The taming of the shrew mitigating low rate tcp targeted attack
1 / 15

The Taming of The Shrew: - PowerPoint PPT Presentation

  • Updated On :

The Taming of The Shrew: Mitigating Low-Rate TCP-targeted Attack. Chia-Wei Chang, Seungjoon Lee , Bill Lin, Jia Wang. Shrew Attack [Kuzmanovic03]. TCP-targeted low-rate denial-of-service attack Exploits TCP’s retransmission timeout

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'The Taming of The Shrew: ' - Jims

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
The taming of the shrew mitigating low rate tcp targeted attack l.jpg

The Taming of The Shrew: Mitigating Low-Rate TCP-targeted Attack

Chia-Wei Chang, Seungjoon Lee,

Bill Lin, Jia Wang

Shrew attack kuzmanovic03 l.jpg
Shrew Attack [Kuzmanovic03]

  • TCP-targeted low-rate denial-of-service attack

  • Exploits TCP’s retransmission timeout

    • Periodic burst (with period T) synchronized with TCP minRTO

      • R: large enough to cause packet drops

      • L: long enough to induce timeouts

    • Victims experience repeated loss of retransmissions

      • Near-zero throughput

Shrew attack

TCP victim

Related work l.jpg
Related Work

  • BGP (Border Gateway Protocol) runs on top of TCP

    • Shrew attack can cause BGP session close [Zhang07]

      • Potentially can disrupt Internet routing

  • Detection/Mitigation Schemes

    • Active Queue Management, randomize minRTO

      • Insufficient to fully mitigate attack

    • Previous schemes to identify attack flows

      • Periodic pattern monitoring, auto-correlation analysis, wavelet-based approach, frequency domain spectrum analysis

      • Prohibitive to realize in high-speed networks

Outline l.jpg

  • SAP (Shrew Attack Protection) Design Overview

    • Deployment Consideration

  • Testbed Experiments

  • Simulation Experiments

Shrew attack protection l.jpg
Shrew Attack Protection

  • Priority-based filtering mechanism

    • Identifies victims and prioritizes their flows

      • Can help external systems identify attack flows

    • Router monitors drop rate for each potential “victim”

      • Low drop rate: Packets are treated normal (i.e., low priority)

      • High drop rate: Packets are tagged high priority, and preferentially admitted to output queue

    • Protects victims from losing consecutive packets

Sap components l.jpg
SAP Components

  • Drop Rate Collector

    • Continuously monitors instantaneous per-aggregate drop rate

      • Counters for arrivals and drops for each potential victim

      • For the current time interval and recent history (e.g., total of 10 time intervals)

  • Fair Drop Rate Controller

    • Pavg: Average drop rate for all monitored aggregates

    • Pfair = max(Pavg, Pmin)

      • No intervention if drop rate is under a threshold

  • Differential Tagging & Preferential Drop

    • Packets are tagged high-priority if instantaneous drop rate is beyond Pfair

      • Relatively short sequence of losses can trigger differential tagging

      • E.g., Pfair = 5%, and 9 successful transmissions and one drop

    • Preferential dropping is implemented in modern routers (e.g., WRED)

Sap maintains statistics for aggregates l.jpg
SAP Maintains Statistics for Aggregates

  • Maintaining per-flow statistics for all flows is typically infeasible

  • SAP uses application-level aggregates

    • E.g., destination port

    • Maintaining aggregate-level information is feasible in hardware

      • E.g., 65536 TCP ports

      • 20 counters * 4 bytes * 60K aggregates ~ 5MB of SRAM

Discussions l.jpg

  • Different flows can be treated as a single aggregate

    • Attacker may use protected TCP port

      • Shrew attack may use protected TCP port

      • Malicious flow may intentionally cause packet drops and trigger elevated priority

    • SAP still prevents session close and improves victim’s throughput

    • SAP can help external systems narrow down attack flows

  • Different aggregates may vary in the number of flows

    • SAP preserves per-flow throughput

Experiment setup l.jpg
Experiment Setup

  • Simulation Study using FTP, HTTP, BGP flows

    • ns-2 simulator

      • augmented with SAP

  • Validation using real router testbed

    • 1 Juniper router, 2 Ethernet switches, 3 PCs

    • BGP flow only (using Zebra and real BGP trace)



Simulation vs testbed l.jpg
Simulation vs. Testbed

  • T = 1sec, L = 0.3sec, R = 15, 18, 20Mbps

  • Packet drop rates are highly close

Simulation throughput and drop rate l.jpg
Simulation: Throughput and Drop Rate

  • R = 15Mbps, T = 1sec, L = 0.3sec

  • RED is not enough to mitigate Shrew attack

  • BGP session is closed

Simulation throughput and drop rate12 l.jpg
Simulation: Throughput and Drop Rate

  • SAP protects legitimate TCP flows from losing multiple packets

  • Thus, enables high throughput in the presence of attack

Simulation throughput and drop rate13 l.jpg
Simulation: Throughput and Drop Rate

  • Shrew attack using protected port is more effective against SAP

    • Pavg becomes higher due to attack flow

  • Still, SAP keeps all TCP sessions alive

    • SAP prevents consecutive packet drops

Simulation throughput and drop rate14 l.jpg
Simulation: Throughput and Drop Rate

  • HTTP flows get higher throughput when Shrew attack uses HTTP

  • SAP keeps all sessions alive

Conclusions l.jpg

  • SAP (Shrew Attack Protection)

    • Simple counter-based filtering mechanism

      • Priority-tagging and preferential drop

    • Uses application-level aggregates, not per-flow statistics

      • Implementable using today’s hardware

    • Identifies and protects victims

      • Can help identify attack flows

    • Mitigates Shrew attack in various attack scenarios