A Poisoning-Resilient TCP Stack
Amit Mondal
Aleksandar Kuzmanovic
Northwestern University
http://networks.cs.northwestern.edu/
2 A. Mondal A Poisoning-Resilient TCP Stack
Large-scale TCP Poisoning Attack
• Poison clients instead of servers
  – Counter-DoS solutions at the server cannot protect them
• A simple “see and shoot” strategy is enough for this kind of attack
[Figure: clients C1, C2, C3 and attackers A1, A2 located in the network between the clients and the Server]
• A1 monitors flows in the network
• A1 can inject a spoofed packet with an acceptable sequence number and the RST/FIN flag set
• Only monitoring capability is enough
Possible Scenarios
• Increasing trend of compromising Internet routers [Mızrak et al. DSN’05]
  – A malicious hacker with only monitoring capability can randomly poison TCP connections and avoid detection
• Music industry against P2P
  – Direct poisoning
    • Corrupt content to frustrate users
  – Poison P2P connections instead of “direct poisoning”
• Net neutrality
  – ISPs actively resetting flows such as VoIP calls, etc.
Why Is TCP Vulnerable to Poisoning Attacks?
• Visibility of TCP headers in the network
• TCP end-points behave as “dummy” state machines
  – Easily desynchronized by an outside third party
• We seek a solution to this problem through DoS-resilient protocol design
  – Upgrade TCP from a “dummy” state machine
  – Implicit authentication of data packets and of the packet stream
• We are solving a security problem through congestion control
Why Not Stronger Solutions?
• Explicit monitoring of packet headers is required in the network
  – Advanced congestion control protocols (e.g., RCP, XCP)
  – Intrusion-detection mechanisms
• Not implemented/used widely
• Our goal
  – Adopt an alternate approach
  – Solve the problem through DoS-resilient protocol design
Our Approach
• How to detect the attack?
  – Deferred protocol reaction
• How to survive the attack?
  – Distinguish packet streams from different sources
    • Forward nonces
  – Identify the valid packet stream
    • Self-clocking-based correlation
How Long to Defer?
• Setting the deferring time to 25% of SRTT yields a detection probability above 99%
• Ideally, the deferring time should be the maximum possible inter-arrival time, to detect all attacks
• The inter-arrival time depends upon the burstiness of cross traffic as well as the round-trip time of the connection
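The deferred-reaction mechanism from this slide and the preceding “Our Approach” slide, as an added Python illustration (example code written for this page, not the authors' kernel implementation): an endpoint that receives a RST does not tear the connection down at once but waits 25% of SRTT; a legitimate packet arriving inside that window shows that two sources are competing for the same connection, so the RST is discarded. The `DATA`/`RST` packet kinds, the state machine and the inter-arrival samples are constructed assumptions; the second function applies the slide's reasoning that a RST injected right after a sniffed packet (the “see and shoot” strategy) is caught only if the next legitimate packet arrives within the deferral window.

```python
# Added illustration (not the authors' code): a receiver that defers its
# reaction to a connection-terminating packet and treats a legitimate in-flow
# packet arriving inside the deferral window as evidence of a conflict.


class DeferredReactionEndpoint:
    """Minimal model of a TCP endpoint with deferred reaction to RST/FIN."""

    def __init__(self, srtt, defer_fraction=0.25):
        self.srtt = srtt                            # smoothed RTT in seconds
        self.defer_window = defer_fraction * srtt   # 25% of SRTT, per the slide
        self.pending_rst_at = None                  # arrival time of a deferred RST
        self.state = "ESTABLISHED"
        self.detected_attacks = 0

    def _expire_deferral(self, now):
        # A deferred RST that nothing contradicted within the window takes effect.
        if self.pending_rst_at is not None and now - self.pending_rst_at > self.defer_window:
            self.state = "CLOSED"
            self.pending_rst_at = None

    def on_packet(self, now, kind):
        """Handle a packet of kind 'DATA' or 'RST' arriving at time `now` (seconds)."""
        self._expire_deferral(now)
        if self.state != "ESTABLISHED":
            return self.state
        if kind == "RST":
            if self.pending_rst_at is None:
                self.pending_rst_at = now   # defer instead of tearing down at once
        elif kind == "DATA" and self.pending_rst_at is not None:
            # The peer is still sending valid data, so the RST came from a third
            # party competing for the same connection: discard it.
            self.detected_attacks += 1
            self.pending_rst_at = None
        return self.state


def see_and_shoot_detection_rate(srtt, inter_arrivals, defer_fraction=0.25):
    """Fraction of 'see and shoot' injections caught.

    An attacker who injects a RST right after sniffing packet k is caught
    iff packet k+1 arrives within the deferral window, i.e. gap_k <= window.
    `inter_arrivals` are the flow's observed gaps in seconds (constructed here).
    """
    window = defer_fraction * srtt
    caught = sum(1 for gap in inter_arrivals if gap <= window)
    return caught / len(inter_arrivals)


def run_scenario():
    """Constructed trace: a 100 ms SRTT gives a 25 ms deferral window."""
    ep = DeferredReactionEndpoint(srtt=0.100)
    ep.on_packet(0.000, "DATA")
    ep.on_packet(0.005, "RST")    # injected right after the attacker saw a packet
    ep.on_packet(0.012, "DATA")   # legitimate packet 7 ms later: conflict, RST dropped
    after_first = (ep.state, ep.detected_attacks)
    ep.on_packet(0.050, "RST")    # a RST that nothing contradicts ...
    ep.on_packet(0.090, "DATA")   # ... next packet arrives after the window: already closed
    after_second = (ep.state, ep.detected_attacks)
    return after_first, after_second


if __name__ == "__main__":
    print(run_scenario())
    # Constructed inter-arrival samples (seconds) for a flow with 100 ms SRTT
    gaps = [0.003, 0.010, 0.020, 0.024, 0.030, 0.004, 0.001, 0.060, 0.050, 0.015]
    print(see_and_shoot_detection_rate(0.100, gaps))
```

Run stand-alone, the trace ends with the first RST discarded and the second one applied, and the constructed gaps give a detection rate of 0.7; the slide's 99% figure comes from the authors' measured inter-arrival distributions, which this example does not reproduce. The trade-off the slide describes is visible in the model: a longer window catches slower flows but also delays every legitimate teardown by that much.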
Forward Nonces
• Chaining mechanism to distinguish among different packet sources
  – 8-bit random number
  – Overhead: 2 bytes/packet
• Limits the attack space
  – The attacker can only inject a packet w.r.t. a sniffed packet for a meaningful attack
[Figure: a packet chain in which every packet carries a Past Nonce (PN) and a Future Nonce (FN), with consecutive packets labelled i, i+1, i+2; a second row labelled “Concatenation attack” shows the sequence i, i+1, i+1, i+2, with an injected packet spliced into the chain]
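The forward-nonce chaining on this slide, as an added Python example (written for this page, not the authors' implementation): each packet carries a one-byte Past Nonce (PN) equal to the previous packet's Future Nonce (FN) plus a fresh FN, so a receiver can group arriving packets into chains and notice when two packets both continue from the same sniffed packet. The packet layout as a dict, the pre-chosen nonce values (used instead of a random source so the trace is reproducible), and the two attacker packets are constructed assumptions.

```python
# Added illustration (not the authors' code): forward nonces that chain
# consecutive packets from one source, so a receiver can separate the packet
# streams of different senders.

NONCE_BITS = 8   # one-byte nonces; PN + FN cost 2 bytes per packet


class NonceSender:
    """Stamps each packet with a Past Nonce (PN) and a fresh Future Nonce (FN).

    `next_nonce` is any callable returning an integer; a real stack would draw
    it from a CSPRNG, the demo below passes pre-chosen values.
    """

    def __init__(self, next_nonce):
        self.next_nonce = next_nonce
        self.last_fn = None

    def send(self, seq):
        fn = self.next_nonce() & ((1 << NONCE_BITS) - 1)
        pkt = {"seq": seq, "pn": self.last_fn, "fn": fn, "spoofed": False}
        self.last_fn = fn   # the next packet's PN repeats this FN
        return pkt


class NonceReceiver:
    """Groups arriving packets into chains by matching PN against earlier FNs."""

    def __init__(self):
        self.streams = []   # each stream is a list of packets in arrival order
        self.forks = []     # (stream index, packet index) where a second chain branched off

    def receive(self, pkt):
        # 1. The packet continues the tip of an existing chain.
        for stream in self.streams:
            if stream[-1]["fn"] == pkt["pn"]:
                stream.append(pkt)
                return
        # 2. It chains from an older packet that was already continued: a second
        #    source is extending the same sniffed packet, so the chain forks.
        for idx, stream in enumerate(self.streams):
            for k in range(len(stream) - 2, -1, -1):
                if stream[k]["fn"] == pkt["pn"]:
                    self.streams.append(stream[: k + 1] + [pkt])
                    self.forks.append((idx, k))
                    return
        # 3. Nothing to chain to: the first packet of a flow, or a blind
        #    injection whose guessed PN matched no sniffed FN.
        self.streams.append([pkt])

    def summary(self):
        return {
            "streams": [[p["seq"] for p in s] for s in self.streams],
            "spoofed_in": [any(p["spoofed"] for p in s) for s in self.streams],
            "forks": self.forks,
        }


def injection_scenario():
    """Constructed trace: five legitimate packets, one sniff-based spoof, one blind spoof."""
    nonces = iter([0x5A, 0x13, 0xC7, 0x2E, 0x91])   # pre-chosen for reproducibility
    sender = NonceSender(lambda: next(nonces))
    legit = [sender.send(seq) for seq in range(5)]
    # An attacker that sniffed legit[2] chains a forged packet from its FN.
    spoof = {"seq": 3, "pn": legit[2]["fn"], "fn": 0x44, "spoofed": True}
    # A blind injector that never saw the flow guesses a PN (0x00 matches nothing here).
    blind = {"seq": 9, "pn": 0x00, "fn": 0x77, "spoofed": True}
    rx = NonceReceiver()
    for pkt in legit[:3] + [spoof] + legit[3:] + [blind]:
        rx.receive(pkt)
    return rx.summary()


if __name__ == "__main__":
    print(injection_scenario())
```

The receiver ends up with three chains: the sniffed-and-forged one, the legitimate one, and a one-packet chain for the blind injection, with a fork recorded at the packet the attacker copied. Which of the two forked chains is the real sender cannot be decided from the nonces alone; that is the job of the self-clocking correlation on the next slide. With 8-bit nonces a blind guess still matches an existing FN with probability 1/256 per attempt, which is why the slide describes the mechanism as limiting the attack space rather than closing it.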
Self-Clocking-Based Correlation
• Idea: exploit the strong correlation between packet inter-departure and inter-arrival times at an endpoint
[Figure: timing diagram between Server and Client showing DATA_i … DATA_i+3 and ACK_i … ACK_i+3, with inter-departure samples IDT_i, IDT_i+1, IDT_i+2 matched against inter-arrival samples IAT_i, IAT_i+1, IAT_i+2]
• Infer the legitimate flow based on σ
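The self-clocking correlation on this slide, as an added Python example (written for this page, not the authors' code). The slide names σ as the decision statistic without defining it here; this example assumes σ to be the standard deviation of the per-packet difference IAT_k − IDT_k, measured at the client between the departures of its own ACKs and the arrivals of the data those ACKs release, and picks the candidate stream (for instance, one of the two chains a forward-nonce fork produced) with the smallest σ. The timestamps, the one-RTT offset and the threshold are constructed.

```python
# Added illustration (not the authors' code): score candidate packet streams
# by how closely their inter-arrival times follow the endpoint's own ACK clock.
import statistics


def inter_times(timestamps):
    """Gaps between consecutive events of a time-ordered list (any unit)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def clock_deviation(ack_departures, data_arrivals):
    """sigma: population std-dev of IAT_k - IDT_k over the pairable samples.

    Self-clocked data is released by the ACKs, so its inter-arrival times track
    the ACK inter-departure times and sigma stays small; a source that does not
    see (or ignores) the ACK clock yields a larger sigma. (Assumed definition.)
    """
    idt = inter_times(ack_departures)
    iat = inter_times(data_arrivals)
    n = min(len(idt), len(iat))
    if n < 2:
        return float("inf")   # too few samples to judge
    return statistics.pstdev([iat[k] - idt[k] for k in range(n)])


def pick_legitimate_stream(ack_departures, candidate_streams, sigma_threshold):
    """Return (index of the best candidate or None, list of sigmas).

    The best candidate is the one with the smallest sigma; None is returned
    when even that one exceeds the threshold, so no stream is trusted.
    """
    sigmas = [clock_deviation(ack_departures, arrivals) for arrivals in candidate_streams]
    best = min(range(len(sigmas)), key=sigmas.__getitem__)
    return (best if sigmas[best] <= sigma_threshold else None), sigmas


def demo():
    """Constructed timestamps (ms) at the client: ACK departures and two candidate data streams."""
    ack_departures = [0, 10, 21, 29, 42, 50]           # IDT = 10, 11, 8, 13, 8
    legit_arrivals = [40, 50.5, 61, 68.5, 82, 89.5]    # one RTT later, +/-0.5 ms jitter
    injected_arrivals = [40, 45, 50, 55, 60, 65]       # fixed-rate injector, ignores the clock
    return pick_legitimate_stream(
        ack_departures, [legit_arrivals, injected_arrivals], sigma_threshold=1.0
    )


if __name__ == "__main__":
    print(demo())
```

With the constructed samples the legitimate stream scores σ ≈ 0.49 ms and the injected one σ ≈ 1.90 ms, so index 0 is chosen. The threshold is the sensitivity knob: the “Evaluation (1)” slide's point that accuracy holds under congestion corresponds here to the legitimate stream's jitter staying below the threshold even when queuing delay varies.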
Internet Experiment
Confirms the accuracy of self-clocking-based detection method
Experimental Setup
[Figure: experimental setup diagram showing the tapping point]
Evaluation (1)
[Figure panels: variable queuing delay; congested environment]
• Attack detection accuracy remains high for moderately to highly congested network environments
Evaluation (2)
• Link utilization remains high even at a very high attack rate with deferred TCP
[Figure annotations: “Link utilization drops sharply even at a low attack rate”; “Utilization remains high even at a high attack rate”; “Does not go to zero because of the high arrival rate of short flows”]
Incremental Deployability
[Figure panels: presence of attack; absence of attack]
• Deferring TCP flows remain highly resilient during an attack and utilize their fair bandwidth share in the absence of attack
• Modified AIMD parameters to compensate for the degradation due to the deferred reaction
[Figure annotations: “Link utilization increases as the percentage of deferring TCP increases”; “Deferring TCP consumes its fair bandwidth share”; “Regular TCP flows’ service is easily denied”]
Conclusion
• Large-scale TCP poisoning attack
  – Next stage of thriving DDoS attacks
  – Stealthy and hard to detect
• Our approach
  – Raise the bar instead of providing 100% protection
• Our solution
  – Uses network measurement for implicit authentication
  – Incrementally deployable
  – TCP friendly in the absence of attack
  – Poisoning resilient in the presence of attack
Questions?