1
SIGCOMM'03: Low-Rate TCP-Targeted Denial of
Service Attacks
  • A. Kuzmanovic and E. W. Knightly
  • Rice University
  • Reviewed by Haoyu Song
  • 9/25/2003

2
Denial of Service Attack
  • Preventing or degrading service to legitimate
    users.
  • TCP SYN Attack
  • ICMP directed broadcasts
  • Target:
      • Network bandwidth
      • Server/router CPU cycles
      • Interrupt processing capacity
      • Operating system/protocol data structure

3
DoS Attack Common Characteristics
  • Exploits the bugs or features of the operating
    system or inherent limitations of the networking
  • Involves a large number of compromised computers
  • High-rate traffic toward victim node
  • Can be detected, traced back, mitigated or
    cleared.
  • Firewall, Intrusion Detect Device, Operating
    System Patches.

4
Low-Rate DoS Attack
  • Exploits the vulnerability of TCP's
    congestion control algorithm
  • The rate is so low that it is hard to
    detect
  • Degrades the victim's throughput significantly
  • Not easy to fix.

5
Layout of the Paper
  • Background: TCP's Timeout Mechanism
  • DoS Modeling
  • Extensive Simulation and Experiments
  • Counter-DoS Techniques
  • Conclusion

6
TCP Retransmission Timeout Mechanism
  • If fewer than 3 duplicate ACKs are received before
    RTO expires:
      • Shrink the congestion window to 1 packet (slow
        start).
      • Set the new RTO to 2 × RTO (exponential backoff).
      • Retransmit the lost packet.
  • RTO selection is a tradeoff:
      • Spurious timeouts and extraneous retransmissions
        if too small.
      • Too slow to recover from congestion if too large.

7
RTO Estimation
  • SRTT: smoothed round trip time
  • RTTVAR: round trip time variation
  • R: RTT sample
  • minRTO: lower bound for RTO, 1 second
  • G: clock granularity
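
The estimator these variables belong to, as an added example (not code from the paper or the slides): it follows the standard TCP RTO computation of RFC 6298 and shows why flows with very different RTTs all end up with the same RTO once the minRTO clamp applies. The 10 ms clock granularity, the 60 s backoff cap and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ALPHA, BETA, K = 1 / 8, 1 / 4, 4   # RFC 6298 smoothing gains and variance multiplier


@dataclass
class RtoEstimator:
    min_rto: float = 1.0           # minRTO: lower bound for RTO (1 second on the slide)
    g: float = 0.01                # G: clock granularity (assumed 10 ms)
    max_rto: float = 60.0          # assumed cap for exponential backoff
    srtt: Optional[float] = None   # SRTT: smoothed round trip time
    rttvar: float = 0.0            # RTTVAR: round trip time variation
    rto: float = 1.0               # value used before the first sample

    def on_sample(self, r: float) -> float:
        """Feed one RTT sample R (seconds) and return the new RTO."""
        if self.srtt is None:                      # first measurement
            self.srtt, self.rttvar = r, r / 2
        else:                                      # RTTVAR is updated before SRTT
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r
        self.rto = max(self.min_rto, self.srtt + max(self.g, K * self.rttvar))
        return self.rto

    def on_timeout(self) -> float:
        """Retransmission timer expired: double the RTO (exponential backoff)."""
        self.rto = min(2 * self.rto, self.max_rto)
        return self.rto


def steady_state_rto(rtt: float, samples: int = 50, **kwargs) -> float:
    """RTO after `samples` identical RTT measurements of `rtt` seconds."""
    est = RtoEstimator(**kwargs)
    for _ in range(samples):
        est.on_sample(rtt)
    return est.rto


if __name__ == "__main__":
    # RTT range of the homogeneous-RTT simulation: 12 ms to 132 ms.
    for rtt in (0.012, 0.052, 0.092, 0.132):
        clamped = steady_state_rto(rtt)
        unclamped = steady_state_rto(rtt, min_rto=0.0)
        print(f"RTT {rtt * 1000:5.0f} ms  RTO {clamped:.3f} s  without minRTO {unclamped:.3f} s")
```

Every flow in that RTT range reports an RTO of exactly 1 s, which is the minRTO homogeneity the rest of the talk builds on.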

8
The Idea of Low-rate DoS Attack
  • What to do:
      • Provoke a TCP flow to repeatedly enter a
        retransmission timeout state
      • Throttle the TCP throughput to near-zero
  • How to do it:
      • Send high-rate, RTT-scale short-duration
        bursts, repeated periodically at an RTO-scale
        period.
      • The low average rate is hard to detect

9
DoS Modeling

10
DoS TCP Throughput
  • Two null points: T = minRTO/2 and T = minRTO

11
In Practice
  • Periodic DoS attacks do not utilize TCP's
    exponential backoff mechanism but rather exploit
    repeated timeouts.
  • If only a subset of TCP flows satisfies the
    conditions, only that subset obtains the degraded
    throughput (flow filtering)

12
Creating DoS Outages
  • Minimize the rate of DoS stream

13
Impact on Long-lived Homogeneous-RTT TCP Traffic
  • 1.5Mb/s link
  • One way propagation delay 6ms
  • RTT varies from 12ms to 132 ms
  • DoS traffic: 1.5 Mb/s peak rate, 100 ms burst and
    50-byte packets
  • Simulation with 5 TCP flows

14
Impact on Long-lived Heterogeneous-RTT TCP Traffic
  • 20 TCP flows
  • 10 Mb/s link
  • RTT varies from 29 to 460 ms
  • DoS burst traffic 10Mb/s, 100ms burst and 1.1sec
    period

15
DoS Burst Length
  • High-RTT-pass filter
  • As the burst length increases, more TCP flows are
    filtered, so the aggregate TCP throughput
    decreases.

16
DoS Peak Rate
  • Background traffic potentially lowers the DoS peak
    rate while maintaining an effective attack
  • Scenario: 1 DoS flow and 4 TCP flows; 3 TCP flows
    with long RTT serve as the background traffic
  • Relatively low peak rates are sufficient to
    filter the short-RTT flow

17
Impact on HTTP Traffic
  • HTTP traffic is more dynamic
  • Has more impact under heavy load
  • Has more impact on large file sizes
  • Some flows benefit from the attack by avoiding the
    outages.

18
DoS on TCP Variants
  • Effective attacks depend on the ability to create
    correlated packet loss and force TCP flows to
    enter retransmission timeout.

19
Internet Experiments
  • Intra-LAN
  • Inter-LAN
  • WAN

20
Intra-LAN Scenario
  • 10Mb/s Ethernet
  • Attacker 10Mb/s peak rate, 200ms burst length.
  • Null frequency 1.2 sec.
  • DoS average rate 1.67 Mb/s if period is 1.2 sec.
  • TCP flow throughput drops from 6.6 Mb/s to 780
    kb/s

21
Inter-LAN Scenario
  • Attacker and TCP sender are on different 100Mb/s
    Ethernet
  • Attacked host is on a 10 Mb/s Ethernet
  • DoS peak rate 10Mb/s, burst duration 100ms
  • Null frequency 1.1 sec
  • At this time scale, DoS average rate is 909Kb/s
  • TCP flow throughput drops from 9.8Mb/s to 800 kb/s

22
WAN Scenario
  • DoS source is 8 hops away, 10Mb/s peak rate and
    100ms burst duration.
  • T = 1.1 sec; TCP throughput drops to 909 Kb/s from
    9.8 Mb/s

23
Router-Assisted Counter-DoS
  • Consider only dropping algorithms rather than
    scheduling
  • RED and RED-PD

24
Router-Assisted Counter-DoS (cont.)
  • Vary the DoS peak rate or burst length
  • 9 TCP SACK flows
  • Bottleneck Rate 1.5 Mb/s

25
End-point minRTO Randomization Counter-DoS
  • Fact: low-rate attacks exploit minRTO homogeneity
  • Remedy: randomize end systems' minRTO to randomize
    their null frequencies
  • Experiment: minRTO = uniform(a,b)
  • Result: the longest most vulnerable timescale
    becomes T = b
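
A way to check the stated result numerically, as an added example (not from the paper or the slides): it compares a population of flows with a fixed 1 s minRTO against one with minRTO drawn from uniform(a, b). It assumes an idealized model in which a flow times out at each outage, resumes minRTO later and uses the full link until the next outage; a = 1.0, b = 1.5, the 2000-flow population and the period grid are constructed sample values.

```python
import math
import random


def throughput_fraction(min_rto, period):
    """Share of link time a flow can use when outages recur every `period` s.

    Idealized assumption: the flow times out at an outage, resumes min_rto
    seconds later and sends until the next outage arrives.
    """
    next_outage = math.ceil(min_rto / period) * period
    return (next_outage - min_rto) / next_outage


def aggregate(period, min_rtos):
    """Mean throughput fraction over a population of flows."""
    return sum(throughput_fraction(m, period) for m in min_rtos) / len(min_rtos)


def longest_vulnerable_period(min_rtos, periods, tol=0.01):
    """Largest period whose aggregate throughput is within `tol` of the minimum."""
    floor = min(aggregate(t, min_rtos) for t in periods)
    return max(t for t in periods if aggregate(t, min_rtos) <= floor + tol)


PERIODS = [round(0.5 + 0.05 * i, 2) for i in range(41)]   # 0.50 s .. 2.50 s


def evaluate(a=1.0, b=1.5, flows=2000, seed=7):
    rng = random.Random(seed)                    # seeded so the run is repeatable
    fixed = [1.0] * flows                        # every end system uses minRTO = 1 s
    randomized = [rng.uniform(a, b) for _ in range(flows)]
    return {
        "fixed_at_1s": aggregate(1.0, fixed),
        "randomized_at_1s": aggregate(1.0, randomized),
        "randomized_at_b": aggregate(b, randomized),
        "fixed_longest": longest_vulnerable_period(fixed, PERIODS),
        "randomized_longest": longest_vulnerable_period(randomized, PERIODS),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.3f}")
```

With a fixed minRTO the aggregate falls to zero at T = 1 s; with randomization it stays well above zero there, and the weakest long timescale moves to T = b, where the model leaves roughly (b - a) / 2b of the throughput.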

26
Conclusion
  • This attack can work against both short- and
    long-lived TCP flows.
  • In a heterogeneous-RTT environment, it proves to be
    a high-RTT-pass filter.
  • No effective way to defend the system in the
    presence of this low-rate DoS attack.