
Page 1: Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang, Z. Morley Mao, Jia Wang

Page 2

Attacks on the Internet
- Attacks targeting end hosts: denial of service attacks, worms, spam
- Attacks targeting the routing infrastructure: compromised routers, stealthy denial of service attacks
[Figure: attackers (bots) send flows across the Internet toward a destination; the flows converge on a single target link]

Page 3

Border Gateway Protocol
- De facto standard inter-domain routing protocol
[Figure: border routers (BR) in AS 1 and AS 2 joined by a BGP session; transport is a TCP connection; Keepalive messages flow in both directions]
- Keepalive: confirm peer liveness; determine peer reachability
- BGP HoldTimer expired: BGP session reset

Page 4

Low-rate TCP-targeted DoS attacks [Kuzmanovic03]
- Exploiting TCP's deterministic retransmission behavior
[Figure: TCP congestion window size (packets) vs. time. From the initial window size the window grows while ACKs are received (no packet loss); after a packet loss with no ACK received, TCP waits minRTO before retransmitting, then 2 x minRTO, then 4 x minRTO]

Page 5

Low-rate TCP-targeted DoS attacks
- Attack flow period approximates minRTO of TCP flows
[Figure: TCP congestion window size (segments) vs. time, with the same minRTO, 2 x minRTO and 4 x minRTO backoff marks as page 4, overlaid with the attack flow whose period approximates minRTO]

Page 6

Impact of low-rate TCP DoS attacks
- Impact on any TCP connection
  - TCP continuously experiences loss
  - TCP obtains near-zero throughput
  - Difficult to detect due to the low-rate property
- Our finding: low-rate TCP DoS attacks can disrupt BGP (with default configurations)

Page 7

Impact of routing disruption
- Reduced sending rate
  - Increasing convergence delay
- BGP session reset
  - Routing instability
  - Unreachable destinations
  - Traffic performance degradation

Page 8

Outline
- Description of a potential attack against Internet routing
- Attack demonstration using testbed experiments
- Increased attack sophistication using multi-host coordination
- Defense solutions through prevention

Page 9

Testbed experiments
- Using high-end commercial routers
- Demonstrating the attack feasibility
[Figure: Sender A connects over Gigabit Ethernet to Router R1 (Cisco GSR); R1 and Router R2 (Cisco GSR) are joined by an OC3 155 Mbps link; R2 connects over Gigabit Ethernet to Receiver B]

Page 10

The attack to bring down a BGP session
[Figure: Attacker A sends a UDP-based attack flow through Router R1 and Router R2 to Receiver B; the BGP Keepalive message on the R1-R2 session is dropped due to congestion]

Page 11

The attack to bring down a BGP session
[Figure: same topology; the retransmitted BGP Keepalive message, sent after minRTO, is lost again]

Page 12

The attack to bring down a BGP session
[Figure: same topology; the 2nd retransmitted BGP Keepalive message, sent after a further 2*minRTO, is lost as well]

Page 13

The attack to bring down a BGP session
[Figure: same topology; after the 7th retransmitted BGP Keepalive message (backoff intervals minRTO, 2*minRTO, ...), the Hold Timer expires and the BGP session is reset]

Page 14

Basic attack flow properties
[Figure: square-wave attack flow annotated with burst length L, magnitude of the peak R, and inter-burst period T]

Page 15

How likely is BGP session reset?
- R: 185 Mbps; T: 600 msec; min duration: 216 sec
- 30% session reset probability with 42% capacity usage

Page 16

Router implementation diversity

Router Type    OS Version        minRTO (msec)   Keepalive (sec)   HoldTimer (sec)
Cisco 3600     IOS 12.2(25a)     300             60                180
Cisco 7200     IOS 12.2(28)S3    600             60                180
Cisco 7300     IOS 12.3(3b)      300             60                180
Cisco 12000    IOS 12.0(23)S     600             60                180
Juniper M10    JUNOS [6.0R1.3]   1000            30                90
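The keepalive retransmission timeline of pages 10-13 and the per-router parameters in the table above can be combined into a small exposure model. The Python below is an added example written for this page, not code from the paper or its authors: a keepalive is treated as lost whenever its transmission falls inside a congestion burst, TCP retransmits it with exponential backoff starting at minRTO, and the model reports whether the BGP hold timer expires. The 64 s backoff cap, bursts starting at time 0, instant delivery of any segment outside a burst, and the per-session draw of a randomized minRTO (the page-29 mitigation, evaluated exhaustively over the range [a, b]) are modelling assumptions of mine; the average-rate helper applies the R*L/T relation from page 26.

```python
"""Exposure model for a BGP session's keepalives under periodic congestion.

Added example (not from the paper). Times are integer milliseconds.
A keepalive transmitted while a congestion burst is in progress is dropped;
TCP retransmits it after minRTO, then 2*minRTO, 4*minRTO, ... (capped);
the BGP hold timer expires if the peer receives nothing for HoldTimer.
"""

# (minRTO ms, keepalive ms, hold timer ms) from the table on page 16.
ROUTER_PROFILES = {
    "cisco_3600": (300, 60_000, 180_000),
    "cisco_7200": (600, 60_000, 180_000),
    "cisco_7300": (300, 60_000, 180_000),
    "cisco_12000": (600, 60_000, 180_000),
    "juniper_m10": (1000, 30_000, 90_000),
}

MAX_RTO_MS = 64_000  # assumed backoff cap (RFC 6298 suggests a cap of at least 60 s)


def in_burst(t_ms, period_ms, burst_ms, phase_ms=0):
    """True if a packet sent at t_ms falls inside a congestion burst.
    Bursts of burst_ms repeat every period_ms; the first starts at phase_ms."""
    return (t_ms - phase_ms) % period_ms < burst_ms


def hold_timer_expiry(min_rto_ms, keepalive_ms, hold_ms, period_ms, burst_ms,
                      horizon_ms=600_000, phase_ms=0):
    """Return the time (ms) at which the hold timer expires, or None if every
    keepalive gets through within horizon_ms. Simplification: each keepalive
    is retried independently and a segment sent outside a burst arrives instantly."""
    last_received = 0          # a keepalive is assumed delivered at t = 0
    send_at = keepalive_ms
    while send_at < horizon_ms:
        t, attempt = send_at, 0
        while in_burst(t, period_ms, burst_ms, phase_ms):
            # Dropped: TCP backs off exponentially from minRTO before resending.
            t += min(min_rto_ms << attempt, MAX_RTO_MS)
            attempt += 1
            if t - last_received >= hold_ms:
                return last_received + hold_ms
        last_received = t      # delivered: the peer restarts its hold timer
        send_at += keepalive_ms
    return None


def reset_fraction(profile, period_ms, burst_ms, rto_range):
    """Fraction of minRTO values in rto_range (inclusive, ms) for which the
    session resets: an exhaustive evaluation of the page-29 mitigation that
    picks minRTO anywhere within [a, b] (here: once per session)."""
    _, keepalive_ms, hold_ms = ROUTER_PROFILES[profile]
    lo, hi = rto_range
    resets = sum(
        hold_timer_expiry(m, keepalive_ms, hold_ms, period_ms, burst_ms) is not None
        for m in range(lo, hi + 1)
    )
    return resets / (hi - lo + 1)


def average_rate_mbps(peak_mbps, burst_ms, period_ms):
    """Average rate of the square-wave flow, R * L / T (page 26: 5 * 300 / 1000 = 1.5)."""
    return peak_mbps * burst_ms / period_ms


if __name__ == "__main__":
    for name, (rto, ka, hold) in ROUTER_PROFILES.items():
        for period in (300, 600, 1000):
            expiry = hold_timer_expiry(rto, ka, hold, period, 200)
            status = f"reset at {expiry / 1000:.1f} s" if expiry else "survives"
            print(f"{name:12s} burst period {period:4d} ms: {status}")
    print("reset fraction, cisco_7200, minRTO drawn from [500, 700] ms:",
          reset_fraction("cisco_7200", 600, 200, (500, 700)))
```

Running the model reproduces the page-19 condition directly: with 200 ms bursts every 600 ms, the profiles whose minRTO is 600 ms lose every retransmission (each backoff interval is a multiple of the burst period, so the retransmission always lands in a burst) and reset when the hold timer runs out, while a profile with minRTO 300 ms or 1000 ms gets its first retransmission through. The randomized-minRTO evaluation shows why page 29 says the mitigation does not eliminate resets: a fraction of the values in [500, 700] still align with the burst period, and widening the burst to the full period (100% loss) resets every session regardless of minRTO.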

Page 17

Explanation of packet drops
- BGP packet drop locations: ingress or egress line card buffer queues
- Resource sharing across interfaces: interfaces share buffers and processing time
[Figure: a router with Interfaces 1-4 on an ingress line card and an egress line card; the BGP packet passes through the shared line card queues]

Page 18

Buffer allocation in line cards
- Line card memory is divided into buckets of different packet sizes
- Packets cannot utilize buckets of a different size
[Figure: line card buffer queues in front of the switch fabric, one per packet-size bucket: (0, 80 Byte], [81 Byte, 270 Byte], [271 Byte, 502 Byte], [503 Byte, 908 Byte], [909 Byte, 1500 Byte]. The bucket the BGP packet belongs to is full, so the packet is dropped even though other buckets are empty]

Page 19

Necessary conditions for session reset
- Inter-burst period approximates minRTO
- The attack flow's path traverses at least one link of the BGP session
- Attack flow's bottleneck link is the target link
[Figure: the attack flow's path from Attacker to Receiver crosses a multi-hop BGP session between Router R1 and Router R2; the path's bottleneck link is marked]

Page 20

Outline (repeated; same four items as page 8)

Page 21

Coordinated low-rate DoS attacks
[Figure: Attack host A and Attack host B send flows toward Destination C and Destination D; the flows cross the target BGP session between Router R1 and Router R2]

Page 22

Coordinated low-rate DoS attacks
[Figure: same topology as page 21 (animation step)]

Page 23

Coordinated low-rate DoS attacks
[Figure: the two attack flows arriving together at the target BGP session]

Page 24

Host selection for coordinated attacks
- Selecting attack host-destination pairs to traverse the target link
  - Identify the target link's geographic location and ASes
  - Identify prefixes with AS-level path through the target link
  - Identify IP-level paths

Page 25

Wide-area experiments
- Internet bottleneck link available bandwidth measurement
  - 160 peering links
  - 330 customer and provider links
- Attack host selection
  - PlanetLab hosts as potential attack hosts
  - Attack hosts geographically close to the target link
- Attacks targeting a local BGP session

Page 26

Wide-area coordinated attacks against a local BGP session
[Figure: PlanetLab hosts UW1 (US), UW2, THU1 (China) and THU2 send flows across the WAN into a local testbed with 100 Mbps and 10 Mbps links; the targeted BGP session runs between Software router 1 and Software router 2]
- Attack flow: R = 5 Mbps, L = 300 msec, T = 1 s; average rate = 1.5 Mbps

Page 27

Conditions for a single attack flow vs. coordinated attacks
- A single attack flow:
  1. Inter-burst period approximates minRTO
  2. The attack flow's path traverses the BGP session
  3. Attack flow's bottleneck link is the target link
- Coordinated attacks (conditions 1 and 3 become 1' and 3'):
  1'. Sufficiently strong combined attack flows to cause congestion
  3'. Identify the target link location

Page 28

Outline (repeated; same four items as page 8)

Page 29

Attack prevention: hiding information
- Randomize minRTO [Kuzmanovic03]
  - minRTO is any value within range [a, b]
  - Does not eliminate BGP session reset
- Hide network topology from end-hosts
  - Disabling ICMP TTL Time Exceeded replies at routers

Page 30

Attack prevention: prioritize routing traffic
- Weighted Random Early Detection (WRED)
  - Prevent TCP synchronization
  - Selectively drop packets
  - Drop low-priority packets first when the queue size exceeds defined thresholds
- Assumption of WRED: the IP precedence field is not spoofed
  - We need to police the IP precedence markings

Page 31

Support from existing commercial routers
- Router-supported policing features
  - Committed Access Rate (CAR)
  - Class-based policing
- Traffic marking
  - Reset the incoming packets to be low priority
- Class-based queuing
  - Drop the packets with low priority when the traffic burst is high
- Effective in isolating BGP packets from attack traffic!
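Pages 18, 30 and 31 together explain why the keepalive is lost (it can only use one size bucket, and that bucket is full) and why class-based queuing only helps if the precedence markings are policed. The Python below is an added example written for this page, not code from the paper or from any router vendor: it models one line card with the page-18 size buckets under drop-tail admission, an optional reserved class for packets the router classifies as routing traffic, and the page-31 ingress rule that remarks incoming packets to low priority. Packet sizes, bucket depths, the use of IP precedence 6 for router-identified BGP traffic (the "internetwork control" value), and the hard slot limit standing in for WRED's probabilistic early drop are my constructed assumptions.

```python
"""Line-card buffer model: size buckets (page 18), class-based queuing and
precedence policing (pages 30-31). Added example, not from the paper."""
from collections import deque
from dataclasses import dataclass

BGP_PORT = 179
ROUTING_PRECEDENCE = 6      # IP precedence "internetwork control" (assumed marking)
# Packet-size buckets from page 18 (inclusive byte ranges).
SIZE_BUCKETS = [(0, 80), (81, 270), (271, 502), (503, 908), (909, 1500)]


@dataclass
class Packet:
    size: int
    proto: str           # "tcp" or "udp"
    dport: int
    precedence: int = 0  # value the sender wrote into the IP header


def bucket_for(size):
    """Index of the only bucket a packet of this size may occupy."""
    for i, (lo, hi) in enumerate(SIZE_BUCKETS):
        if lo <= size <= hi:
            return i
    raise ValueError(f"unsupported packet size {size}")


class LineCard:
    """One line card with a fixed number of slots per size bucket.

    reserved_slots > 0 enables a separate class for routing traffic
    (class-based queuing). trust_markings=False applies the page-31 rule:
    incoming packets are remarked to low priority, so only packets the
    router itself classifies as BGP reach the reserved class."""

    def __init__(self, slots_per_bucket, reserved_slots=0, trust_markings=False):
        self.buckets = [deque() for _ in SIZE_BUCKETS]
        self.slots = slots_per_bucket
        self.reserved = deque()
        self.reserved_slots = reserved_slots
        self.trust_markings = trust_markings
        self.dropped = []

    def classify(self, pkt):
        """Ingress policing and marking; returns the effective precedence."""
        precedence = pkt.precedence if self.trust_markings else 0
        if pkt.proto == "tcp" and pkt.dport == BGP_PORT:
            precedence = ROUTING_PRECEDENCE   # router-identified BGP session traffic
        return precedence

    def enqueue(self, pkt):
        """Drop-tail admission; returns True if the packet was buffered."""
        if self.classify(pkt) >= ROUTING_PRECEDENCE and self.reserved_slots:
            queue, capacity = self.reserved, self.reserved_slots
        else:
            queue, capacity = self.buckets[bucket_for(pkt.size)], self.slots
        if len(queue) >= capacity:
            self.dropped.append(pkt)
            return False
        queue.append(pkt)
        return True


def keepalive_survives_burst(card, burst, keepalive):
    """Feed one congestion burst, then the BGP keepalive; True if it is buffered."""
    for pkt in burst:
        card.enqueue(pkt)
    return card.enqueue(keepalive)


# Constructed traffic: a 59-byte BGP keepalive (19-byte BGP message plus 40 bytes
# of IP/TCP headers) and a burst of small UDP packets that land in the same bucket.
KEEPALIVE = Packet(size=59, proto="tcp", dport=BGP_PORT)
SAME_BUCKET_BURST = [Packet(size=64, proto="udp", dport=9) for _ in range(8)]
SPOOFED_BURST = [Packet(size=64, proto="udp", dport=9, precedence=ROUTING_PRECEDENCE)
                 for _ in range(8)]


def scenarios():
    """Outcome for the keepalive under each buffering/policing configuration."""
    return {
        "drop_tail_only": keepalive_survives_burst(
            LineCard(slots_per_bucket=4), SAME_BUCKET_BURST, KEEPALIVE),
        "reserved_class": keepalive_survives_burst(
            LineCard(4, reserved_slots=2), SAME_BUCKET_BURST, KEEPALIVE),
        "reserved_class_trusting_spoofed_marks": keepalive_survives_burst(
            LineCard(4, reserved_slots=2, trust_markings=True), SPOOFED_BURST, KEEPALIVE),
        "reserved_class_with_policing": keepalive_survives_burst(
            LineCard(4, reserved_slots=2, trust_markings=False), SPOOFED_BURST, KEEPALIVE),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} keepalive {'buffered' if ok else 'DROPPED'}")
```

The four scenarios map onto the slides: with plain drop-tail buckets the keepalive shares the (0, 80 Byte] bucket with the burst and is dropped; a reserved class for routing traffic saves it; but if the line card trusts sender-set precedence, a burst carrying the routing precedence fills the reserved class and the keepalive is dropped again, which is exactly the spoofing assumption page 30 calls out and the ingress remarking on page 31 removes.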

Page 32

Conclusion
- Feasibility of attacks against Internet routing infrastructure
  - Lack of protection of routing traffic
- Prevention solution using existing router configurations
  - Ubiquitous deployment is challenging
- Difficulties in detecting and defending against coordinated attacks
  - May affect any network infrastructure

Page 33

Thank you!

Page 34

Backup slides

Page 35

Attack flow notations
- Periodic, on-off square-wave flow
  - Burst period length L
  - Inter-burst period T
  - Burst magnitude of the peak R
[Figure: square-wave attack flow annotated with burst length L, magnitude of the peak R, and inter-burst period T]

Page 36

Attack inter-burst period's impact on table transfer duration (R = 185 Mbps, L = 200 msec)
[Figure: plot of table transfer duration vs. inter-burst period]

Page 37

Attack peak magnitude's impact on session reset and table transfer duration (Top: T = 600 msec, L = 200 msec; Bottom: T = 1.2 s, L = 200 msec)
[Figure: two plots vs. attack peak magnitude; the top panel is annotated "Normalized avg rate 0.48", the bottom panel "Normalized avg rate 0.24"]

Page 38

Synchronization accuracy
[Figure: plot]

Page 39

BGP table transfer with WRED enabled under attack
[Figure: plot]