Ph.D. Thesis Presentation
Aleksandar Kuzmanovic
Edge-based Inference, Control, and DoS Resilience for the Internet
The Internet
- 1969 vs. 2004 (maps of the network at the two dates; figures not reproduced)
- A system of astonishing scale and complexity
Internet Design Principles
- Network as a black box
- End-to-end argument [Clark84]
  - The core is simple
  - Intelligence at the endpoints
- Implications
  - Easy to upgrade the network
  - Easy to incrementally deploy new services
Why an End-Point Approach Today?
- Scalability
  - End-to-end mechanisms keep per-flow state at the endpoints, so they scale with the endpoints rather than with the core
- Deployability
  - IP and the network core are not extensible and evolve slowly: IPv6 (10 years), IP Multicast (domain dependent)
- Goal: improve network performance right here, right now, without waiting for the core to change
Network Performance
- Internet traffic
  - HTTP (web browsing)
  - FTP (file transfer)
  - Fact: 95% of today's traffic is TCP-based
- Performance
  - QoS differentiation: an end-point-based two-level differentiation scheme is a net win for both HTTP and FTP flows
  - Denial of Service: DoS attacks can demolish network performance; prevent them via a robust end-point protocol design
End-Point Service Differentiation
- TCP-Low Priority (TCP-LP)
  - Utilizes only the excess network bandwidth
- Key mechanism
  - Early congestion indication: one-way packet delay
- Performance
  - Improves HTTP file transfers by more than 90% when the competing FTP flows use TCP-LP
- Deployability
  - No changes in the network core
  - Sender-side modification of TCP only
- High-speed version developed in cooperation with SLAC
  - Tested over Gb/s networks in the US
Denial of Service
- A malicious way to consume resources in a network, a server cluster, or an end host, thereby denying service to legitimate users
- Example
  - TCP's well-known vulnerability to high-rate non-responsive flows
Design Principles - Revisited
- Design principles
  - Intelligence at the endpoints
  - The core is simple
  - Trust and cooperation among the endpoints
- Implications
  - Easy to incrementally implement new services
  - Easy to upgrade the network
  - Large-scale system
  - But: endpoint misbehavior is hard to detect, and malicious clients may misuse the intelligence
- Implement more intelligence at routers?
  - Scalability issue
  - Detecting misbehaving flows in routers is a hard problem: a needle in a haystack
End-Point Protocol Design
- Performance vs. security
  - End-point protocols are designed to maximize performance but ignore security
  - 95% of Internet traffic is TCP, so a TCP vulnerability can have catastrophic consequences
- DoS-resilient protocol design
  - Jointly optimize performance and security
  - Outperforms the core-based solutions
Remaining Outline
- End-point protocol vulnerabilities
  - Low-rate TCP-targeted DoS attacks
  - Receiver-based TCP stacks with a misbehaving receiver
- Limitations of network-based solutions
- DoS-resilient end-point protocol design
Low-Rate Attacks
- TCP is vulnerable to low-rate DoS attacks
TCP: a Dual Time-Scale Perspective
- Two time-scales are fundamentally required
  - RTT time-scale (~ms): AIMD control
  - RTO time-scale (RTO = SRTT + 4*RTTVAR): avoids congestion collapse
- Lower-bounding the RTO parameter
  - [AllPax99]: minRTO = 1 sec to avoid spurious retransmissions
  - RFC 2988 recommends minRTO = 1 sec
The Low-Rate Attack
- At a random initial time, a short burst (~RTT long) is sufficient to create an outage
  - Outage: an event of correlated packet losses that forces TCP into the RTO mechanism
- The impact of the outage is distributed to all TCP flows sharing the bottleneck
- The outage synchronizes the flows: all react simultaneously and identically, backing off for minRTO
- The attacker stops transmitting to elude detection
- Once the TCP flows try to recover, hit them again: exploit protocol determinism
- And keep repeating: RTT-time-scale outages spaced minRTO apart can deny service to TCP traffic
Vulnerability of Receiver-Based TCP to Misbehaviors
- Sender-based TCP
  - Control functions are given to the sender
Receiver-Based TCP
- The receiver decides how much data can be sent, and which data the sender should send
- DATA - ACK communication becomes REQ - DATA
- Example protocols
  - TFRC [RFC3448], WebTP, and RCP
Why Receiver-Based TCP?
- Example: a busy web server
  - Receiver-based TCP distributes the state management across a large number of clients
- Generally
  - Whenever feedback is needed from the receiver, receiver-based TCP has an advantage over sender-based schemes due to the locality of information
- Benefits [RCP03]
  - Performance: loss recovery, congestion control, power management for mobile devices, web response times
  - Functionality: seamless handoffs, server migration, bandwidth aggregation, network-specific congestion control
Vulnerability
- Receivers decide which packets are sent and when
  - Receivers remotely control servers
- Receivers have both the means and the incentive to manipulate the congestion control algorithm
  - Means: open-source OS
  - Incentive: faster web browsing and file download
Receiver-Induced DoS Attacks
- Request flood attack
  - A misbehaving receiver floods the server with requests; the server replies and congests the network
- Goals
  - Evaluate network-based schemes
  - Develop end-point solutions
Remaining Outline
- End-point protocol vulnerabilities
- Limitations of network-based solutions
  - Low-rate attacks
  - Misbehaving receivers
- DoS-resilient end-point protocol design
Random Early Detection with Preferential Dropping
- RED-PD [MFW01] is designed to detect and thwart non-responsive flows
  - Monitors only a subset of flows at the router and compares their rates to a target bandwidth (TB)
  - TB is computed as the TCP-fair throughput for the observed loss rate Ploss and an assumed RTT = 40 ms
  - If Ti > TB, flow i is declared malicious
- Key questions
  - Can algorithms intended to find high-rate attacks detect low-rate attacks?
  - Can the algorithms be tuned to detect low-rate attacks without too many false alarms?
The Time-Scale Issue
- Scenario: 9 TCP Sack flows with RED and with RED-PD (throughput plots not reproduced)
  - RED-PD detects high-bandwidth flows: DoS inter-burst period < 500 ms
  - RED-PD fails to detect low-rate attacks: DoS inter-burst period > 500 ms
CHOKe
- CHOKe [PPP00] controls misbehaving flows by preventing a flow from monopolizing buffer resources
- Question
  - Why not use CHOKe against low-rate attacks?
Flow Filtering Scenario
- Heterogeneous RTT environment
  - Short-RTT flows are the most vulnerable to low-rate attacks
- Implications
  - Long-RTT flows 'collaborate' in the attack: their traffic fills the queue the attacker needs to overflow
  - An attack rate below the bottleneck rate is enough to deny service to the short-RTT flows
CHOKe and Flow Filtering
- The DoS flow utilizes only 3.3% of the bottleneck capacity
- CHOKe fails to throttle the low-rate attack against short-RTT flows
Request Flooding DoS Attack
- Pushback [Mahajan et al. 02]
  - Network nodes coordinate their efforts to detect a malicious (flooding) node
- But in the request flooding scenario, the flooding machine is not malicious
  - Moreover, it is a victim: the server is merely answering the misbehaving receiver's requests
Bandwidth Stealing
- Fact
  - Network-based schemes lack exact knowledge of end-point parameters
- Example
  - RED-PD does not know a flow's RTT: TB = f(Ploss, RTT = 40 ms)
- Implication
  - A client whose RTT exceeds 40 ms can send faster than its true TCP-fair share and still stay below TB
- Algorithmic misbehavior
  - We generalized the TCP throughput formula to T = f(Ploss, RTT, a, b), with a and b the AIMD increase and decrease parameters
  - Our algorithm tells how to re-tune the AIMD parameters to steal bandwidth, yet elude detection
Summary of Limitations
- Low-rate attacks
  - RED-PD: the issue of time-scales
  - CHOKe: flow filtering
- Misbehaving receivers
  - Pushback: no distinction between causes and effects
  - RED-PD: no knowledge of end-point parameters
- Can we do better from the endpoints?
  - End-point parameter randomization
  - End-point TCP-fairness verification
End-Point minRTO Randomization
- Observation
  - Low-rate attacks exploit protocol determinism: minRTO = 1 sec
- Question
  - Can minRTO randomization alleviate the problem?
- Approach
  - Randomize the minRTO parameter
- Insight
  - The most vulnerable time-scale is T = b, the upper end of the randomization range: wait for all flows to recover, then hit them again
End-Point minRTO Randomization
- TCP throughput as a function of the attack period on the T = b time-scale of the Shrew attack (formula and plot not reproduced)
- Randomizing the minRTO parameter shifts and smoothes TCP's null time-scales
- The fundamental tradeoff between TCP performance and vulnerability to low-rate DoS attacks remains
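The attack timing described on the Low-Rate Attack slides, and the effect of minRTO randomization claimed above, can be reproduced with a small timing model. The following is an added example, not code from the thesis: it assumes the first burst synchronizes all flows, that RTT is negligible against minRTO so the retransmission timer equals minRTO and doubles on each further loss, that a retransmission is lost exactly when it falls inside an attack burst, and that a recovered flow sends at full rate until the next burst (no slow-start ramp). The randomized variant draws minRTO uniformly from [a, b]; reading b as the upper end of that range is my interpretation of the slide's T = b. Burst length, horizon and the [1000, 1200] ms range are constructed inputs.

```python
"""Timing model of the low-rate (Shrew) TCP attack and of minRTO randomization.

Added example, not code from the thesis. Simplifying assumptions (mine):
  * the first burst synchronizes all flows, so every flow enters timeout at t = 0;
  * RTT << minRTO, so a flow's retransmission timer equals its minRTO and
    doubles after each further loss (exponential backoff, capped at 64 s);
  * attack burst k covers [k*T, k*T + BURST_MS); a retransmission is lost
    iff it falls inside a burst;
  * between a successful recovery and the next burst the flow sends at full
    rate (the slow-start ramp is ignored).
All times are integer milliseconds, which avoids floating-point boundary effects.
"""
import random

BURST_MS = 50           # burst length, about one RTT of the victim flows (constructed)
HORIZON_MS = 600_000    # simulate ten minutes of attack
MAX_RTO_MS = 64_000     # RFC 2988 upper bound on the backed-off RTO


def shrew_throughput(period_ms, min_rto_ms, burst_ms=BURST_MS, horizon_ms=HORIZON_MS):
    """Fraction of the horizon during which one flow is transmitting while the
    attacker sends a burst every period_ms milliseconds."""
    t = 0                # time of the outage that put the flow into timeout
    rto = min_rto_ms
    sending = 0
    while t < horizon_ms:
        retx = t + rto
        if retx >= horizon_ms:
            break
        k = retx // period_ms                      # last burst starting at or before retx
        if k * period_ms <= retx < k * period_ms + burst_ms:
            rto = min(2 * rto, MAX_RTO_MS)         # retransmission lost: back off
            t = retx
            continue
        next_burst = (k + 1) * period_ms
        sending += min(next_burst, horizon_ms) - retx   # recovered; send until hit again
        t = next_burst
        rto = min_rto_ms                           # successful transfer resets the timer
    return sending / horizon_ms


def null_timescales(min_rto_ms, candidates_ms):
    """Attack periods among candidates_ms that drive a flow with a fixed minRTO to
    (near) zero throughput: the protocol's null time-scales."""
    return [T for T in candidates_ms if shrew_throughput(T, min_rto_ms) < 0.01]


def mean_throughput_randomized(period_ms, a_ms, b_ms, flows=200, seed=1):
    """Average throughput of `flows` flows whose minRTO is drawn uniformly from
    [a_ms, b_ms] (my reading of the thesis's scheme, with b the upper end of
    the range), all attacked with the same period."""
    rng = random.Random(seed)
    return sum(shrew_throughput(period_ms, rng.randint(a_ms, b_ms))
               for _ in range(flows)) / flows


if __name__ == "__main__":
    print("fixed minRTO = 1000 ms")
    for T in (500, 700, 1000, 1500, 2000):
        print(f"  T = {T:4d} ms -> throughput {shrew_throughput(T, 1000):.3f}")
    print("  null time-scales:", null_timescales(1000, range(100, 2001, 100)))
    print("minRTO ~ uniform[1000, 1200] ms")
    for T in (1000, 1100, 1200, 1500):
        print(f"  T = {T:4d} ms -> mean throughput "
              f"{mean_throughput_randomized(T, 1000, 1200):.3f}")
```

With a fixed minRTO of 1 s the model gives throughput (T - minRTO)/T for T > minRTO and exactly zero whenever minRTO is a multiple of T (nulls at 100, 200, 500 and 1000 ms here), which is the determinism the attack exploits. With minRTO drawn from [1000, 1200] ms, attacking at T = 1000 ms no longer silences the flows, but attacking at T = b = 1200 ms still leaves them roughly (b - a)/(2b), about 8%, of their share: the null is shifted and smoothed rather than removed. Widening [a, b] raises that floor only by lengthening every flow's timeout, which is the performance-vs-vulnerability tradeoff the slide states.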
An End-Point Solution
- Sender-side verification
  - Ping Agent: measures the RTT without cooperation from the receiver
  - TFRC Agent: computes the "TCP-fair" rate from the measured RTT and the observed loss rate
  - Control Agent: enforces the sending rate
Evaluation
- Scenarios
  - With a behaving receiver (to study false positives)
  - With misbehaving receivers (to study detection)
- The end-point scheme detects even very moderate misbehaviors
- Slight inaccuracy at higher packet loss ratios (due to TFRC conservatism)
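A sender-side check of the kind the previous two slides describe, and the RED-PD blind spot from the Bandwidth Stealing slide, as an added example (not the thesis's implementation). It uses the TCP throughput equation of RFC 3448 with b = 1 and t_RTO = 4*RTT, as that RFC recommends; the thesis's agents may compute the rate differently. The sender evaluates the equation at the RTT it measured itself and flags a receiver whose request rate exceeds the result by more than a tolerance; evaluating the same equation at RED-PD's fixed RTT assumption of 40 ms shows how much a client with a larger real RTT can take while staying under the router's target bandwidth. Packet size, RTTs, loss rate and the 10% tolerance are constructed inputs.

```python
"""Sender-side TCP-fairness verification of a receiver-driven transfer.

Added example, not the thesis's code. tcp_friendly_rate() is the TCP
throughput equation of RFC 3448 (TFRC), section 3.1, with b = 1 and
t_RTO = 4*RTT as recommended there. verify_receiver() plays the role of the
TFRC + Control agents: the RTT argument is what the sender measured itself
(the Ping Agent), so the receiver cannot lie about it. redpd_target_bandwidth()
evaluates the same equation at the fixed 40 ms RTT that RED-PD assumes.
All numeric inputs in __main__ are constructed for illustration.
"""
import math


def tcp_friendly_rate(packet_bytes, rtt_s, loss_rate):
    """Bytes per second a TCP-conformant flow would achieve (RFC 3448, 3.1)."""
    if loss_rate <= 0:
        return float("inf")           # no loss observed: the equation is unbounded
    b = 1                             # packets acknowledged per ACK
    t_rto = 4 * rtt_s                 # RFC 3448's RTO approximation
    denom = (rtt_s * math.sqrt(2 * b * loss_rate / 3)
             + t_rto * 3 * math.sqrt(3 * b * loss_rate / 8)
             * loss_rate * (1 + 32 * loss_rate ** 2))
    return packet_bytes / denom


def verify_receiver(requested_bps, measured_rtt_s, loss_rate,
                    packet_bytes=1460, tolerance=0.10):
    """Control-agent decision: accept the receiver's requested rate only if it
    does not exceed the TCP-fair rate by more than `tolerance` (constructed)."""
    fair = tcp_friendly_rate(packet_bytes, measured_rtt_s, loss_rate)
    if requested_bps <= fair * (1 + tolerance):
        return "ok", fair
    return "misbehaving", fair


def redpd_target_bandwidth(loss_rate, packet_bytes=1460, assumed_rtt_s=0.040):
    """RED-PD's target bandwidth TB: the TCP-fair rate for the observed loss
    rate at a fixed, assumed RTT of 40 ms (the router has no RTT estimate)."""
    return tcp_friendly_rate(packet_bytes, assumed_rtt_s, loss_rate)


def stealable_factor(real_rtt_s, loss_rate, assumed_rtt_s=0.040):
    """How many times its true fair share a flow with RTT `real_rtt_s` can take
    while still staying under RED-PD's TB."""
    return (redpd_target_bandwidth(loss_rate, assumed_rtt_s=assumed_rtt_s)
            / tcp_friendly_rate(1460, real_rtt_s, loss_rate))


if __name__ == "__main__":
    p, rtt = 0.01, 0.200                  # constructed: 1% loss, 200 ms measured RTT
    fair = tcp_friendly_rate(1460, rtt, p)
    print(f"TCP-fair rate at RTT {rtt * 1e3:.0f} ms, loss {p:.1%}: {fair * 8 / 1e6:.2f} Mbit/s")
    tb = redpd_target_bandwidth(p)
    print(f"RED-PD TB (RTT assumed 40 ms): {tb * 8 / 1e6:.2f} Mbit/s, "
          f"i.e. {stealable_factor(rtt, p):.1f}x this flow's fair share")
    for requested in (fair, 0.95 * tb):   # honest receiver vs. bandwidth stealer
        verdict, _ = verify_receiver(requested, rtt, p)
        print(f"receiver requests {requested * 8 / 1e6:.2f} Mbit/s -> {verdict}")
```

Because both terms of the RFC 3448 denominator scale linearly with RTT, a flow whose real RTT is 200 ms can request five times its fair share and still sit below the 40 ms target bandwidth RED-PD enforces; the sender, which knows the true RTT, rejects the same request. The tolerance is where false positives with a behaving receiver are traded against detection of moderate misbehavior, which is what the Evaluation slide measures.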
Summary
- Denial of Service attacks are a fundamental threat to today's Internet
- Network-based solutions are necessary, yet quite often very limited
- End-point protocols are optimized for performance, not security
- DoS-resilient protocol design
  - Parameter randomization
  - Ability to control the other end-point
Conclusions
- Improve network performance via
  - End-point QoS differentiation
  - DoS-resilient protocol design
- QoS differentiation
  - Developed, implemented, and tested TCP-LP
  - Can significantly improve network performance
- Denial of Service
  - Pro-active approach
  - Jointly consider both performance and security aspects
Publications
[1] Measuring Service in Multi-Class Networks, IEEE INFOCOM.
[2] Measurement Based Characterization and Classification of QoS-Enhanced Systems, IEEE TPDS, 14(7).
[3] TCP-LP: A Distributed Algorithm for Low Priority Data Transfer, IEEE INFOCOM.
[4] TCP-LP: Low-Priority Service via End-Point Congestion Control, to appear in IEEE/ACM ToN.
[5]* HSTCP-LP: A Protocol for Low-Priority Bulk Data Transfer in High-Speed High-RTT Networks, PFLDnet.
[6] Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants), ACM SIGCOMM.
[7] Low-Rate TCP-Targeted Denial of Service Attacks and Counter Strategies, submitted to IEEE/ACM ToN.
[8] A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols, IEEE ICNP.
[9] Receiver-based Congestion Control with a Misbehaving Receiver: Vulnerabilities and End-Point Solutions, submitted to IEEE/ACM ToN.
* With R. Les Cottrell, SLAC.