Low-Rate TCP Denial of Service Defense
Johnny Tsao, Petros Efstathopoulos
Tutor: Guang Yang
UCLA, 2003
What is a Low-Rate DoS Attack?
- The attacker sends short bursts that fill the bottleneck queue, so packets are dropped
- The TCP sender treats the loss as congestion and waits for its retransmission timeout (RTO), whose minimum is one second in RFC 2988
- While the sender is waiting out the RTO the attacker does not need to send anything
- The attacker resumes its burst when the RTO expires, exactly when the sender retransmits
- Averaged over time the attacker's throughput is low compared with a traditional flooding DoS, so it can evade rate-based detection
Proposed Solution
- Randomize the RTO so that the retransmission falls between the attacker's bursts instead of inside one
- This should improve throughput under attack
- Several randomization schemes are possible: simulations show the choice makes no significant difference
Related Work
- A. Kuzmanovic and E. W. Knightly, "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)", Proc. ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003
- G. Yang, M. Gerla and Y. Sanadidi, "Randomization and Probing: Defense against Low-rate TCP-targeted DoS Attacks", UCLA Computer Science Department, internal draft
- These papers use simulation only; we test their findings with experiments
Our Task
- Analyze the effectiveness of a randomized RTO against a low-rate TCP DoS attack
- Evaluate it experimentally on a TCP testbed, using DummyNet to emulate an Internet bottleneck
- Compare the experimental results with the simulation results
The Linux Kernel
- Linux implements TCP NewReno
- The Linux kernel actually uses a minimum RTO of 200 ms (TCP_RTO_MIN; the maximum, TCP_RTO_MAX, is 120 s)
- This reduces the effectiveness of a low-rate attack: the attacker must burst every 200 ms instead of every second, which raises its average rate and makes it more susceptible to detection
The Linux Kernel (cont.)
- Linux uses TCP_RTO_MIN to initialize rttvar when a new connection is established, and as the floor that rttvar is allowed to decay back to every round trip
- Simply setting TCP_RTO_MIN to 1 s therefore inflates rttvar (and with it the RTO) for the whole life of the connection, not just the floor
- Solution: bound the computed RTO dynamically, at the point where it is set, without changing the constants that feed rttvar
Linux Kernel Modifications
- Kernel 1: minimum RTO = 1 s, to match the assumptions of the Knightly and Yang papers
- Kernel 2: RTO randomized around 1 s, to see whether randomization defends against a low-rate attack
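To make the rttvar problem behind "kernel 1" concrete, here is an added example written for this page; it is not the authors' kernel patch. It re-implements the Linux 2.4 RTT/RTO estimator in Python, following tcp_rtt_estimator(), tcp_set_rto() and tcp_bound_rto() as I recall them from 2.4 tcp_input.c (the Sarolahti and Kuznetsov paper in the references describes the same scheme). Units are milliseconds rather than jiffies, one RTT sample is fed per round trip, and the floor_ms parameter is this example's own rendering of "bound the RTO dynamically". Feeding a steady 88 ms RTT (about the testbed path) shows the three cases: stock constants settle near srtt + 200 ms, naively raising TCP_RTO_MIN to 1000 pins rttvar at 1000 and yields 1088 ms, and keeping the stock constants while clamping the final RTO gives exactly 1000 ms.

```python
"""RTO estimator modelled on Linux 2.4's tcp_rtt_estimator()/tcp_set_rto()/tcp_bound_rto().

Constructed example for this page, not kernel code. Units are milliseconds
(the kernel uses jiffies); srtt is kept scaled by 8 and mdev/mdev_max/rttvar
by 4 as in the kernel; the kernel's "new round trip" test, after(snd_una,
rtt_seq), is replaced by a caller-supplied flag. floor_ms is this example's
rendering of "bound the RTO dynamically": it clamps the final RTO without
touching the constant that seeds rttvar.
"""


class LinuxRto:
    def __init__(self, rto_min_ms=200, rto_max_ms=120_000, floor_ms=None):
        self.rto_min = rto_min_ms   # TCP_RTO_MIN: seeds and re-floors rttvar
        self.rto_max = rto_max_ms   # TCP_RTO_MAX: only an upper cap
        self.floor_ms = floor_ms    # optional final clamp (hypothetical "kernel 1" fix)
        self.srtt = 0               # smoothed RTT, scaled by 8
        self.mdev = 0               # mean deviation, scaled by 4
        self.mdev_max = 0           # largest mdev seen in the current round trip
        self.rttvar = 0             # the term tcp_set_rto() adds (about 4 * mdev)
        self.rto = 0

    def sample(self, rtt_ms, new_round):
        """Feed one RTT measurement; new_round=True marks the first ACK of a new window."""
        m = max(int(rtt_ms), 1)
        if self.srtt == 0:
            # First measurement: srtt = rtt, mdev = rtt/2, and rttvar is seeded
            # with max(mdev, TCP_RTO_MIN). This is where a raised TCP_RTO_MIN
            # leaks into the variance estimate.
            self.srtt = m << 3
            self.mdev = m << 2
            self.mdev_max = self.rttvar = max(self.mdev, self.rto_min)
        else:
            m -= self.srtt >> 3          # error in the RTT estimate
            self.srtt += m               # srtt = 7/8 srtt + 1/8 rtt
            if m < 0:
                m = -m
                m -= self.mdev >> 2
                if m > 0:
                    m >>= 3              # damp sudden drops in RTT
            else:
                m -= self.mdev >> 2
            self.mdev += m               # mdev = 3/4 mdev + 1/4 |err|
            if self.mdev > self.mdev_max:
                self.mdev_max = self.mdev
                if self.mdev_max > self.rttvar:
                    self.rttvar = self.mdev_max
            if new_round:
                # Once per round trip: let rttvar decay toward the round's peak
                # deviation, then reset that peak to TCP_RTO_MIN, so rttvar can
                # never settle below the constant.
                if self.mdev_max < self.rttvar:
                    self.rttvar -= (self.rttvar - self.mdev_max) >> 2
                self.mdev_max = self.rto_min
        self.rto = min((self.srtt >> 3) + self.rttvar, self.rto_max)
        if self.floor_ms is not None:
            self.rto = max(self.rto, self.floor_ms)
        return self.rto


def settled_rto(rtt_ms, rounds=50, **kwargs):
    """(rto, rttvar) after `rounds` constant RTT samples, one per round trip."""
    est = LinuxRto(**kwargs)
    for _ in range(rounds):
        est.sample(rtt_ms, new_round=True)
    return est.rto, est.rttvar


if __name__ == "__main__":
    rtt = 88  # two 40 ms hops plus 8 ms serialisation on the 1.5 Mbit/s link
    print("stock (TCP_RTO_MIN=200):    rto=%d rttvar=%d" % settled_rto(rtt))
    print("TCP_RTO_MIN=1000 (naive):   rto=%d rttvar=%d" % settled_rto(rtt, rto_min_ms=1000))
    print("stock + dynamic 1 s bound:  rto=%d rttvar=%d" % settled_rto(rtt, floor_ms=1000))
```

The naive variant is worse than a 1 s floor: on a low-jitter path the RTO is srtt + 1000 ms, and rttvar no longer says anything about the path. Clamping only the final value keeps the estimator intact and gives the 1 s RTO the Knightly and Yang simulations assume.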
Experiment Setup
- Sender, Receiver: iperf client and server generate the TCP traffic
- Attacker: custom UDP traffic generator, 3 Mbit/s during a burst, 50-byte packets
- DummyNet emulates the Internet bottleneck: 1.5 Mbit/s link, 40 ms propagation delay, 50-slot queue
The Square Wave Attack (approximates a low-rate TCP DoS attack)
[Figure: attack rate versus time; labelled parameters: burst length, inter-burst period]
Experiments
4 sets of experiments:
- Set 1: standard Linux kernel behavior
- Set 2: modified "1 sec" Linux kernel behavior
- Set 3: modified "1 sec, randomized RTO" Linux kernel behavior
- For each set we measured throughput for inter-burst periods (IBPs) from 0.3 s to 5 s, with burst length and network parameters held constant
- Set 4: all kernels measured under attack for different burst lengths
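An added example, not the testbed, attacker or kernels from the slides: a small round-based model of the square-wave attack above against one TCP flow, run for the three kernels of sets 1 to 3 across a range of inter-burst periods. The link parameters come from the setup slide; the segment size, receiver window, 150 ms burst length and the simplifications in the docstring are this example's assumptions. The absolute numbers belong to the model, not the testbed. What carries over is the mechanism: with a fixed 1 s minimum RTO every retransmission, including the backed-off ones at 2 s, 4 s and so on, lands on a burst when the IBP is minRTO or minRTO/2, so throughput is zero, while the 200 ms stock kernel is only throttled by bursts every 200 ms, and randomizing the RTO desynchronizes the retransmissions from the bursts.

```python
"""Round-based model of the square-wave (Shrew) attack against one TCP flow.

Constructed example for this page. Link numbers come from the setup slide
(1.5 Mbit/s, 40 ms one-way delay, 50-slot queue, bursts at 3 Mbit/s); the
rest is assumed:
- the sender sits next to the bottleneck, so a packet sent at time t reaches
  the queue at t; a 3 Mbit/s burst into a 1.5 Mbit/s link keeps the queue
  full, so every TCP packet arriving during a burst is dropped;
- the RTT is small and steady, so the computed RTO sits at its floor:
  RTO = min_rto (fixed) or min_rto + uniform(-jitter, +jitter) (randomized),
  doubled on each consecutive timeout (exponential backoff), reset on success;
- a window that is entirely lost is recovered by timeout; a partially lost
  window halves cwnd (fast recovery) without a timeout;
- ssthresh is halved only on the first timeout of a back-off sequence.
"""
import random

LINK_MBPS = 1.5
PKT_BYTES = 1500                                 # assumed full-size segments
TX_MS = PKT_BYTES * 8 / (LINK_MBPS * 1000)       # 8 ms to serialise one packet
RTT_MS = 2 * 40 + TX_MS                          # two 40 ms hops plus one transmission
MAX_CWND = 64                                    # assumed receiver window (packets)

KERNELS = {                       # name: (minRTO in ms, randomization half-range in ms)
    "standard": (200, 0),         # stock Linux TCP_RTO_MIN
    "1sec": (1000, 0),            # kernel 1 from the slides
    "1sec-random": (1000, 500),   # kernel 2: RTO drawn from [0.5 s, 1.5 s]
}


def in_burst(t_ms, ibp_ms, burst_ms):
    """True if t falls inside an attacker burst; bursts start at k * ibp_ms."""
    return (t_ms % ibp_ms) < burst_ms


def simulate(ibp_ms, burst_ms, min_rto_ms, jitter_ms, duration_ms=60_000, seed=1):
    """Fraction of link capacity the TCP flow delivers over duration_ms."""
    rng = random.Random(seed)
    t, cwnd, ssthresh, backoff, delivered = 0.0, 1, MAX_CWND, 1, 0
    while t < duration_ms:
        # The window goes out back to back: packet i reaches the queue at t + i*TX_MS.
        arrivals = [t + i * TX_MS for i in range(cwnd)]
        lost = sum(in_burst(a, ibp_ms, burst_ms) for a in arrivals)
        if lost == cwnd:
            # No ACK at all: the retransmission timer expires. If the attacker's
            # next burst starts at that moment, the retransmission is lost too.
            if backoff == 1:
                ssthresh = max(cwnd // 2, 2)
            rto = min_rto_ms + (rng.uniform(-jitter_ms, jitter_ms) if jitter_ms else 0)
            t += rto * backoff
            backoff = min(backoff * 2, 64)
            cwnd = 1
            continue
        delivered += cwnd - lost
        t += max(RTT_MS, cwnd * TX_MS)          # next window once ACKs return
        backoff = 1
        if lost:                                # partial loss: halve, no timeout
            ssthresh = max(cwnd // 2, 2)
            cwnd = ssthresh
        elif cwnd < ssthresh:                   # slow start
            cwnd = min(cwnd * 2, MAX_CWND)
        else:                                   # congestion avoidance
            cwnd = min(cwnd + 1, MAX_CWND)
    return delivered / (duration_ms / TX_MS)


def compare(ibp_ms, burst_ms=150):
    """Throughput fraction per kernel for one inter-burst period."""
    return {name: simulate(ibp_ms, burst_ms, rto, jitter)
            for name, (rto, jitter) in KERNELS.items()}


if __name__ == "__main__":
    print("IBP(ms)  " + "  ".join("%12s" % k for k in KERNELS))
    for ibp in (200, 300, 500, 1000, 2000, 5000):
        r = compare(ibp)
        print("%7d  " % ibp + "  ".join("%12.3f" % r[k] for k in KERNELS))
```

The burst length matters in the model for the same reason it does in set 4: a burst shorter than the RTT cannot catch both a window and its fast retransmission, so the flow recovers without a timeout and the attacker never gets the RTO synchronization it depends on.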
Topology
Attack
Experimental Results – I
The standard Linux kernel is vulnerable, but a high-rate attack is needed (its minRTO is 200 ms, so the bursts must come every 200 ms)
Experimental Results – II
Changing the minimum RTO to 1 s makes the attack very effective!
Experimental Results – III
Randomizing the RTO in the "1 sec" kernel (over a range of -0.5 s to +0.5 s around it) significantly improves performance: the connection is NOT throttled for IBPs of 0.5 s and 1 s
Experimental Results – IV
Randomization eliminates the throughput throttling for IBP values of minRTO/2 and minRTO
The experimental results confirm the simulation results
Experimental Results – V The burst length greatly affects the effectiveness of the attack
Experimental Results – V (cont.)
Our Findings
- A low-rate TCP DoS attack relies heavily on RTO synchronization: the bursts must line up with the sender's retransmissions
- The attack targets low-RTT connections, whose RTO sits at the minimum and is therefore predictable
- Randomizing the RTO improves throughput greatly (especially in the vulnerable cases of IBP = 0.5 s and 1 s)
Our Findings - II
- The effectiveness of the attack depends a lot on the synchronization between the sender and the attacker
- Performance results for certain cases fluctuated greatly across consecutive runs of the same experiment. Possible reasons: DummyNet buffer management, synchronization issues between the attacker and the sender
Conclusions
- The experimental results coincide with the findings of the Knightly and Yang papers
- Randomization is an effective way to reduce the damage done by a low-rate TCP DoS attack
- Such an attack may not be realistic against modern systems that implement a low minimum RTO (e.g. Linux's 200 ms)
Future Work
- Determine the fairness of the RTO randomization scheme
- Explore probing as a defense against a low-rate TCP DoS attack
- Examine the attack and defense results with multiple TCP flows
References
- A. Kuzmanovic and E. W. Knightly, "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)", Proc. ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003
- G. Yang, M. Gerla and Y. Sanadidi, "Randomization and Probing: Defense against Low-rate TCP-targeted DoS Attacks", UCLA Computer Science Department, internal draft
- P. Sarolahti and A. Kuznetsov, "Congestion Control in Linux TCP"
- D. Bovet and M. Cesati, "Understanding the Linux Kernel", O'Reilly, 2003