Fairness Attacks in the eXplicit Control Protocol

Christo Wilson, Christopher Coakley, Ben Y. Zhao

University of California Santa Barbara

Post on 02-Jan-2016

Page 2: Motivation

Heavy research in recent years into explicit feedback protocols

Demonstrate desirable qualities

◦ Fairness between flows

◦ High utilization

◦ Few drops

◦ No slow start

Not security aware

“Honesty is for the most part less profitable than dishonesty” -- Plato, The Republic

Our work: quantifying the impact of attackers through detailed experiments

Page 3: Table of Contents

Background and Attack Model

Experimental Setup

Sender-side Attacker

◦ Congestion controlled

◦ Fully Unresponsive

Receiver-side Attacker

Proposed Defenses

Conclusion

Page 4: Background – Explicit Feedback

[Figure: Explicit Feedback Enabled Internet. Labels: Bottleneck; Feedback = -42; Throughput = -42; Throughput = 1000.]

Page 5: Attack Model

Feedback mechanism abuse enables attacks:

◦ Selective compliance with feedback

◦ Falsified feedback

Two attack types:

◦ Sender-side ignores feedback

◦ Receiver-side falsifies header information

Attacker goals:

◦ Control as much bandwidth as possible

◦ Denial of Service (DoS) remote hosts

Page 6: Experimental Setup

Attacker models implemented using XCP

Tests performed in ns2

◦ 10ms latency

◦ 1KB packets

◦ Drop-tail queues

◦ 20 Mbit bottleneck link

Page 7: Sender-side Attacker

[Figure: Explicit Feedback Enabled Internet. Labels: Feedback = -42; Throughput = 1000; Throughput = -42.]

Page 8: Sender-side Attacker

Two types of attackers implemented:

◦ Congestion controlled

  ◦ TCP like behavior

  ◦ Continuous additive c_wnd growth

  ◦ Multiplicative c_wnd back off after packet drop

◦ Fully unresponsive

  ◦ Only probes for bandwidth once (1 packet drop)

  ◦ Locks c_wnd at 50% of current size

  ◦ Trumps congestion controlled attackers

  ◦ Resumes probing in response to:

    ◦ positive feedback

    ◦ 25% reduction in RTT

Page 9: Sender-side Attacker (Congestion Controlled)

[Plot: 9 Sender-Side Attackers w/ 1 Normal Flow. Labels: Normal Flow; Utilization.]

Page 11: Sender-side Attacker (Fully Unresponsive)

[Plot: 1 Sender-Side Attacker w/ 49 Normal Flows. Labels: A +10; B +35; Total Flows = 5; Total Flows = 15; Total Flows = 50.]

Page 12: Sender-side Attacker (Fully Unresponsive)

[Plot: 4 Sender-Side Attackers w/ 1 Normal Flow. Labels: A +1; B +1; C +1; D -1; Normal Flow.]

Page 13: Receiver-side Attacker

[Figure: Explicit Feedback Enabled Internet. Labels: Feedback = 9999; Throughput = 1000; Throughput = -42.]

Page 14: Receiver-side Attacker

[Plot: 1 Receiver-Side Attacker w/ 49 Normal Flows.]

Page 15: Proposed Defenses: Edge Monitors

Edge monitors

◦ Must be ubiquitous

◦ Requires per flow monitoring/state

Sender-side attacks detected by monitoring actual versus expected throughput

Receiver-side attacks are trivially detected

Issues:

◦ Ubiquity of monitors can not be guaranteed

◦ Unfeasible router overhead

◦ Network edge does not exist
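
One way the two edge-monitor checks on this slide could be implemented, as an added example (not code from the presentation or its authors): per-flow state tracks the window a compliant XCP sender would hold after each round of feedback and flags a flow that keeps sending above it, and a second check compares the feedback a data packet carried with the value echoed in its ACK. The class and function names, the 10% tolerance, the three-strike rule, the assumption that the monitor sees both directions of a flow, and the traces are all constructed for illustration.

```python
from dataclasses import dataclass

PKT = 1000        # bytes; the deck's ns2 runs use 1KB packets
TOLERANCE = 1.10  # assumed slack for measurement noise
STRIKES = 3       # assumed consecutive violations before a flow is flagged

@dataclass
class FlowState:
    expected_cwnd: float  # bytes a compliant sender would send per RTT
    strikes: int = 0
    flagged: bool = False

class EdgeMonitor:
    """Hypothetical edge monitor keeping per-flow state (illustrative names)."""

    def __init__(self):
        self.flows = {}

    def observe_rtt(self, flow, feedback, bytes_sent):
        """Sender-side check: compare one RTT of traffic with the expected window."""
        st = self.flows.get(flow)
        if st is None:  # the first RTT seen becomes the baseline
            st = self.flows[flow] = FlowState(expected_cwnd=bytes_sent)
        over = bytes_sent > st.expected_cwnd * TOLERANCE
        st.strikes = st.strikes + 1 if over else 0
        st.flagged = st.flagged or st.strikes >= STRIKES
        # XCP sender rule: cwnd = max(cwnd + feedback, one packet)
        st.expected_cwnd = max(st.expected_cwnd + feedback, PKT)
        return st.flagged

    @staticmethod
    def ack_is_consistent(router_feedback, echoed_feedback):
        """Receiver-side check: the ACK must echo what the routers wrote."""
        return router_feedback == echoed_feedback

def run_trace(trace):
    """Replay (feedback, bytes_sent) pairs for one flow; return the final verdict."""
    mon = EdgeMonitor()
    verdict = False
    for feedback, bytes_sent in trace:
        verdict = mon.observe_rtt("flow", feedback, bytes_sent)
    return verdict

# Constructed traces: both flows receive -2000 bytes of feedback per RTT.
HONEST = [(-2000, 20000), (-2000, 18000), (-2000, 16000), (-2000, 14000)]
IGNORES_FEEDBACK = [(-2000, 20000)] * 4

if __name__ == "__main__":
    print(run_trace(HONEST), run_trace(IGNORES_FEEDBACK))
    print(EdgeMonitor.ack_is_consistent(-42, 9999))  # values from the deck's diagrams
```

The per-flow dictionary is the state cost the slide lists under "Issues": it grows with the number of flows crossing the monitor.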

Page 16: Proposed Defenses: Attack Severity

Sender-side attacks are tractable problem

◦ Elephant flow monitors exist

◦ Detectable anywhere in network path

◦ Motivation for attack is lacking

◦ Can not be used to DoS

Receiver-side attacks represent difficult challenge

◦ Can target/break well behaved hosts

◦ DoS potential

◦ Motivation for attack is much stronger

Page 17: Proposed Defenses: Nonce Feedback Injection

[Figure: Explicit Feedback Enabled Internet. Labels: Feedback = -H4X0R3D; Throughput = -H4X0R3D.]

Page 18: Proposed Defenses: Nonce Feedback Injection

[Figure: Explicit Feedback Enabled Internet. Labels: Feedback = 9999; Throughput = -H4X0R3D.]

Page 19: Conclusion

Existing explicit feedback protocols are vulnerable to exploitation

◦ Sender-side attacks

◦ Receiver-side attacks

Attacks are highly effective

Applies to existing explicit feedback protocols

◦ XCP, RCP, MaxNet, JetMax, etc

Proposed solutions are inadequate

◦ Potential solution: nonce feedback injection

Page 20: Questions?