
Low-Rate TCP Denial of Service Defense

Johnny Tsao, Petros Efstathopoulos

Tutor: Guang Yang

UCLA 2003

What is a Low-Rate DoS Attack?

Floods the bottleneck with packets to overflow queues and produce dropped packets

TCP connections sense congestion and wait for the retransmission timeout (one second)

While TCP connections are waiting out the timeout, the attacker does not need to attack

It then resumes attacking after waiting the RTO

The attacker has a low throughput relative to traditional DoS attackers, so it can avoid detection

Proposed Solution

Randomize the RTO so that we start retransmitting in between attacks

This should help improve throughput

Various possible randomization techniques: simulations show that the choice doesn’t make a significant difference

Related Works

A. Kuzmanovic and E. W. Knightly, Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants), In Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003

G. Yang, M. Gerla and Y. Sanadidi, Randomization and Probing: Defense against Low-rate TCP-targeted DoS Attacks, UCLA Computer Science Department, Internal Draft

These papers run simulations only; we will test their findings with experiments

Our Task

Analyze the effectiveness of randomized RTO against a low-rate TCP DoS attack

Evaluate effectiveness by performing experiments on a TCP testbed using DummyNet to simulate an internet bottleneck

Compare experimental results to simulation results

The Linux Kernel

Linux implements TCP New Reno

The Linux kernel actually uses a minimum RTO of 200ms (max is 120sec)

This reduces the effectiveness of a low-rate attack since it must transmit more often, leaving it more susceptible to detection

The Linux Kernel (cont)

Linux uses the value of RTOmin to initialize the value of rttvar when a new connection is established

Setting RTOmin to 1sec heavily affected rttvar

Solution: bound the value of RTO dynamically without changing the defined values that affect rttvar

Linux Kernel Modifications

Kernel 1: make minimum RTO = 1sec in order to match the papers by Knightly and Yang

Kernel 2: Randomize RTO around 1sec to see if randomization can defend against a low rate attack
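As an added illustration (not the kernel's code and not the project's patch), the following Python model contrasts the two approaches the slides describe: raising the defined RTOmin, which changes the rttvar seed of every new connection, versus leaving the defined values alone and bounding only the final RTO dynamically, optionally with a randomized bound as in Kernel 2. The 200ms minimum and 120sec maximum are the Linux values quoted above; the srtt/rttvar smoother (RFC 6298 style), the rttvar seed rule, the 80ms sample RTT and the class and function names are assumptions of this example.

```python
import random

# Milliseconds throughout.  200 ms / 120 s are the Linux limits quoted in
# the slides; everything else in this file is an assumption of the example.
LINUX_RTO_MIN_MS = 200
LINUX_RTO_MAX_MS = 120_000


class RtoEstimator:
    """RFC 6298-style srtt/rttvar smoother with a Linux-like rttvar seed.

    rto_min_ms: the *defined* minimum RTO, which also seeds rttvar on the
                first sample (the coupling the slides describe).
    bound_ms:   optional dynamic lower bound applied only to the final RTO,
                so it never feeds back into srtt/rttvar ("Kernel 1" = 1000).
    spread_ms:  randomize the bound by +/- spread_ms ("Kernel 2").
    """

    def __init__(self, rto_min_ms=LINUX_RTO_MIN_MS, bound_ms=None,
                 spread_ms=0, seed=0):
        self.rto_min_ms = rto_min_ms
        self.bound_ms = bound_ms
        self.spread_ms = spread_ms
        self.rng = random.Random(seed)
        self.srtt = None
        self.rttvar = None

    def sample(self, rtt_ms):
        """Feed one RTT measurement; returns (srtt, rttvar)."""
        if self.srtt is None:
            # First measurement: seed rttvar from the defined minimum RTO.
            # Assumed rule: max(rtt/2, rto_min), mirroring the slides' note
            # that Linux uses RTOmin to initialize rttvar.
            self.srtt = float(rtt_ms)
            self.rttvar = max(rtt_ms / 2, self.rto_min_ms)
        else:
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt_ms)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt_ms
        return self.srtt, self.rttvar

    def rto(self):
        """RTO = srtt + 4*rttvar clamped to the defined [min, max], then raised
        to the dynamic (optionally randomized) bound if one is configured."""
        rto = min(max(self.srtt + 4 * self.rttvar, self.rto_min_ms),
                  LINUX_RTO_MAX_MS)
        if self.bound_ms is None:
            return rto
        lower = self.bound_ms + self.rng.uniform(-self.spread_ms, self.spread_ms)
        return min(max(rto, lower), LINUX_RTO_MAX_MS)


def settle(estimator, rtt_ms=80, samples=30):
    """Feed a steady RTT (80 ms = 2 x the 40 ms DummyNet delay, constructed)
    and return the resulting (srtt, rttvar, rto)."""
    for _ in range(samples):
        estimator.sample(rtt_ms)
    return estimator.srtt, estimator.rttvar, estimator.rto()


if __name__ == "__main__":
    # Raising the defined minimum changes the rttvar seed of every connection.
    naive = RtoEstimator(rto_min_ms=1000)
    stock = RtoEstimator()
    print("rttvar after first sample:", naive.sample(80)[1], "vs", stock.sample(80)[1])
    # Bounding only the final RTO leaves srtt/rttvar identical to stock.
    for name, est in (("stock", RtoEstimator()),
                      ("1sec", RtoEstimator(bound_ms=1000)),
                      ("1sec-randomized", RtoEstimator(bound_ms=1000, spread_ms=500))):
        print(name, settle(est))
```

The point to check is that the three estimators report the same srtt and rttvar after the same samples and differ only in the final RTO, whereas the naive variant with rto_min_ms=1000 starts with a five-times larger rttvar seed.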

Experiment Setup

Sender, Receiver
- iperf client and server to produce TCP traffic

Attacker
- Custom UDP traffic generator: 3MBit/s attack, 50 byte packets

DummyNet simulates internet bottleneck
- 1.5MBit/s link
- 40ms propagation delay
- 50 slot queue

The Square Wave Attack (approximates a Low-rate TCP DoS Attack)

[Figure: square wave attack pattern, labelled with Burst Length and Inter-burst Period]

Experiments

4 sets of experiments

Set 1: standard Linux kernel behavior

Set 2: modified “1sec” Linux kernel behavior

Set 3: modified “1sec – randomized RTO” Linux kernel behavior

For each set we measured throughput for interburst periods (IBPs) ranging from 0.3sec to 5sec (burst length and network parameters were kept constant)

Set 4: all kernels measured under attack for different burst lengths
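The experiments above compare three RTO policies against a square wave with a given burst length and inter-burst period. As an added example, not the testbed code of the project, the Python model below reproduces the timing argument behind them: it steps a single flow through time and records how much of the run it spends sending versus waiting out an RTO. The model is deliberately simplified and is an assumption of this example: a transmission that coincides with a burst loses the whole window and waits one RTO (doubling on consecutive losses), a transmission between bursts succeeds and the flow keeps sending one RTT at a time. The 80ms RTT (twice the 40ms DummyNet delay), the 100ms default burst length, the backoff cap and the function names are constructed for the example; the 200ms, 1sec and 1sec ± 0.5sec policies are the three kernels of the slides.

```python
import random

# All times are integer milliseconds so the arithmetic is exact.
RTT_MS = 80          # 2 x 40 ms DummyNet propagation delay (constructed)
MAX_BACKOFF = 64     # cap on exponential RTO backoff (assumption)


def in_burst(t_ms, ibp_ms, burst_ms):
    """True if time t lies inside a burst of a square wave whose bursts start
    at t = 0, repeat every ibp_ms and last burst_ms."""
    return t_ms % ibp_ms < burst_ms


def fixed_rto(base_ms):
    """RTO policy of the stock kernel (200) or the '1sec' kernel (1000)."""
    return lambda rng: base_ms


def randomized_rto(base_ms, spread_ms):
    """RTO policy of the '1sec - randomized RTO' kernel: base +/- spread."""
    return lambda rng: base_ms + rng.randint(-spread_ms, spread_ms)


def simulate(ibp_ms, burst_ms, rto_policy, duration_ms=200_000, seed=1):
    """Fraction of the run the flow spends sending rather than in RTO wait.

    Simplified model (an assumption of this example): sending during a burst
    loses the window and costs one RTO (doubled on each consecutive loss);
    sending between bursts succeeds and advances time by one RTT.
    """
    rng = random.Random(seed)
    t = 0
    sending = 0
    backoff = 1
    while t < duration_ms:
        if in_burst(t, ibp_ms, burst_ms):
            # Timeout: a fixed RTO equal to (a multiple of) the IBP lands the
            # retransmission in the next burst again; a randomized one does not.
            t += rto_policy(rng) * backoff
            backoff = min(backoff * 2, MAX_BACKOFF)
        else:
            sending += RTT_MS
            t += RTT_MS
            backoff = 1
    return sending / duration_ms


def compare(ibp_ms, burst_ms=100):
    """Throughput fraction of the three kernels from the slides at one IBP."""
    return {
        "linux_200ms": simulate(ibp_ms, burst_ms, fixed_rto(200)),
        "1sec": simulate(ibp_ms, burst_ms, fixed_rto(1000)),
        "1sec_randomized": simulate(ibp_ms, burst_ms, randomized_rto(1000, 500)),
    }


if __name__ == "__main__":
    for ibp in (300, 500, 1000, 1200, 2000, 5000):
        print(ibp, compare(ibp))
```

With a fixed 1sec RTO and an IBP of 1sec or 0.5sec every retransmission lands exactly on a burst and the modelled throughput is zero, which is the synchronization the slides identify as the attack's precondition; the randomized policy breaks that alignment and recovers throughput at both IBPs. The absolute fractions are those of this toy model, not the testbed's bytes/sec figures.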

Topology

[Figure: testbed topology diagram; only the label "Attack" survives extraction]

Experimental Results – I

The standard Linux kernel is vulnerable, but a high rate attack is needed (minRTO is 200ms)

[Figure: Linux kernel throughput (no attack VS under attack). X axis: IBP (sec), 0.3 to 5; Y axis: Throughput (bytes/sec), 0 to 200000; series: Under Attack, No Attack]

Experimental Results – II

Changing the minimum value of RTO to 1sec makes the attack very effective!

[Figure: "1sec" kernel throughput (no attack VS under attack). X axis: IBP (s), 0.3 to 5; Y axis: Throughput (bytes/sec), 0 to 200000; series: Under Attack, No attack]

Experimental Results – III

Randomizing the value of RTO in the “1sec” kernel (randomization ranges from -0.5 to +0.5) significantly improves performance (connection NOT throttled for IBPs of 0.5s and 1s)

[Figure: "1sec-randomized RTO" kernel throughput (no attack VS under attack). X axis: IBP (s), 0.3 to 5; Y axis: Throughput (bytes/sec), 0 to 200000; series: Under Attack, No Attack]

Experimental Results – IV

Randomization eliminates the throughput throttling problem for IBP values of minRTO/2 and minRTO

Experimental results confirm simulation results

[Figure: Throughput vs IBP. X axis: Inter-burst Period (seconds), 0 to 6; Y axis: Throughput (%), 0 to 1; series: Linux, 1s RTO, randomRTO]

Experimental Results – V

The burst length greatly affects the effectiveness of the attack

[Figure: Throughput VS burst length (interburst period = 1s). X axis: Burst length (ms), 50 to 200; Y axis: Throughput (bytes/sec), 0 to 180000; series: Linux kernel, 1sec kernel, randomized kernel]

[Figure: Throughput VS burst length (interburst period = 0.5s). X axis: Burst length (ms), 50 to 200; Y axis: Throughput (bytes/sec), 0 to 120000; series: Linux kernel, 1sec kernel, randomized kernel]

Experimental Results – V (cont.)

[Figure: Average throughput VS burst length (for IBPs 0.5s and 1s). X axis: Burst length (ms), 50 to 200; Y axis: Throughput (bytes/sec), 0 to 160000; series: Linux kernel, 1sec kernel, randomized kernel]

Our Findings

Low-Rate TCP DoS attack relies heavily on RTO synchronization

Attack targets low RTT connections

Randomization of RTO improves throughput greatly (especially in the vulnerable cases of 0.5s and 1s)

Our Findings - II

The effectiveness of the attack depends a lot on the synchronization of the sender and the attacker

Performance results for certain cases fluctuated greatly for consecutive runs of the same experiment. Possible reasons: Dummynet buffer management, synchronization issues between the attacker and the sender

Conclusions

The experimental results coincide with the findings of the papers by Knightly and Yang

Randomization is an effective way to reduce the damage done by a Low-Rate TCP DoS attack

Such an attack may not be realistic if modern systems implement a low RTO (i.e. Linux’s 200ms RTO)

Future Work

Determine the fairness of the RTO randomization scheme

Explore probing as a defense against a Low Rate TCP DoS attack

Examine the attack and defense results with multiple TCP flows

References

A. Kuzmanovic and E. W. Knightly, Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants), In Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, Aug. 2003

G. Yang, M. Gerla and Y. Sanadidi, Randomization and Probing: Defense against Low-rate TCP-targeted DoS Attacks, UCLA Computer Science Department, Internal Draft

Pasi Sarolahti, Alexey Kuznetsov, Congestion Control in Linux TCP

D. Bovet and M. Cesati, Understanding the Linux Kernel, O’Reilly Press 2003