Defending%20Against%20Low-rate%20TCP%20Attack:%20Dynamic%20Detection%20and%20Protection

1
Defending Against Low-rate TCP AttackDynamic
Detection and Protection
David K.Y.Yau CS Dept. Purdue U.

• Haibin Sun John C.S.Lui
• CSE Dept. CUHK

2
Outline

• Introduction to the Low-rate TCP Attack
• Formal Description of Low-rate TCP Attack
• Distributed Detection
• Defense Mechanism
• Conclusion

3
Introduction to the Low-rate TCP Attack

• Common DoS attack

• Consume resources (bandwidth, buffer etc)
• Keep legitimate users away form service
• Large number of machines or agents are involved
• Harmful, but relatively easy to be detected

• Low-rate DoS attack

• Aim to deny the bandwidth of legitimate TCP flows
• Attacker sends the attack stream with low volume
• Exploit the TCP congestion control feature
• Attacker sends a periodic short burst to
  victim/router

4
TCP Retransmission Mechanism

• TCP congestion control

• If under severe network congestion
• Wait until retransmission timeout (RTO)
• Reduce the congestion window double the RTO
  retransmit the packet
• If succeed, enter slow start phase
• else, exponential back off again

• Calculation of RTO

• In RFC 2988
• RTOmax(minRTO,SRTTmax(G,4RTTVAR))
• Usually, RTO minRTO when slow start
• minRTO1 second (recommended in RFC 2988)

5
Low-rate DoS Attack to TCP Flow

• A example of low-rate DoS attack

Avg BW lR/T

• Sufficiently large attack burst
• Packet loss at congested router
• TCP time out retransmit after RTO
• Attack period RTO of TCP flow,
• TCP continually incurs loss achieves zero or
  very low throughput.

6
What is the next?

• Introduction to the low-rate TCP Attack
• Formal Description of Low-rate TCP Attack
• Distributed Detection
• Defense Mechanism
• Conclusion

7
Formal Description

• Mathematical Description

• T Attack period
• l Length of attack burst
• R Rate of attack burst
• N Background noise
• S Time shift

8
Low-rate DoS Traffic Pattern

• The periodic burst may have different patterns

• Simple Square wave (Kuzmanovic Knightly in
  Sigcomm 03)

• Attack traffic is not easy to remain the same as
  the original at the victim router.
• Attack traffic between different period may not
  be the same, thus T, l, R may vary.
• We need a ROBUST method to identify attack

• Step-like double rate stream (Kuzmanovic
  Knightly in Sigcomm 03)

• General peaks with background noise

9
Low-rate DoS Traffic Pattern

• Multiple distributed attack sources

• Small Burst combination

• Long Period combination

10
What is the next?

• Introduction to the low-rate TCP Attack
• Formal Description of Low-rate TCP Attack
• Distributed Detection
• Defense Mechanism
• Conclusion

11
Distributed Detection

• Overall Idea of Distributed Detection

12
Distributed Detection

• Traffic signature Detection

• Small average throughput gt Throughput based IDS
• No signature in packet gt per packet
  approaches
• Extract the essential signature of attack traffic

X
X
v
13
Algorithm of Detection
Pattern match
Pattern match
Extract the signature
Extract the signature
Filter the noise
Filter the noise
Samplethe traffic
Samplethe traffic

• Similarity between the template and input should
  be calculated.
• We use the Dynamic Time Warping (DTW).
• (The detail algorithm of DTW is provided in
  the paper)
• The smaller the DTW value, the more similar they
  are.
• DTW values will be clustered threshold can be
  set to distinguish them.

• Autocorrelation is adopted to extract the
  periodic signature of input signal.periodic
  input gt special pattern of its
  autocorrelation.(Autocorrelation can also mask
  the difference of time shift S)
• Unbiased normalizationM length of input
  sequencem index of autocorrelation

• The background noise of samples need to be
  filtered
• Background noise(UDP flows and other TCP flows
  that less sensitive to attack)
• For simplicity, a threshold filter can be used.

• Sample recent instantaneous throughput at a
  constant rate(The rate should be frequent enough
  but not over burden system)
• Each time of detection consists of a sequence of
  instantaneous throughput(The length of sequence
  should also be properly adjusted)
• Normalization is necessary

Demo in Matlab
14
Robustness of Detection

• Attack traffic simulations

• DTW values for low-rate attack

• Square, step, general peaks
• T ,l Uniformly distributed
• s.t. l /Tlt0.25
• R 1 (full bandwidth)
• N,S Uniformly distributed
• 1000 simulations /type

DTW Value of Low-rate TCP Attack DTW Value of Low-rate TCP Attack DTW Value of Low-rate TCP Attack DTW Value of Low-rate TCP Attack
Square General Peaks Step
Max 39.48 29.89 57.10
Min 0.25 0.22 0.49
Mean 5.73 5.11 7.97
Stdv 6.93 4.61 11.39
15
Robustness of Detection

• DTW values for Legitimate traffic

• Legitimate traffic composition.
• Legitimate traffic simulation C
  Gaussian(0, N)
• Run simulation 100 times for each C
• Large DTW value for legitimated traffic

Max 286.60
Min 62.51
Mean 205.24
Stdv 66.63
16
Robustness of Detection

• Probability distribution of DTW values

• Attack flows V.S. legitimate flows
• Expect a separation between them.

17
What is the next?

• Introduction to the low-rate DoS Attack
• Formal Description of Low-rate TCP Attack
• Distributed Detection
• Defense Mechanism
• Conclusion

18
Defense Mechanism

• Router deployment

• Pushback detection
• Pushback to deployed router
• distributed attack
• Deficit round robin (DRR)

Resource Management
19
Defense Mechanism

• Deficit Round Robin (DRR)

• 1st Round
• As count 1000
• Bs count 200 (served twice)
• Cs count 400

• Classify packets according to the input port i.
• deficit_counteri Quantum
• If packets sizelt deficit_counteri , serve the
  packet
• deficit_counteri -packets size.
• If no packeti, deficit_counteri 0.

• 2nd Round
• As count 500 (served)
• Bs count 0
• Cs count 800 (served)

20
Experiment of Defense Mechanism

• Multiple TCP flows vs. single source attacker

Drop Tail Drop Tail DRR DRR
Throughput (Kbps) of link capacity Throughput (Kbps) of link capacity
Attack 928.76 18.58 343.09 6.86
TCP1 8.71 0.17 965.91 19.32
TCP2 210.77 4.22 645.79 12.92
TCP3 4.75 0.10 629.15 12.58
TCP4 11.09 0.22 618.05 12.36
TCP5 5.54 0.11 468.3 9.37
TCP6 267.82 5.36 356.57 7.13
TCP7 72.11 1.44 293.97 5.88
TCP8 3.17 0.06 194.93 3.90
TCP Sum 583.96 11.68 4172.67 83.45

• Eight TCP flows
• Single low-rate attacker
• Go through the same router
• Link Capacity 5Mbps

21
Experiment of Defense Mechanism

• Network model of attack vs. Multiple TCP flows

Drop Tail DRR on R6 DRR on R6,R4 DRR on R6,R4,R2 DRR on R6,R4,R2,R1
?(Kbps) ?(Kbps) ?(Kbps) ?(Kbps) ?(Kbps)
Attack 640.00 561.00 453.00 419.00 404.00
TCP1 386.00 358.00 311.00 314.00 778.00
TCP2 264.00 329.00 282.00 874.00 763.00
TCP3 324.00 251.00 1245.00 924.00 788.00
TCP4 425.00 1719.00 1154.00 966.00 765.00
Total TCP 1399.00 2657.00 2992.00 3078.00 3094.00

• 4 TCP flows
• Single attacker
• 7 routers network
• R1,R2,R4,R6 may run DRR
• Link capacity 5 Mb

22
What is the next?

• Introduction to the low-rate TCP Attack
• Formal Description of Low-rate TCP Attack
• Distributed Detection
• Defense Mechanism
• Conclusion

23
Conclusion

• Conclusions

• Formal model to describe low-rate TCP attack.
• Distributed detection mechanism using
  
  Dynamic Time Wrapping
• The push back mechanism
• DRR approach protection and isolation