
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection



  1. Defending Against Low-rate TCP Attack: Dynamic Detection and Protection
  Prof. John C.S. Lui, CSE Dept., CUHK

  2. Outline
  • Introduction to Low-rate TCP Attack
  • Formal Description of Low-rate TCP Attack
  • Distributed Dynamic Detection
  • Low-rate Attack Defense Mechanism
  • Fluid Model of TCP Flows
  • Defence Experiments
  • Related Work & Conclusion

  3. Introduction to the Low-rate TCP Attack
  • Common DoS attack
    • Consumes resources (bandwidth, buffers, etc.)
    • Keeps legitimate users away from the service
    • A large number of machines or agents are involved
    • Harmful, but relatively easy to detect
  • Low-rate DoS attack
    • Aims to deny bandwidth to legitimate TCP flows
    • The attacker sends an attack stream of low average volume
    • Exploits the TCP congestion control feature
    • The attacker sends a periodic short burst to the victim/router

  4. TCP Retransmission Mechanism
  • TCP congestion control under severe network congestion:
    • Wait until the retransmission timer expires (RTO)
    • Reduce the congestion window, double the RTO, retransmit the packet
    • If the retransmission succeeds, enter the slow start phase; otherwise, back off exponentially again
  • Calculation of RTO in RFC 2988: RTO = max(minRTO, SRTT + max(G, 4·RTTVAR))
  • Usually RTO = minRTO during slow start
  • minRTO = 1 second (recommended in RFC 2988)

  5. Low-rate DoS Attack on a TCP Flow
  • An example of a low-rate DoS attack: average bandwidth = l·R/T
  • A sufficiently large attack burst causes packet loss at the congested router
  • TCP waits until timeout and retransmits after RTO
  • If the attack period equals the RTO of the TCP flow, TCP continually incurs loss and achieves zero or very low throughput.
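  The RTO rule quoted on slide 4 is the reason a fixed burst period works against short-RTT flows: with minRTO = 1 s, the timer of a LAN-like flow is pinned at 1 s whatever its measured RTT. The following is an added example, not code from the slides or the paper, that implements the RFC 2988 estimator (SRTT and RTTVAR updates with the RFC's constants α = 1/8, β = 1/4, K = 4, and the first-sample initialisation) together with the exponential back-off, so the effect of minRTO can be checked numerically. The clock granularity G = 1 ms, the rule that a fresh RTT sample ends the back-off, and the RTT values fed in are assumptions of the example.

```python
# Added example: RFC 2988 retransmission-timer arithmetic (not from the slides).
MIN_RTO = 1.0   # seconds; lower bound recommended by RFC 2988 (slide 4)
K = 4           # RFC 2988 multiplier on RTTVAR
ALPHA = 1 / 8   # RFC 2988 gain for SRTT
BETA = 1 / 4    # RFC 2988 gain for RTTVAR


class RtoEstimator:
    """Tracks SRTT and RTTVAR and derives RTO = max(minRTO, SRTT + max(G, K*RTTVAR))."""

    def __init__(self, granularity=0.001, min_rto=MIN_RTO):
        self.g = granularity     # clock granularity G (1 ms is an assumption of this example)
        self.min_rto = min_rto
        self.srtt = None
        self.rttvar = None
        self.backoff = 1         # exponential back-off multiplier, 1 = no back-off

    def sample(self, r):
        """Feed one RTT measurement r (seconds) and return the resulting RTO."""
        if self.srtt is None:                 # first measurement (RFC 2988 rule 2.2)
            self.srtt, self.rttvar = r, r / 2
        else:                                 # later measurements (RFC 2988 rule 2.3)
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r
        self.backoff = 1                      # simplification: a fresh sample ends the back-off
        return self.rto()

    def rto(self):
        base = max(self.min_rto, self.srtt + max(self.g, K * self.rttvar))
        return base * self.backoff

    def timeout(self):
        """Retransmission timer expired: double the RTO (RFC 2988 rule 5.5)."""
        self.backoff *= 2
        return self.rto()


def rto_sequence(rtt_samples, timeouts_after=0):
    """RTO after each RTT sample, then after each of `timeouts_after` expirations."""
    est = RtoEstimator()
    rtos = [est.sample(r) for r in rtt_samples]
    rtos += [est.timeout() for _ in range(timeouts_after)]
    return rtos


if __name__ == "__main__":
    # Constructed LAN-like RTTs: RTO stays pinned at minRTO = 1 s, then backs off to 2 s, 4 s.
    print(rto_sequence([0.10, 0.12, 0.09], timeouts_after=2))   # [1.0, 1.0, 1.0, 2.0, 4.0]
    # Constructed long-haul RTT of 0.5 s: SRTT + 4*RTTVAR = 1.5 s exceeds minRTO.
    print(rto_sequence([0.5]))                                 # [1.5]
```

  The first run shows why the slide says "usually RTO = minRTO": for RTTs of around 100 ms the smoothed estimate plus four times its variance is far below one second, so the lower bound decides the timer, and two consecutive timeouts give 2 s and 4 s. Only a flow whose RTT is large enough (the 0.5 s case) gets an RTO that actually depends on its own measurements.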

  6. What is next? Formal Description of Low-rate TCP Attack

  7. Formal Description
  • Mathematical description of the attack stream (parameters T, S, l, R, N):
    • T: attack period
    • l: length of burst
    • R: rate of burst
    • N: background noise
    • S: time shift

  8. Low-rate DoS Traffic Pattern
  The periodic burst may have different patterns:
  • Simple square wave (Kuzmanovic & Knightly, SIGCOMM 03)
  • Step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM 03)
  • General peaks with background noise

  9. Low-rate DoS Traffic Pattern
  • Attack traffic does not necessarily keep its original shape by the time it reaches the victim router.
  • Attack traffic may differ from one period to the next, so T, l and R may vary.
  We need a ROBUST method to identify all possible forms of the attack.

  10. Low-rate DoS Traffic Pattern
  • Small burst combination
  • Multiple distributed attack sources
  • Long period combination

  11. What is next? Distributed Dynamic Detection

  12. Dynamic Detection • Overall Idea of Dynamic Detection

  13. Dynamic Detection
  • Traffic signature detection
    • Small average throughput, so a throughput-based IDS does not see the attack (✗)
    • No signature in the packets, so "per packet" approaches do not apply (✗)
    • Extract the essential signature of the attack traffic instead (✓)

  14. Algorithm of Detection: sample the traffic → filter the noise → extract the signature → pattern match
  • Sample the traffic
    • Sample the throughput of the link interface at a constant rate (the rate should be frequent enough, but must not overburden the system)
    • Each detection run consists of a sequence of sampled throughput values (the length of the sequence should also be properly adjusted)
  • Filter the noise
    • The background noise in the samples needs to be filtered (UDP flows and other TCP flows that are less sensitive to the attack)
    • For simplicity, a threshold filter can be used.
    • Normalization is necessary.
  • Extract the signature
    • Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input produces a special pattern in its autocorrelation. Autocorrelation also masks differences in the time shift S.
    • Unbiased normalization is used, with M the length of the input sequence and m the index (lag) of the autocorrelation.
  • Pattern match
    • The similarity between the template and the input is calculated with Dynamic Time Warping (DTW); the detailed DTW algorithm is provided in the paper.
    • The smaller the DTW value, the more similar they are.
    • DTW values cluster, so a threshold can be set to distinguish attack traffic from legitimate traffic.
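  To make the four steps concrete, here is an added example in Python, not the authors' code (the paper's DTW details are not reproduced on the slides), that runs the pipeline on constructed traffic: a throughput series sampled at an assumed 100 samples/s, a threshold filter for the background noise, unbiased autocorrelation with mean removal and r(0) scaling (both choices of this example), and a DTW distance between the signature of an ideal square-burst template and the signatures of (a) a shifted, noisy burst stream with a different period and (b) Gaussian traffic C + Gaussian(0, N) as on slide 16. The sample streams, the template period and burst length, and the threshold values are all constructed for the example.

```python
import math
import random

SAMPLE_RATE = 100  # throughput samples per second (assumed for this example)


def threshold_filter(samples, threshold):
    """Filter the noise: samples below the threshold are treated as background
    (UDP and insensitive TCP flows) and set to zero."""
    return [s if s >= threshold else 0.0 for s in samples]


def normalize(samples):
    """Scale the sequence so its peak is 1, making template and input comparable."""
    peak = max(samples)
    return [s / peak for s in samples] if peak > 0 else list(samples)


def unbiased_autocorrelation(x, max_lag):
    """Unbiased estimate r(m) = 1/(M-m) * sum_n (x[n]-mean)(x[n+m]-mean),
    M = sequence length, m = lag, then scaled so r(0) = 1.  Mean removal and
    the r(0) scaling are choices made for this example."""
    M = len(x)
    mean = sum(x) / M
    xc = [v - mean for v in x]
    r = [sum(xc[n] * xc[n + m] for n in range(M - m)) / (M - m)
         for m in range(max_lag + 1)]
    return [v / r[0] for v in r] if r[0] > 0 else r


def dtw_distance(a, b):
    """Dynamic Time Warping distance with |a_i - b_j| as the local cost."""
    n, m = len(a), len(b)
    prev = [math.inf] * (m + 1)
    prev[0] = 0.0
    for i in range(1, n + 1):
        cur = [math.inf] * (m + 1)
        for j in range(1, m + 1):
            cur[j] = abs(a[i - 1] - b[j - 1]) + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[m]


def signature(samples, noise_threshold, max_lag):
    """Slide-14 pipeline after sampling: filter noise -> normalize -> autocorrelate."""
    return unbiased_autocorrelation(normalize(threshold_filter(samples, noise_threshold)), max_lag)


def square_bursts(n, period, burst, shift, rate, noise, baseline, rng):
    """Constructed burst stream in the slide-7 parameters (all in samples):
    T = period, l = burst, S = shift, R = rate, N = Gaussian noise."""
    return [(rate if (i - shift) % period < burst else baseline) + rng.gauss(0.0, noise)
            for i in range(n)]


def gaussian_traffic(n, mean, sigma, rng):
    """Constructed legitimate traffic, C + Gaussian(0, N) as on slide 16."""
    return [mean + rng.gauss(0.0, sigma) for _ in range(n)]


def demo(seed=7):
    """Returns (DTW to a burst stream, DTW to Gaussian traffic) for one template."""
    rng = random.Random(seed)
    n, max_lag, noise_threshold = 1000, 250, 0.3       # 10 s of samples, lags up to 2.5 s
    template = signature(square_bursts(n, 100, 20, 0, 1.0, 0.0, 0.0, rng),
                         noise_threshold, max_lag)     # ideal T = 1.0 s, l = 0.2 s
    burst_stream = signature(square_bursts(n, 110, 25, 37, 1.0, 0.05, 0.1, rng),
                             noise_threshold, max_lag) # T = 1.1 s, l = 0.25 s, shifted, noisy
    legitimate = signature(gaussian_traffic(n, 0.5, 0.1, rng), noise_threshold, max_lag)
    return dtw_distance(template, burst_stream), dtw_distance(template, legitimate)


if __name__ == "__main__":
    d_burst, d_legit = demo()
    print(f"DTW(template, burst stream) = {d_burst:.1f}")
    print(f"DTW(template, Gaussian)     = {d_legit:.1f}")
```

  The burst stream scores a much smaller DTW distance than the Gaussian stream even though its period, burst length and phase differ from the template, which is the robustness the slides claim for autocorrelation plus DTW. The decision threshold is deliberately not fixed in the code: as slide 14 says, it has to be placed between the clusters of DTW values observed for attack and legitimate traffic in the deployment.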

  15. Robustness of Detection
  • Attack traffic simulations: DTW values for the low-rate attack
  • 4 types of attack traffic: Strictly Periodic Square Burst (SPSB), Random Periodic Square Burst (RPSB), Strictly Periodic General Burst (SPGB), Random Periodic General Burst (RPGB)
  • T, l: uniformly distributed such that l/T ≤ 0.25
  • R: 1 (full bandwidth)
  • N, S: uniformly distributed
  • Around 3000 simulations per type

  16. Robustness of Detection
  • DTW values for legitimate traffic (Gaussian)
  • Legitimate traffic composition
  • Legitimate traffic simulated using a Gaussian model: C + Gaussian(0, N)
  • More than 8000 simulations run

  17. Robustness of Detection
  • Probability distribution of DTW values: attack flows vs. legitimate (Gaussian) flows
  • A separation between them is expected.

  18. Robustness of Detection
  • DTW values for legitimate traffic (self-similar)
  • A more accurate network traffic model (Ethernet traffic, WWW traffic)
  • The FARIMA model is used to generate self-similar traffic
  • Hurst parameter H: [0.75, 0.85]
  • More than 10,000 simulations run

  19. Robustness of Detection
  • Probability distribution of DTW values (self-similar): attack flows vs. self-similar flows
  • Small overlap (around 30)

  20. What is next? Low-rate Attack Defense Mechanism

  21. Defense Mechanism
  • Router deployment
  • Pushback detection: push back to the outermost deployed router (handles a distributed attack)
  • Resource management: Deficit Round Robin (DRR)

  22. Defense Mechanism: Deficit Round Robin (DRR)
  • Classify packets according to the input port [i].
  • deficit_counter[i] = 0 initially
  • In each round: deficit_counter[i] += Quantum[i]
  • If the head packet's size <= deficit_counter[i], serve the packet and set deficit_counter[i] -= packet's size.
  • If there is no packet for port i, deficit_counter[i] = 0.
  Worked example with Quantum[i] = 1000 bytes: queue A holds a 1500-byte packet, queue B holds a 300-byte and a 500-byte packet, queue C holds two 600-byte packets.
  • 1st round
    • A's counter: 1000 (the 1500-byte packet does not fit)
    • B's counter: 200 (served twice)
    • C's counter: 400 (served once)
  • 2nd round
    • A's counter: 500 (served)
    • B's counter: 0
    • C's counter: 800 (served)

  23. Fairness Analysis of DRR Algorithm
  Definitions in the DRR algorithm:
  • Backlogged: a port i is backlogged during an interval (t1, t2) of a DRR execution if the queue for port i is never empty during the interval.
  • Flow share: we assume there is some quantity f_i that expresses the ideal share obtained by port i, with f_i = Quantum[i] / Quantum, where Quantum = Min(Quantum[i]).
  • Sent packets: let sent_i(t1, t2) be the total number of bytes sent on the output port i in the interval (t1, t2).
  • Fairness measurement: let FM(t1, t2) be the maximum of sent_i(t1, t2)/f_i - sent_j(t1, t2)/f_j over all ports i, j that are backlogged in the interval (t1, t2).
  • Now we can define a service discipline to be fair if FM(t1, t2) is bounded by a small constant.

  24. Fairness Analysis of DRR Algorithm
  Lemma 1: For any port i, during the execution of the DRR algorithm, deficit_counter[i] is within the range [0, Max) at the end of each round, where Max is the maximum size of all possible packets: 0 ≤ deficit_counter[i] < Max.
  Proof: Initially deficit_counter[i] = 0. After queue i is serviced in each round:
  1) If there are packet(s) left in the queue for port i, then 0 ≤ deficit_counter[i] < Max (the head packet did not fit, so the counter is smaller than that packet's size).
  2) If no packets are left in the queue, deficit_counter[i] is reset to zero. ■

  25. Fairness Analysis of DRR Algorithm
  Lemma 2: During any period in which port i is backlogged, the number of bytes sent on behalf of port i is roughly equal to m × Quantum[i], specifically bounded as follows:
  m × Quantum[i] - Max ≤ sent_i(t1, t2) ≤ m × Quantum[i] + Max,
  where m is the number of round-robin service rounds received by port i during this interval.
  Proof: Let deficit_counter[i][k] be the value of deficit_counter[i] at the end of k rounds of DRR execution. Let bytes_i(k) be the bytes sent by port i in round k, and let sent_i(k) be the bytes sent by port i from round 1 through k. Thus sent_i(k) = Σ_{j=1}^{k} bytes_i(j). Obviously:
  bytes_i(k) + deficit_counter[i][k] = Quantum[i] + deficit_counter[i][k-1], i.e.
  bytes_i(k) = Quantum[i] + deficit_counter[i][k-1] - deficit_counter[i][k].
  Summing this equation over the m rounds of servicing of port i, we have:
  sent_i(m) = m × Quantum[i] + deficit_counter[i][0] - deficit_counter[i][m].
  Since deficit_counter[i] is always non-negative and upper bounded by Max (Lemma 1), the result follows. ■

  26. Fairness Analysis of DRR Algorithm
  Theorem 1: For an interval (t1, t2) in any execution of the DRR service discipline, FM(t1, t2) ≤ 2 × Max + Quantum, where Quantum = Min(Quantum[i]).
  Proof: Let m be the number of DRR execution rounds given to port i in the interval (t1, t2), and let m' be the number of DRR execution rounds given to port j in the same interval. As each class is serviced in strict round-robin order, |m - m'| ≤ 1.
  From Lemma 2: sent_i(t1, t2) ≤ m × Quantum[i] + Max. Since the ideal share is f_i = Quantum[i] / Quantum, the normalized service received by port i is
  sent_i(t1, t2) / f_i ≤ m × Quantum + Max / f_i. (1)
  Similarly, for port j:
  sent_j(t1, t2) / f_j ≥ m' × Quantum - Max / f_j. (2)
  Thus:
  FM(t1, t2) = sent_i(t1, t2) / f_i - sent_j(t1, t2) / f_j ≤ (m - m') × Quantum + Max / f_i + Max / f_j ≤ Quantum + 2 × Max,
  since f_i, f_j ≥ 1 when Quantum is the minimum quantum. ■
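  As an added example, not the authors' code, the following Python reproduces the DRR rounds walked through on slide 22 and then checks Lemma 2 and Theorem 1 numerically on a constructed scenario in which every port stays backlogged. The counter reset follows the slide-22 numbers, where a port's counter is zeroed when its queue is found empty at its turn (Lemma 1 phrases the same reset as happening right after service; in this arrival-free simulation both give identical byte counts). The queue contents, quanta, packet sizes and round counts are all constructed for the example.

```python
from collections import deque


def drr_round(queues, counters, quantum):
    """One round-robin pass, following the slide-22 rules: a port whose queue is
    empty when its turn comes has its counter reset to zero; otherwise its
    quantum is added and head-of-queue packets are served while they fit."""
    served = []
    for port, q in queues.items():
        if not q:
            counters[port] = 0
            continue
        counters[port] += quantum[port]
        while q and q[0] <= counters[port]:
            size = q.popleft()
            counters[port] -= size
            served.append((port, size))
    return served


def run_drr(queues, quantum, rounds):
    """Run `rounds` DRR rounds; returns [(counters after round, packets served), ...]."""
    counters = {port: 0 for port in queues}
    history = []
    for _ in range(rounds):
        served = drr_round(queues, counters, quantum)
        history.append((dict(counters), served))
    return history


def bytes_sent(history):
    """sent_i over the whole interval, per port (slide 23 definition)."""
    sent = {}
    for _, served in history:
        for port, size in served:
            sent[port] = sent.get(port, 0) + size
    return sent


def fairness_measure(sent, quantum, backlogged):
    """FM = max over backlogged ports i, j of sent_i/f_i - sent_j/f_j,
    with f_i = Quantum[i] / min(Quantum) (slide 23)."""
    q_min = min(quantum.values())
    norm = {p: sent.get(p, 0) / (quantum[p] / q_min) for p in backlogged}
    return max(norm.values()) - min(norm.values())


def slide22_example():
    """Queues as on slide 22 (head of queue first), Quantum[i] = 1000 bytes."""
    queues = {"A": deque([1500]), "B": deque([300, 500]), "C": deque([600, 600])}
    quantum = {"A": 1000, "B": 1000, "C": 1000}
    return run_drr(queues, quantum, rounds=2)


def backlogged_example(rounds=5):
    """Constructed scenario where all three ports stay backlogged for `rounds`
    rounds; returns (sent per port, FM, Theorem 1 bound 2*Max + Quantum)."""
    queues = {"A": deque([1500] * 10), "B": deque([300, 500] * 10), "C": deque([600] * 10)}
    quantum = {"A": 1000, "B": 1000, "C": 1000}
    max_packet = 1500                                   # Max: largest packet in play
    history = run_drr(queues, quantum, rounds)
    sent = bytes_sent(history)
    backlogged = [p for p, q in queues.items() if q]    # never emptied during the interval
    bound = 2 * max_packet + min(quantum.values())
    return sent, fairness_measure(sent, quantum, backlogged), bound


if __name__ == "__main__":
    for k, (counters, served) in enumerate(slide22_example(), start=1):
        print(f"round {k}: counters={counters} served={served}")
    sent, fm, bound = backlogged_example()
    print(f"5 backlogged rounds: sent={sent} FM={fm} <= 2*Max+Quantum={bound}")
```

  The two-round run reproduces the counters on slide 22 (1000/200/400, then 500/0/800). In the five-round run every port is within m × Quantum ± Max = 5000 ± 1500 bytes of its ideal share, as Lemma 2 requires, and the fairness measure stays far below the Theorem 1 bound of 2 × 1500 + 1000 = 4000 bytes even though port A only ever sends packets as large as Max.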

  27. Analysis of DRR Algorithm
  Analytical results for the DRR algorithm:
  • Fairness: using Golestani's fairness definition, the difference in the normalized bytes sent between ports within a given interval (t1, t2) is bounded by a small constant.
  • Implementation cost: the DRR algorithm can be implemented with less work than other scheduling algorithms; in general, the processing cost of DRR is O(1) per packet.
  As a result, DRR not only provides a fair scheduling method but also works at a low implementation cost.

  28. What is next? Fluid Model of TCP Flows

  29. Fluid Model of TCP Flows: Model of TCP on a Droptail Router
  • In a congested Droptail router:
    • N TCP flows go through
    • Droptail queue at the output interface
  • Dropping function (P: drop probability; x_i: length of queue i; Q_i: size of queue i)
  • Behavior of the queue length (C: capacity of the link)

  30. Fluid Model of TCP Flows: Model of TCP on a Droptail Router
  • Throughput of TCP flow i (W_i(t): window size; R_i(t): round trip time)
  • Round trip time (a_i: propagation delay)

  31. Fluid Model of TCP Flows: Model of TCP on a Droptail Router
  • Slow start / congestion avoidance (H_i: threshold)
  • Retransmission timeout, where u(n) is a unit step function and q(W) denotes the probability that a loss is caused by a timeout
  • Finally, the behavior of the TCP window size
  • Overview of TCP Droptail scheduling: numerical result of differential equations (1-9)

  32. Fluid Model of TCP Flows: Model of TCP on a DRR Router
  • Modification based on the Droptail model. A different queue management may cause:
    • a change in the behavior of the queue length
    • a change in the calculation of the round trip time
  • Behavior of the queue length in DRR, where τ_t is the time length of each round
  • Calculation of the round trip time
  • Fluid model of TCP on a DRR router: replace the corresponding two equations in the Droptail model

  33. Fluid Model of TCP Flows: Simulation of the TCP fluid model
  • Attack with a single TCP flow (Droptail router)
  • Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, attack starts 2 s later

  34. Fluid Model of TCP Flows: Simulation of the TCP fluid model
  • Attack with a single TCP flow (DRR router)
  • Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, Quantum = 1 kb, buffer size = 10 kb, attack starts 2 s later

  35. Fluid Model of TCP Flows: Simulation of the TCP fluid model
  • Attack with multiple TCP flows (Droptail router)
  • Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, attack starts 2 s later, propagation delays = 0.1 s, 0.2 s, 0.4 s and 0.8 s

  36. Fluid Model of TCP Flows: Simulation of the TCP fluid model
  • Attack with multiple TCP flows (DRR router)
  • Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, Quantum = 1 kb, buffer size = 10 kb, attack starts 2 s later, propagation delays = 0.1 s, 0.2 s, 0.4 s and 0.8 s

  37. What is next? Defence Experiments

  38. Experiment of Defense Mechanism
  • Single TCP flow vs. single-source attacker
  • Both go through the same router
  • Link capacity 5 Mb/s

  39. Experiment of Defense Mechanism
  • Multiple TCP flows vs. single-source attacker
  • Eight TCP flows
  • Single low-rate attacker
  • All go through the same router
  • Link capacity 5 Mb/s

  40. Experiment of Defense Mechanism
  • Network model of the attack vs. multiple TCP flows
  • 4 TCP flows
  • Single attacker
  • 7-router network
  • R1, R2, R4, R6 may run DRR
  • Link capacity 5 Mb/s

  41. What is next? Related Work & Conclusion

  42. Related Work & Conclusion
  • Related work
    • Another solution to this attack: randomizing the RTO
      • Intuitive solution
      • Requires widespread updates of end-user software
      • May reduce the performance of TCP
    • Reduction of Quality (RoQ) attack
      • A general class of attacks exploiting the transients of adaptation
      • Similar attack form
  • Conclusions
    • A formal model to describe the low-rate TCP attack
    • A distributed detection mechanism using Dynamic Time Warping
    • The pushback mechanism
    • The DRR approach for protection and isolation

  43. Major References
  • HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Defending Against Low-rate TCP Attack: Dynamic Detection and Protection." IEEE International Conference on Network Protocols (ICNP), Berlin, Germany, October 2004.
  • HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Distributed Mechanism in Detecting and Defending Against Low-rate TCP Attack." Computer Networks Journal (Elsevier), July 2005.

  44. Thank you for your attention! Q & A
