Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

Motivation
- Sender-based TCP
  - The control functions are given to the sender

Receiver-Based TCP
- The receiver decides how much data can be sent, and which data the sender should send
- DATA-ACK communication becomes REQ-DATA
- Example protocols
  - TFRC [RFC3448], WebTP, and RCP

Why Receiver-Based TCP?
- Example: a busy web server
  - Receiver-based TCP distributes the state management across a large number of clients
- Generally
  - Whenever feedback is needed from the receiver, receiver-based TCP has an advantage over sender-based schemes because the information is local to the receiver
- Benefits [RCP03]
  - Performance: loss recovery, congestion control, power management for mobile devices, web response times
  - Functionality: seamless handoffs, server migration, bandwidth aggregation, network-specific congestion control

Vulnerability
- Receivers remotely control servers by deciding which packets are sent, and when
- Receivers have both the means and the incentive to manipulate the congestion control algorithm
  - Means: an open-source OS, so the receiver's stack is under the receiver's control
  - Incentive: faster web browsing and file downloads

An Example: Request-Flood Attack
- Request-flood attack
  - A misbehaving receiver floods the server with requests; the server replies to each one and congests the network
- Resource stealing
  - A misbehaving receiver moderately re-tunes its TCP parameters to gain performance, yet eludes detection

Remaining Outline
- Modeling receiver misbehaviors
- Evaluating network-based solutions
- An end-point solution
- Conclusion

Algorithmic Misbehavior
- Why parameter-based misbehaviors?
  - Easy to implement
  - They tell how much you can misbehave while eluding detection
- Goal
  - Compute the TCP throughput for arbitrary (misbehaving) parameters

Bandwidth Stealing

Network-Based Solutions
- RED-PD [MFW01], designed to detect non-responsive flows
  - Monitors only a subset of the flows at the router and compares their rates to a target bandwidth (TB)
  - TB is computed as the TCP-fair throughput for the observed Ploss and a fixed RTT = 40 ms
  - If Ti > TB, flow i is treated as malicious
- Pushback
  - Once misbehavior is detected, network nodes coordinate their efforts to thwart the malicious (flooding) node

RED-PD
- Fact
  - Network-based schemes lack exact knowledge of the end-point parameters
- Example
  - RED-PD does not know a flow's RTT: TB = f(Ploss, RTT = 40 ms)
- Implication
  - A client whose RTT is greater than 40 ms has a TCP-fair rate below TB, so it can increase its aggressiveness until its rate reaches TB and still go undetected
- Algorithmic misbehavior
  - Our algorithm tells how to re-tune the AIMD parameters to steal bandwidth, yet elude detection
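Worked example of the bandwidth-stealing computation against RED-PD's fixed-RTT target, added here and not taken from the paper or the talk. It assumes the square-root throughput model for AIMD(alpha, beta), T = sqrt(alpha(2-beta)/(2beta)) / (RTT sqrt(p)) packets/s, and that TB is that same model evaluated for standard TCP (alpha = 1, beta = 0.5) at RED-PD's 40 ms RTT. The function names, the 200 ms / 1% loss client, and the closed form for the largest undetected alpha are assumptions derived from that model, so the block generalizes beyond the single case the slide describes.

```python
"""AIMD throughput vs. RED-PD's fixed-RTT target bandwidth (added example).

Assumed model (not from the slides): steady-state AIMD(alpha, beta) throughput
T = sqrt(alpha*(2-beta)/(2*beta)) / (RTT*sqrt(p)) packets/s, and RED-PD's
target TB = T for standard TCP (alpha=1, beta=0.5) at its fixed 40 ms RTT.
"""
import math

TARGET_RTT = 0.040   # RED-PD's assumed RTT in seconds


def aimd_rate(alpha, beta, rtt, p):
    """Packets/s for additive increase alpha (packets per RTT) and
    multiplicative decrease beta (cwnd -> (1-beta)*cwnd) at loss rate p."""
    if not (alpha > 0 and 0 < beta < 1 and rtt > 0 and 0 < p < 1):
        raise ValueError("need alpha>0, 0<beta<1, rtt>0, 0<p<1")
    return math.sqrt(alpha * (2 - beta) / (2 * beta)) / (rtt * math.sqrt(p))


def red_pd_target(p):
    """TB: the TCP-fair rate for the observed loss rate at the fixed 40 ms RTT."""
    return aimd_rate(1.0, 0.5, TARGET_RTT, p)


def red_pd_flags(alpha, beta, rtt, p):
    """True if RED-PD singles the flow out: its rate exceeds TB."""
    return aimd_rate(alpha, beta, rtt, p) > red_pd_target(p)


def max_undetected_alpha(beta, rtt):
    """Largest additive-increase step that keeps the flow at or below TB.
    From T(alpha, beta, rtt, p) <= TB: alpha <= 1.5*(rtt/TARGET_RTT)^2 * 2*beta/(2-beta).
    The loss rate cancels between the two sides, so p does not appear."""
    return 1.5 * (rtt / TARGET_RTT) ** 2 * (2 * beta) / (2 - beta)


def stealing_factor(alpha, beta, rtt, p):
    """Throughput relative to a standard TCP flow with the same RTT and loss."""
    return aimd_rate(alpha, beta, rtt, p) / aimd_rate(1.0, 0.5, rtt, p)


if __name__ == "__main__":
    rtt, p = 0.200, 0.01          # constructed: a 200 ms client seeing 1% loss
    a_max = max_undetected_alpha(0.5, rtt)
    print(f"TB = {red_pd_target(p):.1f} pkt/s; honest flow at {rtt*1000:.0f} ms = "
          f"{aimd_rate(1, 0.5, rtt, p):.1f} pkt/s; max undetected alpha = {a_max:.1f}")
    for a in (1, a_max - 1, a_max + 1):
        print(f"alpha={a:5.1f}: rate={aimd_rate(a, 0.5, rtt, p):7.1f} pkt/s, "
              f"x{stealing_factor(a, 0.5, rtt, p):4.1f}, "
              f"flagged={red_pd_flags(a, 0.5, rtt, p)}")
```

Because the loss rate cancels when the flow's rate is compared with TB, the headroom depends only on the RTT ratio: under this model a 200 ms client can raise its additive increase to 25 packets per RTT, roughly five times a standard flow's throughput at that RTT, and still sit below RED-PD's target.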

Pushback
- The request-flood attack and Pushback
  - Pushback would throttle the node that is sending the flood, which here is the server
- But in the request-flooding scenario, the flooding machine is not malicious
  - moreover, it is a victim...

An End-Point Solution
- Sender-side verification:
  - Ping Agent: measures the RTT by pinging the receiver
  - TFRC Agent: computes the "TCP-fair" rate from the measured RTT and loss rate
  - Control Agent: enforces the sending rate
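What the Control Agent has to guarantee, and why it defeats the request-flood attack from the earlier slide, as an added example that is not the paper's code. It assumes the TFRC throughput equation of RFC 3448 (section 3.1) with b = 1 and t_RTO = 4 RTT for the TFRC Agent, a token bucket as the enforcement mechanism, a 1460-byte packet, and a constructed request pattern (an honest receiver at 100 REQ/s and a flooder at 1000 REQ/s); the class and function names are illustrative.

```python
"""Control Agent: cap the REQ-DATA serving rate at the TCP-fair rate (added example).

Hypothetical implementation, not the paper's. Assumes RFC 3448's TFRC throughput
equation with b = 1 and t_RTO = 4*RTT, and a token bucket for enforcement.
"""
import math


def tfrc_rate(s, rtt, p, b=1, max_rate=12_500_000):
    """TCP-fair sending rate in bytes/s (RFC 3448, section 3.1).
    The equation is undefined at p == 0; an assumed cap of max_rate is used then."""
    if p <= 0:
        return max_rate
    t_rto = 4 * rtt
    denom = (rtt * math.sqrt(2 * b * p / 3)
             + t_rto * (3 * math.sqrt(3 * b * p / 8)) * p * (1 + 32 * p * p))
    return min(s / denom, max_rate)


class ControlAgent:
    """Serves at most `rate` bytes/s no matter how fast REQs arrive."""

    def __init__(self, rate, packet_size, burst_packets=4, now=0.0):
        self.rate = rate
        self.size = packet_size
        self.cap = burst_packets * packet_size   # allowed burst in bytes
        self.tokens = self.cap
        self.last = now

    def request(self, now):
        """True if the REQ is served now, False if it has to wait."""
        self.tokens = min(self.cap, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= self.size:
            self.tokens -= self.size
            return True
        return False


def served_under_load(req_per_s, seconds, rate, packet_size=1460):
    """How many of a receiver's REQs (req_per_s for `seconds`) get served."""
    agent = ControlAgent(rate, packet_size)
    n = int(req_per_s * seconds)
    return sum(agent.request(i / req_per_s) for i in range(n))


if __name__ == "__main__":
    # Constructed inputs: an authenticated RTT of 100 ms and a 1% loss rate.
    rate = tfrc_rate(1460, rtt=0.100, p=0.01)
    print(f"TCP-fair rate: {rate:.0f} B/s = {rate / 1460:.1f} pkt/s")
    print("honest receiver, 100 REQ/s, 1 s:  ", served_under_load(100, 1.0, rate))
    print("flooding receiver, 1000 REQ/s, 1 s:", served_under_load(1000, 1.0, rate))
```

The flooder's extra requests do not turn into extra sending rate: over one second the agent serves about 116 of its 1000 requests (the bucket's initial burst plus the TCP-fair rate), while the honest receiver's 100 requests are all served because they never exceed the rate.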

A Server-Side-Only Solution
- Secure RTT measurement
  - What if the receiver simulates a shorter RTT?
  - Use a nonce [ESWSA01]: the receiver cannot answer a ping it has not yet seen
  - Randomize the time between pings
- Secure Ploss measurement
  - What if the receiver floods the sender with requests?
  - Use a nonce [ESWSA01]
  - The sender purposely drops a packet; if the receiver never re-requests that packet, it is cheating
- The solution is completely independent of a potentially misbehaving receiver
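The two sender-side checks on this slide, run against an honest and a cheating receiver, as an added example that is not the paper's implementation. Assumed for illustration: 8-byte random nonces, a REQ-DATA transfer of 20 packets in which the sender withholds packet 7 the first time it is requested, and an ACK that carries the XOR of the nonces of every packet the receiver claims to hold (a nonce-sum proof in the spirit of [ESWSA01]); all traffic and timing are simulated in-process, and the class and function names are hypothetical.

```python
"""Sender-side RTT and loss verification with nonces and a deliberate drop (added example).
Hypothetical code, not the paper's. Timing and the 20-packet transfer are constructed."""
import random
import secrets

TOTAL = 20       # packets in the constructed transfer
WITHHELD = 7     # packet the sender deliberately drops on its first request


class Sender:
    def __init__(self, rng):
        self.rng = rng
        self.pending = {}       # ping nonce -> time sent
        self.nonces = {}        # seq -> nonce of the copy actually transmitted
        self.requested = {}     # seq -> number of times it was requested
        self.rtt_samples = []

    def ping_interval(self, base=0.5):
        # Randomized spacing: the receiver cannot anticipate a ping and reply early.
        return base * self.rng.uniform(0.5, 1.5)

    def send_ping(self, now):
        n = secrets.token_bytes(8)
        self.pending[n] = now
        return n

    def recv_pong(self, n, now):
        t0 = self.pending.pop(n, None)
        if t0 is None:
            return None         # unknown nonce (guessed or replayed): discard
        self.rtt_samples.append(now - t0)
        return now - t0

    def serve(self, seq):
        """Answer a REQ with (seq, nonce), or None for the deliberate drop."""
        self.requested[seq] = self.requested.get(seq, 0) + 1
        if seq == WITHHELD and self.requested[seq] == 1:
            return None
        self.nonces[seq] = secrets.token_bytes(8)
        return seq, self.nonces[seq]

    def audit(self, claimed, proof):
        """claimed: seqs the receiver says it holds; proof: XOR of their nonces."""
        findings = []
        if self.requested.get(WITHHELD, 0) < 2:
            findings.append("never re-requested the withheld packet: hiding loss")
        if any(s not in self.nonces for s in claimed):
            findings.append("claims packets that were never transmitted")
        expected = 0
        for s in claimed:
            if s in self.nonces:
                expected ^= int.from_bytes(self.nonces[s], "big")
        if proof != expected:
            findings.append("ACK nonce proof does not match")
        if not self.rtt_samples:
            findings.append("no authenticated RTT sample: no TCP-fair rate")
        return findings


class HonestReceiver:
    def __init__(self, rtt):
        self.rtt, self.held = rtt, {}       # held: seq -> nonce

    def on_ping(self, n, now):
        return n, now + self.rtt             # echo the nonce one RTT later

    def next_request(self):                  # lowest missing seq, so a loss is re-requested
        missing = [s for s in range(TOTAL) if s not in self.held]
        return missing[0] if missing else None

    def on_data(self, pkt):
        if pkt is not None:
            self.held[pkt[0]] = pkt[1]

    def ack(self):
        proof = 0
        for n in self.held.values():
            proof ^= int.from_bytes(n, "big")
        return sorted(self.held), proof


class CheatingReceiver(HonestReceiver):
    """Fakes a short RTT and hides loss to pull a higher TFRC rate from the sender."""
    def __init__(self, rtt, fake_rtt):
        super().__init__(rtt)
        self.fake_rtt, self.asked = fake_rtt, 0

    def on_ping(self, n, now):               # answering early means guessing the nonce
        return secrets.token_bytes(8), now + self.fake_rtt

    def next_request(self):                  # strictly sequential: never re-requests
        self.asked += 1
        return self.asked - 1 if self.asked <= TOTAL else None

    def ack(self):                           # claims the withheld packet as received
        return list(range(TOTAL)), super().ack()[1]


def run(receiver, probes=3, seed=1):
    """Returns (authenticated RTT samples, audit findings) for one transfer."""
    sender, now = Sender(random.Random(seed)), 0.0
    for _ in range(probes):
        reply, t_reply = receiver.on_ping(sender.send_ping(now), now)
        sender.recv_pong(reply, t_reply)
        now += sender.ping_interval()
    while (seq := receiver.next_request()) is not None:
        receiver.on_data(sender.serve(seq))
    return sender.rtt_samples, sender.audit(*receiver.ack())


if __name__ == "__main__":
    for r in (HonestReceiver(0.200), CheatingReceiver(0.200, fake_rtt=0.020)):
        samples, findings = run(r)
        print(type(r).__name__, [round(x, 3) for x in samples], findings or "clean")
```

The honest receiver yields three 200 ms samples and a clean audit; the cheater's early replies carry nonces the sender never issued and are discarded, it never asks for packet 7 again, and its ACK claims a packet whose nonce it cannot know, so every one of the sender's checks fires without the sender trusting anything the receiver reports.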

Evaluation
- Scenarios:
  - with a behaving receiver (to study false positives)
  - with misbehaving receivers (to study detection)
- The end-point scheme is able to detect even very moderate misbehaviors
- Slight inaccuracy for higher packet loss ratios (due to TFRC's conservatism)

Challenges
- "Advanced" TCP stacks
  - From the sender's perspective, an advanced TCP stack looks like a receiver misbehavior
- HTTP servers
  - A single malicious receiver can significantly degrade performance for the others
  - Counter mechanisms are discussed in the paper
  - They can protect against DoS, but at the same time they can reduce performance in the absence of DoS attacks

Conclusions
- Receiver-based TCP stacks are highly vulnerable to receiver misbehaviors
  - they cannot be safely deployed in the Internet without some level of protection
- Network-based schemes are fundamentally limited in thwarting receiver misbehaviors
- An end-point-based solution
  - accurate and independent of a potentially misbehaving receiver
  - system security and protocol performance cannot both be maximized simultaneously