Defending Against Low-rate TCP Attack: Dynamic Detection and Protection
Haibin Sun, John C.S. Lui (CSE Dept., CUHK)
David K.Y. Yau (CS Dept., Purdue U.)
Outline
- Introduction to the Low-rate TCP Attack
- Formal Description of Low-rate TCP Attack
- Distributed Detection
- Defense Mechanism
- Conclusion
Introduction to the Low-rate TCP Attack
Common DoS attack
- Consumes resources (bandwidth, buffers, etc.)
- Keeps legitimate users away from the service
- A large number of machines or agents is involved
- Harmful, but relatively easy to detect
Low-rate DoS attack
- Aims to deny bandwidth to legitimate TCP flows
- The attacker sends an attack stream with low average volume
- Exploits TCP's congestion control (retransmission timeout and exponential backoff)
- The attacker sends a periodic short burst to the victim/router
TCP Retransmission Mechanism
TCP congestion control under severe network congestion:
- Wait until the retransmission timeout (RTO) expires
- Reduce the congestion window
- Double the RTO (exponential backoff)
- Retransmit the packet
- If the retransmission succeeds, enter the slow start phase
- Otherwise, back off exponentially again
Calculation of RTO
- In RFC 2988: RTO = max(minRTO, SRTT + max(G, 4 · RTTVAR)), where SRTT is the smoothed RTT, RTTVAR the RTT variance and G the clock granularity
- During slow start, SRTT + 4 · RTTVAR is normally well below minRTO, so RTO = minRTO
- minRTO = 1 second (recommended in RFC 2988; its successor RFC 6298 keeps the 1-second minimum)
- This fixed, predictable minimum is what the attacker synchronises with: a stack with a smaller minRTO (for example Linux's 200 ms) changes the period the attacker has to use, not the mechanism
Low-rate DoS Attack to TCP Flow
An example of a low-rate DoS attack:
- A sufficiently large attack burst causes packet loss at the congested router
- TCP times out and retransmits after RTO
- If the attack period equals the RTO of the TCP flow, each retransmission meets the next burst: TCP continually incurs loss and achieves zero or very low throughput
- Average attack bandwidth: Avg BW = lR/T (burst length l, burst rate R, period T), so the attacker's average rate stays low
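The timing argument above, worked through in code. This is an added example, not the authors' simulator: it is a simplified model in integer milliseconds that assumes (none of this is stated on the slides) that a burst starting while the flow is sending, or covering a retransmission instant, loses the flow's packets and is recovered only by timeout; that the flow otherwise sends at full rate (slow start ramp-up ignored); and that the RTO returns to minRTO after a successful retransmission and is capped at 64 s.

```python
"""Simplified timing model of a low-rate (shrew) attack on one TCP flow.
Times are integer milliseconds so burst/RTO arithmetic is exact.
Assumptions (not from the slides): loss is recovered only by timeout, the
flow sends at full rate between losses, RTO resets to minRTO after a
successful retransmission and is capped at 64 s."""


def attack_avg_bandwidth(burst_ms, rate, period_ms):
    """Average attack bandwidth from the slide: Avg BW = l * R / T."""
    return burst_ms * rate / period_ms


def tcp_goodput_fraction(period_ms, burst_ms, min_rto_ms=1000,
                         max_rto_ms=64000, horizon_ms=60000):
    """Fraction of the horizon during which the modelled TCP flow is transmitting.
    Bursts of length burst_ms start at every multiple of period_ms."""
    t, rto, busy = 0, min_rto_ms, 0
    while t < horizon_ms:
        if t % period_ms < burst_ms:
            # Loss: the (re)transmission at t falls inside an attack burst.
            # Wait one RTO, then double it for the next attempt (exponential backoff).
            t += rto
            rto = min(2 * rto, max_rto_ms)
        else:
            # Success: slow start resumes; the flow sends until the next burst begins.
            rto = min_rto_ms
            next_burst = (t // period_ms + 1) * period_ms
            send_until = min(next_burst, horizon_ms)
            busy += send_until - t
            t = send_until
    return busy / horizon_ms


def sweep(periods_ms, burst_ms=100, rate=1.0):
    """Goodput and attacker cost per attack period; shows the null at T = minRTO
    (and at periods that divide the backed-off RTOs 1, 2, 4, ... s)."""
    return {T: (tcp_goodput_fraction(T, burst_ms), attack_avg_bandwidth(burst_ms, rate, T))
            for T in periods_ms}


if __name__ == "__main__":
    for T, (goodput, cost) in sweep([500, 1000, 1500, 2000, 3000]).items():
        print(f"T={T:5d} ms  TCP goodput={goodput:6.1%}  attacker avg bw={cost:6.1%} of link")
```

With l = 100 ms and R = the full link rate, a period of 1000 ms costs the attacker 10% of the link and leaves the modelled flow with nothing, while a period of 2000 ms (5% of the link) lets it recover half of the time: the damage is set by the match between T and minRTO, not by the attacker's average rate. Real stacks add RTT and timer jitter, so this idealised null is sharper than what is measured.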
What is next? Formal Description of Low-rate TCP Attack
Formal Description
Mathematical description of the attack stream (figure: a periodic burst train on top of background noise), with parameters:
- T: attack period
- l: length of the attack burst
- R: rate of the attack burst
- N: background noise
- S: time shift
Low-rate DoS Traffic Pattern
The periodic burst may have different patterns:
- Step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM '03)
- Simple square wave (Kuzmanovic & Knightly, SIGCOMM '03)
- General peaks with background noise
At the victim router the attack traffic rarely keeps its original shape: the bursts of different periods may differ, so T, l and R may vary. We need a ROBUST method to identify the attack.
Low-rate DoS Traffic Pattern: multiple distributed attack sources
- Long period combination: several sources, each sending bursts with a long period, interleave into one stream with the attack period T
- Small burst combination: several sources, each sending a small burst, combine into one burst with the required rate R
What is next? Distributed Detection
Distributed Detection
[Figure: overall idea of distributed detection]
Distributed Detection
Traffic signature detection
- Small average throughput => a throughput-based IDS does not see the attack (X)
- No signature in the packets => "per-packet" approaches do not work (X)
- Extract the essential signature of the attack traffic, its periodic burst pattern (√)
- Sample the recent instantaneous throughput at a constant rate (the rate should be frequent enough to resolve the bursts, but not overburden the system)
- Each detection run works on a sequence of instantaneous throughput samples (the length of the sequence should also be properly adjusted)
- Normalization is necessary (by the maximum link bandwidth)
- The similarity between the template and the input must be calculated.
- We use Dynamic Time Warping (DTW). (The detailed DTW algorithm is provided in the paper.)
- The smaller the DTW value, the more similar the two sequences are.
- DTW values cluster; a threshold can be set to distinguish attack from legitimate traffic.
- Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input yields a characteristic pattern in its autocorrelation.
- (Autocorrelation also masks differences in the time shift S.)
- Unbiased normalization: each lag is divided by the number of terms that contribute to it, M - m (M: length of the input sequence; m: autocorrelation lag index)
- The background noise in the samples needs to be filtered.
- Background noise: UDP flows and other TCP flows that are less sensitive to the attack.
- For simplicity, a threshold filter can be used.
Algorithm of Detection
Pipeline: Sample the traffic -> Filter the noise -> Extract the signature -> Pattern match
(Demo in Matlab)
Normalized throughput:
$\text{Normalized throughput} = \frac{\text{Instantaneous throughput}}{\text{Maximum link bandwidth}}$
Unbiased autocorrelation of the filtered sample sequence $x_0, \dots, x_{M-1}$:
$A(m) = \frac{1}{M-m} \sum_{n=0}^{M-m-1} x_n\, x_{n+m}$
DTW distance between the template and the input, minimised over warping paths of length $K$ with per-step costs $w_k$:
$DTW(Template, Input) = \min \sum_{k=1}^{K} w_k$
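The whole detection pipeline of the preceding slides (sample, normalize, threshold-filter, unbiased autocorrelation, DTW, threshold) as one runnable example. This is added code, not the authors' Matlab demo. The sampling interval (10 ms), window (400 samples), noise threshold (0.5 of link bandwidth), DTW decision threshold (10.0) and all traffic traces are constructed for this example; the template is a clean square wave with T = 1 s, and the attack input deliberately uses a different T, l and S plus background noise, so that the match has to come from the autocorrelation and the time warping rather than from identical shapes. The DTW values here are on a different scale from the paper's tables, so the threshold is an assumption for this synthetic setup.

```python
"""Low-rate TCP attack detection pipeline (worked example, constructed traffic):
sample -> normalize -> threshold filter -> unbiased autocorrelation -> DTW -> threshold."""
import random

LINK_BW = 1.0          # maximum link bandwidth; throughput is a fraction of it
DT = 0.01              # sampling interval in seconds (100 samples/s) -- assumed
WINDOW = 400           # samples per detection window (4 s) -- assumed
NOISE_THRESHOLD = 0.5  # samples below this fraction of link bw are background -- assumed
DTW_THRESHOLD = 10.0   # decision threshold for this synthetic setup -- assumed


def square_wave_traffic(period, burst_len, rate, shift, background, sigma, rng, n=WINDOW):
    """Constructed attack traffic following the slides' model: bursts of length l at
    rate R every T seconds, shifted by S, over background noise N (constant level plus
    Gaussian jitter). Capped at the link rate, since the link cannot carry more."""
    period_n, burst_n, shift_n = round(period / DT), round(burst_len / DT), round(shift / DT)
    out = []
    for i in range(n):
        in_burst = (i - shift_n) % period_n < burst_n
        level = (rate if in_burst else 0.0) + background + rng.gauss(0.0, sigma)
        out.append(min(LINK_BW, max(0.0, level)))
    return out


def legitimate_traffic(level, sigma, rng, n=WINDOW):
    """Constructed legitimate traffic as in the slides' simulation: C + Gaussian(0, N)."""
    return [min(LINK_BW, max(0.0, level + rng.gauss(0.0, sigma))) for _ in range(n)]


def normalize(samples):
    """Normalized throughput = instantaneous throughput / maximum link bandwidth."""
    return [s / LINK_BW for s in samples]


def filter_noise(samples, threshold=NOISE_THRESHOLD):
    """Threshold filter: samples below the threshold are treated as background noise."""
    return [s if s >= threshold else 0.0 for s in samples]


def unbiased_autocorr(x, max_lag=None):
    """A(m) = 1/(M-m) * sum_{n=0}^{M-m-1} x[n] x[n+m], m = 0 .. max_lag-1.
    The 1/(M-m) factor is the slides' unbiased normalization; the result does not
    depend on the time shift S of the bursts."""
    M = len(x)
    max_lag = M // 2 if max_lag is None else max_lag
    return [sum(x[n] * x[n + m] for n in range(M - m)) / (M - m) for m in range(max_lag)]


def dtw(a, b):
    """Dynamic Time Warping distance: minimum over monotone warping paths of the
    summed per-step cost |a_i - b_j| (the sum of w_k in the slides' formula)."""
    INF = float("inf")
    cost = [[INF] * (len(b) + 1) for _ in range(len(a) + 1)]
    cost[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            step = abs(a[i - 1] - b[j - 1])
            cost[i][j] = step + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[-1][-1]


def signature(samples):
    """Sample the traffic -> filter the noise -> extract the periodic signature."""
    return unbiased_autocorr(filter_noise(normalize(samples)))


def dtw_score(template_samples, input_samples):
    """Pattern match: DTW between the template's signature and the input's."""
    return dtw(signature(template_samples), signature(input_samples))


def is_attack(score, threshold=DTW_THRESHOLD):
    """Small DTW value = similar to the attack template."""
    return score < threshold


def demo():
    rng = random.Random(7)
    # Template: clean square wave, T = 1 s (= minRTO), l = 0.1 s, R = full link, no shift/noise.
    template = square_wave_traffic(1.0, 0.1, 1.0, 0.0, 0.0, 0.0, rng)
    # Attack input with different T, l and S and with background noise.
    attack = square_wave_traffic(1.2, 0.15, 1.0, 0.37, 0.2, 0.05, rng)
    # Legitimate input: constant load plus Gaussian jitter, no periodic structure.
    legit = legitimate_traffic(0.6, 0.1, rng)
    return {"attack": dtw_score(template, attack), "legitimate": dtw_score(template, legit)}


if __name__ == "__main__":
    for kind, score in demo().items():
        print(f"{kind:10s} DTW={score:7.2f}  flagged={is_attack(score)}")
```

The threshold filter removes the sub-threshold background before autocorrelation, so a legitimate stream that merely has a high mean does not produce the periodic peaks; conversely, an attacker whose bursts stay below the threshold also stays below the detector, which is why the threshold has to be set against the link's real burst profile rather than as a fixed fraction.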
Robustness of Detection
Attack traffic simulations:
- Patterns: square, step, general peaks
- T, l: uniformly distributed, subject to l/T <= 0.25
- R: 1 (full bandwidth)
- N, S: uniformly distributed
- 1000 simulations per type
[Figure: DTW value of low-rate TCP attack against simulation index (0 to 3000), y-axis 0 to 70]
DTW values for low-rate attack:
        Square   General Peaks   Step
Max     39.48    29.89           57.10
Min      0.25     0.22            0.49
Mean     5.73     5.11            7.97
Stdv     6.93     4.61           11.39
Robustness of Detection
Legitimate traffic composition and simulation:
- Legitimate traffic modelled as C + Gaussian(0, N)
- Simulation run 100 times for each C
- Legitimate traffic yields large DTW values
DTW values for legitimate traffic:
Max    286.60
Min     62.51
Mean   205.24
Stdv    66.63
Robustness of Detection
Attack flows vs. legitimate flows: we expect a separation between them.
[Figure: probability distribution of DTW values for attack and legitimate traffic, with the detection threshold between the two clusters]
In these simulations the largest attack DTW value (57.10) lies below the smallest legitimate one (62.51), so a threshold placed between them separates the two classes.
What is next? Defense Mechanism
Defense Mechanism
- Router deployment: pushback detection. A router that detects the attack pushes back to the upstream deployed routers, which also handles a distributed attack.
- Resource management: Deficit Round Robin (DRR).
Defense Mechanism: Deficit Round Robin (DRR)
- Classify packets according to the input port i
- On each visit of queue i: deficit_counter[i] += Quantum
- If the head packet's size <= deficit_counter[i], serve the packet and set deficit_counter[i] -= packet's size
- If queue i has no packet, deficit_counter[i] = 0
Example (figure): three queues A, B, C; packet sizes shown are 1500, 300, 600, 600, 500, 2000 and 1000 bytes; Quantum = 1000 bytes
1st round:
- A's count: 1000 (head packet larger than the counter, not served)
- B's count: 200 (served twice)
- C's count: 400 (served once)
2nd round:
- A's count: 500 (served)
- B's count: 0 (queue empty)
- C's count: 800 (served)
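The DRR rules and the two-round walk-through above in code. This is an added example, not the authors' router implementation. The queue contents are reconstructed from the figure's packet sizes as A = [1500, 2000], B = [300, 500], C = [600, 600, 1000] bytes (an assumption: this is the assignment of the seven sizes that reproduces the slide's per-round counters); the attacker-versus-legitimate isolation run at the end is also constructed.

```python
"""Deficit Round Robin as described on the slide (worked example, constructed queues)."""
from collections import deque

QUANTUM = 1000  # bytes credited to a queue's deficit counter on each visit


def drr_round(queues, counters, quantum=QUANTUM):
    """One DRR round following the slide's rules. For each queue (one per input
    port): if it has no packet, reset its deficit counter to 0; otherwise add the
    quantum and serve head-of-line packets while they fit, subtracting each served
    packet's size. Returns the (queue, size) pairs served this round.
    (The original DRR paper resets the counter as soon as a queue empties; the
    slide's trace shows the leftover credit until the next visit, as done here.)"""
    served = []
    for name, q in queues.items():
        if not q:
            counters[name] = 0
            continue
        counters[name] += quantum
        while q and q[0] <= counters[name]:
            size = q.popleft()
            counters[name] -= size
            served.append((name, size))
    return served


def slide_trace():
    """Two rounds over the reconstructed queues (assumed contents, see lead-in)."""
    queues = {"A": deque([1500, 2000]), "B": deque([300, 500]), "C": deque([600, 600, 1000])}
    counters = {name: 0 for name in queues}
    round1 = drr_round(queues, counters)
    after1 = dict(counters)
    round2 = drr_round(queues, counters)
    return {"round1": round1, "after1": after1, "round2": round2, "after2": dict(counters)}


def bytes_served(queues, rounds, quantum=QUANTUM):
    """Total bytes each queue receives over `rounds` rounds."""
    counters = {name: 0 for name in queues}
    total = {name: 0 for name in queues}
    for _ in range(rounds):
        for name, size in drr_round(queues, counters, quantum):
            total[name] += size
    return total


def isolation_demo():
    """Constructed: an attacker port with a 100-packet burst queued against a
    legitimate port with 5 packets. A FIFO/drop-tail queue would drain the burst
    first; DRR credits each port one quantum per round, so the legitimate queue is
    served in every round and the burst cannot starve it."""
    queues = {"attacker": deque([1000] * 100), "legit": deque([1000] * 5)}
    return bytes_served(queues, rounds=5)


if __name__ == "__main__":
    trace = slide_trace()
    print("round 1 served:", trace["round1"], "counters:", trace["after1"])
    print("round 2 served:", trace["round2"], "counters:", trace["after2"])
    print("bytes after 5 rounds:", isolation_demo())
```

Per-port classification is what makes this a defense here: the attacker's burst can only spend its own port's credit, so the short, high-rate burst that fills a shared drop-tail queue and causes the synchronized TCP losses is confined to one queue. An attacker sharing an input port with legitimate flows is not isolated by this scheme.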
Experiment of Defense Mechanism
Multiple TCP flows vs. a single-source attacker: eight TCP flows and one low-rate attacker go through the same router; link capacity 5 Mbps.

                    Drop Tail                      DRR
           Throughput (Kbps)  % of link   Throughput (Kbps)  % of link
Attack        928.76            18.58%       343.09             6.86%
TCP1            8.71             0.17%       965.91            19.32%
TCP2          210.77             4.22%       645.79            12.92%
TCP3            4.75             0.10%       629.15            12.58%
TCP4           11.09             0.22%       618.05            12.36%
TCP5            5.54             0.11%       468.30             9.37%
TCP6          267.82             5.36%       356.57             7.13%
TCP7           72.11             1.44%       293.97             5.88%
TCP8            3.17             0.06%       194.93             3.90%
TCP Sum       583.96            11.68%      4172.67            83.45%

With drop tail the attacker's bursts keep the eight TCP flows at 11.68% of the link in total and the link mostly idle; with DRR the attacker is held to 6.86% and the TCP flows together reach 83.45%.
Experiment of Defense Mechanism
Network model: attack vs. multiple TCP flows. Four TCP flows and a single attacker in a 7-router network; R1, R2, R4 and R6 may run DRR; link capacity 5 Mbps.

Throughput ρ (Kbps)
             Drop Tail   DRR on R6   DRR on R6,R4   DRR on R6,R4,R2   DRR on R6,R4,R2,R1
Attack          640.00      561.00         453.00            419.00               404.00
TCP1            386.00      358.00         311.00            314.00               778.00
TCP2            264.00      329.00         282.00            874.00               763.00
TCP3            324.00      251.00        1245.00            924.00               788.00
TCP4            425.00     1719.00        1154.00            966.00               765.00
Total TCP      1399.00     2657.00        2992.00           3078.00              3094.00

Total TCP throughput rises with each additional DRR router, but the individual flows are only served evenly once all four routers run DRR; a flow whose path has no DRR router stays exposed.
What is next? Conclusion
Conclusions
- Formal model to describe the low-rate TCP attack
- Distributed detection mechanism using Dynamic Time Warping
- The pushback mechanism
- DRR approach for protection and isolation