Detecting ICMP Rate-Limiting. Les Cottrell, Warren Matthews, Mit Shah
Motivation 1
- Smurf attacks: IP spoofing and ICMP packets sent to an IP broadcast group. Traffic to the target is multiplied by the responses from each member of the group.
- Example: an attacker on a 768 Kbps stream and a 100-member broadcast group generate 77 Mbps of traffic and swamp the target!
- Routers set to: "no ip directed-broadcast"

Motivation 2
- Cisco introduces CAR (Committed Access Rate) in the 7200 and 7500 series routers. Later includes support in IOS 12.0.
- Configuration (the rate and burst values were not on the slide; placeholders are in angle brackets):
  access-list 102 permit icmp any any echo
  interface Serial3/0/0
   rate-limit input access-group 102 <bps> <normal-burst> <extended-burst> conform-action transmit exceed-action drop

ICMP Blocking - No Response!
- blocked 884 rounds of 10 ICMP packets each, out of 903
- islamabad-server2.comsats.net.pk blocked 554 out of 903 rounds
- leonis.nus.edu.sg blocked all packets it was sent (all examples from data for Dec 1999)
- Yet in reality, none of these servers was down!

New tools to the rescue
- SYNACK, developed in-house: establishes TCP connections and measures the time taken by the target to respond; cleans up the connections afterwards; highly visible to system admins.
- STING, developed by Stefan Savage: relies on the fact that TCP can't ack out-of-order packets; uses data-seeding and hole-filling (reliable); needs a one-line change to kernel code.

Results from Sting & Synack
- Both tools are based on TCP/IP, hence they appear to the router to be "normal" traffic
- Results:
  - The Singapore node responds ONLY to 56+8 byte packets
  - Both of the other nodes were alive-and-kicking with low loss rates!

Utility of Sting as an aid
- These are 5 sites that were responding to pings very infrequently, neglecting entire sets of 10 pings more than 50% of the time
- Sting showed that they were alive on port 80!

Tail-Drop Behavior
- Rate-limiting kicks in after the first few packets, hence later packets are more likely to be dropped
- This node no longer displays tail-drop behavior!

Frequency Analysis
- Calculate the packet drops as a function of packet number
- Calculate the slope and identify the extremes
- Implemented by Warren as a metric
- Some encouraging early results!
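The "drops as a function of packet number" metric from this slide, as an added Python example that is not part of the original presentation: the ping rounds are constructed here (1 = reply received, 0 = lost), and the decision threshold is an assumption.

```python
# Added example: per-position drop fraction and its slope over rounds of 10 pings.
# A positive slope (later packets lost more often) is the tail-drop signature
# that a rate limiter such as CAR leaves behind.

def drop_fraction_by_position(rounds):
    """Fraction of rounds in which the i-th ping of the round was lost."""
    n = len(rounds[0])
    lost = [0] * n
    for r in rounds:
        for i, ok in enumerate(r):
            if not ok:
                lost[i] += 1
    return [c / len(rounds) for c in lost]

def slope(ys):
    """Least-squares slope of ys against packet position 0..n-1."""
    n = len(ys)
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den

def looks_rate_limited(rounds, threshold=0.02):
    """True when loss rises with packet number; the threshold is an assumption."""
    return slope(drop_fraction_by_position(rounds)) > threshold

# Constructed data (not measurements): a host whose limiter passes the first
# four pings of each round and drops one third of the remaining ones.
TAIL_DROP_ROUNDS = [[1 if i < 4 or (i + k) % 3 else 0 for i in range(10)]
                    for k in range(21)]
# Constructed data: 20% loss spread evenly, independent of packet position.
UNIFORM_LOSS_ROUNDS = [[0 if (7 * i + k) % 5 == 0 else 1 for i in range(10)]
                       for k in range(20)]

if __name__ == "__main__":
    for name, rounds in (("tail-drop", TAIL_DROP_ROUNDS), ("uniform", UNIFORM_LOSS_ROUNDS)):
        fr = drop_fraction_by_position(rounds)
        print(name, [round(f, 2) for f in fr], "slope=%.3f" % slope(fr),
              "rate-limited" if looks_rate_limited(rounds) else "not rate-limited")
```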

Some Candidates:

CAR (Committed Access Rate)
- Tokens are removed in proportion to the size of the packet
- Maximum number of tokens in the bucket = normal burst size
- An extended-burst mechanism makes drops more RED-like

RED (Random Early Detection)
- Tail-drop causes packet loss across all TCP streams when traffic is too heavy
- This causes all TCP streams to sense congestion and start recovery
- Small, bursty TCP streams also have to restart
- Solution: drop packets randomly BEFORE congestion strikes!

Extended Burst Mechanism in CAR
- A stream is allowed to borrow more tokens if the extended-burst value > normal-burst
- "Compounded debt" (CD) is computed as the sum of a(j), where j denotes the jth packet that tries to borrow tokens since the last packet drop and a(j) denotes its actual debt value
- A packet is dropped if CD > extended-burst, and CD is then set to 0

Detecting CAR: the good news
- A stream at a constant rate R, above the configured rate C, will exhaust the tokens in a bucket of size B after at most B/(R-C) sec
- From this point on, the amount borrowed at the jth packet = j*(R-C); beyond j = E/(R-C), the actual debt exceeds the extended burst E and all packets will be dropped
- The pattern is non-random!

Detecting CAR: a trial
- Analyzed the first-order differences in the packet numbers of dropped packets to see if there was a pattern, hoping that a site-specific CAR might have set packet-size > normal_burst_size + extended_burst_size
- Not surprisingly, no results
- False alarm: the 10th packet was being dropped, but the data was TOO clean!
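A simulation of CAR's token bucket with the compounded-debt rule from the "Extended Burst Mechanism in CAR" slide, illustrating the deterministic drop pattern claimed on "Detecting CAR: the good news" and the first-order-difference statistic of the trial above. This is an added example, not code from the presentation or from Cisco; the rate, burst and packet-size values are constructed.

```python
# Added example: CAR token bucket with extended burst, fed a constant-rate stream.
# Sizes in bytes, rates in bytes/s; values below are constructed, not from any router.

def simulate_car(pkt_size, rate_c, normal_burst, extended_burst, send_rate_r, n_packets):
    """Return (dropped packet indices, index of the first packet that had to borrow)."""
    interval = pkt_size / send_rate_r        # constant-rate stream R
    tokens = float(normal_burst)             # bucket starts full; negative = actual debt
    compounded = 0.0                         # CD: sum of actual debts since the last drop
    dropped, first_borrow = [], None
    for j in range(n_packets):
        if j:
            tokens = min(float(normal_burst), tokens + rate_c * interval)  # refill at C
        if pkt_size <= tokens:
            tokens -= pkt_size               # conforming packet: transmit
            continue
        if first_borrow is None:
            first_borrow = j
        actual_debt = pkt_size - tokens      # how far below zero sending would take the bucket
        compounded += actual_debt
        if actual_debt > extended_burst or compounded > extended_burst:
            dropped.append(j)                # exceed-action drop; CD resets, actual debt does not
            compounded = 0.0
        else:
            tokens -= pkt_size               # borrowed packet is still transmitted
    return dropped, first_borrow

def exhaust_time(normal_burst, send_rate_r, rate_c):
    """Bound from the slide: a bucket of B bytes empties after B/(R-C) seconds."""
    return normal_burst / (send_rate_r - rate_c)

def first_differences(indices):
    """Gaps between consecutive dropped packet numbers (the trial slide's statistic)."""
    return [b - a for a, b in zip(indices, indices[1:])]

if __name__ == "__main__":
    # 100-byte pings at 1000 B/s through CAR limited to 500 B/s, B = 300, E = 600
    drops, first = simulate_car(100, 500, 300, 600, 1000, 20)
    print("dropped packets:", drops, "gaps:", first_differences(drops))
    print("first borrow at packet", first, "(t=%.1fs, bound %.1fs)"
          % (first * 0.1, exhaust_time(300, 1000, 500)))
```

The gaps between drops settle into a repeating sequence rather than a random one, which is the signature the good-news slide expects; lower the send rate below C and nothing is ever borrowed.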

Detecting CAR: the bad news
- It appears that most sites impose a traffic limit on TOTAL ICMP traffic
- Predicting when a packet drop occurs is akin to predicting the rest of the traffic on that router at that moment: a known "hard" problem!
- Solution: aggressive pinging, so that your traffic stream dominates! High signal-to-noise!!!

Further study
- Ping with variable-sized packets (less than the MTU) and detect whether packet loss varies linearly with size
- Trivial to determine the MTU?
- How important are other effects, such as being more likely to be dropped from a queue?
- Set up a router that implements CAR, simulate ICMP traffic, and study the patterns