
Malicious Packet Dropping : How It Might Impact the TCP Performance & How We Can Detect It



  1. Malicious Packet Dropping: How It Might Impact the TCP Performance & How We Can Detect It
  Xiao-Bing Zhang, Ericsson
  Felix Wu, UC Davis
  Zhi Fu, NC State University
  Tsung-Li Wu, CCIT
  http://www.cs.ucdavis.edu/~wu
  wu@cs.ucdavis.edu
  full paper: http://www.cs.ucdavis.edu/publications/PDALong.ps
  IEEE ICNP'2000, Osaka, Japan

  2. Outline
  • Packet Dropping
  • Anomaly Detection
  • Evaluation

  3. Packet Dropping Attacks
  • Maliciously drop a small portion of the packets
    • e.g., the first 20 packets of a connection
  • Selectively drop some important packets
    • e.g., retransmission packets, signaling packets in IP telephony
  • Degrade QoS
  • Difficult to detect
    • packet loss could also be due to network congestion

  4. Attack Types
  • Persistent
    • attack every connection between two TCP endpoints
  • Intermittent
    • attack only some of the connections
    • e.g., 1 of every 5 connections

  5. Dropping Patterns
  • Periodical Packet Dropping (PerPD)
  • Retransmission Packet Dropping (RetPD)
  • Random Packet Dropping (RanPD)

  6. Periodical Packet Dropping
  • Parameters (K, I, S)
    • K, the total number of dropped packets in a connection
    • I, the interval between two consecutive dropped packets
    • S, the position of the first dropped packet
  • Example (5, 10, 4)
    • 5 packets dropped in total
    • 1 every 10 packets
    • starting from the 4th packet
    • the 4th, 14th, 24th, 34th and 44th packets are dropped

  7. Retransmission Packet Dropping
  • Parameters (K, S)
    • K, the number of times the packet's retransmissions are dropped
    • S, the position of the dropped packet
  • Example (5, 10)
    • first, drop the 10th packet
    • then, drop the retransmissions of the 10th packet 5 times

  8. Random Packet Dropping
  • Parameter (K)
    • K, the total number of packets to be dropped in a connection
  • Example (5)
    • randomly drops 5 packets in a connection

  9. Dropper Model (figure): a dropper attacks P% of the connections, using one of the patterns Per (K,I,S), Ret (K,S) or Ran (K)
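The dropper model of slides 4 to 9 as a per-packet decision predicate, an added example that is not the paper's Attack Agent. Packet positions are 1-based positions within a connection as on the slides; whether a packet is a retransmitted copy is supplied by the caller (the real agent sat behind a divert socket and saw every data packet). The `Dropper` class, its `attack_pct` parameter (the P% of slide 9) and `total_packets` (needed for RanPD, which picks K of the connection's N packets) are this example's own names, not the paper's.

```python
"""Dropper model of slides 4-9 as a per-packet decision predicate.

Added example, not the paper's Attack Agent. Positions are 1-based packet
positions within a connection; whether a packet is a retransmission is
supplied by the caller.
"""
import random


class Dropper:
    """One dropper = one pattern with its parameters, applied to P% of connections.

    pattern "per": params (K, I, S)   periodical
    pattern "ret": params (K, S)      retransmission
    pattern "ran": params (K,)        random (needs total_packets: K of N)
    attack_pct: P% of slide 9; 100 is a persistent attack, 20 is 1 of every 5.
    """

    def __init__(self, pattern, params, attack_pct=100, total_packets=None, seed=None):
        self.pattern, self.params = pattern, params
        self.attack_pct, self.total_packets = attack_pct, total_packets
        self.rng = random.Random(seed)
        self.new_connection()

    def new_connection(self):
        """Per-connection state: the P% coin (intermittent attack) and pattern state."""
        self.active = self.rng.random() * 100 < self.attack_pct
        self.retx_dropped = 0
        self.drop_set = set()
        if self.pattern == "ran":
            (k,) = self.params
            self.drop_set = set(self.rng.sample(range(1, self.total_packets + 1), k))

    def should_drop(self, position, is_retransmission=False):
        """True if the packet at this position (original or retransmitted copy) is dropped."""
        if not self.active:
            return False
        if self.pattern == "per":
            k, i, s = self.params
            # originals at S, S+I, ..., S+(K-1)*I; their retransmissions get through
            hit = position >= s and (position - s) % i == 0 and (position - s) // i < k
            return hit and not is_retransmission
        if self.pattern == "ret":
            k, s = self.params
            if position != s:
                return False
            if not is_retransmission:
                return True                    # the original copy of packet S
            if self.retx_dropped < k:          # then K of its retransmissions
                self.retx_dropped += 1
                return True
            return False
        if self.pattern == "ran":
            return position in self.drop_set and not is_retransmission
        raise ValueError("unknown pattern %r" % self.pattern)


def dropped_originals(dropper, n_packets):
    """Positions of the original transmissions a dropper drops in one connection."""
    return [p for p in range(1, n_packets + 1) if dropper.should_drop(p)]
```

`Dropper("per", (5, 10, 4))` drops exactly the 4th, 14th, 24th, 34th and 44th originals of slide 6; `Dropper("ret", (5, 10))` drops the 10th packet and then its next five retransmissions and lets the sixth through; with `attack_pct=20` the per-connection coin in `new_connection` reproduces the "1 of every 5 connections" intermittent attack of slide 4.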

  10. How can this happen?
  • Unintentional:
    • misconfiguration
    • aggressive traffic control or management
  • Intentional:
    • compromised packet forwarding engine
    • selectively flooded routers/switches

  11. How to Practice Dropping Attacks
  • Compromise intermediate routers
    • easy to manipulate the victim's traffic
    • hard to detect
    • difficult to practice
  • Congest intermediate routers
    • hard to manipulate the victim's traffic
    • causes more attention
    • easy to practice

  12. Impacts of Packet Dropping
  • Delay
  • Response time
  • Quality
  • Bandwidth
  • Throughput
  • ...

  13. Internet Experiment Setting
  • 4 FTP servers across the Internet
  • FTP client runs Linux 2.0.36 in the SHANG lab
  • Size of the downloaded file is 5.5MB
  • Attack Agent
    • runs on the same host as the FTP client
    • acts as if it were on a compromised router
  (figure: FTP client on Linux 2.0.36 with the Attack Agent intercepting the data packets through a divert socket; FTP server serving xyz.zip, 5.5M)

  14. FTP Servers and Clients (figure)
  • FTP client: SHANG
  • FTP servers: Heidelberg, NCU, SingNet, UIUC

  15. FTP Servers (figure)

  16. Impacts of Packet Dropping on Session Delay (figure)

  17. Compare Impacts of Dropping Patterns (figure; PerPD: I=4, S=5; RetPD: S=5)

  18. Different K, I, S for PerPD (figure)

  19. On Interval
  • If the interval is extremely small (< 4), PerPD behaves like RetPD.
  • If the interval is larger:
    • if the RTT is small, the session delay is smaller when the interval is also smaller (but not too small).

  20. Compare Impacts of Dropping Patterns (cont.)
  • Periodical Packet Dropping
    • session delay increases linearly with K
    • packet loss is repaired by fast retransmit or timeout
  • Random Packet Dropping
    • comparatively small damage, related to the RTT
    • session delay increases linearly with K
    • packet loss is usually repaired by fast retransmit
  • Retransmission Packet Dropping
    • severe damage, related to the RTO
    • session delay increases exponentially with K
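Why the three patterns scale so differently with K, as an added example that is not from the paper. The model is a deliberate simplification and an assumption of this example: a single lost original costs about one RTT when repaired by fast retransmit or one RTO when repaired by a timeout, while a lost retransmission can only be repaired by a timeout and TCP doubles the RTO after each successive timeout (exponential backoff, capped at `rto_max`). `damage()` is the metric slide 25 uses for the congestion experiment. The function names and the RTT/RTO values are this example's own.

```python
"""Session-delay cost of the three dropping patterns (slide 20), simplified model.

Added example, not from the paper. Assumptions: fast retransmit repairs a
loss in ~1 RTT, a timeout in ~1 RTO, and each further timeout on the same
packet doubles the RTO (exponential backoff) up to rto_max.
"""


def perpd_extra_delay(k, rtt, rto, fast_retransmit=True):
    """PerPD / RanPD: K independent losses, each repaired once -> linear in K."""
    return k * (rtt if fast_retransmit else rto)


def retpd_extra_delay(k, rtt, rto, rto_max=60.0):
    """RetPD(K): the original is lost (repaired by fast retransmit, ~1 RTT), then the
    next K retransmissions are lost; each is recovered only after a timeout that
    doubles every time -> RTT + RTO * (2**K - 1) before the cap: exponential in K."""
    delay, timeout = rtt, rto
    for _ in range(k):
        delay += timeout
        timeout = min(2 * timeout, rto_max)
    return delay


def damage(delay_attack, delay_normal):
    """Slide 25: damage = (delay_attack - delay_normal) / delay_normal."""
    return (delay_attack - delay_normal) / delay_normal
```

With `rtt=0.2`, `rto=1.0`, RetPD(5) costs about 31 s of extra delay, whereas PerPD or RanPD with K=20 losses repaired by fast retransmit cost about 4 s; that is the gap the slide describes between "related to the RTO" and "related to the RTT".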

  21. The Plain DDOS Model (1999-2000) (figure: Attackers control Masters, Masters control Slaves, Slaves flood the Victim across ISP and .com networks with packets whose src is random and whose dst is the victim)

  22. Congestion Tools: Tribe Flood Network
  • Distributed Denial Of Service (DDOS) attack tool
  • Master
    • a host running an application called Client
    • the Client initiates attacks by sending commands to Agents
  • Agent
    • a host running a Daemon
    • the Daemon receives and carries out commands issued by a Client
  • Attacks
    • UDP flood, ICMP echo reply (ping) flood, SYN flood, and TARGA3

  23. Congestion Experiment Setting
  • Networks are in the SHANG lab
  • All machines are PCs
  • bone, with a 500MHz Intel Pentium CPU, acts as the router
  • Downloaded file size: 44MB
  (figure: hosts fire (FTP server), redwing (FTP client), bone (router), light and air (TFN target) on the networks 152.1.75.0, 172.16.0.0 and 192.168.1.0; the TFN master commands TFN agents to UDP-flood the target through bone, congesting the router that the FTP data also crosses)

  24. Congestion Experiment Results (figure)

  25. Congestion Experiment Results (cont.)
  damage = (delay_flood - delay_normal) / delay_normal

  Attack mode (flood m, stop n) | Packet losses per connection | Session delay (sec.) | Damage
  Normal                        |   0.9                        |  31.7                |   -
  Flood 1, stop 20              |  18.5                        |  40.5                |  27.8%
  Flood 1, stop 5               |  57.4                        |  58.4                |  84.5%
  Flood 5, stop 10              |  62.1                        |  67.3                | 112.6%
  Flood 5, stop 2               | 124.4                        | 164.5                | 418.9%

  (the extracted slide text reads 470.5 for the first flood row's session delay; 40.5 is the value consistent with its 27.8% damage and the formula above)

  26. Intrusion Detection: TDSAM
  • TCP-Dropping Statistic Analysis Module (TDSAM)
    • runs on the protected asset, e.g., the FTP client
  • Expected Behavior
    • described by the long-term profile
    • e.g., the average session delay is 50 seconds
  • Observed Behavior
    • described by the short-term profile
    • e.g., the average session delay becomes 100 seconds

  27. Intrusion Detection: TDSAM (cont.)
  • Statistic Measures
    • Position Measure: position of each packet re-ordering
    • Delay Measure: session delay
    • NPR Measure: number of packet re-orderings

  28. TDSAM Experiment Setting (figure: the setting of slide 13 with TDSAM running on the FTP client next to the Attack Agent and its divert socket on the data packets; the inset illustrates re-ordering counting on the arrival sequence p1, p2, p3, p5, p4, where p4 arrives after p5, and "max re-ordering")

  29. Long-term Profile
  • Category, C-Training
    • learn the aggregate distribution of a statistic measure
  • Q Statistics, Q-Training
    • learn how much deviation is considered normal
  • Threshold

  30. Long-term Profile: C-Training
  For each sample of the statistic measure, X
  • k bins
  • Expected Distribution P1, P2, ..., Pk (the example bins below sum to 100%)
  • Training time: months
  Example expected distribution:
    (0, 50]   20%
    (50, 75]  30%
    (75, 90]  40%
    (90, +)   10%

  31. Long-term Profile: Q-Training (1)
  For each sample of the statistic measure, X
  • k bins; Yi samples fall into bin i
  • N samples in total (N = Y1 + ... + Yk)
  • Weighted Sum Scheme with the fading factor s
  Example observed distribution:
    (0, 50]   20%
    (50, 75]  40%
    (75, 90]  20%
    (90, +)   20%

  32. Long-term Profile: Q-Training (2)
  • Deviation: the Q value of an observed distribution against the expected distribution
  • Example:
  • Qmax
    • the largest value among all Q values

  33. Long-term Profile: Q-Training (3)
  • Q Distribution
    • [0, Qmax) is divided equally into 31 bins and the last bin is [Qmax, +)
    • distribute all Q values into the 32 bins

  34. Threshold
  • Predefined threshold
  • If Prob(Q > q) < threshold, raise an alarm

  35. Q-Distribution for the Position Measure (figure)

  36. Q-Distribution for the Delay Measure (figure)

  37. Detect Malicious Dropping
  • For each Observed Distribution
    • compare it to the Expected Distribution (calculate a Q value)
    • if the Q value falls into the alarm zone, raise an alarm
  • The short-term profile is updated using the Weighted Sum Scheme

  38. Long-term Profile Update
  • Update when no attack occurs during a period of time
  • Update the Expected Distribution and the Q Distribution
    • weighted sum scheme
    • fading factor equals l

  39. TDSAM Performance Analysis: Experiment Setting
  (figure: FTP client on Linux 2.0.36 running TDSAM and the Attack Agent, whose divert socket intercepts the data packets, downloading njcom210.zip, 5.5M, from an FTP server across the Internet)
  • Persistent Attacks
    • PerPD: (10, 4, 5), ... (100, 40, 5)
    • RetPD: (5, 5)
    • RanPD: (10), (40)
  • Intermittent Attacks
    • PerPD (10, 4, 5) with attack period 5 and 50

  40. Example
  • Long-term profile
    • nbin = 5, bin-width = 800
    • p1=0.194339, p2=0.200759, p3=0.197882, p4=0.204260, p5=0.202760
  • PerPD(20,4,5)
    • drops packets only within the first 85 packets (positions 5, 9, ..., 81)
    • p1=0.837264, p2=0.039390, p3=0.043192, p4=0.041045, p5=0.039109
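The TDSAM pipeline of slides 26 to 37 run on the profile of slide 40, as an added example that is not the paper's TDSAM implementation. The long-term profile (nbin = 5, bin-width = 800) is taken here to be the Position Measure, with bins over 1-based packet positions. Where the transcript omits the formula, this example makes its own assumptions and labels them: the deviation statistic is the chi-square distance Q = sum_i (q_i - P_i)^2 / P_i between the observed bin proportions q and the expected ones P; Prob(Q > q) is estimated from the 32-bin training histogram of slide 33; the training Q values come from constructed attack-free short-term profiles drawn from the expected distribution, not from the paper's traces. The arrival order used to exercise the Position Measure is likewise constructed (each dropped packet arrives a few packets late).

```python
"""TDSAM-style detection on the Position Measure (slides 26-37 and 40).

Added example, not the paper's TDSAM. Assumptions: chi-square distance as
the Q statistic; Prob(Q > q) estimated from the 32-bin Q histogram;
training profiles and the attack arrival order are constructed data.
"""
import random

NBIN, BIN_WIDTH = 5, 800
EXPECTED = [0.194339, 0.200759, 0.197882, 0.204260, 0.202760]         # slide 40, long-term
OBSERVED_PERPD = [0.837264, 0.039390, 0.043192, 0.041045, 0.039109]   # slide 40, PerPD(20,4,5)


def reorder_positions(arrival_order):
    """Position Measure: arrival position of each packet re-ordering.

    A packet is re-ordered when it arrives after a packet with a higher
    sequence number: p1 p2 p3 p5 p4 -> p4 is re-ordered, at position 5.
    """
    positions, highest = [], 0
    for pos, seq in enumerate(arrival_order, start=1):
        if seq < highest:
            positions.append(pos)
        highest = max(highest, seq)
    return positions


def arrival_order_with_drops(n_packets, dropped, retx_delay=8):
    """Constructed arrival order: each dropped packet arrives retx_delay packets late."""
    order = list(range(1, n_packets + 1))
    for seq in sorted(dropped, reverse=True):
        order.remove(seq)
        order.insert(min(seq - 1 + retx_delay, len(order)), seq)
    return order


def bin_counts(positions, nbin=NBIN, width=BIN_WIDTH):
    """C-Training bins: positions 1..800 -> bin 0, 801..1600 -> bin 1, ...; last bin open."""
    counts = [0] * nbin
    for p in positions:
        counts[min((p - 1) // width, nbin - 1)] += 1
    return counts


def proportions(counts):
    n = sum(counts)
    return [c / n for c in counts] if n else [0.0] * len(counts)


def q_stat(observed, expected):
    """Assumed deviation statistic: chi-square distance between bin proportions."""
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected))


class QDistribution:
    """Slide 33: [0, Qmax) split equally into 31 bins, plus [Qmax, +) as the 32nd."""

    def __init__(self, training_qs):
        self.qmax, self.total = max(training_qs), len(training_qs)
        self.hist = [0] * 32
        for q in training_qs:
            self.hist[self.bin_of(q)] += 1

    def bin_of(self, q):
        return 31 if q >= self.qmax else int(31 * q / self.qmax)

    def tail_prob(self, q):
        """Estimate of Prob(Q > q): share of training Q values in q's bin or above."""
        return sum(self.hist[self.bin_of(q):]) / self.total


def alarm(q, qdist, threshold):
    """Slide 34: raise an alarm if Prob(Q > q) < threshold."""
    return qdist.tail_prob(q) < threshold


def train_q_distribution(expected=EXPECTED, n_profiles=200, per_profile=500, seed=0):
    """Q-Training on constructed attack-free short-term profiles (multinomial draws)."""
    rng = random.Random(seed)
    qs = []
    for _ in range(n_profiles):
        draws = rng.choices(range(len(expected)), weights=expected, k=per_profile)
        counts = [draws.count(b) for b in range(len(expected))]
        qs.append(q_stat(proportions(counts), expected))
    return qs


def detect(positions, qdist, threshold=0.01, expected=EXPECTED):
    """Slide 37: bin the observed re-ordering positions, compute Q and decide."""
    q = q_stat(proportions(bin_counts(positions)), expected)
    return q, alarm(q, qdist, threshold)
```

On slide 40's numbers the observed PerPD(20,4,5) distribution gives Q of about 2.64, far beyond every attack-free training Q, so it lands in the [Qmax, +) bin and is alarmed; an observed distribution close to the expected one gives Q near zero and is not. The same happens to a constructed 4000-packet download in which the 20 packets at positions 5, 9, ..., 81 arrive late: all 20 re-orderings fall into the first 800-packet bin. Slide 44's caveat follows directly from the binning: PerPD(100, 40, 5) spreads its re-orderings evenly over all five bins, leaves the proportions near the expected ones and is invisible to this measure.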

  41. Results: Position Measure (figure)

  42. Results: Delay Measure (figure)

  43. Results: NPR Measure (figure)

  44. TDSAM Performance Analysis: Results (good or bad!!)
  • False Alarm Rate
    • less than 10% in most cases; the highest is 17.4%
  • Detection Rate
    • Position: good on RetPD and most PerPD
      • at NCU, 98.7% for PerPD(20,4,5), but 0% for PerPD(100, 40, 5), in which the dropped packets are evenly distributed
    • Delay: good on attacks that significantly change the session delay, e.g., RetPD and PerPD with a large K
      • at SingNet, 100% for RetPD(5,5), but 67.9% for RanPD(10)
    • NPR: good on attacks that drop many packets
      • at Heidelberg, 0% for RanPD(10), but 100% for RanPD(40)

  45. TDSAM Performance Analysis: Results (cont.)
  • Good sites (stable and small session delay or packet re-ordering) give a high detection rate
    • e.g., using the Delay Measure for RanPD(10): UIUC (99.5%) > Heidelberg (74.5%) > SingNet (67.9%) > NCU (26.8%)
  • How to choose the value of nbin is site-specific
    • e.g., using the Position Measure, the lowest false alarm rate occurs with nbin = 5 at Heidelberg (4.0%) and NCU (5.4%), nbin = 10 at UIUC (4.5%) and nbin = 20 at SingNet (1.6%)

  46. Conclusion
  • TDSAM with a single measure
    • is able to detect dropping attacks
    • has weaknesses in identifying some malicious droppings
  • Combining the 3 measures
    • works well on most of the attacks
    • except for those causing very limited damage
      • RanPD with a small value of K
      • intermittent attacks with a large attack interval
  • Limitations....

  47. Future....
  • Detect non-TCP packet dropping attacks
    • choose appropriate statistic measures
  • Service Level Agreement monitoring
    • build a long-term profile and statistically monitor the quality of service
    • e.g., evaluate the DNS response time

  48. Contributions
  • Packet Dropping Attacks
    • studied how to practice the attacks
    • studied the impacts of dropping attacks
    • implemented the Attack Agent
  • Intrusion Detection
    • implementation of TDSAM
    • TDSAM performance analysis over the real Internet

  49. Thanks
  full paper: http://www.cs.ucdavis.edu/publications/PDALong.ps
  Any questions?

  50. Weighted Sum Scheme
  • Problems of the Sliding Window Scheme
    • keeps the most recent N audit records
    • the required storage and computing time are O(N)
  • Assume
    • K: number of bins
    • Yi: count of audit records falling into the ith bin
    • N: total number of audit records
    • fading factor
  • When Ei occurs, update
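The Weighted Sum Scheme of slide 50 beside the sliding window it replaces, as an added example that is not the paper's code. The update rule itself is not in the transcript, so the one implemented here is an assumption of this example: when event Ei occurs (a record falls into bin i), every bin count is multiplied by the fading factor and bin i is incremented, so N = Y1 + ... + YK stays exact while storage and time per event are O(K) instead of O(N). Class and function names are this example's own.

```python
"""Weighted Sum Scheme (slide 50) versus the sliding window it replaces.

Added example, not the paper's code. The update rule is an assumption:
on event Ei, Y_j <- fading * Y_j for all j, Y_i <- Y_i + 1, N <- fading * N + 1.
"""
from collections import deque


class SlidingWindowProfile:
    """Keeps the last `window` audit records: O(window) storage, O(window) per query."""

    def __init__(self, k, window):
        self.k, self.records = k, deque(maxlen=window)

    def record(self, i):
        self.records.append(i)

    def counts(self):
        y = [0] * self.k
        for i in self.records:
            y[i] += 1
        return y

    def distribution(self):
        n = len(self.records)
        return [c / n for c in self.counts()]


class WeightedSumProfile:
    """K floats plus N: O(K) storage, O(K) per event, no record history kept."""

    def __init__(self, k, fading):
        self.y, self.n, self.fading = [0.0] * k, 0.0, fading

    def record(self, i):            # assumed update rule for event Ei
        self.y = [self.fading * y for y in self.y]
        self.y[i] += 1.0
        self.n = self.fading * self.n + 1.0

    def distribution(self):
        return [y / self.n for y in self.y]


def effective_memory(fading):
    """Steady-state N = 1 / (1 - fading): the window length the scheme roughly emulates."""
    return 1.0 / (1.0 - fading)


def regime_change(profile, first_bin, second_bin, steps):
    """Feed `steps` events in first_bin, then `steps` in second_bin; return the distribution."""
    for _ in range(steps):
        profile.record(first_bin)
    for _ in range(steps):
        profile.record(second_bin)
    return profile.distribution()
```

With a fading factor of 0.99 the scheme behaves like a window of about 100 records: after a regime change from bin 0 to bin 1, 1000 events later the old bin's share has decayed to roughly 0.99^1000, which is the "forgetting" the short-term profile of slide 37 and the long-term update of slide 38 rely on.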
