Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang, Z. Morley Mao, Jia Wang
Attacks on the Internet

Attacks targeting end hosts: denial of service attacks, worms, spam.
Attacks targeting the routing infrastructure: compromised routers; stealthy denial of service attacks.

[Figure: attackers control bots spread across the Internet; the bots' flows converge on a target link on the way to a destination.]
Border Gateway Protocol

De facto standard inter-domain routing protocol.

[Figure: border routers in AS 1 and AS 2 hold a BGP session; the transport is a TCP connection carrying Keepalive messages in both directions.]

Keepalive: confirm peer liveliness; determine peer reachability.
When the BGP HoldTimer expires, the BGP session is reset.
Low-rate TCP-targeted DoS attacks [Kuzmanovic03]

Exploiting TCP's deterministic retransmission behavior.

[Figure: TCP congestion window size (packets) over time. Without packet loss, ACKs are received and the window grows from the initial window size; after a packet loss no ACK is received and the sender waits minRTO, then 2 x minRTO, then 4 x minRTO before each retransmission.]
Low-rate TCP-targeted DoS attacks

Attack flow period approximates minRTO of TCP flows.

[Figure: the same congestion window plot with attack bursts overlaid at minRTO, 2 x minRTO and 4 x minRTO, so each retransmission instant coincides with a burst.]
Impact of low-rate TCP DoS attacks

Impact on any TCP connection: TCP continuously experiences loss; TCP obtains near-zero throughput; the attack is difficult to detect because of its low average rate.

Our finding: low-rate TCP DoS attacks can disrupt BGP (with default configurations).
Impact of routing disruption

Reduced sending rate: increasing convergence delay.
BGP session reset: routing instability, unreachable destinations, traffic performance degradation.
Outline

Description of a potential attack against Internet routing
Attack demonstration using testbed experiments
Increased attack sophistication using multi-host coordination
Defense solutions through prevention
Testbed experiments

Using high-end commercial routers; demonstrating the attack feasibility.

[Figure: Sender A -- Gigabit Ethernet -- Router R1 (Cisco GSR) -- OC3 155 Mbps -- Router R2 (Cisco GSR) -- Gigabit Ethernet -- Receiver B.]
The attack to bring down a BGP session

[Figure sequence: Attacker A sends a UDP-based attack flow through Router R1 and Router R2 to Receiver B; the BGP session between R1 and R2 runs over the same link.]

1. A BGP Keepalive message is dropped due to congestion caused by the attack burst.
2. After minRTO, the retransmitted BGP Keepalive message meets the next burst and is dropped.
3. After 2*minRTO, the 2nd retransmitted BGP Keepalive message is dropped again.
4. The retransmission interval keeps doubling; the 7th retransmitted BGP Keepalive message is lost as well, the Hold Timer expires and the BGP session is reset.
Basic attack flow properties

Burst length L
Magnitude of the peak R
Inter-burst period T

[Figure: on-off square wave with bursts of length L and height R repeating every T.]
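The timing argument of slides 10 to 14 can be checked with a small model. The following is an added example, not code from the paper: it follows one BGP Keepalive through TCP's exponential backoff while a square-wave attack flow with parameters L and T runs over the target link, and asks whether the Hold Timer expires first. Everything not on the slides is an assumption: times are integer milliseconds, a burst is assumed to saturate the link so any (re)transmission inside a burst is lost and any outside it gets through, RTT and queueing are ignored, the RTO doubles without a cap, and the line-card bucket behaviour of slides 17 and 18 is left out.

```python
"""Timing model of the attack on slides 10-14: a BGP KeepAlive over TCP versus
an on-off square-wave attack flow with burst length L and period T.

All times are integer milliseconds so the burst-alignment arithmetic is exact.
Assumptions (not from the slides): a burst saturates the target link, so every
KeepAlive (re)transmission that falls inside a burst is dropped and every one
outside a burst is delivered; RTT and queueing are ignored; TCP doubles its RTO
on every loss without a cap.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BgpPeer:
    """Timer values of a BGP speaker (slide 16 lists measured defaults)."""
    min_rto_ms: int     # TCP minimum retransmission timeout
    keepalive_ms: int   # BGP KeepAlive interval
    hold_ms: int        # BGP HoldTimer; expiry resets the session


@dataclass(frozen=True)
class SquareWave:
    """Attack flow of slide 14: bursts of burst_ms (L) every period_ms (T)."""
    burst_ms: int
    period_ms: int
    phase_ms: int = 0   # offset of the first burst, i.e. the attacker's timing

    def in_burst(self, t_ms: int) -> bool:
        return (t_ms - self.phase_ms) % self.period_ms < self.burst_ms


@dataclass(frozen=True)
class Outcome:
    reset: bool                     # HoldTimer expired before any copy arrived
    retransmissions: int            # retransmissions actually sent
    delivered_at_ms: Optional[int]  # None if the KeepAlive never got through


def keepalive_outcome(peer: BgpPeer, attack: SquareWave) -> Outcome:
    """Follow one KeepAlive from the moment the receiver's HoldTimer was reset.

    The KeepAlive is first sent after one keepalive interval. Each lost attempt
    doubles the RTO (minRTO, 2*minRTO, 4*minRTO, ... as on slide 4). If no copy
    arrives before the HoldTimer expires, the receiver tears the session down.
    """
    t = peer.keepalive_ms
    rto = peer.min_rto_ms
    attempts = 0
    while t < peer.hold_ms:
        attempts += 1
        if not attack.in_burst(t):
            return Outcome(False, attempts - 1, t)
        t += rto
        rto *= 2
    return Outcome(True, attempts - 1, None)


def reset_probability(peer: BgpPeer, burst_ms: int, period_ms: int) -> float:
    """Fraction of burst phases (every millisecond offset within one period)
    that end in a session reset, i.e. the chance that an attacker who does not
    know when the KeepAlive is sent still catches it and all its retransmissions."""
    hits = sum(
        keepalive_outcome(peer, SquareWave(burst_ms, period_ms, phase)).reset
        for phase in range(period_ms)
    )
    return hits / period_ms


if __name__ == "__main__":
    cisco_gsr = BgpPeer(min_rto_ms=600, keepalive_ms=60_000, hold_ms=180_000)
    juniper = BgpPeer(min_rto_ms=1000, keepalive_ms=30_000, hold_ms=90_000)
    out = keepalive_outcome(cisco_gsr, SquareWave(burst_ms=200, period_ms=600))
    print(f"T = minRTO: reset={out.reset} after {out.retransmissions} retransmissions")
    for period in (300, 500, 600, 900, 1200):
        p = reset_probability(cisco_gsr, 200, period)
        print(f"T={period:5d} ms  L=200 ms  reset probability={p:.2f}")
    print("Juniper defaults:", keepalive_outcome(juniper, SquareWave(200, 1000)))
```

With the Cisco GSR values (minRTO 600 ms, Keepalive 60 s, HoldTimer 180 s) and T = minRTO, every retransmission lands on a multiple of minRTO after the first send, so a burst that catches the first copy catches all seven retransmissions and the Hold Timer expires, exactly the sequence of slides 10 to 13. With T = 500 ms or T = 1200 ms the retransmission instants drift out of the bursts and no phase produces a reset, which is why the inter-burst period has to approximate minRTO. In this idealised model the blind-attack reset probability at T = minRTO is simply L/T; the measured 30% on slide 15 is lower than that because real drops depend on queue state, not on burst alignment alone.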
How likely is BGP session reset?

R: 185 Mbps; T: 600 msec; minimum attack duration: 216 sec.
30% session reset probability with 42% capacity usage.
Router implementation diversity

Router type    Router OS version    minRTO (msec)   Keepalive (sec)   HoldTimer (sec)
Cisco 3600     IOS 12.2(25a)        300             60                180
Cisco 7200     IOS 12.2(28)S3       600             60                180
Cisco 7300     IOS 12.3(3b)         300             60                180
Cisco 12000    IOS 12.0(23)S        600             60                180
Juniper M10    JUNOS [6.0R1.3]      1000            30                90
Explanation of packet drops

BGP packet drop locations: ingress or egress line card buffer queues.
Resource sharing across interfaces: interfaces share buffers and processing time.

[Figure: a router with an ingress line card and an egress line card, each serving several interfaces (1 to 4); the BGP packet competes for the card's shared buffers with traffic arriving on the other interfaces.]
Buffer allocation in line cards

Line card memory is divided into buckets of different packet sizes: (0, 80 B], [81 B, 270 B], [271 B, 502 B], [503 B, 908 B], [909 B, 1500 B].
Packets cannot utilize buckets of a different size.

[Figure: line card buffer queues in front of the switch fabric; the bucket for the BGP packet's size class is full, so the BGP packet is dropped even though the buckets for other sizes are empty.]

Because of this, an attack flow competes with the BGP packets only when its packets fall into the same size bucket.
Necessary conditions for session reset

1. Inter-burst period approximates minRTO.
2. The attack flow's path traverses at least one link of the BGP session.
3. The attack flow's bottleneck link is the target link.

[Figure: attacker to receiver across several routers; a multi-hop BGP session between Router R1 and Router R2 spans links on the attack flow's path, one of which is the bottleneck link.]
Outline

Description of a potential attack against Internet routing
Attack demonstration using testbed experiments
Increased attack sophistication using multi-host coordination
Defense solutions through prevention
Coordinated low-rate DoS attacks

[Figure sequence: attack host A sends to destination C and attack host B sends to destination D; both flows cross the target BGP session between Router R1 and Router R2, and the combined flows congest the target link.]
Host selection for coordinated attacks

Selecting attack host-destination pairs to traverse the target link:
Identify the target link's geographic location and ASes.
Identify prefixes with an AS-level path through the target link.
Identify IP-level paths.
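The AS-level step of this selection is mechanical once each candidate host's BGP table is available. The following is an added example, not the authors' code: it keeps the (attack host, destination prefix) pairs whose AS_PATH contains the two ASes of the targeted session as neighbours, collapsing AS-path prepending and refusing to credit aggregates whose AS_SET hides the real adjacencies. The tables, ASNs and prefixes are constructed for the example (private-range ASNs, documentation prefixes) in a simplified "prefix|AS_PATH" form; the final IP-level check the slide calls for would need a traceroute from each host and is not modelled.

```python
"""Host selection at the AS level (slide 24), as an added worked example.

Each candidate attack host contributes the BGP table it sees. We keep the
(attack host, destination prefix) pairs whose AS_PATH crosses the target link,
i.e. lists the two ASes of the targeted BGP session next to each other.

Constructed input: the tables below are invented, in a simplified
'prefix|AS_PATH' form, with private-range ASNs and documentation prefixes.
"""
from typing import Dict, List, Set, Tuple

ASPath = List[int]
ASLink = Tuple[int, int]

# Constructed: the targeted BGP session runs between AS 64500 and AS 64510.
TARGET_LINK: ASLink = (64500, 64510)

# Constructed BGP tables as seen from two candidate attack hosts.
TABLE_HOST_A = """
198.51.100.0/24|64496 64500 64510 64520
203.0.113.0/24|64496 64500 64500 64500 64510      # prepending by AS 64500
192.0.2.0/24|64496 64530 64510                     # reaches 64510 without the link
100.64.0.0/10|64496 64500 {64510,64540}            # aggregate with an AS_SET
"""
TABLE_HOST_B = """
198.51.100.0/24|64497 64510 64500 64520            # same link, other direction
192.0.2.0/24|64497 64510 64530
"""


def parse_table(text: str) -> Dict[str, ASPath]:
    """Parse 'prefix|AS_PATH' lines into prefix -> AS path.

    Consecutive repeats (AS-path prepending) are collapsed because they do not
    change which inter-AS links the route crosses. Parsing stops at an AS_SET
    ('{...}'): an aggregate hides the real adjacencies beyond that point, so
    such a prefix is never credited with crossing the target link.
    """
    table: Dict[str, ASPath] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, path = line.split("|", 1)
        asns: ASPath = []
        for token in path.split():
            if token.startswith("{"):
                break
            asn = int(token)
            if not asns or asns[-1] != asn:
                asns.append(asn)
        table[prefix.strip()] = asns
    return table


def traverses_link(path: ASPath, link: ASLink) -> bool:
    """True if the two ASes of the link are adjacent in the path, either order."""
    a, b = link
    return any({x, y} == {a, b} for x, y in zip(path, path[1:]))


def prefixes_via_link(table: Dict[str, ASPath], link: ASLink) -> Set[str]:
    return {prefix for prefix, path in table.items() if traverses_link(path, link)}


def select_pairs(tables: Dict[str, Dict[str, ASPath]], link: ASLink) -> List[Tuple[str, str]]:
    """Sorted (attack host, destination prefix) pairs whose AS path crosses the
    link; each pair is one candidate flow for the coordinated attack."""
    return sorted(
        (host, prefix)
        for host, table in tables.items()
        for prefix in prefixes_via_link(table, link)
    )


def demo_pairs() -> List[Tuple[str, str]]:
    tables = {"host-A": parse_table(TABLE_HOST_A), "host-B": parse_table(TABLE_HOST_B)}
    return select_pairs(tables, TARGET_LINK)


if __name__ == "__main__":
    for host, prefix in demo_pairs():
        print(f"{host} -> {prefix}")
```

Two details matter in practice: a prefix reached through the link in the opposite direction (host B's 198.51.100.0/24) still qualifies, because the session's link carries both directions, while a prefix that reaches one of the two ASes without crossing the link (192.0.2.0/24) does not, even though its path contains one endpoint AS.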
Wide-area experiments

Internet bottleneck link available bandwidth measurement: 160 peering links; 330 customer and provider links.
Attack host selection: PlanetLab hosts as potential attack hosts; attack hosts geographically close to the target link.
Attacks targeting a local BGP session.
Wide-area coordinated attacks against a local BGP session

[Figure: attack hosts UW1 and UW2 (US) and THU1 and THU2 (China) send over the WAN across 100 Mbps and 10 Mbps links toward the targeted BGP session between software router 1 and software router 2.]

Attack flow parameters: R = 5 Mbps, L = 300 msec, T = 1 s; average rate = 1.5 Mbps.
Conditions for a single attack flow versus coordinated attacks

A single attack flow:
1. Inter-burst period approximates minRTO.
2. The attack flow's path traverses the BGP session.
3. The attack flow's bottleneck link is the target link.

Coordinated attacks:
1'. Sufficiently strong combined attack flows to cause congestion.
2. The attack flows' paths traverse the BGP session.
3'. Identify the target link location.
Outline

Description of a potential attack against Internet routing
Attack demonstration using testbed experiments
Increased attack sophistication using multi-host coordination
Defense solutions through prevention
Attack prevention: hiding information

Randomize minRTO [Kuzmanovic03]: minRTO is any value within the range [a, b]. This does not eliminate BGP session reset.
Hide network topology from end hosts: disabling ICMP TTL Time Exceeded replies at routers, at the cost of breaking traceroute for legitimate users as well.
Attack prevention: prioritize routing traffic

Weighted Random Early Detection (WRED): prevents TCP synchronization; selectively drops packets; drops low-priority packets first when the queue size exceeds defined thresholds.
Assumption of WRED: the IP precedence field is not spoofed. We need to police the IP precedence markings.
Support from existing commercial routers

Router-supported policing features: Committed Access Rate (CAR); class-based policing.
Traffic marking: reset the incoming packets to low priority.
Class-based queuing: drop the low-priority packets when the traffic burst is high.
Effective in isolating BGP packets from attack traffic!
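Why the marking has to be policed, and not only the queue weighted, is easiest to see on a toy queue. The following is an added example, not the authors' code and not a router configuration: it models per-precedence drop thresholds on the egress queue that carries the BGP session (the weighted part of WRED, with the probabilistic early drop replaced by a hard threshold so the result is reproducible) and an ingress step that re-marks everything except the peers' routing traffic to best effort. Thresholds, the queue limit and the burst are made-up packet counts; the burst is assumed to arrive faster than the link drains, and the "bgp" packet kind stands in for the ACL match (TCP port 179 and the peer addresses) a router would use.

```python
"""Model of the defence on slides 30-31: per-precedence drop thresholds on the
egress queue that carries the BGP session, plus ingress re-marking so attack
traffic cannot borrow the routing-traffic precedence.

Added example, not the authors' code and not a router configuration. WRED's
probabilistic early drop is replaced by a hard per-precedence threshold so the
outcome is reproducible; thresholds and the queue limit are made-up packet
counts, and the burst is assumed to arrive faster than the link drains, so
nothing leaves the queue while it is processed.
"""
from dataclasses import dataclass
from typing import Dict, List

PREC_ROUTING = 6       # IP precedence 6 ("internetwork control"), used for BGP
PREC_BEST_EFFORT = 0

QUEUE_LIMIT = 40                      # assumed queue size (packets)
DROP_THRESHOLD: Dict[int, int] = {    # assumed per-precedence drop thresholds
    PREC_BEST_EFFORT: 20,   # best effort is dropped first
    PREC_ROUTING: 35,       # routing traffic survives until the queue is nearly full
}


@dataclass(frozen=True)
class Packet:
    kind: str        # "bgp" (TCP/179 between the peers) or "attack" (UDP)
    precedence: int  # IP precedence as marked by the sender


def ingress_remark(pkt: Packet) -> Packet:
    """Slide 31, 'reset the incoming packets to be low priority': everything that
    is not the peers' routing traffic is re-marked best effort, whatever the
    sender wrote. A router would match the routing traffic with an ACL (TCP
    port 179 and the peer addresses); the packet kind stands in for that."""
    if pkt.kind == "bgp":
        return Packet("bgp", PREC_ROUTING)
    return Packet(pkt.kind, PREC_BEST_EFFORT)


def weighted_drop(depth: int, precedence: int) -> bool:
    """Drop once the queue depth has reached the threshold for the packet's
    precedence or the queue is full. Unknown precedences count as best effort."""
    threshold = DROP_THRESHOLD.get(precedence, DROP_THRESHOLD[PREC_BEST_EFFORT])
    return depth >= min(threshold, QUEUE_LIMIT)


def run_burst(packets: List[Packet], police_marking: bool) -> Dict[str, int]:
    """Feed one arrival burst through the egress queue and count, per traffic
    kind, how many packets were queued (delivered) and how many were dropped."""
    queue: List[Packet] = []
    stats = {"bgp_delivered": 0, "bgp_dropped": 0,
             "attack_delivered": 0, "attack_dropped": 0}
    for pkt in packets:
        if police_marking:
            pkt = ingress_remark(pkt)
        if weighted_drop(len(queue), pkt.precedence):
            stats[f"{pkt.kind}_dropped"] += 1
        else:
            queue.append(pkt)
            stats[f"{pkt.kind}_delivered"] += 1
    return stats


def make_burst(n_attack: int, bgp_at: int, attack_precedence: int) -> List[Packet]:
    """Constructed input: n_attack attack packets back to back, with one BGP
    KeepAlive arriving at position bgp_at within the burst."""
    burst = [Packet("attack", attack_precedence) for _ in range(n_attack)]
    burst.insert(bgp_at, Packet("bgp", PREC_ROUTING))
    return burst


if __name__ == "__main__":
    spoofed = make_burst(50, bgp_at=38, attack_precedence=PREC_ROUTING)
    print("spoofed precedence, no policing:", run_burst(spoofed, police_marking=False))
    print("spoofed precedence, policed:    ", run_burst(spoofed, police_marking=True))
```

When the attacker marks its UDP packets with precedence 6 and the markings are trusted, the attack fills the queue up to the routing threshold and the Keepalive arriving behind it is dropped, which is the WRED assumption of slide 30 failing. Re-marking at ingress confines the attack traffic to the best-effort threshold, so the queue still has room for the Keepalive and BGP is isolated as slide 31 states. The model covers only the egress queue; the shared line-card buckets of slides 17 and 18 are a separate drop point that this marking does not address.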
Conclusion

Feasibility of attacks against the Internet routing infrastructure: lack of protection of routing traffic.
Prevention solution using existing router configurations; ubiquitous deployment is challenging.
Difficulties in detecting and defending against coordinated attacks, which may affect any network infrastructure.
Thank you!

Backup slides

Attack flow notations

Periodic, on-off square-wave flow: burst period length L; inter-burst period T; burst magnitude of the peak R.

[Figure: square wave annotated with burst length L, magnitude of the peak R and inter-burst period T.]
Attack inter-burst period's impact on table transfer duration (R = 185 Mbps, L = 200 msec)

Attack peak magnitude's impact on session reset and table transfer duration (top: T = 600 msec, L = 200 msec; bottom: T = 1.2 s, L = 200 msec)

[Figure: two plots; the top one is annotated "Normalized avg rate 0.48", the bottom one "Normalized avg rate 0.24".]

Synchronization accuracy

BGP table transfer with WRED enabled under attack