A Poisoning-Resilient TCP Stack - PowerPoint PPT Presentation

About This Presentation
Title:

A Poisoning-Resilient TCP Stack

Description:

Counter-DoS solutions at the server cannot protect ... A1 can inject a spoof packet with acceptable sequence number with RST/FIN flag set ... – PowerPoint PPT presentation

Number of Views:20
Avg rating:3.0/5.0
Slides: 21
Provided by: abcde7
Category:

less

Transcript and Presenter's Notes

Title: A Poisoning-Resilient TCP Stack


1
A Poisoning-Resilient TCP Stack
  • Amit Mondal
  • Aleksandar Kuzmanovic
  • Northwestern University

http//networks.cs.northwestern.edu/
2
(No Transcript)
3
(No Transcript)
4
(No Transcript)
5
Large-scale TCP Poisoning Attack
  • Poison clients instead of servers
  • Counter-DoS solutions at the server cannot
    protect
  • Simple see and shoot strategy enough for this
    kind of attack

Only monitoring capability is enough
A1 can inject a spoof packet with acceptable
sequence number with RST/FIN flag set
C1
A2
A1 monitors flows in the network
C2
A1
C3
Server
6
Possible Scenarios
  • Increasing trend of compromising Internet routers
    Mizrak et al. DSN05
  • A malicious hacker with only monitoring
    capability can randomly poison TCP connections
    and avoid detection
  • Music industry against P2P
  • Direct Poisoning
  • Corrupt content to frustrate users
  • Poison P2P connections instead of direct
    poisoning
  • Net Neutrality
  • ISPs actively resetting flows like VoIP calls
    etc.

7
Why TCP Vulnerable to Poisoning Attack?
  • Visibility of TCP headers in the network
  • TCP end-points behave as dummy state machines
  • Easily desynchronized by an outside third party
  • We seek solution to this problem through DoS
    resilient protocol design
  • Upgrade TCP from dummy state machine
  • Implicit authentication of data packets and
    packet stream
  • We are solving security problem through
    congestion control

8
Why Not Stronger Solutions?
  • Explicit monitoring of packet headers are
    required in networks
  • Advanced congestion control protocols (e.g., RCP,
    XCP)
  • Intrusion-detection mechanisms
  • Not implemented/used widely
  • Our Goal
  • Adopt an alternate approach
  • Solve the problem through DoS-resilient protocol
    design

9
Our Approach
  • How to detect attack?
  • Deferred protocol reaction
  • How to survive the attack?
  • Distinguish packet streams from different sources
  • Forward nonces
  • Identify the valid packet stream
  • Self-clocking-based correlation

10
How long to defer?
Ideally, deferring time should be the maximum
possible inter-arrival time to detect all attacks
Inter-arrival time depends upon burstiness of
cross traffic as well as round-trip time of the
connection
Setting deferring time to 25 of SRTT yields
detection probability above 99
11
Forward Nonces
Past Nonce
Future Nonce
i
i1
i2

Concatenation attack
i1
i1
i2
i
  • Chaining mechanism to distinguish among different
    packet sources
  • 8-bit random number
  • Overhead 2 bytes/packet
  • Limits the attack space
  • Attacker can only inject packet w.r.t. sniffed
    packet for meaningful attack

12
Self Clocking Based Correlation
Idea Exploit strong correlation among packet
inter- departure and inter-arrival times at an
endpoint
IDTi
ACKi
Inter-departure samples
IDTi1
ACKi1
ACKi2
IDTi2
ACKi3
DATAi
DATAi1
IATi
DATAi2
Inter-arrival samples
IATi1
DATAi3
IATi2
Infer legitimate flow based on s
13
Internet Experiment
Confirms the accuracy of self-clocking-based
detection method
14
Experimental Setup
Taping Point
15
Evaluation (1)
Variable queuing delay
Congested environment
Attack detection accuracy remains high for
moderately highly congested network environments
16
Evaluation (2)
Link utilization drops sharply even at low attack
rate
Utilization remains high even at high attack rate
Does not go to zero because of high rate of
arrival of short flows
Link utilization remains high even at very high
attack rate with deferred TCP
17
Incremental Deployability
Link utilization increases as percentage of
deferring TCP increases
Deferring TCP consume its fair bandwidth share
Regular TCP flows service is easily denied
Modified AIMD parameters to compensate
degradation due to deferred reaction
Presence of attack
Absence of attack
Deferring TCP flows remain highly resilient
during attack and utilize their bandwidth fair
share in absence of attack
18
Conclusion
  • Large-scale TCP poisoning attack
  • Next stage of thriving DDoS attacks
  • Stealthy and hard to detect
  • Our approach
  • Raise the bar instead of providing 100
    protection
  • Our solution
  • Uses network measurement for implicit
    authentication
  • Incrementally deployable
  • TCP friendly in absence of attack
  • Poisoning resilient in presence of attack

19
Questions?
20
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "A Poisoning-Resilient TCP Stack" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!