1
Detecting ICMP Rate-Limiting
Les Cottrell, Warren Matthews, Mit Shah
2
Motivation 1
- Smurf attacks: the attacker sends ICMP echo requests with the victim's spoofed source address to an IP directed-broadcast address; every host in the broadcast group replies to the victim, so the traffic hitting the target is multiplied by the number of responders.
- Example: an attacker on a 768 kbps link and a 100-member broadcast group generate about 77 Mbps of echo replies and swamp the target!
- Mitigation on routers: "no ip directed-broadcast"
3
Motivation 2
- Cisco introduced CAR (Committed Access Rate) on the 7200 and 7500 series routers; support was later included in IOS 12.0
- Example configuration: rate-limit inbound ICMP echo requests to 256 kbps with an 8000-byte normal burst and 8000-byte extended burst
  access-list 102 permit icmp any any echo
  interface Serial3/0/0
   rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
4
ICMP Blocking - No Response!
- www.vincy.bg.ac.yu blocked 884 of 903 rounds of 10 ICMP echo requests each
- islamabad-server2.comsats.net.pk blocked 554 of 903 rounds
- leonis.nus.edu.sg blocked every packet it was sent
- (All examples from data for Dec 1999)
- Yet in reality none of these servers was down!
5
New tools to the rescue
- SYNACK, developed in-house: establishes TCP connections to the target, measures the time the target takes to respond, and then cleans up the connections. Highly visible to system admins, since every probe is a real connection.
- STING, developed by Stefan Savage: relies on the fact that TCP's cumulative ACK cannot acknowledge data received out of order, so a hole in the stream pins the ACK and the sender can tell exactly which segments were lost. A data-seeding phase sends the segments; a hole-filling phase retransmits into the gaps, so the measurement is reliable. Needs a one-line change to the kernel code.
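The cumulative-ACK trick that Sting relies on, as an added example (not code from the talk or from Savage's Sting): a toy TCP receiver that only ever acknowledges the next in-order byte, a data-seeding burst of one-byte segments through a constructed lossy network, and a hole-filling loop whose retransmission count is the forward loss. Because the probes are ordinary TCP data to an open port, an ICMP rate limiter never sees them, which is why these tools show "dead" hosts to be alive. The drop set is constructed for the demo.

```python
"""Sting-style forward-loss measurement against a TCP cumulative-ACK receiver.

Added example, not part of the original talk or of Savage's Sting: the receiver
below is a toy model of the TCP semantics the slide relies on, and the set of
dropped segments is constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple


@dataclass
class CumulativeAckReceiver:
    """Minimal TCP receiver model: buffers out-of-order segments but only ever
    acknowledges the next in-order byte, so a hole in the stream pins the ACK."""
    next_expected: int = 1
    buffered: Set[int] = field(default_factory=set)

    def receive(self, seq: int) -> int:
        """Deliver the one-byte segment `seq`; return the ACK number sent back."""
        self.buffered.add(seq)
        while self.next_expected in self.buffered:
            self.buffered.discard(self.next_expected)
            self.next_expected += 1
        return self.next_expected


def sting_forward_loss(n: int, dropped: Callable[[int], bool]) -> Tuple[int, float]:
    """Measure forward loss the way Sting does.

    Data-seeding phase: send n one-byte segments with sequence numbers 1..n;
    `dropped(seq)` says whether the (constructed) network lost segment seq.
    Hole-filling phase: retransmit the byte at the current ACK point until the
    whole stream is acknowledged.  Each retransmission fills exactly one hole,
    so the number of retransmissions equals the number of seeding segments lost.
    Returns (segments lost, forward loss rate).
    """
    rx = CumulativeAckReceiver()
    ack = 1
    for seq in range(1, n + 1):
        if not dropped(seq):
            ack = rx.receive(seq)
    retransmits = 0
    while ack <= n:
        # Hole-filling packets are assumed to get through; real Sting simply
        # resends until the ACK advances, so a lost hole-filler costs time,
        # not accuracy.
        ack = rx.receive(ack)
        retransmits += 1
    return retransmits, retransmits / n


# Constructed demo: segments 3, 7 and 8 of a 10-segment seeding burst are lost.
DEMO_DROPS = {3, 7, 8}

if __name__ == "__main__":
    lost, rate = sting_forward_loss(10, lambda seq: seq in DEMO_DROPS)
    print(f"lost {lost} of 10 seeding segments, forward loss {rate:.0%}")
```

With the constructed drop set the ACK sticks at 3 after seeding; filling byte 3 advances it straight to 7 (4, 5 and 6 were buffered), filling 7 advances it to 8, and filling 8 releases 9 and 10, so three retransmissions report a 30% forward loss without the target needing anything but an open TCP port.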
6
Results from Sting & Synack
- Both tools are built on TCP/IP, so their probes look like "normal" traffic to the router
- Results:
- The Singapore node responds ONLY to default-sized pings (56 data bytes + 8-byte ICMP header)
- Both of the other nodes were alive and kicking, with low loss rates!
7
Utility of Sting as an aid
- These are five sites that responded to pings very infrequently, ignoring entire rounds of 10 pings more than 50% of the time
- Sting showed that they were alive on port 80!
8
Tail-Drop Behavior
- Rate-limiting kicks in after the first few packets of a round, so the later packets in a round are more likely to be dropped
- This node no longer displays tail-drop behavior!
9
Frequency Analysis
- Calculate packet drops as a function of packet number (position within the round)
- Calculate the slope and identify extremes
- Implemented by Warren as a metric
- Some encouraging early results!
10
Some Candidates:
11
CAR (Committed Access Rate)
- Tokens are removed from the bucket in proportion to the size of each packet
- Maximum number of tokens in the bucket = normal burst size
- The extended-burst mechanism makes drops more RED-like than plain tail-drop
12
RED (Random Early Detection)
- Tail-drop causes packet loss across all TCP streams once the queue fills
- All TCP streams then sense congestion at the same time and start recovery together
- Small, bursty TCP streams also have to restart
- Solution: drop packets randomly BEFORE the queue fills!
13
Extended Burst Mechanism in CAR
- A stream is allowed to borrow tokens beyond the normal burst if the extended-burst value > normal burst
- "Compounded debt" (CD) is the sum of a(j) over the packets that have borrowed tokens since the last drop, where j indexes the jth such packet and a(j) is the actual debt (tokens owed) after packet j is sent
- A packet is dropped if its CD would exceed the extended burst; CD is then reset to 0
14
Detecting CAR: the good news
- A stream at a constant rate R, above the configured rate C, exhausts the tokens in the bucket after at most B/(R-C) seconds (B = normal burst)
- From then on every packet borrows: after the jth borrowing packet the actual debt is about j*(R-C) times the packet interval, and once the actual debt exceeds the extended burst E (j beyond E/(R-C) in those units) every packet is dropped until the debt is repaid
- The compounded debt is a sum of those actual debts and so grows quadratically in j, which means the first drop arrives well before j reaches E/(R-C)
- Pattern is non-random!
15
Detecting CAR: a trial
- Analyzed the first-order differences of the packet numbers of dropped packets to look for a pattern, hoping that a site-specific CAR might have set packet size > normal burst size + extended burst size
- Not surprisingly, no results
- False alarm: the 10th packet was being dropped, but the data was TOO clean!
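The token-bucket argument of the previous three slides and the two drop-pattern metrics (per-position drop rate and slope from slide 9, first-order differences from slide 15), as one added example that is not code from the talk or from Cisco. The policer follows Cisco's published description of CAR: tokens are charged per byte, the bucket is capped at the normal burst B, a packet that must borrow adds its resulting actual debt to the compounded debt, and a packet whose compounded debt would exceed the extended burst E is dropped with the compounded debt reset to 0. All rates, bursts and traffic below are constructed for the demo, and one modelling assumption is made that Cisco's description does not spell out: the compounded debt is also reset once the flow has repaid every borrowed token.

```python
"""Cisco CAR token bucket with extended burst, plus the drop-pattern metrics from the slides.

Added example, not code from the talk or from Cisco.  The policer follows Cisco's
published description of CAR (tokens per byte, normal burst B, extended burst E,
compounded debt reset on drop); all traffic parameters are constructed for the demo.
Assumption not stated by Cisco: compounded debt is also reset once the flow has
repaid every borrowed token.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CarPolicer:
    """One CAR rule: committed rate C in bit/s, normal burst B and extended burst E in bytes.
    `level` is the token count; it goes negative while the flow is in debt (actual debt = -level)."""
    rate_bps: int
    normal_burst: int
    extended_burst: int
    level: Optional[int] = None
    compounded_debt: int = 0
    last_ms: int = 0

    def __post_init__(self) -> None:
        if self.level is None:
            self.level = self.normal_burst          # bucket starts full

    def offer(self, t_ms: int, size: int) -> bool:
        """Offer a `size`-byte packet at time t_ms (integer ms). True = transmit, False = drop."""
        earned = (t_ms - self.last_ms) * self.rate_bps // 8000   # bytes of credit since last packet
        self.last_ms = t_ms
        self.level = min(self.normal_burst, self.level + earned)
        if self.level >= 0:
            self.compounded_debt = 0                # debt fully repaid (modelling assumption)
        if self.level >= size:
            self.level -= size                      # conform-action transmit
            return True
        debt_after = size - self.level              # actual debt a(j) if this packet is sent
        self.compounded_debt += debt_after
        if self.compounded_debt > self.extended_burst:
            self.compounded_debt = 0                # exceed-action drop, CD reset to 0
            return False
        self.level -= size                          # borrow tokens and transmit
        return True


def drop_gaps(drops: List[int]) -> List[int]:
    """First-order differences of the dropped packet numbers (the test tried on slide 15)."""
    return [b - a for a, b in zip(drops, drops[1:])]


def position_drop_slope(rounds: List[List[int]]) -> Tuple[List[float], float]:
    """Metric of slide 9: drop rate per position within a ping round (1 = dropped) and the
    least-squares slope of that rate against position.  A positive slope is the tail-drop signature."""
    n = len(rounds[0])
    rate = [sum(r[i] for r in rounds) / len(rounds) for i in range(n)]
    xs = list(range(1, n + 1))
    x_mean, y_mean = sum(xs) / n, sum(rate) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, rate))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    return rate, sxy / sxx


def constant_rate_stream(n: int = 400, size: int = 100, interval_ms: int = 50) -> List[int]:
    """Slide 14's setup: 100-byte packets every 50 ms (R = 16 kbit/s) through CAR with
    C = 8 kbit/s, B = 2000 bytes, E = 4000 bytes.  Returns the numbers of the dropped packets."""
    car = CarPolicer(rate_bps=8000, normal_burst=2000, extended_burst=4000)
    return [j for j in range(n) if not car.offer(j * interval_ms, size)]


def ping_rounds(n_rounds: int = 20, per_round: int = 10, size: int = 100,
                gap_ms: int = 10, round_ms: int = 2000) -> List[List[int]]:
    """Rounds of 10 back-to-back 100-byte pings, 2 s apart, through a tight CAR rule
    (C = 8 kbit/s, B = 300 bytes, E = 600 bytes).  Each round is a list of 0/1 drop flags."""
    car = CarPolicer(rate_bps=8000, normal_burst=300, extended_burst=600)
    return [[0 if car.offer(r * round_ms + i * gap_ms, size) else 1 for i in range(per_round)]
            for r in range(n_rounds)]


if __name__ == "__main__":
    drops = constant_rate_stream()
    print("first drop at packet", drops[0], "; gaps between drops:", drop_gaps(drops)[:12])
    rate, slope = position_drop_slope(ping_rounds())
    print("drop rate by position:", rate, "; slope:", round(slope, 3))
```

In the constant-rate run B/(R-C) = 2000 bytes / 1000 bytes/s = 2 s, so the bucket runs dry at packet 39 (50 ms spacing); each later packet then adds 50 bytes of actual debt, and the compounded debt crosses E = 4000 on the 13th borrowing packet, number 51, long before the actual debt itself could reach E. After that the gaps between drops shrink in a fully deterministic sequence (6, 5, 4, 4, ...) until the flow settles into dropping every other packet, i.e. the loss fraction (R-C)/R = 1/2 that any policer at rate C must impose on a stream at rate R. The ping rounds show the tail-drop signature of slides 8 and 9: positions 1 to 6 always pass, positions 7 and 9 are always dropped, and the per-position slope is positive. Interleaving other hosts' ICMP into the same `offer` calls reproduces the "total ICMP traffic" noise that the next slide describes.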
16
Detecting CAR: the bad news
- It appears that most sites impose a traffic limit on TOTAL ICMP traffic, not on our stream alone
- Predicting when one of our packets will be dropped is then akin to predicting the rest of the traffic on that router at that moment - a known "hard" problem!
- Solution: ping aggressively, so that our traffic stream dominates the rate-limited traffic. High signal-to-noise!
17
Further study
- Ping with variable-sized packets (below the MTU) and check whether packet loss varies linearly with size, as charging tokens per byte would predict
- Is it trivial to determine the MTU?
- How important are other effects, such as ICMP being more likely to be dropped from a queue?
- Set up a router that implements CAR, send simulated ICMP traffic through it, and study the drop patterns