The Taming of The Shrew: Mitigating Low-Rate TCP-targeted Attack

© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

The Taming of The Shrew: Mitigating Low-Rate TCP-targeted Attack
Chia-Wei Chang, Seungjoon Lee, Bill Lin, Jia Wang

Shrew Attack [Kuzmanovic03]
- TCP-targeted low-rate denial-of-service attack
- Exploits TCP's retransmission timeout
- Periodic burst (with period T) synchronized with TCP minRTO
  - R: burst rate, large enough to cause packet drops
  - L: burst length, long enough to induce timeouts
- Victims experience repeated loss of retransmissions, hence near-zero throughput
[Figure: Shrew attack bursts against a TCP victim]

Related Work
- BGP (Border Gateway Protocol) runs on top of TCP
  - A Shrew attack can cause BGP session close [Zhang07]
  - Potentially can disrupt Internet routing
- Detection/mitigation schemes
  - Active Queue Management, randomized minRTO: insufficient to fully mitigate the attack
  - Previous schemes to identify attack flows: periodic pattern monitoring, auto-correlation analysis, wavelet-based approach, frequency-domain spectrum analysis
  - Prohibitive to realize in high-speed networks

Outline
- SAP (Shrew Attack Protection)
  - Design overview
  - Deployment consideration
- Testbed experiments
- Simulation experiments

Shrew Attack Protection
- Priority-based filtering mechanism
  - Identifies victims and prioritizes their flows
  - Can help external systems identify attack flows
- Router monitors the drop rate for each potential "victim"
  - Low drop rate: packets are treated normally (i.e., low priority)
  - High drop rate: packets are tagged high priority and preferentially admitted to the output queue
- Protects victims from losing consecutive packets

SAP Components
- Drop Rate Collector
  - Continuously monitors the instantaneous per-aggregate drop rate
  - Counters for arrivals and drops for each potential victim, for the current time interval and recent history (e.g., a total of 10 time intervals)
- Fair Drop Rate Controller
  - Pavg: average drop rate over all monitored aggregates
  - Pfair = max(Pavg, Pmin)
  - No intervention if the drop rate is under the threshold
- Differential Tagging and Preferential Drop
  - Packets are tagged high priority if the instantaneous drop rate is beyond Pfair
  - A relatively short sequence of losses can trigger differential tagging, e.g., Pfair = 5% and 9 successful transmissions followed by one drop
  - Preferential dropping is already implemented in modern routers (e.g., WRED)
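The collector, fair-drop-rate controller and tagging decision above, as an added Python illustration (not the authors' ns-2 or router code): aggregates are keyed by destination port, `Pmin`, the 10-interval history and the constructed traffic counts are assumptions, and `example_tags()` reproduces the slide's 9-successes-plus-1-drop case against Pfair = 5%.

```python
from collections import deque

class ShrewAttackProtection:
    """SAP-style per-aggregate drop-rate monitor (added illustration, not the authors' code).
    Aggregates are keyed by destination port; each keeps arrival/drop counters for the
    open interval plus a sliding history of completed intervals."""

    def __init__(self, history_intervals=10, p_min=0.05):
        self.p_min = p_min                      # Pmin: no intervention below this drop rate
        self.history_intervals = history_intervals
        self.history = {}                       # port -> deque of (arrivals, drops)
        self.current = {}                       # port -> (arrivals, drops) in the open interval

    def record(self, port, arrivals, drops):
        a, d = self.current.get(port, (0, 0))
        self.current[port] = (a + arrivals, d + drops)

    def end_interval(self):
        """Close the open interval and push its counters into the bounded history."""
        for port in set(self.history) | set(self.current):
            hist = self.history.setdefault(port, deque(maxlen=self.history_intervals))
            hist.append(self.current.get(port, (0, 0)))
        self.current = {}

    def drop_rate(self, port):
        """Instantaneous drop rate over history + open interval (0 if nothing arrived)."""
        samples = list(self.history.get(port, ())) + [self.current.get(port, (0, 0))]
        arrivals = sum(a for a, _ in samples)
        return sum(d for _, d in samples) / arrivals if arrivals else 0.0

    def p_fair(self):
        """Pfair = max(Pavg, Pmin), with Pavg averaged over every monitored aggregate."""
        ports = set(self.history) | set(self.current)
        rates = [self.drop_rate(p) for p in ports]
        p_avg = sum(rates) / len(rates) if rates else 0.0
        return max(p_avg, self.p_min)

    def high_priority(self, port):
        """Differential tagging: high priority once the aggregate's drop rate exceeds Pfair."""
        return self.drop_rate(port) > self.p_fair()

def example_tags():
    """Constructed traffic: BGP (port 179) sees 9 successes then 1 drop; ports 21 and 80 lose nothing."""
    sap = ShrewAttackProtection(history_intervals=10, p_min=0.05)
    sap.record(179, arrivals=9, drops=0)
    sap.record(179, arrivals=1, drops=1)        # 10% drop rate > Pfair (5%) -> tagged
    sap.record(21, arrivals=1000, drops=0)
    sap.record(80, arrivals=1000, drops=0)
    return {port: sap.high_priority(port) for port in (21, 80, 179)}
```

Because tagged packets are preferentially admitted, a tagged aggregate's drop rate falls back under Pfair and the tag clears on its own; an aggregate that keeps dropping heavily raises Pavg for everyone, which is the effect the later slides report when the attack uses a protected port.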

SAP Maintains Statistics for Aggregates
- Maintaining per-flow statistics for all flows is typically infeasible
- SAP uses application-level aggregates, e.g., destination port
- Maintaining aggregate-level information is feasible in hardware
  - E.g., 65536 TCP ports: 20 counters * 4 bytes * 60K aggregates ~ 5 MB of SRAM

Discussions
- Different flows can be treated as a single aggregate
  - The Shrew attacker may use a protected TCP port
  - A malicious flow may intentionally cause packet drops and trigger elevated priority
  - SAP still prevents session close and improves the victim's throughput
  - SAP can help external systems narrow down attack flows
- Different aggregates may vary in the number of flows
  - SAP preserves per-flow throughput

Experiment Setup
- Simulation study using FTP, HTTP and BGP flows
  - ns-2 simulator augmented with SAP
- Validation using a real router testbed
  - 1 Juniper router, 2 Ethernet switches, 3 PCs
  - BGP flow only (using Zebra and a real BGP trace)
[Figure: simulation and testbed topologies]

Simulation vs. Testbed
- T = 1 sec, L = 0.3 sec, R = 15, 18, 20 Mbps
- Packet drop rates closely match between testbed and simulation

  Packet drop rate      Juniper testbed           ns-2 simulation
  Attack rate           BGP       Attack flow     BGP       Attack flow
  15 Mbps               17.4%     33.1%           18.1%     35.0%
  18 Mbps               28.1%     45.2%           28.3%     44.8%
  20 Mbps               28.2%     50.3%           29.0%     49.8%

Simulation: Throughput and Drop Rate
- R = 15 Mbps, T = 1 sec, L = 0.3 sec
- Columns on the slide: throughput (in Kbps) and drop rate (in %) for the FTP, HTTP, BGP and attack flows; some cells did not survive extraction, so each row lists its values in slide order

  No-attack                                   4996  4995  4.5  -     0.2  5.8
  RED                                         ~0    3462  ~100 22.7
  SAP, un-protected port                      3975  3870  5.4  1784  3.0  6.1  57.0
  SAP, protected port                         83    76    1.8  3410  8.9  9.1  22   23
  SAP, protected port, attack on HTTP port    75    1760  1.7  3281  9.0  1.1  28

- RED is not enough to mitigate the Shrew attack: the BGP session is closed
- SAP protects legitimate TCP flows from losing multiple packets, and thus enables high throughput in the presence of the attack
- A Shrew attack using a protected port is more effective against SAP, because Pavg becomes higher due to the attack flow
  - Still, SAP keeps all TCP sessions alive: SAP prevents consecutive packet drops
- HTTP flows get higher throughput when the Shrew attack uses the HTTP port; SAP keeps all sessions alive

Conclusions
- SAP (Shrew Attack Protection)
  - Simple counter-based filtering mechanism: priority tagging and preferential drop
  - Uses application-level aggregates, not per-flow statistics
  - Implementable using today's hardware
- Identifies and protects victims
- Can help identify attack flows
- Mitigates the Shrew attack in various attack scenarios