Presentation is loading. Please wait.

Presentation is loading. Please wait.

TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake.

Published byKaya Wyne Modified over 9 years ago

Similar presentations

Presentation on theme: "TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake."— Presentation transcript:

1 TCP for today’s Web

2 Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake == 10%-30% penalty

3 Add data into Handshake SYN-Flag SYN/ACK-Flag ACK-Flag+Data Let’s talk

4 How about HTTP1.1 What is HTTP1.1 – Persistent keep alive – Re-use old connections so no more TCP handshakes But … – browser tries to be fast opens multiple TCP connections (limits reuse) – Domain sharding -- place resource on different domains to further increases parallelism (so forced to use diff connections). – MB terminate idle conns to reduce state --> so persis con no longer persistent. – mobile devs shut down conns to conserve power

5 Status of HTTP1.1 92% conn use HTTP1.1 – But still Handshake has 5-7% overhead in general – For first use of connect, overhead is 8-27% Chrome always uses HTTP1.1 – But 33% of conn use new TCP

6 New Security Attacks SYN-Flag+ Data SYN/ACK-Flag+ Data ACK-Flag+Data

7 New Attacks: SYN Flood SYN-Flag+ Data Make up a false ip address Send a bunch of SYN pks with data Server does a lot processing And gets overloaded Note: Since you used a fake address, the response from the server don’t come to you, so you don’t maintain state or devote resources

8 New Attacks: Reflection SYN-Flag+ Data Use host B’s IP as source Send a bunch of SYN pks with data Note: Every server responds to host B with a flood of packet. Host B gets attacked. Once against you don’t devote any resources on your machine to do attack. And since response is larger than syn-flag+data it is better than you attack direction

9 Attack Model Attacks work because: – Attacker can spoof SRC IPs. To prevent this: – TFO adds a cookie to the protocol – Client must include cookie in the handshake – The cookie is an encrypted version of source IP Source IP encrypted with the server’s private key Server unencrypts cookie and compares

10 System Assumptions Acceptable Changes: 1. symmetric crypto – (can be done in fast path) but no asymmetric. 2. soft state – (can't keep permanent state-- scale issues) 3. minor App changes – Don’t want to prevent adoption

11 Add Cookie to the First Handshake SYN-Flag+TFO-Option SYN/ACK-Flag+ Cookie ACK-Flag+Data Let’s use TFO Here’s a cookie for next time

12 Second Connection to Same server benefits SYN-Flag+Cookie+Data SYN/ACK-Flag+ Data ACK-Flag+Data We are using FTO: here’s a cookie for proof.

13 Second Connection to Same server benefits SYN-Flag+Cookie+Data SYN/ACK-Flag ACK-Flag+Data

14 Attacks Revisited Reflection – To get cookie must compromise host or network If you can then you don’t need reflection SYN Flood – We limit the number TFO connections – So server is still always willing to accept regular TCP connections

15 Deployment Issues Middleboxes are HORRIBLE – They drop new TCP options – NAT changes IP addresses so cookies can’t work

16 Deployment Issues: Load Balancers LoadBalancer

17 Deployment Issues: Load Balancers LoadBalancer All servers need to share the same key so TFO can work. So, you may need to also change the keys more frequently

18

19

20

21

22 Lessons A webpage === lots of small objects – Harder to ameliorate overheads TCP Handshake overhead 2 RTT  Loss detection Most common loss pattern in WAN – Last packet in small connection – Use redundancy (FEC) to overcome this. Eliminate Handshake overhead – Send packet during the handshake – Insert secret cookie in handshake to eliminate attacks

Download ppt "TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake."

Similar presentations

SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.

STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.
TCP--Revisited. Background How to effectively share the network? – Goal: Fairness and vague notion of equality Ideal: If N connections, each should get.

TCP--Revisited. Background How to effectively share the network? – Goal: Fairness and vague notion of equality Ideal: If N connections, each should get.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.

Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.
236349 Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.

Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Measuring Packet Reordering NETREAD UC Berkeley George Porter Oct 4, 2002.

Measuring Packet Reordering NETREAD UC Berkeley George Porter Oct 4, 2002.
Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.

Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.
1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.

1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Similar presentations

Ads by Google