Low-rate TCP-Targeted Denial of Service Attacks Aleksandar Kuzmanovic and Edward W. Knightly

Slides: 35
Provided by: katp
Learn more at: https://www.cse.sc.edu

1
Low-rate TCP-Targeted Denial of Service Attacks
Aleksandar Kuzmanovic and Edward W. Knightly
  • Presented by
  • Prasanth Kalakota Ravi Katpelly

2
Outline
  • Introduction
  • TCP timeout mechanism
  • DoS outages
  • Counter-DoS techniques
  • Conclusion

3
Introduction
  • DoS Attacks
      • Prevent access to legitimate users
      • Consume resources
  • Various types: TCP SYN, ICMP broadcasts, DNS flood attacks
  • Shrew attacks or Low Rate DoS attacks

4
TCP Congestion Control
  • Uses Additive Increase Multiplicative Decrease
    (AIMD)
  • Uses Retransmission Timeout (RTO) to avoid
    congestion
  • Selection of RTO value
      • Case (i): if too low, spurious retransmissions occur
      • Case (ii): if too high, flows will wait unnecessarily long

5
TCP Congestion Control (cntd)
  • To solve the first case, the timeout value should be
    at least 1 sec. (suggested and verified by Allman
    and Paxson)
  • For the second case, the TCP sender maintains two
    state variables:
      • Smoothed Round Trip Time (SRTT)
      • Round Trip Time Variation (RTTVAR)

6
Terms used
  • RTT
  • RTO
  • SRTT
  • RTTVAR
  • minRTO

7
TCP's Timeout Mechanism
  • Suggested in RFC 2988
  • When RTT is measured for the first time:
      • $SRTT = R$, $RTTVAR = R/2$
      • $RTO = SRTT + \max(G, 4 \cdot RTTVAR)$
  • When a subsequent RTT measurement is made:
      • $RTTVAR = (1-\beta) \cdot RTTVAR + \beta \cdot |SRTT - R|$
      • $SRTT = (1-\alpha) \cdot SRTT + \alpha \cdot R$
      • $RTO = \max(minRTO, SRTT + \max(G, 4 \cdot RTTVAR))$
  • $\alpha = 1/4$ and $\beta = 1/8$
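
Added example (not part of the original slides or the paper's code): a small model of the RFC 2988 retransmission timer, showing that for ordinary RTTs the computed RTO is pinned to the fixed minRTO floor regardless of the path, which is the property the rest of the talk builds on. It uses the gains as RFC 2988 itself specifies them (alpha = 1/8 for SRTT, beta = 1/4 for RTTVAR); the 10 ms granularity G, the class and function names, and the RTT samples are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALPHA = 1 / 8  # SRTT gain, as specified in RFC 2988
BETA = 1 / 4   # RTTVAR gain, as specified in RFC 2988


@dataclass
class RtoEstimator:
    min_rto: float = 1.0       # the 1 s floor (minRTO) from the slides
    granularity: float = 0.01  # clock granularity G; 10 ms is an assumption
    srtt: Optional[float] = None
    rttvar: float = 0.0
    rto: float = 3.0           # RFC 2988 initial RTO before any RTT sample

    def sample(self, r: float) -> float:
        """Feed one RTT measurement R (seconds); return the updated RTO."""
        if self.srtt is None:  # first measurement
            self.srtt, self.rttvar = r, r / 2
        else:                  # RTTVAR is updated first, using the old SRTT
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r
        raw = self.srtt + max(self.granularity, 4 * self.rttvar)
        self.rto = max(self.min_rto, raw)
        return self.rto

    def on_timeout(self) -> float:
        """Retransmission timer expired: exponential backoff doubles RTO."""
        self.rto *= 2
        return self.rto


def rto_trace(rtts, min_rto=1.0):
    est = RtoEstimator(min_rto=min_rto)
    return [est.sample(r) for r in rtts]


def pinned_to_floor(rtts, min_rto=1.0):
    """True when every computed RTO equals minRTO, i.e. the timeout is set
    by the fixed floor and not by the path's measured RTT."""
    return all(rto == min_rto for rto in rto_trace(rtts, min_rto))


# Constructed RTT samples in seconds (not measurements from the paper).
WAN_RTTS = [0.080, 0.095, 0.110, 0.085, 0.120, 0.090]
LONG_RTTS = [0.600, 0.900, 0.700, 1.100]

if __name__ == "__main__":
    print("WAN path RTOs: ", rto_trace(WAN_RTTS))
    print("long path RTOs:", [round(x, 3) for x in rto_trace(LONG_RTTS)])
    est = RtoEstimator()
    est.sample(0.1)
    print("RTO after two timeouts:", est.on_timeout(), est.on_timeout())
```

Only the long-RTT path yields an RTO above the floor; every sample on the WAN path returns exactly 1.0 s, so the sender's retransmission instant is the same constant for all such flows.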

8
Low-Rate DoS Attacks
  • Attackers exploit the TCP timeout mechanism
  • Send short-duration bursts whose length is on the
    RTT time scale
  • Repeat the bursts periodically at the slower RTO
    time scale

9
Model of DoS Attack (Simple DoS Model)
  • Assume single TCP flow and single DoS stream
  • Attacker sends a short-duration burst at time $t = 0$
  • The TCP sender waits 1 sec and doubles RTO.
  • Attacker sends the second outage between $1$ and
    $1 + 2 \cdot RTT$

10
Model of DoS Attack (cntd)

11
Model of DoS Attack (cntd)
  • N TCP flows with heterogeneous RTTs and single
    DoS flow.

12
Model of DoS Attack (cntd)
  • DoS TCP Throughput Result
  • Assume periodic DoS attack with period T
  • $L > RTT_i$
  • $minRTO > SRTT_i + 4 \cdot RTTVAR_i$ for all $i = 1, \ldots, n$
  • Normalized throughput of the aggregate TCP flow
    is given by

13
Model of DoS Attack (cntd)
  • DoS TCP Flow-Filtering Result
  • For $i = 1, \ldots, k$
      • L RTT_i and
      • $minRTO > SRTT_i + 4 \cdot RTTVAR_i$
  • For $j = k+1, \ldots, n$
      • $L < RTT_j$ and
      • minRTO SRTT_j + 4·RTTVAR_j

14
Model of DoS Attack (cntd)

15
Creating DoS outages
  • Instantaneous Queue Behavior
      • $B$: Queue size
      • $B_0$: Queue size at the onset of an attack
      • $R_{TCP}$: Instantaneous rate of the TCP flow
      • $R_{DoS}$: Rate of DoS flow
      • $T$: DoS burst length
      • $L$: Duration of attack
      • $C$: Bottleneck rate
  • Time at which the queue becomes full is given by
      • $L_1 = (B - B_0)/(R_{DoS} + R_{TCP} - C)$

16
Creating DoS outages (cntd)
  • Queue remains full for $L_2 = L - L_1$ seconds if
    $R_{DoS} + R_{TCP} \geq C$
  • If there is no TCP traffic and $B_0 = 0$, the time at which
    the queue becomes full is given by
      • $L_1 = B/(R_{MAX} - C)$
  • If the buffer is full, the attacker reduces its rate
    to the bottleneck rate $C$.

17
Minimum Rate DoS Streams
  • Double rate DoS stream

18
Impact of shrew DoS Attack on TCP flow aggregation
  • With homogeneous RTT
  • With heterogeneous RTT
  • On web traffic
  • On TCP variants

19
Low-rate DoS stream with Homogeneous RTT

20
Low-rate DoS stream with Heterogeneous RTT
  • Depends on its RTT
  • Shorter RTT flows use more bandwidth

21
Low-rate DoS stream with Heterogeneous RTT (cntd)
  • With more TCP flows, unused bandwidth is
    utilized by higher-RTT flows
  • Total TCP throughput increases

22
Impact of DoS Burst Length
  • Flows with longer RTTs are filtered
  • Fewer non-filtered flows

23
Impact of DoS Peak Rate on Short-RTT Flow
  • Throughput of the short-RTT flow is affected
  • A low peak rate is sufficient to filter the short-RTT flow

24
Impact on HTTP Traffic

25
DoS Attacks on TCP Variants

26
DoS Attacks on TCP Variants (cntd)

27
DoS Experiments on Internet

28
Results

29
Counter-DoS Techniques
  • Router-Assisted Mechanisms
  • End-point minRTO Randomization

30
Router-Assisted Mechanisms
  • Router-Based algorithms
  • Random early detection with preferential dropping
    (RED-PD)

31
Router-Assisted Mechanisms (cntd)

32
Router-Assisted Mechanisms (cntd)

33
End-Point minRTO Randomization

34
Conclusions
  • Presented DoS attacks that are able to throttle
    TCP flows.
  • Discussed impact of various DoS Attacks on TCP
    flow aggregation
  • Experiments conducted using combination of
    analytical modeling, extensive set of simulations
    and internet experiments
  • Discussed Counter DoS Techniques