Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing Ying Zhang Z. Morley Mao Jia Wang Presented in NDSS07 Prepared by : Hale Ismet



The attacks

Attacks targeting end hosts: Denial of Service attacks, worms, spam

Attacks targeting the routing infrastructure


Border Gateway Protocol: standard inter-domain routing protocol

There are two types of BGP sessions: eBGP and iBGP sessions. The former are between routers within different autonomous systems (ASes) or networks.


To ensure liveness of the neighbor in a BGP session, routers periodically exchange keepalive messages

[Figure: BGP session between BR in AS 1 and BR in AS 2. Transport: TCP connection. Keepalive messages are exchanged in both directions.]

Keepalives confirm peer liveliness; determine peer reachability

BGP HoldTimer expired -> BGP session reset


Low-rate TCP-targeted DoS attacks

[Figure: TCP congestion window size (segments) against time, starting from the initial window size, with the time axis marked at minRTO, 2 x minRTO and 4 x minRTO.]

Attack flow period approximates minRTO of TCP flows


The attacker can indeed bring down the BGP session

1- Burst length L needs to be long enough to cause congestion.

2- Peak magnitude R also needs to be large to cause congestion.

3- Inter-burst period T needs to be minRTO to cause session reset.


The effect of this attack on BGP

1. The attack traffic lowers the sending rate of the TCP connection carrying BGP traffic; this increased convergence

2. The more severe effect on the BGP session is the possibility of BGP session reset caused by all packets dropped within a time interval exceeding the hold timer value.


Testbed experiments

The high-end Cisco router GSR (it is widely used in the Internet and is very powerful)

Demonstrating the attack feasibility by two computers


[Figure: UDP-based attack flow from Attacker A to Receiver B, with Router R1 and Router R2. Timeline marked minRTO, 2*minRTO, up to the 7th retransmitted BGP Keepalive message, then BGP Session Reset.]

Takes 3 min


Kind of routers


The probability of session reset

With the burst length of 225 msec, the attacker has around 30% probability to reset the session with 42% available bandwidth


Attack peak magnitude’s impact on session reset and table transfer duration


Necessary conditions for single attack

Inter-burst period approximates minRTO

The attack flow’s path traverses at least one link of the BGP session

Attack flow’s bottleneck link is the target link


Bring down the BGP session

To avoid sending too much traffic from each node, we perform time synchronization designed


Conditions for coordinated attacks

1’. Sufficiently strong combined attack flows to cause congestion

2. The attack flow’s path traverses the BGP session

3’. Identify the target link location


Attack prevention

Hiding information
- Kuzmanovic03: Randomize minRTO
- Hide network topology from end-hosts.

Prioritize routing traffic

Weighted Random Early Detection (WRED) [It is a mechanism]
- Prevent TCP synchronization
- Selectively drop packets: drop low-priority packets first when the queue size exceeds defined thresholds

** WRED relies on the IP precedence field in the packet header
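
A small model of the WRED behaviour described on this slide, added here as an illustration and not taken from the paper or the slides: the drop decision is keyed on the IP precedence bits, so low-priority packets are dropped first while routing traffic is spared until the queue is nearly full. The thresholds, the queue trace and all function names are constructed, and BGP is assumed to be marked with precedence 6.

```python
"""WRED drop decision keyed on IP precedence (illustrative model)."""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    min_th: int      # average queue depth (packets) where random drops begin
    max_th: int      # average depth at which every packet is dropped
    mark_denom: int  # drop probability just below max_th is 1/mark_denom

# Constructed profiles. Precedence 6 (network control, assumed here to carry
# BGP) only starts dropping when the queue is almost full.
PROFILES = {0: Profile(20, 40, 10), 6: Profile(36, 40, 10)}

def precedence(tos_byte: int) -> int:
    """IP precedence is the top three bits of the IPv4 ToS byte."""
    return (tos_byte >> 5) & 0x7

def drop_probability(avg_queue: float, prec: int) -> float:
    p = PROFILES.get(prec, PROFILES[0])  # unlisted classes get the lowest profile
    if avg_queue < p.min_th:
        return 0.0
    if avg_queue >= p.max_th:
        return 1.0                       # behaves like tail drop past max_th
    return (avg_queue - p.min_th) / (p.max_th - p.min_th) / p.mark_denom

def ewma(avg: float, depth: int, exp_weight: int = 2) -> float:
    """Smoothed queue depth with weight 2**-exp_weight."""
    w = 2.0 ** -exp_weight
    return (1 - w) * avg + w * depth

def simulate(depths, tos_bytes, seed=1):
    """Offer one packet per ToS value per tick; return {prec: (arrived, dropped)}."""
    rng = random.Random(seed)
    avg, stats = 0.0, {}
    for depth in depths:
        avg = ewma(avg, depth)
        for tos in tos_bytes:
            prec = precedence(tos)
            arrived, dropped = stats.get(prec, (0, 0))
            hit = rng.random() < drop_probability(avg, prec)
            stats[prec] = (arrived + 1, dropped + int(hit))
    return stats

# Constructed queue trace: mostly idle, then sustained congestion at 34 packets.
TRACE = [5] * 10 + [34] * 200

if __name__ == "__main__":
    for prec, (arrived, dropped) in sorted(simulate(TRACE, [0x00, 0xC0]).items()):
        print(f"precedence {prec}: {dropped}/{arrived} dropped")
```

Because the decision depends only on the precedence bits, the protection holds only if routing packets are actually marked and if untrusted traffic cannot carry the same marking.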


BGP table transfer with WRED enabled under attack


Conclusion

Feasibility of attacks against Internet routing infrastructure

Prevention solution using existing router configurations

Difficulties in detecting and defending against coordinated attacks


Thanks

Any Questions?
