i = 0. After queue i is serviced in each round:
      1) If there are packet(s) left in the queue for port i, then 0 ≤ deficit_counter_i < Max (the head packet did not fit in the remaining deficit).
      2) If no packets are left in the queue, deficit_counter_i is reset to zero.


26
Fairness Analysis of DRR Algorithm
  • Lemmas of DRR Fairness

  • Lemma 2: During any period in which port i is backlogged, the number of bytes sent on behalf of port i is roughly equal to m·Quantum_i, specifically bounded as follows:
    m·Quantum_i - Max ≤ sent_i(t1, t2) ≤ m·Quantum_i + Max
    where m is the number of round-robin service rounds received by port i during this interval.

Proof: Let deficit_counter_i^k be the value of deficit_counter_i at the end of k rounds of DRR execution. Let bytes_i(k) be the bytes sent by port i in round k, and let sent_i(k) be the bytes sent by port i from round 1 through k, so sent_i(k) = Σ_{r=1}^{k} bytes_i(r). Obviously
    bytes_i(k) + deficit_counter_i^k = Quantum_i + deficit_counter_i^{k-1},
i.e.
    bytes_i(k) = Quantum_i + deficit_counter_i^{k-1} - deficit_counter_i^k.
Summing this equation over the m rounds of servicing of port i, we have
    sent_i(m) = m·Quantum_i + deficit_counter_i^0 - deficit_counter_i^m.
Since deficit_counter_i is always non-negative and upper bounded by Max (Lemma 1), the result follows.


27
Fairness Analysis of DRR Algorithm
  • Theorem of DRR Fairness
    • Theorem 1: For an interval (t1, t2) in any execution of the DRR service discipline,
      FM(t1, t2) ≤ 2·Max + Quantum,
      where Quantum = Min(Quantum_i).

Proof: Let m be the number of DRR execution rounds given to port i in the interval (t1, t2), and let m' be the number of DRR execution rounds given to port j in the same interval. As each class is serviced in strict round-robin mode, m - m' ≤ 1.
From Lemma 2, sent_i(t1, t2) ≤ m·Quantum_i + Max. Since the ideal share is f_i = Quantum_i / Quantum, the normalized service received by port i is
    sent_i(t1, t2)/f_i ≤ m·Quantum + Max/f_i    (1)
Similarly, for port j,
    sent_j(t1, t2)/f_j ≥ m'·Quantum - Max/f_j    (2)
Thus
    FM(t1, t2) = sent_i(t1, t2)/f_i - sent_j(t1, t2)/f_j ≤ (m - m')·Quantum + Max/f_i + Max/f_j ≤ Quantum + 2·Max,
since f_i, f_j ≥ 1.
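A runnable DRR scheduler for the algorithm of slide 23, together with a check of Lemma 1 and Theorem 1 above on random backlogged traffic. This is an added example, not the authors' code: the ports, quanta and packet sizes are constructed, and a packet is served whenever it fits the deficit (size <= counter), which is what keeps the counter below Max.

```python
# Deficit Round Robin with the fairness quantities from the slides.  Added
# example, not the authors' code; ports, quanta and packet sizes are constructed.
from collections import deque
import random

def drr(queues, quanta, rounds):
    """Run DRR rounds over per-port packet-size lists.  Returns (bytes sent per
    port, deficit counters at the end of every round, packets left per port)."""
    qs = [deque(q) for q in queues]
    deficit, sent, history = [0] * len(qs), [0] * len(qs), []
    for _ in range(rounds):
        for i, q in enumerate(qs):
            if not q:                      # idle port: no credit accrues
                deficit[i] = 0
                continue
            deficit[i] += quanta[i]        # credit this round's quantum
            while q and q[0] <= deficit[i]:   # serve head packets that fit
                deficit[i] -= q[0]
                sent[i] += q.popleft()
            if not q:                      # queue drained: reset the counter
                deficit[i] = 0
        history.append(list(deficit))
    return sent, history, [len(q) for q in qs]

def fairness_measure(sent, quanta):
    """FM = max over ports of sent_i/f_i - sent_j/f_j, f_i = Quantum_i/Quantum."""
    quantum = min(quanta)
    norm = [s / (q / quantum) for s, q in zip(sent, quanta)]
    return max(norm) - min(norm)

def fairness_bound_holds(quanta, max_pkt, rounds=200, seed=1):
    """Random backlogged traffic: check Lemma 1 (0 <= counter < Max at the end
    of every round) and Theorem 1 (FM <= 2*Max + Quantum)."""
    rng = random.Random(seed)
    need = rounds * (max(quanta) + max_pkt)   # more bytes than DRR can serve
    queues = []
    for _ in quanta:
        q, total = [], 0
        while total <= need:                  # keep every port backlogged
            q.append(rng.randint(1, max_pkt))
            total += q[-1]
        queues.append(q)
    sent, history, left = drr(queues, quanta, rounds)
    lemma1 = all(0 <= d < max_pkt for row in history for d in row)
    theorem1 = fairness_measure(sent, quanta) <= 2 * max_pkt + min(quanta)
    return lemma1 and theorem1 and all(left)
```

With three equal quanta of 500 and queues of 1000-, 200- and 400-byte packets, the first round serves the 200-byte port twice and the 400-byte port once while the 1000-byte port only accumulates credit, mirroring the two-round example on slide 23.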


28
Analysis of DRR Algorithm
  • Analytical Results for the DRR Algorithm
    • Fairness: Using Golestani's fairness definition, the difference in normalized bytes sent between ports within an interval (t1, t2) is bounded by a small constant.
    • Implementation cost: DRR can be implemented with less work than other scheduling algorithms; in general, the processing cost of DRR is O(1) per packet.
  • As a result, DRR provides not only fair scheduling but also a low implementation cost.


30
Fluid Model of TCP Flows
  • Model of TCP on a Droptail Router
    • In a congested Droptail router, N TCP flows go through a Droptail queue at the output interface
    • Dropping function: P is the drop probability, x_i the length of queue i, Q_i the size of queue i
    • Behavior of the queue length: C is the capacity of the link

31
Fluid Model of TCP Flows
  • Model of TCP on a Droptail Router
    • Throughput of TCP flow i: W_i(t) is the window size, R_i(t) the round trip time
    • Round trip time: a_i is the propagation delay

32
Fluid Model of TCP Flows
  • Model of TCP on a Droptail Router
  • Slow start/ Congestion Avoidance Hi threshold
  • Retransmission Time Out
  • where u(n) is a unit step function
  • q(W) denotes the Prob. of that loss is caused
    by timeout
  • Finally, the behavior of TCP window size
  • Overview of TCP droptail scheduling
    Numerical result of differential equations (1-9)

33
Fluid Model of TCP Flows
  • Model of TCP on a DRR Router
    • Modification based on the Droptail model
    • Different queue management may change the behavior of the queue length and the calculation of the round trip time
    • Behavior of the queue length in DRR, where tt is the time length of each round
    • Calculation of the round trip time
    • Fluid model of TCP on a DRR router: replace the corresponding two equations in the Droptail model

34
Fluid Model of TCP Flows
  • Simulation of the TCP fluid model
  • Attack with a single TCP flow (Droptail router)
  • Settings
    • T = 1.1 s, l = 0.1 s, R = 300 kb/s
    • C = 100 kb/s
    • Propagation delay = 0.1 s
    • Attack starts 2 s later

35
Fluid Model of TCP Flows
  • Simulation of the TCP fluid model
  • Attack with a single TCP flow (DRR router)
  • Settings
    • T = 1.1 s, l = 0.1 s, R = 300 kb/s
    • C = 100 kb/s
    • Propagation delay = 0.1 s
    • Quantum = 1 kb
    • Buffer size = 10 kb
    • Attack starts 2 s later

36
Fluid Model of TCP Flows
  • Simulation of the TCP fluid model
  • Attack with multiple TCP flows (Droptail router)
  • Settings
    • T = 1.1 s, l = 0.1 s, R = 300 kb/s
    • C = 100 kb/s
    • Attack starts 2 s later
    • Propagation delays = 0.1 s, 0.2 s, 0.4 s and 0.8 s

37
Fluid Model of TCP Flows
  • Simulation of the TCP fluid model
  • Attack with multiple TCP flows (DRR router)
  • Settings
    • T = 1.1 s, l = 0.1 s, R = 300 kb/s
    • C = 100 kb/s
    • Quantum = 1 kb
    • Buffer size = 10 kb
    • Attack starts 2 s later
    • Propagation delays = 0.1 s, 0.2 s, 0.4 s and 0.8 s


39
Experiment of Defense Mechanism
  • Single TCP flow vs. single-source attacker
  • Both go through the same router
  • Link capacity = 5 Mb/s

           Drop Tail                                            DRR
           TCP (Kbps)  TCP (%)  Attack (Kbps)  Attack (%)      TCP (Kbps)  TCP (%)  Attack (Kbps)  Attack (%)
Tahoe         224.37     4.49        1016.52       20.33         3402.07    68.04         780.39       15.61
Reno           26.30     0.53        1022.55       20.45          946.87    18.94        1014.97       20.30
NewReno        23.62     0.47        1022.04       20.44         3690.32    73.81         913.39       18.27

40
Experiment of Defense Mechanism
  • Multiple TCP flows vs. single-source attacker

           Drop Tail                               DRR
           Throughput (Kbps)  % of link capacity   Throughput (Kbps)  % of link capacity
Attack          928.76           18.58                  343.09            6.86
TCP1              8.71            0.17                  965.91           19.32
TCP2            210.77            4.22                  645.79           12.92
TCP3              4.75            0.10                  629.15           12.58
TCP4             11.09            0.22                  618.05           12.36
TCP5              5.54            0.11                  468.30            9.37
TCP6            267.82            5.36                  356.57            7.13
TCP7             72.11            1.44                  293.97            5.88
TCP8              3.17            0.06                  194.93            3.90
TCP Sum         583.96           11.68                 4172.67           83.45

  • Eight TCP flows
  • Single low-rate attacker
  • All go through the same router
  • Link capacity = 5 Mb/s

41
Experiment of Defense Mechanism
  • Network model of the attack vs. multiple TCP flows

            Drop Tail   DRR on R6   DRR on R6,R4   DRR on R6,R4,R2   DRR on R6,R4,R2,R1
            (Kbps)      (Kbps)      (Kbps)         (Kbps)            (Kbps)
Attack       640.00      561.00      453.00         419.00            404.00
TCP1         386.00      358.00      311.00         314.00            778.00
TCP2         264.00      329.00      282.00         874.00            763.00
TCP3         324.00      251.00     1245.00         924.00            788.00
TCP4         425.00     1719.00     1154.00         966.00            765.00
Total TCP   1399.00     2657.00     2992.00        3078.00           3094.00

  • 4 TCP flows
  • Single attacker
  • 7-router network
  • R1, R2, R4 and R6 may run DRR
  • Link capacity = 5 Mb/s


43
Related Work & Conclusion
  • Related Work
    • Another solution to this attack: randomizing the RTO
      • Intuitive solution
      • Requires widespread updates of end-user software
      • May reduce the performance of TCP
    • Reduction of Quality (RoQ) attack
      • General class of attacks exploiting the transients of adaptation
      • Similar attack form
  • Conclusions
    • Formal model to describe the low-rate TCP attack
    • Distributed detection mechanism using Dynamic Time Warping
    • The pushback mechanism
    • DRR approach: protection and isolation

44
Major References
  • HaiBin Sun, John C.S. Lui, David K.Y. Yau. Defending Against Low-rate TCP Attack: Dynamic Detection and Protection. IEEE International Conference on Network Protocols (ICNP), Berlin, Germany, October 2004.
  • HaiBin Sun, John C.S. Lui, David K.Y. Yau. Distributed Mechanism in Detecting and Defending Against Low-rate TCP Attack. Computer Networks Journal (Elsevier), July 2005.

45
Thank you for your attention!
Q & A