Denial of Service Attacks


Denial of Service Attacks. Presented by Elad Lifshitz and Yaniv Weizman, Design and Analysis of Protocols.

Outline
- What is denial of service (DoS)?
- Famous DoS examples in the Internet
- Low-Rate TCP-Targeted Denial of Service Attacks: the Shrew attack

What is Denial of Service? An attempt to make a computer resource unavailable to its intended users. In general terms, a DoS attack works by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide the intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Basic types of attack
- Consumption of computational resources, such as bandwidth, disk space, or processor time
- Disruption of configuration information, such as routing information
- Disruption of state information, such as unsolicited resetting of TCP sessions
- Disruption of physical network components
- Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately

Direct and Indirect DoS. Internet-based network attacks can be categorised in two ways:
- Direct DoS attack model: a specific DoS system is developed and rolled out by an attacker with the aim of taking down a specific network or computer (this can be done in a distributed manner)
- Indirect DoS attack model: a worm or virus is at large in the wild and causes DoS and disruption as a side effect of its spreading

Famous DoS examples in the Internet: IP reassembly DoS
- The maximum IP packet length is 65,535 bytes including the IP header, because the Total Length field of the IP header is 16 bits.
- IP packets can be fragmented (to fit the MTU of a link). The Fragment Offset field is 13 bits in units of 8 bytes, so the maximum offset is 8191 x 8 = 65,528 bytes.
- A malicious sender can emit a fragment with the maximum offset and more than 7 bytes of data, so that the fragment ends beyond byte 65,535. A receiver that sizes its reassembly buffer for the maximum legal datagram but validates only individual fragments writes past the end of that buffer while reassembling (a buffer overflow rather than a mere "memory overflow"; this is the mechanism behind the classic "Ping of Death" crashes).

Famous DoS examples in the Internet: IP reassembly DoS solutions
- While reassembling, check for each incoming fragment that its Fragment Offset (times 8) plus its payload length (Total Length minus the header length) does not exceed 65,535, and drop the fragment, and preferably the whole datagram, otherwise. The slide's shorthand "sum of Fragment Offset and Total Length below 65,535" means this check; note that the offset field must be scaled to bytes first.
- Alternatively allocate reassembly buffers larger than the maximum IP packet length, so that an over-long datagram cannot overrun them. This only protects the buffer; the check above is what actually rejects the malformed datagram.
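The reassembly check above, as an added example (it is not code from the original slides): a small Python fragment parser and reassembler that applies the offset-plus-payload test before copying any data. The packet builder, the addresses, identifiers and payloads are constructed for the example; the header layout is the standard 20-byte IPv4 header without options.

```python
import struct

IPV4_MAX_LEN = 65535                 # 16-bit Total Length field
OFFSET_UNIT = 8                      # Fragment Offset counts 8-byte blocks
MAX_OFFSET = 0x1FFF * OFFSET_UNIT    # 13-bit field => 65,528 bytes
HDR_FMT = '!BBHHHBBH4s4s'            # IPv4 header without options (20 bytes)


def build_fragment(ident, offset, payload, more_fragments):
    """Constructed IPv4 fragment (no options, checksum left at 0) for the examples below.
    Source 10.0.0.1 and destination 10.0.0.2 are placeholders."""
    assert offset % OFFSET_UNIT == 0 and offset <= MAX_OFFSET
    ihl = 5
    total_len = ihl * 4 + len(payload)
    flags_off = (0x2000 if more_fragments else 0) | (offset // OFFSET_UNIT)
    header = struct.pack(HDR_FMT, (4 << 4) | ihl, 0, total_len, ident, flags_off,
                         64, 17, 0, b'\x0a\x00\x00\x01', b'\x0a\x00\x00\x02')
    return header + payload


def parse_fragment(packet):
    """Return (ident, byte offset, more-fragments flag, payload) of one fragment."""
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack(HDR_FMT, packet[:20])[:5]
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * OFFSET_UNIT
    more = bool(flags_off & 0x2000)
    return ident, offset, more, packet[ihl:total_len]


def fragment_fits(offset, payload_len):
    """The check the slides call for: the last byte this fragment claims must lie
    inside the largest legal IPv4 datagram."""
    return offset + payload_len <= IPV4_MAX_LEN


class Reassembler:
    """Minimal reassembly buffer that refuses fragments which would overrun it."""

    def __init__(self):
        self.buffers = {}     # ident -> bytearray sized for the largest legal datagram

    def accept(self, packet):
        ident, offset, more, payload = parse_fragment(packet)
        if not fragment_fits(offset, len(payload)):
            # Without this test a fragment at offset 65,528 carrying 8 or more bytes
            # would write past a 65,535-byte buffer in a C implementation.
            self.buffers.pop(ident, None)   # drop the whole datagram, not just this piece
            return 'rejected'
        buf = self.buffers.setdefault(ident, bytearray(IPV4_MAX_LEN))
        buf[offset:offset + len(payload)] = payload
        return 'accepted'


if __name__ == '__main__':
    r = Reassembler()
    print('last legal fragment:', r.accept(build_fragment(1, MAX_OFFSET, b'A' * 7, False)))
    print('oversized fragment: ', r.accept(build_fragment(2, MAX_OFFSET, b'A' * 16, False)))
```

The rejecting branch also discards any fragments already buffered under the same identifier, since a datagram containing one out-of-range fragment is malformed as a whole.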

Famous DoS examples in the Internet: TCP SYN flood
- The SYN flood attack sends TCP connection requests faster than the victim can process them
- The attacker writes a random (spoofed) source address into each SYN
- The victim answers the spoofed address with a SYN-ACK and waits for the final ACK, which never arrives; the half-open entry is kept until the handshake times out (historically about 3 minutes)
- The victim's connection (backlog) table fills up with half-open entries
- Once the table is full, all new connection requests are dropped, so legitimate users are shut out as well and cannot reach the server

Famous DoS examples in the Internet: TCP SYN flood possible solutions
- SYN cookies: instead of allocating a record on the SYN, the server sends a SYN-ACK whose initial sequence number is carefully constructed, a keyed hash over the client's and server's addresses and ports combined with a coarse timestamp and an encoding of the client's MSS. When the third packet of the handshake (the ACK) arrives, the server recomputes the value, and only then allocates memory. Hashing every SYN costs CPU, but the real price is the lost state: TCP options negotiated in the SYN (window scaling, SACK, timestamps) cannot be remembered unless they fit into the cookie, and a SYN-ACK the server never recorded cannot be retransmitted.
- Better resource management: newer operating systems manage the half-open table better (shorter timeouts, larger or adaptive backlogs, evicting the oldest half-open entries), which makes the table harder to fill, but they remain vulnerable.
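An added example, not part of the original slides, of the SYN-cookie idea in Python. The cookie layout (5-bit coarse timestamp, 3-bit MSS index, 24-bit keyed hash) follows Bernstein's scheme; the MSS table, the 64-second counter, the one-step validity window and the use of HMAC-SHA256 truncated to 24 bits are assumptions of this example, not any particular kernel's implementation. No per-connection state exists until check() succeeds.

```python
import hashlib
import hmac
import struct
import time

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit field can encode (constructed table)
COUNTER_PERIOD = 64                   # seconds per step of the coarse timestamp counter
MAX_AGE_STEPS = 1                     # cookies from this step or the previous one are accepted


class SynCookies:
    """Stateless SYN handling: the server allocates nothing on the SYN and only
    creates a connection when the final ACK proves the client can receive at its
    claimed address. The initial sequence number is laid out as
        [5 bits: counter mod 32][3 bits: MSS index][24 bits: keyed MAC]
    The MAC is HMAC-SHA256 truncated to 24 bits (an assumption of this example)."""

    def __init__(self, secret, clock=time.time):
        self.secret = secret
        self.clock = clock

    def _counter(self):
        return int(self.clock()) // COUNTER_PERIOD

    def _mac(self, saddr, sport, daddr, dport, counter, mss_idx):
        msg = struct.pack('!4sH4sHQB', saddr, sport, daddr, dport, counter, mss_idx)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], 'big')

    def make(self, saddr, sport, daddr, dport, client_mss):
        """Sequence number to put in the SYN-ACK; nothing is stored."""
        counter = self._counter()
        # largest table entry not exceeding what the client offered
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        mac = self._mac(saddr, sport, daddr, dport, counter, mss_idx)
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac

    def check(self, ack_num, saddr, sport, daddr, dport):
        """Validate the handshake's final ACK. Returns the MSS to use, or None if
        the cookie is forged, belongs to a different 4-tuple, or is too old."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        low_counter = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = (cookie & 0xFFFFFF).to_bytes(3, 'big')
        now = self._counter()
        for age in range(MAX_AGE_STEPS + 1):
            counter = now - age
            if (counter & 0x1F) != low_counter:
                continue
            expected = self._mac(saddr, sport, daddr, dport, counter, mss_idx).to_bytes(3, 'big')
            if hmac.compare_digest(mac, expected):
                return MSS_TABLE[mss_idx]
        return None


if __name__ == '__main__':
    server = SynCookies(secret=b'rotate-me-periodically', clock=lambda: 1_000_000.0)
    client = (b'\x0a\x00\x00\x01', 40000, b'\x0a\x00\x00\x02', 443)   # constructed 4-tuple
    isn = server.make(*client, client_mss=1460)
    print('SYN-ACK seq 0x%08x -> ACK accepted with MSS' % isn, server.check(isn + 1, *client))
    print('same ACK from another port:', server.check(isn + 1, client[0], 40001, client[2], 443))
```

Because the counter only has 5 bits in the cookie, check() tries the current and previous counter values and matches on the low bits; an ACK arriving after the validity window is rejected even if the MAC is otherwise correct, which bounds how long a captured cookie stays useful.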

Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants) Written by: Aleksandar Kuzmanovic and Edward W. Knightly SIGCOMM’03, August 25-29, 2003, Karlsruhe, Germany

Traditional DoS attacks
- Use high-rate transmission of packets (the "sledge-hammer" approach)
- Present a statistical anomaly to a network monitor
- Are therefore relatively easy to detect and mitigate with counter-DoS mechanisms

TCP congestion control
- While ACKs arrive correctly, increase the congestion window additively
- On a retransmission timeout, drop the window to 1 packet and restart "slow start"
- On 3 duplicate ACKs, drop the window to half of the previous CWND and continue increasing it additively

TCP timeout mechanism
- Retransmission timeout (RTO): on the order of 1 to N seconds; used on severe congestion with multiple losses
- RTO doubles with each subsequent timeout (exponential backoff); after a timeout the window drops to 1 packet and slow start begins
- Choosing RTO is a trade-off: a low value causes spurious retransmissions (ACKs were delayed, not lost); a high value delays recovery from congestion
- RTO = max(minRTO, func(RTT)), where func is the smoothed-RTT estimator and minRTO is a lower bound; Allman and Paxson found that minRTO = 1 second maximises throughput
- For small-RTT flows the estimator stays below the floor, so RTO is constantly equal to minRTO; this determinism is a key source of vulnerability to low-rate attacks
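To see why small-RTT flows end up with a constant, predictable RTO, here is an added example (not from the slides) implementing the RFC 6298 estimator with the 1-second floor. The RTT series are constructed with plus or minus 20% jitter; the alpha and beta weights and the clock-granularity term are the RFC's.

```python
def rfc6298_rto(rtt_samples, min_rto=1.0, clock_granularity=0.001):
    """Smoothed RTT / variance per RFC 6298 and the resulting RTO, in seconds.
    Returns (estimator_rto, effective_rto): what the estimator produces, and
    what TCP actually uses once the minRTO floor is applied."""
    if not rtt_samples:
        raise ValueError('need at least one RTT sample')
    srtt = rttvar = None
    for rtt in rtt_samples:
        if srtt is None:                          # first measurement
            srtt, rttvar = rtt, rtt / 2
        else:                                     # alpha = 1/8, beta = 1/4
            rttvar = 0.75 * rttvar + 0.25 * abs(srtt - rtt)
            srtt = 0.875 * srtt + 0.125 * rtt
    estimator = srtt + max(clock_granularity, 4 * rttvar)
    return estimator, max(min_rto, estimator)


def jittered_samples(rtt, n=20, jitter=0.2):
    """Constructed RTT series: alternates rtt*(1-jitter) and rtt*(1+jitter)."""
    return [rtt * (1 - jitter) if i % 2 == 0 else rtt * (1 + jitter) for i in range(n)]


def rto_table(base_rtts, min_rto=1.0, jitter=0.2):
    """Map each base RTT to (estimator_rto, effective_rto)."""
    return {rtt: rfc6298_rto(jittered_samples(rtt, jitter=jitter), min_rto)
            for rtt in base_rtts}


if __name__ == '__main__':
    for rtt, (est, eff) in rto_table((0.02, 0.1, 0.3, 0.5, 1.5)).items():
        pinned = 'pinned at minRTO' if eff > est else 'estimator wins'
        print(f'RTT {rtt * 1000:6.0f} ms: estimator {est:.3f} s, RTO used {eff:.3f} s  ({pinned})')
```

Even with 20% jitter, every flow whose RTT is a few hundred milliseconds or less gets RTO = minRTO exactly, which is what lets an attacker predict to the second when all of them will try to leave timeout.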

The shrew in nature: a small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite.

The Shrew attack strategy
- Attempts to deny bandwidth to TCP flows
- Uses low-average-rate, TCP-targeted attack traffic
- Eludes detection by counter-DoS mechanisms: a detector tuned for Shrews would raise unacceptably many false alarms, because legitimate flows are bursty too
- Causes severe denial of service to legitimate users
- Exploits protocol homogeneity and determinism: TCP reacts to loss in a pre-defined way, and it is this predictable congestion control behaviour that the attack targets

The Shrew attack
- A periodic on-off "square wave" of attack bursts, each inducing a short outage, synchronised to the TCP RTO mechanism
- Burst rate R: varies up to the full link capacity C
- Burst length l: about one RTT (long enough to fill the bottleneck queue and make the TCP flows lose packets)
- Inter-burst period T: about minRTO, the time between two successive outages

The Shrew attack (cont.). When the flows attempt to exit timeout simultaneously and enter slow start, the Shrew pulses again and forces them synchronously back into the timeout state. All active flows therefore operate (nearly) simultaneously on the RTO time-scale.

The model
- A single bottleneck queue driven by n long-lived TCP flows with heterogeneous RTTs and a single DoS flow
- Assumptions, for any TCP flow: (a) l >= RTT, so the congestion burst lasts long enough to force all TCP flows to enter timeout simultaneously; (b) minRTO is constant (1 sec), so all TCP flows have identical RTO values and will time out for exactly minRTO seconds, exiting together: the ideal moment for the next attack burst

The model (cont.). From these assumptions the paper derives the TCP throughput normalized to link capacity as a function of the attack period T (discarding the slow-start phase). Despite the heterogeneous RTTs, most TCP flows are forced to "synchronize" to the attacker: they enter timeout (nearly) concurrently and attempt to recover at (nearly) the same time.

Single TCP flow simulation (vs. model)
- 1 TCP flow, C = 1.5 Mb/s, R = C, l = 150 ms, minRTO = 1 sec, 12 ms < RTT < 150 ms
- The analytical model accurately predicts the degradation
- The differences between T = minRTO/2 and T = minRTO are due to TCP slow start (after exiting timeout TCP does not immediately utilize the full link capacity)
- When T > minRTO, the TCP flow obtains increasingly higher throughput in the interval between the RTO expiration and the next attack burst

Single TCP flow simulation (cont.)
- The average attack rate is R * l / T, which decreases as T increases
- Attack effectiveness is clearly NOT increasing with the attacker's average rate: the most damaging period, T = minRTO, is not the one with the highest average rate

Aggregation of flows with homogeneous RTTs
- 5 long-lived TCP flows, C = 1.5 Mb/s, R = C, l = 100 ms, minRTO = 1 sec, 12 ms < RTT < 132 ms
- As with one flow, the model fits the aggregate: RTO homogeneity introduces a single vulnerable timescale, i.e. one "null frequency" in the throughput response
- Some of these flows have RTT > l, violating assumption (a), yet within a minRTO they are still denied service because of the Shrew-induced flow synchronization

RTT heterogeneity: RTT-based filtering
- 20 long-lived TCP flows, C = 10 Mb/s, R = C, l = 100 ms, minRTO = 1 sec, 20 ms < RTT < 460 ms
- Shrews act as high-RTT-pass filters: service is denied to short-RTT flows (up to about RTT = 180 ms), while longer-RTT flows keep their share
- Without the DoS flow, the shorter-RTT flows would utilize more bandwidth, so the attack reverses TCP's usual allocation

Short-lived TCP traffic modelling HTTP
- Short-lived TCP flows: randomly chosen web sites, each page has 10 objects, response time is normalized, HTTP load is 50% of capacity
- Larger files (more than 100 packets) are highly vulnerable
- Some flows actually benefit from the attack and see a lower response time: a flow that arrives between two attack outages can transmit its entire file before the next outage occurs

Internet LAN/WAN experiments
- Intra-LAN: C = 10 Mb/s (victim), R = C, l = 200 ms, two hops between the attacker (DoS-A) and the TCP sender (TCP-S); "null frequency" at T = 1.2 sec; the attacked TCP flow's throughput decreased from 6.6 Mb/s to 780 kb/s
- Inter-LAN: three different LANs, C = 10 Mb/s (victim) and 100 Mb/s, R = 10 Mb/s, l < 100 ms, two routers and two switches on the path; "null frequency" at T = 1.1 sec; throughput decreased from 9.8 Mb/s to 800 kb/s
- WAN: R = 10 Mb/s, l = 100 ms, 8 hops between the attacker and the TCP receiver (TCP-R); throughput decreased from 9.8 Mb/s to 1.2 Mb/s

Detecting Shrews: end-point minRTO randomization
- Observation: Shrews exploit protocol homogeneity and determinism
- Question: can minRTO randomization alleviate the threat of Shrews?
- TCP flows' approach: randomize the timeout floor, minRTO = uniform(a, b), e.g. minRTO = uniform(1, 1.2) seconds
- A randomized minRTO shifts and smooths both vulnerable timescales and the TCP throughput between them
- The longest and most vulnerable timescale (the "null frequency") moves to T = b, so an attacker who knows the range can still target it; the intermediate timescales are no longer sharply vulnerable
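An added toy simulation (not the paper's model or code) of a single TCP flow under the square-wave attack, serving both the single-flow simulation slides above and the minRTO-randomization idea on this slide. It assumes the rules stated on the slides: a burst that hits a transmitting flow causes a timeout, RTO starts at minRTO and doubles whenever the flow tries to exit timeout while a burst is in progress, and slow start is ignored (so the result is an upper bound on throughput). The period sweep reproduces the zero-throughput "null frequencies" at T = minRTO and T = minRTO/2 and shows the attacker's average rate R * l / T falling while the damage does not. With minRTO drawn from uniform(1, 1.2) the flow's exit time is no longer predictable and the null at T = 1 sec disappears in this single-flow setting; the block does not model the aggregate behaviour or the shift of the most vulnerable timescale to T = b.

```python
import math
import random


def shrew_throughput(T, l=0.1, min_rto=1.0, horizon=600.0, rto_sampler=None):
    """Fraction of time a single TCP flow can transmit under a square-wave Shrew
    attack with inter-burst period T and burst length l (seconds).

    Bursts occupy [k*T, k*T + l). A burst that hits a transmitting flow forces it
    into timeout for RTO. RTO starts at minRTO and doubles each time the flow tries
    to exit timeout while a burst is in progress; it resets after the flow has
    transmitted again. rto_sampler, if given, supplies the (randomised) minRTO."""
    draw = rto_sampler or (lambda: min_rto)
    sending = 0.0
    rto = draw()
    t_exit = rto                    # the first burst, at time 0, hits the flow at once
    while t_exit < horizon:
        k = math.floor(t_exit / T)
        if t_exit - k * T < l:      # exit attempt lands inside burst k: back off
            rto *= 2
            t_exit += rto
            continue
        next_burst = (k + 1) * T    # transmit until the next burst begins
        sending += min(next_burst, horizon) - t_exit
        rto = draw()
        t_exit = next_burst + rto
    return sending / horizon


def average_attack_rate(R, l, T):
    """The attacker's mean rate R*l/T; compare it with the link capacity C."""
    return R * l / T


def randomized_min_rto(a, b, seed=0):
    """Sampler for the end-point defence on the slide: minRTO ~ uniform(a, b).
    Seeded so that runs are reproducible."""
    rng = random.Random(seed)
    return lambda: rng.uniform(a, b)


def sweep(periods, **kwargs):
    """Throughput for each inter-burst period T; the zeros are the 'null frequencies'."""
    return [(T, round(shrew_throughput(T, **kwargs), 3)) for T in periods]


if __name__ == '__main__':
    C, l = 1.5e6, 0.1          # bit/s and seconds, as in the single-flow simulation slide
    for T, rho in sweep([0.5, 0.7, 1.0, 1.5, 2.0, 3.0], l=l):
        share = average_attack_rate(C, l, T) / C
        print(f'T={T:.1f}s  TCP throughput={rho:6.1%}  attacker average rate={share:5.1%} of C')
    rho_rand = shrew_throughput(1.0, l=l, rto_sampler=randomized_min_rto(1.0, 1.2))
    print(f'T=1.0s with minRTO ~ uniform(1, 1.2): TCP throughput={rho_rand:6.1%}')
```

Reading the sweep: at T = 1.0 and T = 0.5 the flow never transmits (every exit attempt lands in a burst and the backoff keeps doubling), while at T = 1.5 the attacker's average rate is only about 7% of C and the flow still gets a third of the link at best; the damage is set by the period, not by the rate.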

Conclusions
- Shrew principles: exploit slow-time-scale protocol homogeneity and determinism
- Real-world vulnerability to Shrew attacks: in the Internet experiment, 87.8% throughput loss without detection
- Shrews are difficult to detect: low average rate and "TCP friendly"; short bursts cannot simply be filtered; there is a fundamental mismatch between the attack and defense timescales

Life conclusion: try to stay away from Shrews.