
A Poisoning-Resilient TCP Stack


Presentation Transcript


  1. A Poisoning-Resilient TCP Stack
  Amit Mondal, Aleksandar Kuzmanovic
  Northwestern University
  http://networks.cs.northwestern.edu/

  2. Large-scale TCP Poisoning Attack
  • Poison clients instead of servers
  • Counter-DoS solutions at the server cannot protect
  • Simple “see and shoot” strategy enough for this kind of attack
  • Only monitoring capability is enough
  [Figure: attacker A1 monitors flows between clients C1, C2, C3 and the server (a second attacker A2 is also shown); A1 can inject a spoofed packet with an acceptable sequence number and the RST/FIN flag set]

  3. Possible Scenarios
  • Increasing trend of compromising Internet routers [Mızrak et al. DSN’05]
  • A malicious hacker with only monitoring capability can randomly poison TCP connections and avoid detection
  • Music industry against P2P
    • Direct poisoning: corrupt content to frustrate users
    • Poison P2P connections instead of “direct poisoning”
  • Net neutrality
    • ISPs actively resetting flows such as VoIP calls

  4. Why Is TCP Vulnerable to Poisoning Attacks?
  • Visibility of TCP headers in the network
  • TCP end-points behave as “dummy” state machines
    • Easily desynchronized by an outside third party
  • We seek a solution to this problem through DoS-resilient protocol design
    • Upgrade TCP from a “dummy” state machine
    • Implicit authentication of data packets and of the packet stream
  • We are solving a security problem through congestion control

  5. Why Not Stronger Solutions?
  • Explicit monitoring of packet headers is required in the network
    • Advanced congestion control protocols (e.g., RCP, XCP)
    • Intrusion-detection mechanisms
    • Not implemented/used widely
  • Our goal
    • Adopt an alternate approach
    • Solve the problem through DoS-resilient protocol design

  6. Our Approach
  • How to detect the attack?
    • Deferred protocol reaction
  • How to survive the attack?
    • Distinguish packet streams from different sources: forward nonces
    • Identify the valid packet stream: self-clocking-based correlation

  7. How Long to Defer?
  Ideally, the deferring time should be the maximum possible inter-arrival time, so that all attacks are detected.
  The inter-arrival time depends on the burstiness of cross traffic as well as on the round-trip time of the connection.
  Setting the deferring time to 25% of SRTT yields a detection probability above 99%.

  8. Forward Nonces
  [Figure: each packet carries a Past Nonce (PN) and a Future Nonce (FN); the PN of packet i+1 equals the FN of packet i for i, i+1, i+2, …; a second chain labelled “concatenation attack” shows packets spliced into the sequence i+1, i+1, i+2, i, …]
  • Chaining mechanism to distinguish among different packet sources
  • 8-bit random number
  • Overhead 2 bytes/packet
  • Limits the attack space
    • Attacker can only inject a packet w.r.t. a sniffed packet for a meaningful attack
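The nonce chaining described on this slide, as an added illustration rather than code from the paper: every packet carries the previous packet's Future Nonce as its Past Nonce plus a fresh 8-bit Future Nonce (2 bytes total), and the receiver groups incoming packets into chains by matching PN against each chain's last FN. The packet dictionary, the `initial_fn` value (assumed to be agreed during connection setup) and the chain bookkeeping are this example's own assumptions.

```python
import random

NONCE_MASK = 0xFF  # 8-bit nonces as on the slide; PN + FN = 2 bytes of overhead per packet


def encode_nonces(pn, fn):
    """Pack the past/future nonce pair into the 2-byte per-packet field."""
    return bytes([pn & NONCE_MASK, fn & NONCE_MASK])


def decode_nonces(field):
    return field[0], field[1]


class NonceSender:
    """Sender side: each packet carries PN = previous packet's FN and a fresh random FN."""

    def __init__(self, initial_fn, rng=None):
        # initial_fn: assumed to be exchanged at connection setup (not specified on the slide)
        self.prev_fn = initial_fn & NONCE_MASK
        self.rng = rng or random.SystemRandom()

    def send(self, seq, payload):
        fn = self.rng.randrange(NONCE_MASK + 1)
        pkt = {"seq": seq, "nonces": encode_nonces(self.prev_fn, fn), "payload": payload}
        self.prev_fn = fn
        return pkt


class ChainTracker:
    """Receiver side: group packets into chains by matching a packet's PN to a chain's
    last FN. A packet that chains to no known packet starts its own chain, so a blindly
    injected segment cannot merge into the legitimate stream except by guessing the
    8-bit nonce (the 'limits the attack space' point on the slide)."""

    def __init__(self, initial_fn):
        self.chains = [{"tail_fn": initial_fn & NONCE_MASK, "pkts": []}]

    def receive(self, pkt):
        """Append pkt to the chain it continues and return that chain's index."""
        pn, fn = decode_nonces(pkt["nonces"])
        for idx, chain in enumerate(self.chains):
            if chain["tail_fn"] == pn:
                chain["pkts"].append(pkt)
                chain["tail_fn"] = fn
                return idx
        # No chain ends with this PN: keep the packet apart from the legitimate stream
        self.chains.append({"tail_fn": fn, "pkts": [pkt]})
        return len(self.chains) - 1
```

Which chain is the real one is not decided here; that is the job of the self-clocking correlation on the next slide.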

  9. Self-Clocking-Based Correlation
  Idea: exploit the strong correlation between packet inter-departure and inter-arrival times at an endpoint.
  [Figure: timing diagram between client and server; ACK_i, ACK_i+1, ACK_i+2, ACK_i+3 leave the client with inter-departure samples IDT_i, IDT_i+1, IDT_i+2; DATA_i, DATA_i+1, DATA_i+2, DATA_i+3 arrive with inter-arrival samples IAT_i, IAT_i+1, IAT_i+2]
  Infer the legitimate flow based on σ.
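An added example of the correlation idea on this slide, not code from the paper: the slide does not define σ, so this example assumes it is the population standard deviation of IAT_k − IDT_k over the overlapping samples, and picks the candidate data stream with the smallest σ as the one clocked by the endpoint's own ACKs. The timestamps are constructed sample data.

```python
import statistics


def intervals(timestamps):
    """Consecutive gaps of a timestamp series (ms): IDT for ACK departures, IAT for data arrivals."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def clock_deviation(ack_departures, data_arrivals):
    """Assumed sigma: population std-dev of (IAT_k - IDT_k) over the overlapping samples.
    Data clocked by our own ACKs reproduces the ACK gaps (plus jitter), so sigma stays
    small; packets sent on an injector's own schedule do not, so sigma grows."""
    idt = intervals(ack_departures)
    iat = intervals(data_arrivals)
    n = min(len(idt), len(iat))
    if n < 2:
        return float("inf")  # too few samples to judge; treat the stream as unverified
    return statistics.pstdev([iat[k] - idt[k] for k in range(n)])


def pick_legitimate(ack_departures, candidate_streams):
    """Return (name of the stream with the smallest sigma, all sigma scores)."""
    scores = {name: clock_deviation(ack_departures, ts) for name, ts in candidate_streams.items()}
    return min(scores, key=scores.get), scores


# Constructed sample: client ACK departure times (ms) and two candidate data streams seen
# at the client with a 50 ms RTT; the second stream ignores the ACK clock.
ACK_DEPARTURES = [0.0, 10.0, 22.0, 30.0, 45.0]
CANDIDATES = {
    "server": [50.0, 60.4, 72.1, 80.3, 95.2],
    "injected": [50.0, 57.0, 75.0, 78.0, 100.0],
}

if __name__ == "__main__":
    winner, scores = pick_legitimate(ACK_DEPARTURES, CANDIDATES)
    print(winner, {name: round(sigma, 2) for name, sigma in scores.items()})
```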

  10. Internet Experiment
  Confirms the accuracy of the self-clocking-based detection method.

  11. Experimental Setup
  [Figure: experimental topology with the tapping point marked]

  12. Evaluation (1)
  [Figure panels: variable queuing delay; congested environment]
  Attack detection accuracy remains high for moderately to highly congested network environments.

  13. Evaluation (2)
  [Figure panels with captions:]
  • Utilization remains high even at high attack rate
  • Link utilization drops sharply even at low attack rate
  • Does not go to zero because of the high arrival rate of short flows
  • Link utilization remains high even at very high attack rate with deferred TCP

  14. Incremental Deployability
  [Figure panels: presence of attack; absence of attack]
  • Link utilization increases as the percentage of deferring TCP increases
  • Deferring TCP consumes its fair bandwidth share
  • Regular TCP flows’ service is easily denied
  • Modified AIMD parameters to compensate for the degradation due to deferred reaction
  Deferring TCP flows remain highly resilient during attack and utilize their fair bandwidth share in the absence of attack.

  15. Conclusion
  • Large-scale TCP poisoning attack
    • Next stage of thriving DDoS attacks
    • Stealthy and hard to detect
  • Our approach
    • Raise the bar instead of providing 100% protection
  • Our solution
    • Uses network measurement for implicit authentication
    • Incrementally deployable
    • TCP friendly in the absence of attack
    • Poisoning resilient in the presence of attack

  16. Questions?
