Towards Robust Protocol Design: 4 Ways to Kill TCP without Much Trouble

  • View
    24

  • Download
    0

Embed Size (px)

DESCRIPTION

Towards Robust Protocol Design: 4 Ways to Kill TCP without Much Trouble. Aleksandar Kuzmanovic Northwestern University. http://networks.cs.northwestern.edu. The Internet. 1969. 2007. The system of astonishing scale and complexity. Denial of Service Problem. Assumption - PowerPoint PPT Presentation

Text of Towards Robust Protocol Design: 4 Ways to Kill TCP without Much Trouble

  • Towards Robust Protocol Design: 4 Ways to Kill TCP without Much Trouble

    Aleksandar KuzmanovicNorthwestern University

    http://networks.cs.northwestern.edu

    A. Kuzmanovic

    Towards Robust Protocol Design

    The Internet1969The system of astonishing scale and complexity2007

    A. Kuzmanovic

    Towards Robust Protocol Design

    Denial of Service ProblemAssumptionTrust and cooperation among endpoints

    Denial of Service AttacksA malicious way to consume resources in a network, a server cluster or in an end host, thereby denying service to other legitimate users

    FBI Computer Crime & Security Survey:Overall financial losses: $201,000,000Denial of Service: $65,000,000

    A. Kuzmanovic

    Towards Robust Protocol Design

    Approach

    Should we find ways to defend the Internet from DoS attacks?Of course!

    Anticipating novel types of DoS attacks is essentialMore relevant and more challenging

    My focus: TCPMore than 90% of traffic today is TCP

    A. Kuzmanovic

    Towards Robust Protocol Design

    Outline

    Brief background on TCP

    Four ways to kill TCPShrew attacksPadding misbehaviorTCP poisoning attacksReceiver-driven TCP stacks

    A. Kuzmanovic

    Towards Robust Protocol Design

    Slow-start phase Double the sending ... ... rate each round-trip ... time Reach high throughput ...quicklyTCP Congestion Control

    A. Kuzmanovic

    Towards Robust Protocol Design

    TCP Congestion Control Additive Increase ...Multiplicative Decrease Fairness among flows

    A. Kuzmanovic

    Towards Robust Protocol Design

    TCP Congestion Control Exponential.backoff System stability Vulnerability to ... ..high-rate attacks

    A. Kuzmanovic

    Towards Robust Protocol Design

    Shrew AttacksTCP is vulnerable to low-rate DoS attacks

    A. Kuzmanovic

    Towards Robust Protocol Design

    Shrew

    Very small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite

    Reviewer 3: only some shrews are venomous and the amount of venom in even the venomous species is very mild.

    A. Kuzmanovic

    Towards Robust Protocol Design

    TCP: a Dual Time-Scale PerspectiveTwo time-scales fundamentally requiredRTT time-scales (~10-100 ms)AIMD controlRTO time-scales (RTO=SRTT+4*RTTVAR)Avoid congestion collapseLower-bounding the RTO parameter:[AllPax99]: minRTO = 1 secto avoid spurious retransmissionsRFC2988 recommends minRTO = 1 sec

    A. Kuzmanovic

    Towards Robust Protocol Design

    The Shrew Attack

    A. Kuzmanovic

    Towards Robust Protocol Design

    The Shrew Attack

    A short burst (~RTT) sufficient to create outageOutage event of correlated packet losses that forces TCP to enter RTO mechanism

    A. Kuzmanovic

    Towards Robust Protocol Design

    The Shrew AttackThe outage synchronizes all TCP flowsAll flows react simultaneously and identically backoff for minRTO

    A. Kuzmanovic

    Towards Robust Protocol Design

    The Shrew Attack

    Once the TCP flows try to recover hit them again

    Exploit protocol determinism

    A. Kuzmanovic

    Towards Robust Protocol Design

    The Shrew Attack

    And keep repeating

    RTT-time-scale outages inter-spaced on minRTO periods can deny service to TCP traffic

    A. Kuzmanovic

    Towards Robust Protocol Design

    Shrews are Hard to Detect

    l/T Circuit switched

    A. Kuzmanovic

    Towards Robust Protocol Design

    GainFully-backlogged flows always achieve

    gain relative to interactive flows

    A. Kuzmanovic

    Towards Robust Protocol Design

    Sustainable CountermeasuresShort-term padding with dummy packets Enable that a packet loss is detected via fast retransmit mechanismActual packet followed by three tiny dummy packets.

    A diversity approachTCP sends k (k>1, k is a small integer) copies of the packet without violating congestion control mechanismIn reality k=2 is sufficient

    Both approaches de-motivate greedy users

    from using the fully-backlogged approach

    A. Kuzmanovic

    Towards Robust Protocol Design

    Outline

    Brief background on TCP

    Four ways to kill TCPShrew attacksPadding misbehaviorTCP poisoning attacksReceiver-driven TCP stacks

    A. Kuzmanovic

    Towards Robust Protocol Design

    A TCP Poisoning AttackBackgroundMis-configured load balancers can reset TCP connectionsSimply send a RST packet to an endpoint

    ImplicationMonitoring -> DoS attacksJust send a bogus packet and poison an endpointTCP behaves as a dummy state machineBoth control and data planes are vulnerable

    A. Kuzmanovic

    Towards Robust Protocol Design

    Large-Scale TCP Poisoning AttacksExamplePoison clients instead of a serverC1C2CnA1A2Server

    A. Kuzmanovic

    Towards Robust Protocol Design

    Why Not Cryptography?

    Explicit monitoring required in networksAdvanced congestion control protocols (e.g., XCP)Intrusion-detection mechanisms

    Not implemented widelyE.g., IPSec

    Even cryptography wont helpKey exchange vulnerable to poisoning

    A. Kuzmanovic

    Towards Robust Protocol Design

    Our Approach

    Deferred protocol reactionAttack detection

    Forward noncesDistinguish packet streams from different hosts

    Self-clocking based correlationIdentify the valid packet stream

    A. Kuzmanovic

    Towards Robust Protocol Design

    How long to defer?

    A. Kuzmanovic

    Towards Robust Protocol Design

    Forward NoncesChaining mechanism to distinguish among different packet sourcesPast and future nonce8-bit random numbers Overhead: 2 bytes/packet

    A. Kuzmanovic

    Towards Robust Protocol Design

    Self Clocking Based CorrelationIATiIDTi+1IDTi+2IDTiIATi+1IATi+2ACKiACKi+1ACKi+2ACKi+3DATAiDATAi+1DATAi+2DATAi+3Idea: Exploit strong correlation among inter-

    departure and inter-arrival times at an endpoint

    A. Kuzmanovic

    Towards Robust Protocol Design

    EvaluationOur approach dramatically improves performance over standard TCP

    A. Kuzmanovic

    Towards Robust Protocol Design

    Outline

    Brief background on TCP

    Four ways to kill TCPShrew attacksPadding misbehaviorTCP poisoning attacksReceiver-driven TCP stacks

    A. Kuzmanovic

    Towards Robust Protocol Design

    Why Receiver-Based TCP?Example: Busy web serverReceiver-based TCP distributes the state management across a large number of clientsGenerallyWhenever a feedback is needed from the receiver, receiver-based TCP has advantage over sender-based schemes due to the locality of informationBenefits [RCP03]Performance Functionality- Loss recovery- Seamless handoffs- Congestion control- Server migration - Power management for - Bandwidth aggregation mobile devices - Web response times- Network-specific congestion control

    A. Kuzmanovic

    Towards Robust Protocol Design

    VulnerabilityReceivers remotely control servers by deciding which packets and when to be sentReceivers have both means and incentive to manipulate the congestion control algorithm Means: open source OSIncentive: faster web browsing & file download

    A. Kuzmanovic

    Towards Robust Protocol Design

    An Example: Request-Flood AttackRequest flood attackA misbehaving receiver floods the server with requests, which replies and congests the network

    A. Kuzmanovic

    Towards Robust Protocol Design

    Conclusions

    Think of attacks, not just defensesMore challenging and more relevant

    Robust protocol designAvoid determinism whenever you canUnderstand extreme scenariosExplore novel defense mechanismsE.g., use measurements to achieve DoS resilienceAnticipate effects before applying a change

    A. Kuzmanovic

    Towards Robust Protocol Design

    Thank You!

    More information available athttp://networks.cs.northwestern.edu

    Questions?

    Well by simply sending periodic bursts into the network.

    In the figure I have shown a simple square-wave DoS stream, which is a general Denial of Service pattern that we use. It has magnitude of the peak R, length of the peak l and period of the attack of T

    Recall that the burst length should be on the order of flows roundtrip time and that the period of the attack is on the time-scale of the minRTO parameter, and this implies that this denial of service stream will have very low average rate.

    And the point about these attacks being low rate is the fact that these types ofattacks are hard to detect. This is because most counter-DoS mechanisms are tuned for sledge-hammer attacks which are high rate. On the other hand, detecting Shrews is inherently hard due to fact that many legitimate flows in the Internet can burst for very short intervals and thus detecting shrews may have unacceptably many false alarms.

    We next want to see if such a stream can accurately create outages in the networkand what happens when we multiplex this stream with a TCP flow?