Page 1: A Poisoning-Resilient TCP Stack

A Poisoning-Resilient TCP Stack

Amit Mondal

Aleksandar Kuzmanovic

Northwestern University

http://networks.cs.northwestern.edu/

Page 2: A Poisoning-Resilient TCP Stack

2 A. Mondal A Poisoning-Resilient TCP Stack

Large-scale TCP Poisoning Attack

Poison clients instead of servers
– Counter-DoS solutions at the server cannot protect the clients

A simple "see and shoot" strategy is enough for this kind of attack

[Figure: clients C1, C2 and C3 connected to a Server; attackers A1 and A2 sit on the paths between them]

A1 monitors flows in the network
A1 can inject a spoofed packet with an acceptable sequence number and the RST/FIN flag set
– Monitoring capability alone is enough: the attacker reads the live sequence numbers off the wire, so the receiver's in-window check on RST segments (and even the stricter exact-match check of RFC 5961) does not stop it

Page 6: A Poisoning-Resilient TCP Stack

Possible Scenarios

Increasing trend of compromising Internet routers [Mızrak et al. DSN'05]
– A malicious hacker with only monitoring capability can randomly poison TCP connections and avoid detection

Music industry against P2P
– Direct poisoning
  • Corrupt content to frustrate users
– Poison P2P connections instead of "direct poisoning"

Net Neutrality
– ISPs actively resetting flows such as VoIP calls

Page 7: A Poisoning-Resilient TCP Stack

Why Is TCP Vulnerable to Poisoning Attacks?

Visibility of TCP headers in the network

TCP end-points behave as "dummy" state machines
– Easily desynchronized by an outside third party

We seek a solution to this problem through DoS-resilient protocol design
– Upgrade TCP from a "dummy" state machine
– Implicit authentication of data packets and of the packet stream

We solve a security problem through congestion control

Page 8: A Poisoning-Resilient TCP Stack

Why Not Stronger Solutions?

Explicit monitoring of packet headers in the network is required by
– Advanced congestion control protocols (e.g., RCP, XCP)
– Intrusion-detection mechanisms

Not implemented/used widely

Our Goal
– Adopt an alternate approach
– Solve the problem through DoS-resilient protocol design

Page 9: A Poisoning-Resilient TCP Stack

Our Approach

How to detect the attack?
– Deferred protocol reaction

How to survive the attack?
– Distinguish packet streams from different sources
  • Forward nonces
– Identify the valid packet stream
  • Self-clocking-based correlation

Page 10: A Poisoning-Resilient TCP Stack

How long to defer?

Setting the deferring time to 25% of SRTT yields a detection probability above 99%

A spoofed reset is caught when the legitimate sender's next packet arrives while the reaction is still deferred, so an attack is missed only if the legitimate inter-arrival gap is longer than the deferring time

Ideally, the deferring time should be the maximum possible inter-arrival time, so that all attacks are detected

The inter-arrival time depends on the burstiness of cross traffic as well as on the round-trip time of the connection
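The deferred protocol reaction and the choice of deferring time, worked through as an added example. This is illustrative code written for this page, not the authors' stack: it assumes a toy receiver that parks a RST carrying exactly the next expected sequence number (the RFC 5961 acceptability rule) and honours it only if no in-sequence data arrives within 25% of SRTT, and it measures detection probability over three constructed arrival patterns (evenly spaced, exponentially jittered, and bursty). All class and function names, SRTT, window and burst parameters are this example's own.

```python
import bisect
import random


class DeferringReceiver:
    """Toy receive side with a deferred reaction to RST (illustration only).

    A plain TCP stack tears the connection down as soon as a RST carrying an
    acceptable sequence number arrives. Here the reaction is parked for `defer`
    seconds (25% of SRTT, as in the slides). If the peer keeps delivering
    in-sequence data during that window, the RST contradicts the peer's own
    behaviour and is classified as spoofed; if nothing arrives, it is honoured.
    """

    def __init__(self, srtt, rcv_nxt=0):
        self.defer = 0.25 * srtt
        self.rcv_nxt = rcv_nxt        # next expected sequence number
        self.pending_rst_at = None    # time at which a RST was parked
        self.state = "ESTABLISHED"
        self.spoofed_resets = 0

    def tick(self, now):
        """Timer check: a parked RST that nothing contradicted is honoured."""
        if self.pending_rst_at is not None and now - self.pending_rst_at >= self.defer:
            self.pending_rst_at = None
            self.state = "CLOSED"
        return self.state

    def on_segment(self, now, seq, length=0, rst=False):
        """Process one incoming segment; returns the connection state afterwards."""
        self.tick(now)
        if self.state != "ESTABLISHED":
            return self.state
        if rst:
            # Acceptability check in the RFC 5961 style: the RST must carry exactly
            # the next expected sequence number. A monitoring attacker reads that
            # number off the wire, so the check alone does not stop the attack.
            if seq == self.rcv_nxt and self.pending_rst_at is None:
                self.pending_rst_at = now
        elif seq == self.rcv_nxt and length > 0:
            self.rcv_nxt += length
            if self.pending_rst_at is not None:
                # The peer is still sending in-sequence data: the parked RST was spoofed.
                self.pending_rst_at = None
                self.spoofed_resets += 1
        return self.state


def demo_deferred_reset(srtt=0.100):
    """Spoofed RST followed by live data is survived; a RST with nothing after it is honoured."""
    rx = DeferringReceiver(srtt, rcv_nxt=1000)
    rx.on_segment(0.010, seq=1000, length=100)     # legitimate data
    rx.on_segment(0.012, seq=1100, rst=True)       # injected RST with the right sequence number
    rx.on_segment(0.020, seq=1100, length=100)     # data keeps flowing -> spoof detected
    survived = rx.state == "ESTABLISHED" and rx.spoofed_resets == 1
    rx.on_segment(0.300, seq=1200, rst=True)       # genuine reset, nothing follows it
    closed = rx.tick(0.400) == "CLOSED"
    return survived, closed


def arrival_schedule(srtt, window, burst_fraction, rtts=50):
    """Constructed arrival times of legitimate data: `window` packets per RTT,
    squeezed into the first `burst_fraction` of each RTT (1.0 = evenly spaced,
    ACK-clocked steady state; small values = bursts followed by idle gaps)."""
    spacing = srtt * burst_fraction / window
    return [r * srtt + k * spacing for r in range(rtts) for k in range(window)]


def jittered_schedule(srtt, window, rtts=100, seed=1):
    """Same mean rate, exponentially distributed gaps (random cross traffic)."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(rtts * window):
        t += rng.expovariate(window / srtt)
        times.append(t)
    return times


def detection_probability(arrivals, defer, samples=10000):
    """Fraction of attack instants (uniform grid over the trace) at which the next
    legitimate packet arrives within `defer`, i.e. the spoofed RST is caught.
    Missed attacks are exactly those injected into a gap longer than `defer`."""
    end = arrivals[-1]
    caught = 0
    for s in range(samples):
        t = end * s / samples
        i = bisect.bisect_right(arrivals, t)
        if i < len(arrivals) and arrivals[i] - t <= defer:
            caught += 1
    return caught / samples


if __name__ == "__main__":
    srtt, window = 0.100, 20
    defer = 0.25 * srtt
    print("deferred receiver (survived, closed):", demo_deferred_reset(srtt))
    print("evenly spaced :", detection_probability(arrival_schedule(srtt, window, 1.0), defer))
    print("jittered      :", detection_probability(jittered_schedule(srtt, window), defer))
    print("bursty (20%)  :", detection_probability(arrival_schedule(srtt, window, 0.2), defer))
```

With 20 packets per RTT, a 25%-of-SRTT deferral covers every gap of the evenly spaced trace and about 99% of the exponentially jittered one, but only roughly 44% of the bursty trace, where the window is sent in one burst and the line then sits idle for most of the RTT. That gap structure is why the slides say the ideal deferring time is the maximum inter-arrival time, and why it depends on cross-traffic burstiness and RTT rather than being a fixed constant.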

Page 11: A Poisoning-Resilient TCP Stack

Forward Nonces

Chaining mechanism to distinguish among different packet sources
– 8-bit random number
– Overhead 2 bytes/packet (a past nonce PN and a future nonce FN)

Limits the attack space
– Attacker can only inject a packet w.r.t. a sniffed packet for a meaningful attack
– A blind forger has to guess the 8-bit past nonce, a 1-in-256 chance per packet

[Figure: nonce chain. Packet i carries (PN_i, FN_i) and packet i+1 carries PN_{i+1} = FN_i, so consecutive packets are linked PN FN | PN FN | PN FN ...]

Concatenation attack
[Figure: the attacker sniffs packet i, learns FN_i, and injects its own packet i+1 that also carries PN = FN_i; the receiver then sees two packets i+1 chained onto packet i, one from each source]
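The nonce chain, the rejection of blind injections and the concatenation attack, as an added example. This is illustrative code written for this page, not the authors' implementation: it assumes an initial past nonce agreed at connection setup, fixed nonce values in the demo so the trace is reproducible (a real sender would draw them from a CSPRNG), and a receiver that forks a second stream when two packets claim the same predecessor. Packet layout, class names and the constructed payloads are this example's own.

```python
import random
from collections import namedtuple

# Past nonce (PN), future nonce (FN) and payload. PN/FN are 8-bit values, so
# the scheme costs 2 bytes per packet.
Packet = namedtuple("Packet", "pn fn payload")


class NonceSender:
    """Each packet carries PN = the FN announced by the previous packet plus a
    fresh FN for the next one. `first_pn` stands in for a nonce agreed at
    connection setup and `nonces` supplies the FN values (a real sender would
    draw them from a CSPRNG); both are assumptions of this example."""

    def __init__(self, first_pn, nonces):
        self.next_pn = first_pn
        self.nonces = iter(nonces)

    def send(self, payload):
        pkt = Packet(self.next_pn, next(self.nonces) & 0xFF, payload)
        self.next_pn = pkt.fn
        return pkt


class NonceReceiver:
    """Groups incoming packets into streams by following the PN -> FN chain.

    PN matches nothing            -> blind injection, dropped.
    PN matches an open chain head -> extends that stream.
    PN equals the PN of a stream's most recent packet -> a second packet claims
    to follow the same predecessor (concatenation attack: someone sniffed that
    predecessor and forged its successor). The packet is kept but forked into
    its own stream, so the two sources stay separable; deciding which one is
    genuine is left to a later step (the slides use self-clocking)."""

    def __init__(self, first_pn):
        self.streams = []                    # stream id -> list of packets
        self.open_heads = {first_pn: None}   # FN a next packet may chain onto -> stream id
        self.stream_last_pn = {}             # stream id -> PN of its most recent packet
        self.rejected = 0

    def _new_stream(self):
        self.streams.append([])
        return len(self.streams) - 1

    def receive(self, pkt):
        """Returns the stream id the packet was assigned to, or None if dropped."""
        if pkt.pn in self.open_heads:
            sid = self.open_heads.pop(pkt.pn)
            if sid is None:                  # first packet of the connection
                sid = self._new_stream()
        elif pkt.pn in self.stream_last_pn.values():
            sid = self._new_stream()         # fork: duplicate claim on a past nonce
        else:
            self.rejected += 1
            return None
        self.streams[sid].append(pkt)
        self.open_heads[pkt.fn] = sid
        self.stream_last_pn[sid] = pkt.pn
        return sid


def concatenation_attack_demo():
    """Attacker sniffs packet 2, learns its FN, and injects its own packet 3 ahead
    of the real one. Nonce values are fixed here so the trace is reproducible."""
    first_pn = 0x5A
    legit = NonceSender(first_pn, [0x11, 0x22, 0x33, 0x44])
    rx = NonceReceiver(first_pn)
    rx.receive(legit.send(b"legit-1"))
    p2 = legit.send(b"legit-2")
    rx.receive(p2)
    attacker = NonceSender(p2.fn, [0xEE, 0xEF])   # chains onto the sniffed FN
    rx.receive(attacker.send(b"evil-3"))          # arrives before the real packet 3
    rx.receive(legit.send(b"legit-3"))            # same PN already claimed -> forked
    rx.receive(attacker.send(b"evil-4"))
    rx.receive(legit.send(b"legit-4"))
    rx.receive(Packet(0x99, 0x98, b"blind"))      # matches nothing -> dropped
    return [[p.payload for p in s] for s in rx.streams], rx.rejected


def blind_injection_rate(trials=2000, seed=7):
    """Acceptance rate for a forger who never saw the flow and guesses PN.
    Each trial uses a fresh receiver that has accepted one legitimate packet,
    so a guess succeeds only by hitting that packet's FN or PN: about 2/256."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        first_pn = rng.randrange(256)
        rx = NonceReceiver(first_pn)
        rx.receive(NonceSender(first_pn, [rng.randrange(256)]).send(b"legit"))
        forged = Packet(rng.randrange(256), rng.randrange(256), b"forged")
        accepted += rx.receive(forged) is not None
    return accepted / trials


if __name__ == "__main__":
    print(concatenation_attack_demo())
    print("blind injection acceptance rate:", blind_injection_rate())
```

After the fork the receiver holds two streams that both claim continuity from packet 2, with the attacker's packets in one and the genuine continuation in the other; the nonces separate the sources but cannot say which is real, which is exactly the gap the self-clocking correlation on the next slide fills. The blind forger, by contrast, gets through only about 2 times in 256, and each success opens a dead-end stream that nothing legitimate ever chains onto.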

Page 12: A Poisoning-Resilient TCP Stack

Self-Clocking-Based Correlation

Idea: exploit the strong correlation between packet inter-departure and inter-arrival times at an endpoint

[Figure: Server–Client timeline. The client sends ACK_i, ACK_{i+1}, ACK_{i+2}, ACK_{i+3} with inter-departure times IDT_i, IDT_{i+1}, IDT_{i+2}; the ACK-clocked server sends DATA_i, DATA_{i+1}, DATA_{i+2}, DATA_{i+3}, which reach the client with inter-arrival times IAT_i, IAT_{i+1}, IAT_{i+2}]

Inter-departure samples vs. inter-arrival samples
– Infer the legitimate flow based on σ: the stream that is clocked by the endpoint's own ACKs reproduces the ACK spacing one RTT later, while an injected stream does not
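The self-clocking correlation, as an added example that is not the authors' code. It constructs a timing trace as the client would see it (its own ACK departures, an ACK-clocked server stream one RTT later with small jitter, and an injected stream sent at the attacker's own pace), computes σ as the standard deviation of IAT_i minus IDT_i for each candidate stream, and picks the stream with the smallest σ. The one-data-segment-per-ACK alignment, the jitter and gap distributions, the RTT and all function names are assumptions of this example; a real stack has to cope with delayed and cumulative ACKs before the samples pair up this neatly.

```python
import math
import random


def simulate_client_view(n=200, rtt=0.050, seed=3):
    """Constructed timing trace as observed at the client (seconds).

    ack_departures : when the client sent ACK_i; the gaps vary with the client's
                     own behaviour (uniform 1..10 ms here).
    legit_arrivals : the server is ACK-clocked, so DATA_i leaves when ACK_i gets
                     there and reaches the client one RTT later, plus a little
                     queueing jitter. Its gaps therefore mirror the ACK gaps.
    attack_arrivals: an injector that only observes the flow sends at its own
                     pace (exponential gaps with the same mean rate) and is not
                     clocked by the client's ACKs at all."""
    rng = random.Random(seed)
    t, ack_departures = 0.0, []
    for _ in range(n):
        t += rng.uniform(0.001, 0.010)
        ack_departures.append(t)
    legit_arrivals = [a + rtt + rng.uniform(-0.0005, 0.0005) for a in ack_departures]
    mean_gap = ack_departures[-1] / n
    t, attack_arrivals = rtt, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        attack_arrivals.append(t)
    return ack_departures, legit_arrivals, attack_arrivals


def gaps(times):
    """Inter-departure / inter-arrival samples from a list of timestamps."""
    return [b - a for a, b in zip(times, times[1:])]


def clock_deviation(idt, iat):
    """σ: standard deviation of (IAT_i - IDT_i) over the paired samples.
    A stream clocked by this endpoint's ACKs reproduces the ACK spacing one RTT
    later, so σ is small; an injected stream's spacing is unrelated, so σ is large."""
    n = min(len(idt), len(iat))
    d = [iat[i] - idt[i] for i in range(n)]
    mean = sum(d) / n
    return math.sqrt(sum((x - mean) ** 2 for x in d) / n)


def pick_legitimate(ack_departures, candidate_streams):
    """Index of the candidate stream whose inter-arrival pattern best matches the
    ACK inter-departure pattern (smallest σ), plus all the σ values."""
    idt = gaps(ack_departures)
    sigmas = [clock_deviation(idt, gaps(stream)) for stream in candidate_streams]
    return min(range(len(sigmas)), key=sigmas.__getitem__), sigmas


if __name__ == "__main__":
    acks, legit, attack = simulate_client_view()
    chosen, sigmas = pick_legitimate(acks, [legit, attack])
    print("sigma legit  = %.2f ms" % (sigmas[0] * 1e3))
    print("sigma attack = %.2f ms" % (sigmas[1] * 1e3))
    print("legitimate stream index:", chosen)
```

With half a millisecond of jitter the legitimate stream's σ stays well under a millisecond, while the injected stream, whose gaps have nothing to do with the client's ACK timing, lands around several milliseconds; the candidate streams fed in here would in practice be the ones the forward-nonce chain separated. The measurement is the implicit authentication: an attacker who can only observe the flow cannot make its packets arrive in step with ACKs it does not control.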

Page 13: A Poisoning-Resilient TCP Stack

Internet Experiment

Confirms the accuracy of the self-clocking-based detection method

Page 14: A Poisoning-Resilient TCP Stack

Experimental Setup

[Figure: experimental topology with the tapping point marked]

Page 15: A Poisoning-Resilient TCP Stack

Evaluation (1)

[Figure: two panels, "Variable queuing delay" and "Congested environment"]

Attack detection accuracy remains high for moderately to highly congested network environments

Page 16: A Poisoning-Resilient TCP Stack

Evaluation (2)

Link utilization remains high even at a very high attack rate with deferred TCP

[Figure: link utilization vs. attack rate. Regular TCP: utilization drops sharply even at a low attack rate. Deferred TCP: utilization remains high even at a high attack rate. Utilization does not go to zero because of the high arrival rate of short flows]

Page 17: A Poisoning-Resilient TCP Stack

Incremental Deployability

[Figure: two panels, "Presence of attack" and "Absence of attack", link utilization vs. the percentage of deferring TCP flows]

Deferring TCP flows remain highly resilient during an attack and utilize their fair bandwidth share in the absence of attack

Modified AIMD parameters compensate for the degradation due to the deferred reaction

Presence of attack
– Link utilization increases as the percentage of deferring TCP increases
– Regular TCP flows' service is easily denied

Absence of attack
– Deferring TCP consumes its fair bandwidth share

Page 18: A Poisoning-Resilient TCP Stack

Conclusion

• Large-scale TCP poisoning attack
  • Next stage of thriving DDoS attacks
  • Stealthy and hard to detect

• Our approach
  • Raise the bar instead of providing 100% protection

• Our solution
  • Uses network measurement for implicit authentication
  • Incrementally deployable
  • TCP friendly in the absence of attack
  • Poisoning resilient in the presence of attack

Page 19: A Poisoning-Resilient TCP Stack

Questions?
