Defending Against Low-rate TCP Attack: Dynamic Detection and Protection

Prof. John C.S. Lui, CSE Dept., CUHK
Outline
- Introduction to Low-rate TCP Attack
- Formal Description of Low-rate TCP Attack
- Distributed Dynamic Detection
- Low-rate Attack Defense Mechanism
- Fluid Model of TCP Flows
- Defence Experiments
- Related Work & Conclusion
Introduction to the Low-rate TCP Attack
Common DoS attack:
- consumes resources (bandwidth, buffers, etc.) to keep legitimate users away from the service
- a large number of machines or agents are involved
- harmful, but relatively easy to detect

Low-rate DoS attack:
- aims to deny the bandwidth of legitimate TCP flows
- the attacker sends the attack stream at low volume
- exploits the TCP congestion control (retransmission timeout) feature
- the attacker sends a periodic short burst to the victim/router
TCP Retransmission Mechanism
TCP congestion control
Under severe network congestion (no acknowledgement before the retransmission timer expires), TCP:
- waits until the retransmission timeout (RTO) expires
- reduces the congestion window
- doubles the RTO
- retransmits the packet; if the retransmission succeeds, it enters the slow start phase, otherwise it backs off exponentially again

Calculation of RTO, from RFC 2988:

RTO = max(minRTO, SRTT + max(G, 4·RTTVAR))

where SRTT is the smoothed round-trip time, RTTVAR the round-trip time variation and G the clock granularity. In slow start the RTO is usually equal to minRTO, and RFC 2988 recommends minRTO = 1 second. (A practitioner's caveat: not every stack uses that value; Linux, for example, uses a 200 ms minimum, so the attack period that works against a given victim is whatever that victim's minRTO actually is.)
Low-rate DoS Attack on a TCP Flow

An example of the low-rate DoS attack (figure on the original slide: bursts of rate R and length l, one every period T, against a TCP flow):
- a sufficiently large attack burst causes packet loss at the congested router
- TCP waits until the timeout and retransmits after the RTO
- if the attack period T equals the RTO of the TCP flow, the retransmission runs into the next burst, so TCP continually incurs loss and achieves zero or very low throughput
- the attacker's average bandwidth is only lR/T
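The RTO computation and the timing argument above, as an added worked example (not code from the slides or the paper): an RFC 2988 estimator with the slide's formula, and a timeline of a flow whose lost packet is retransmitted at RTO, 2·RTO, 4·RTO, ... against bursts of length l every T. The RTT samples, the burst parameters and the send time of the lost packet are constructed inputs.

```python
"""RFC 2988 RTO estimate and a retransmission timeline against periodic bursts.

Added example; the RTT samples, burst parameters and the send time of the
lost packet are constructed inputs, not measurements from the slides."""

ALPHA = 1.0 / 8   # SRTT gain, RFC 2988 section 2.3
BETA = 1.0 / 4    # RTTVAR gain, RFC 2988 section 2.3


def rto_rfc2988(rtt_samples, min_rto=1.0, granularity=0.1):
    """Feed RTT samples (seconds) in order; return (SRTT, RTTVAR, RTO) with
    RTO = max(minRTO, SRTT + max(G, 4*RTTVAR)), the formula on the slide."""
    srtt = rttvar = None
    for r in rtt_samples:
        if srtt is None:                       # first measurement: SRTT = R, RTTVAR = R/2
            srtt, rttvar = r, r / 2.0
        else:                                  # later samples: RTTVAR before SRTT, as in the RFC
            rttvar = (1 - BETA) * rttvar + BETA * abs(srtt - r)
            srtt = (1 - ALPHA) * srtt + ALPHA * r
    return srtt, rttvar, max(min_rto, srtt + max(granularity, 4 * rttvar))


def in_burst(t, period, burst_len, shift=0.0):
    """True if time t falls inside an attack burst: bursts of length l every T, offset S."""
    return ((t - shift) % period) < burst_len


def retransmission_timeline(rto, period, burst_len, attempts, t_send=0.0, shift=0.0):
    """The packet sent at t_send is lost in a burst. Each retransmission goes out one RTO
    later; if it lands in a burst it is lost again and the RTO doubles (exponential back-off).
    Returns [(time, lost), ...] until a retransmission gets through or attempts run out."""
    timeline, t, cur_rto = [], t_send, rto
    for _ in range(attempts):
        t += cur_rto
        lost = in_burst(t, period, burst_len, shift)
        timeline.append((round(t, 6), lost))
        if not lost:
            break
        cur_rto *= 2
    return timeline


def average_attack_rate(burst_len, rate, period):
    """Average bandwidth the attacker spends: l * R / T."""
    return burst_len * rate / period


if __name__ == "__main__":
    print("RTO:", rto_rfc2988([0.20, 0.22, 0.18]))              # minRTO dominates: 1.0 s
    print("T = RTO:", retransmission_timeline(1.0, 1.0, 0.1, 4, t_send=0.05))
    print("T = 1.1 RTO:", retransmission_timeline(1.0, 1.1, 0.1, 4, t_send=0.05))
    print("attacker average kb/s:", average_attack_rate(0.1, 300.0, 1.1))
```

With T = RTO every backed-off retransmission (at 1, 3, 7, 15 s after the original send) is a multiple of T away from the first burst and is lost again; with T = 1.1 s the first retransmission already escapes, which is why the attacker has to know (or probe) the victim's minRTO.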
Formal Description

Mathematical description of the attack stream (figure on the original slide: one period of the stream, a burst of rate R and length l inside period T, offset by S, above background noise N):
- T: attack period
- l: length of burst
- R: rate of burst
- N: background noise
- S: time shift
![Page 8: Defending Against Low-rate TCP Attack: Dynamic Detection and Protection](https://reader035.vdocument.in/reader035/viewer/2022062519/56815448550346895dc25ad5/html5/thumbnails/8.jpg)
.8.
Low-rate DoS Traffic Pattern

The periodic burst may have different patterns:
- step-like double-rate stream (Kuzmanovic & Knightly, SIGCOMM 03)
- simple square wave (Kuzmanovic & Knightly, SIGCOMM 03)
- general peaks with background noise
![Page 9: Defending Against Low-rate TCP Attack: Dynamic Detection and Protection](https://reader035.vdocument.in/reader035/viewer/2022062519/56815448550346895dc25ad5/html5/thumbnails/9.jpg)
.9.
Low-rate DoS Traffic Pattern

The attack traffic does not necessarily keep its original shape by the time it reaches the victim router, and the traffic in different periods need not be the same, so T, l and R may vary.

We need a ROBUST method to identify all possible forms of the attack.
![Page 10: Defending Against Low-rate TCP Attack: Dynamic Detection and Protection](https://reader035.vdocument.in/reader035/viewer/2022062519/56815448550346895dc25ad5/html5/thumbnails/10.jpg)
.10.
Low-rate DoS Traffic Pattern: multiple distributed attack sources
- long-period combination (several sources with long periods whose bursts interleave)
- small-burst combination (several small bursts that add up to one large burst)
Dynamic Detection

Overall idea of dynamic detection (figure on the original slide).

Traffic signature detection:
- small average throughput ⇒ a throughput-based IDS does not work (✗)
- no signature in the packets ⇒ per-packet approaches do not work (✗)
- extract the essential signature of the attack traffic instead (✓)
Algorithm of Detection

Pipeline (figure on the original slide): sample the traffic → filter the noise → extract the signature → pattern match.

- Sample the throughput of the link interface at a constant rate (frequent enough, but without overburdening the system).
- Each detection consists of a sequence of sampled throughputs (the length of the sequence should also be properly adjusted).
- Normalization is necessary:

$$\text{Normalized\_Throughput} = \frac{\text{Instantaneous\_throughput}}{\text{Maximum\_link\_bandwidth}}$$

- The background noise of the samples needs to be filtered. Background noise: UDP flows and other TCP flows that are less sensitive to the attack. For simplicity, a threshold filter can be used.
- Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input gives a special pattern in its autocorrelation, and autocorrelation also masks the difference in time shift S. Unbiased normalization, with M the length of the input sequence and m the index of the autocorrelation:

$$A(m) = \frac{1}{M-m}\sum_{n=0}^{M-m-1} X_n X_{n+m}$$

- The similarity between the template and the input is then calculated with Dynamic Time Warping (DTW); the detailed algorithm is given in the paper:

$$DTW(\text{Template}, \text{Input}) = \min \sum_{k=1}^{K} w_k$$

  where w_k is the cost of the k-th step of a warping path. The smaller the DTW value, the more similar the two sequences. DTW values cluster, so a threshold can be set to distinguish attack traffic from legitimate traffic.
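The detection pipeline above, as an added Python example (not the authors' implementation; the paper's DTW details are not reproduced, this is the standard absolute-difference DTW): throughput samples are normalised by the link bandwidth, background noise is removed with a threshold filter, the unbiased autocorrelation extracts the periodic signature, and DTW against the autocorrelation of an ideal square burst gives the similarity score. The burst generator implements the formal (T, l, R, N, S) description from the earlier slide. The link bandwidth, sample window, template parameters (period 20 samples, burst 5, i.e. l/T = 0.25), both thresholds and the two traffic traces (a shifted noisy square burst and C + Gaussian(0, N) legitimate traffic) are constructed.

```python
"""Low-rate attack detection: sample -> normalise -> filter -> autocorrelate -> DTW.

Added example with constructed inputs; the template, thresholds and traces are assumptions."""
import random


def normalise(samples, link_bw):
    """Normalized_Throughput = Instantaneous_throughput / Maximum_link_bandwidth."""
    return [s / link_bw for s in samples]


def filter_noise(seq, threshold):
    """Threshold filter: background noise (UDP, insensitive TCP) below the threshold is zeroed."""
    return [v if v >= threshold else 0.0 for v in seq]


def autocorrelation(x, max_lag):
    """Unbiased autocorrelation A(m) = 1/(M-m) * sum_{n=0}^{M-m-1} x[n] x[n+m], m = 0..max_lag-1."""
    M = len(x)
    return [sum(x[n] * x[n + m] for n in range(M - m)) / (M - m) for m in range(max_lag)]


def dtw(template, signal):
    """Dynamic Time Warping distance: minimal cumulative |a-b| along a monotone warping path."""
    n, m = len(template), len(signal)
    inf = float("inf")
    D = [[inf] * (m + 1) for _ in range(n + 1)]
    D[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(template[i - 1] - signal[j - 1])
            D[i][j] = cost + min(D[i - 1][j], D[i][j - 1], D[i - 1][j - 1])
    return D[n][m]


def square_burst(length, period, burst_len, shift=0, rate=1.0, noise=None):
    """Attack stream in the slide's terms: rate R for l samples every T samples, shifted by S,
    background noise N (a callable) elsewhere."""
    return [rate if (n - shift) % period < burst_len else (noise() if noise else 0.0)
            for n in range(length)]


def make_template(length=200, period=20, burst_len=5, max_lag=40):
    """Signature of an ideal, noise-free, unshifted square burst."""
    return autocorrelation(square_burst(length, period, burst_len), max_lag)


def detect(samples, link_bw, template, noise_threshold=0.3, dtw_threshold=4.0):
    """Return (dtw_value, is_attack) for one detection window of link-throughput samples;
    a small DTW value means the window looks like the attack template."""
    sig = filter_noise(normalise(samples, link_bw), noise_threshold)
    value = dtw(template, autocorrelation(sig, len(template)))
    return value, value < dtw_threshold


# Constructed traces for a 10 Mb/s link sampled 200 times (not measurement data).
LINK_BW = 10.0
_rng = random.Random(7)
ATTACK_SAMPLES = [LINK_BW * v for v in
                  square_burst(200, 20, 5, shift=7, noise=lambda: _rng.uniform(0.0, 0.15))]
LEGIT_SAMPLES = [LINK_BW * min(0.9, max(0.7, _rng.gauss(0.8, 0.05))) for _ in range(200)]

if __name__ == "__main__":
    tpl = make_template()
    print("attack window:", detect(ATTACK_SAMPLES, LINK_BW, tpl))
    print("legit window :", detect(LEGIT_SAMPLES, LINK_BW, tpl))
```

The DTW threshold of 4.0 is only meaningful for these constructed traces; on a real link it is set from the clusters of measured DTW values, as the following slides do with the attack and legitimate distributions.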
Robustness of Detection: attack traffic simulations

Four types of attack traffic:
- Strictly Periodic Square Burst (SPSB)
- Random Periodic Square Burst (RPSB)
- Strictly Periodic General Burst (SPGB)
- Random Periodic General Burst (RPGB)

T, l: uniformly distributed such that l/T ≤ 0.25; R: 1 (full bandwidth); N, S: uniformly distributed; around 3000 simulations per type.

DTW values for low-rate attack traffic (figure on the original slide: scatter of DTW values, 0 to 40, over about 12,000 simulations):

| | SPSB | RPSB | SPGB | RPGB |
|---|---|---|---|---|
| Max | 34.88 | 35.66 | 34.08 | 34.69 |
| Min | 0 | 0.80 | 0.84 | 1.20 |
| Mean | 10.68 | 9.63 | 10.89 | 10.48 |
| Stdv | 7.83 | 6.86 | 6.77 | 5.26 |
Robustness of Detection
DTW values of legitimate trafficLegitimate traffic composition.Legitimate traffic simulation using
Gaussian model:
C+ Gaussian(0, N)Run more than 8000 simulations
DTW values of legitimate trafficLegitimate traffic composition.Legitimate traffic simulation using
Gaussian model:
C+ Gaussian(0, N)Run more than 8000 simulations
Max286.
53
Min113.
50
Mean236.
95
Stdv43.1
0
DTW values for Legitimate traffic
(Gaussian)
Robustness of Detection: probability distribution of DTW values

Attack flows vs. legitimate (Gaussian) flows: a separation between them is expected (figure on the original slide).
Robustness of Detection: a more accurate network traffic model

Ethernet and WWW traffic are self-similar, so the FARIMA model is used to generate self-similar traffic with Hurst parameter H in [0.75, 0.85]; more than 10,000 simulations.

DTW values for legitimate traffic (self-similar):

| Max | Min | Mean | Stdv |
|---|---|---|---|
| 238.16 | 28.01 | 130.73 | 51.44 |
Robustness of Detection: probability distribution of DTW values (self-similar)

Attack flows vs. self-similar flows: a small overlap around DTW ≈ 30 (figure on the original slide).

| | Count | Total | Rate |
|---|---|---|---|
| False positive (self-similar traffic flagged as attack) | 141 | 11,000 | 1.28% |
| False negative (attack traffic not flagged) | 378 | 11,492 | 3.54% |
Defense Mechanism

Router deployment:
- pushback detection: push the detection back to the outermost deployed router, which handles distributed attacks

Resource management:
- Deficit Round Robin (DRR)
Defense Mechanism: Deficit Round Robin (DRR)

Algorithm:
- Classify packets according to the input port i; deficit_counter[i] = 0 initially.
- In each round: deficit_counter[i] += Quantum[i]; while the head packet's size ≤ deficit_counter[i], serve the packet and deficit_counter[i] -= packet's size.
- If no packet is left in queue i, deficit_counter[i] = 0.

Example (figure on the original slide): three queues A, B, C with Quantum[i] = 1000 bytes and packet sizes 1500, 300, 600, 600, 500, 2000 and 1000 bytes. The assignment consistent with the counters below is A: 1500, 2000; B: 300, 500; C: 600, 600, 1000 (head of queue first).

1st round: A's counter: 1000 (the 1500-byte head packet does not fit); B's counter: 200 (served twice); C's counter: 400 (one 600-byte packet served).
2nd round: A's counter: 500 (served); B's counter: 0 (queue empty, counter reset); C's counter: 800 (served).
Fairness Analysis of DRR Algorithm: definitions

- Backlogged: a port i is backlogged during an interval (t1, t2) of a DRR execution if the queue for port i is never empty during the interval.
- Flow share: we assume there is some quantity f_i that expresses the ideal share obtained by port i, f_i = Quantum[i]/Quantum, where Quantum = Min(Quantum[i]).
- Sent packets: let sent_i(t1, t2) be the total number of bytes sent on the output port i in the interval (t1, t2).
- Fairness measure: let FM(t1, t2) be the maximum of (sent_i(t1, t2)/f_i − sent_j(t1, t2)/f_j) over all ports i, j that are backlogged in the interval (t1, t2). A service discipline is defined to be fair if FM(t1, t2) is bounded by a small constant.
Fairness Analysis of DRR Algorithm: lemmas

Lemma 1: For any port i, during the execution of the DRR algorithm the deficit_counter[i] is within the range [0, Max) at the end of each round, where Max is the maximum size of all possible packets:

0 ≤ deficit_counter[i] < Max

Proof: Initially deficit_counter[i] = 0, and the counter is only ever decreased by the size of a packet that fits into it, so it never becomes negative. After queue i is serviced in a round:
1) If packet(s) are left in the queue for port i, the head packet did not fit, so deficit_counter[i] < size of the head packet ≤ Max, hence 0 ≤ deficit_counter[i] < Max.
2) If no packets are left in the queue, deficit_counter[i] is reset to zero. ■
Lemma 2: During any period in which port i is backlogged, the number of bytes sent on behalf of port i is roughly equal to m × Quantum[i]; specifically it is bounded as follows:

m × Quantum[i] − Max ≤ sent_i(t1, t2) ≤ m × Quantum[i] + Max

where m is the number of round-robin service rounds received by port i during this interval.

Proof: Let deficit_counter[i][k] be the value of deficit_counter[i] at the end of k rounds of DRR execution, let bytes_i(k) be the bytes sent by port i in round k, and let sent_i(k) be the bytes sent by port i from round 1 through k, so sent_i(k) = Σ_{r=1}^{k} bytes_i(r). Since port i is backlogged its counter is never reset; in each round it is credited Quantum[i] and debited the bytes sent:

bytes_i(k) + deficit_counter[i][k] = Quantum[i] + deficit_counter[i][k−1]
bytes_i(k) = Quantum[i] + deficit_counter[i][k−1] − deficit_counter[i][k]

Summing this equation over m rounds of servicing of port i, the intermediate counters cancel:

sent_i(m) = m × Quantum[i] + deficit_counter[i][0] − deficit_counter[i][m]

Since deficit_counter[i] is always non-negative and upper bounded by Max (Lemma 1), the result follows. ■
Fairness Analysis of DRR Algorithm: theorem

Theorem 1: For an interval (t1, t2) in any execution of the DRR service discipline,

FM(t1, t2) ≤ 2 × Max + Quantum, where Quantum = Min(Quantum[i]).

Proof: Let m be the number of DRR execution rounds given to port i in the interval (t1, t2), and m' the number of rounds given to port j in the same interval. As each class is serviced in strict round-robin order, |m − m'| ≤ 1.

From Lemma 2, sent_i(t1, t2) ≤ m × Quantum[i] + Max. Since the ideal share is f_i = Quantum[i]/Quantum, the normalized service received by port i is

sent_i(t1, t2)/f_i ≤ m × Quantum + Max/f_i    (1)

and similarly, for port j,

sent_j(t1, t2)/f_j ≥ m' × Quantum − Max/f_j    (2)

Thus

FM(t1, t2) = sent_i(t1, t2)/f_i − sent_j(t1, t2)/f_j
           ≤ (m − m') × Quantum + Max/f_i + Max/f_j
           ≤ Quantum + 2 × Max

using m − m' ≤ 1 and f_i, f_j ≥ 1 (every Quantum[i] is at least the minimum Quantum). ■
Analysis of DRR Algorithm: analytical results

- Fairness: using Golestani's fairness definition, the difference in normalized bytes sent between ports within an interval (t1, t2) is bounded by a small constant.
- Implementation cost: the DRR algorithm can be implemented with less work than other fair scheduling algorithms; in general the processing cost of DRR is O(1) per packet.

As a result, DRR provides not only a fair scheduling method, but also one with a low implementation cost.
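The DRR scheduler, the three-queue trace from the DRR slide and the two fairness bounds, as an added Python example (not code from the slides or the paper). The packet-to-queue assignment for the trace (A: 1500, 2000; B: 300, 500; C: 600, 600, 1000 bytes) is inferred from the slide's counter values; the slide shows B at 200 right after its two packets are served, and the empty-queue reset that then zeroes the counter is what the slide shows for round 2. The long-queue scenario used for the fairness measure (quanta 500/1000/1500, random packet sizes) is constructed.

```python
"""Deficit Round Robin (DRR) scheduler with the slide's trace and the fairness bounds.

Added example. Packet sizes, quanta and the queue assignment are constructed or
inferred inputs, not measurements from the slides."""
import random
from collections import deque


class DRR:
    def __init__(self, quanta):
        self.quanta = dict(quanta)                    # Quantum[i] per input port
        self.queues = {i: deque() for i in quanta}
        self.deficit = {i: 0 for i in quanta}         # deficit_counter[i] = 0 initially
        self.sent = {i: 0 for i in quanta}            # sent_i: bytes served so far

    def enqueue(self, port, size):
        self.queues[port].append(size)

    def serve_round(self):
        """One round-robin pass over the ports; returns the (port, size) packets served."""
        served = []
        for i in self.quanta:
            q = self.queues[i]
            if not q:                                  # idle port: nothing to credit
                continue
            self.deficit[i] += self.quanta[i]          # deficit_counter[i] += Quantum[i]
            while q and q[0] <= self.deficit[i]:       # serve while the head packet fits
                size = q.popleft()
                self.deficit[i] -= size
                self.sent[i] += size
                served.append((i, size))
            if not q:                                  # no packet left: reset, no credit carried
                self.deficit[i] = 0
        return served


def slide_trace():
    """Replay the slide's example (Quantum = 1000 bytes for A, B and C) for two rounds.
    Returns (served in round 1, counters after round 1, served in round 2, counters after round 2)."""
    drr = DRR({"A": 1000, "B": 1000, "C": 1000})
    for port, sizes in {"A": [1500, 2000], "B": [300, 500], "C": [600, 600, 1000]}.items():
        for size in sizes:
            drr.enqueue(port, size)
    r1 = drr.serve_round()
    c1 = dict(drr.deficit)
    r2 = drr.serve_round()
    c2 = dict(drr.deficit)
    return r1, c1, r2, c2


def backlogged_example(seed=3, packets=200):
    """Ports with quanta 500/1000/1500 (ideal shares f = 1:2:3) and long queues of random-size packets."""
    rng = random.Random(seed)
    drr = DRR({"A": 500, "B": 1000, "C": 1500})
    for port in drr.quanta:
        for _ in range(packets):
            drr.enqueue(port, rng.randint(100, 1500))
    return drr


def fairness_measure(drr, rounds, max_pkt):
    """Run `rounds` rounds with every port backlogged throughout and return (FM, bound), where
    FM = max_{i,j} (sent_i/f_i - sent_j/f_j) with f_i = Quantum[i]/min Quantum, and
    bound = 2*Max + Quantum is Theorem 1's limit. Lemma 1 is checked after every round."""
    quantum = min(drr.quanta.values())
    for _ in range(rounds):
        drr.serve_round()
        assert all(0 <= d < max_pkt for d in drr.deficit.values()), "Lemma 1 violated"
        assert all(drr.queues[i] for i in drr.quanta), "a port ran dry; the bound needs backlog"
    normalized = {i: drr.sent[i] / (drr.quanta[i] / quantum) for i in drr.quanta}
    return max(normalized.values()) - min(normalized.values()), 2 * max_pkt + quantum


if __name__ == "__main__":
    print(slide_trace())
    print(fairness_measure(backlogged_example(), rounds=20, max_pkt=1500))
```

The trace reproduces the slide's counters (A: 1000 then 500, C: 400 then 800) and shows the attacker-relevant property of DRR: a port that floods its own queue cannot borrow credit from the others, because its deficit only grows by its quantum per round and is reset whenever it runs empty.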
Fluid Model of TCP Flows: model of TCP on a droptail router

In a congested droptail router:
1. N TCP flows go through
2. a droptail queue sits at the output interface

Notation: p: drop probability; x_i: length of queue i; Q_i: size of queue i; C: capacity of the link; ρ_i(t): sending rate of flow i (equation (3)). In the droptail model all flows share one queue, so the index i on x and Q is dropped below.

Dropping function:

$$p(x) = \begin{cases} 0, & x \le Q \\ 1, & x > Q \end{cases} \tag{1}$$

Behavior of the queue length:

$$\frac{dx(t)}{dt} = \sum_{i=1}^{N} \rho_i(t)\,[1 - p(x(t))] - C \tag{2}$$
Throughput of TCP flow i, with W_i(t) the window size and R_i(t) the round-trip time:

$$\rho_i(t) = \frac{W_i(t)}{R_i(t)} \tag{3}$$

Round-trip time, with a_i the propagation delay:

$$R_i(t) = a_i + \frac{x(t)}{C} \tag{4}$$
Slow start / congestion avoidance threshold H_i (t' is the feedback delay after which a loss at the queue is seen by the source):

$$H_i(t) = H_i(t-t')\,[1 - p(x(t-t'))] + \frac{W_i(t)}{2}\,p(x(t-t')) \tag{5}$$

Retransmission timeout T_i(t): equation (6) gives dT_i(t)/dt in terms of T_i(t), p(x(t − t')), q(W_i(t)) and the unit step u(·); its extracted form is too garbled to reconstruct reliably, so it is not written out here. The unit step function is

$$u(n_i) = \begin{cases} 0, & n_i < 0 \\ 1, & n_i \ge 0 \end{cases} \tag{7}$$

and q(W) denotes the probability that a loss is detected by a timeout:

$$q(W_i(t)) = \min\!\left(1, \frac{3}{W_i(t)}\right) \tag{8}$$

Finally, the behavior of the TCP window size (reconstructed from the garbled extraction: window growth in slow start or congestion avoidance while no timeout is pending, halving on a loss detected by duplicate ACKs, and a reset to 1 on a loss detected by timeout):

$$\frac{dW_i}{dt} = \left[\frac{W_i}{R_i}\,u(H_i - W_i) + \frac{1}{R_i}\,u(W_i - H_i)\right]\,[1 - u(T_i)] - [1 - q(W_i)]\,\frac{W_i}{2}\,\frac{W_i(t-t')}{R_i(t-t')}\,p(x(t-t')) - q(W_i)\,(W_i - 1)\,\frac{W_i(t-t')}{R_i(t-t')}\,p(x(t-t')) \tag{9}$$

Overview of TCP droptail scheduling: the numerical solution of differential equations (1)-(9).
Fluid Model of TCP Flows: model of TCP on a DRR router

Modification based on the droptail model. A different queue management may change:
1. the behavior of the queue length
2. the calculation of the round-trip time

Behavior of the queue length in DRR, where τ_t is the time length of each round:

$$\frac{dx_i(t)}{dt} = \rho_i(t)\,[1 - p_i(x_i(t))] - \frac{\min(Quantum_i,\, x_i(t))}{\tau_t} \tag{10}$$

$$\tau_t = \sum_{i=1}^{N} \frac{\min(Quantum_i,\, x_i(t))}{C} \tag{11}$$

Calculation of the round-trip time:

$$R_i(t) = a_i + \frac{N \times x_i(t)}{C} \tag{12}$$

Fluid model of TCP on a DRR router: replace the two corresponding equations of the droptail model, (2) and (4), with (10)-(11) and (12).
Simulation of the TCP fluid model: attack with a single TCP flow (droptail router)

Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s; the attack starts 2 s later.

(Figure on the original slide: attack rate, TCP throughput and droptail queue length versus time.)
Simulation of the TCP fluid model: attack with a single TCP flow (DRR router)

Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, propagation delay = 0.1 s, Quantum = 1 kb, buffer size = 10 kb; the attack starts 2 s later.

(Figure on the original slide: attack rate, TCP throughput and the two DRR queue lengths versus time.)
Simulation of the TCP fluid model: attack with multiple TCP flows (droptail router)

Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s; the attack starts 2 s later; propagation delays of the four TCP flows = 0.1 s, 0.2 s, 0.4 s and 0.8 s.

(Figure on the original slide: attack rate, throughput of TCP1 to TCP4 and droptail queue length versus time.)
Simulation of the TCP fluid model: attack with multiple TCP flows (DRR router)

Settings: T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, Quantum = 1 kb, buffer size = 10 kb; the attack starts 2 s later; propagation delays of the four TCP flows = 0.1 s, 0.2 s, 0.4 s and 0.8 s.

(Figure on the original slide: attack rate, throughput of TCP1 to TCP4 and the DRR queue lengths versus time.)
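The droptail queue, equations (1)-(2), and the DRR queues, equations (10)-(11), integrated numerically for the single-flow settings above (T = 1.1 s, l = 0.1 s, R = 300 kb/s, C = 100 kb/s, Quantum = 1 kb, buffer 10 kb, attack from t = 2 s), as an added Python example and not the authors' fluid-model code. It replaces the TCP window equations (3)-(9) with a constant 60 kb/s source, an assumption that isolates the queueing effect: the question is only whether the attacker's bursts can push the legitimate flow's bytes out of the buffer.

```python
"""Fluid-model queues under a periodic low-rate attack: shared droptail queue vs. per-flow DRR queues.

Added example. Parameters follow the slide's single-flow settings; the constant-rate
stand-in for the TCP source is an assumption (the real model couples it to W_i(t))."""


def attack_rate(t, period=1.1, burst_len=0.1, rate=300.0, start=2.0):
    """rho_attack(t): R kb/s for l seconds every T seconds, starting at `start` (s)."""
    return rate if t >= start and ((t - start) % period) < burst_len else 0.0


def drop_prob(x, buffer):
    """Eq. (1): p(x) = 0 if x <= Q, 1 if x > Q (queue length and buffer in kb)."""
    return 1.0 if x > buffer else 0.0


def simulate(policy, tcp_rate=60.0, C=100.0, buffer=10.0, quantum=1.0, t_end=4.5, dt=1e-3):
    """Euler-integrate the queue length(s); return (dropped kb per flow, peak queue length(s)).
    droptail: dx/dt = sum_i rho_i (1 - p(x)) - C                                  (eq. 2)
    drr:      dx_i/dt = rho_i (1 - p_i(x_i)) - min(Quantum_i, x_i) / tau          (eq. 10)
              tau = sum_i min(Quantum_i, x_i) / C                                  (eq. 11)"""
    flows = ("attack", "tcp")
    x = {f: 0.0 for f in flows} if policy == "drr" else {"shared": 0.0}
    dropped = {f: 0.0 for f in flows}
    peak = {k: 0.0 for k in x}
    for step in range(int(t_end / dt)):
        t = step * dt
        rho = {"attack": attack_rate(t), "tcp": tcp_rate}
        if policy == "droptail":
            p = drop_prob(x["shared"], buffer)          # one queue, one drop decision for everyone
            for f in flows:
                dropped[f] += rho[f] * p * dt
            x["shared"] = max(0.0, x["shared"] + (sum(rho.values()) * (1 - p) - C) * dt)
        elif policy == "drr":
            tau = sum(min(quantum, x[f]) for f in flows) / C   # length of one DRR round
            for f in flows:
                p = drop_prob(x[f], buffer)               # each flow overflows only its own queue
                dropped[f] += rho[f] * p * dt
                drain = min(quantum, x[f]) / tau if tau > 0 else 0.0
                x[f] = max(0.0, x[f] + (rho[f] * (1 - p) - drain) * dt)
        else:
            raise ValueError("policy must be 'droptail' or 'drr'")
        for k in x:
            peak[k] = max(peak[k], x[k])
    return dropped, peak


if __name__ == "__main__":
    for policy in ("droptail", "drr"):
        print(policy, simulate(policy))
```

Under droptail the burst fills the shared 10 kb buffer within about 40 ms and the legitimate flow loses bytes for the rest of the burst; under DRR only the attacker's own queue overflows, the legitimate queue peaks at a few kb, and the legitimate flow loses nothing, which is the isolation the DRR defense relies on.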
Experiment of Defense Mechanism: single TCP flow vs. single-source attacker

Both flows go through the same router; link capacity 5 Mb/s. Throughput in kb/s, with the percentage of link capacity in parentheses.

| TCP variant | Drop Tail: TCP | Drop Tail: Attack | DRR: TCP | DRR: Attack |
|---|---|---|---|---|
| Tahoe | 224.37 (4.49%) | 1016.52 (20.33%) | 3402.07 (68.04%) | 780.39 (15.61%) |
| Reno | 26.30 (0.53%) | 1022.55 (20.45%) | 946.87 (18.94%) | 1014.97 (20.30%) |
| NewReno | 23.62 (0.47%) | 1022.04 (20.44%) | 3690.32 (73.81%) | 913.39 (18.27%) |
Experiment of Defense Mechanism: multiple TCP flows vs. single-source attacker

Eight TCP flows and a single low-rate attacker go through the same router; link capacity 5 Mb/s.

| Flow | Drop Tail: throughput (kb/s) | % of link capacity | DRR: throughput (kb/s) | % of link capacity |
|---|---|---|---|---|
| Attack | 928.76 | 18.58% | 343.09 | 6.86% |
| TCP1 | 8.71 | 0.17% | 965.91 | 19.32% |
| TCP2 | 210.77 | 4.22% | 645.79 | 12.92% |
| TCP3 | 4.75 | 0.10% | 629.15 | 12.58% |
| TCP4 | 11.09 | 0.22% | 618.05 | 12.36% |
| TCP5 | 5.54 | 0.11% | 468.3 | 9.37% |
| TCP6 | 267.82 | 5.36% | 356.57 | 7.13% |
| TCP7 | 72.11 | 1.44% | 293.97 | 5.88% |
| TCP8 | 3.17 | 0.06% | 194.93 | 3.90% |
| TCP sum | 583.96 | 11.68% | 4172.67 | 83.45% |
Experiment of Defense Mechanism: network model of attack vs. multiple TCP flows

Four TCP flows and a single attacker in a seven-router network; R1, R2, R4 and R6 may run DRR; link capacity 5 Mb/s. Throughput ρ in kb/s:

| Flow | Drop Tail | DRR on R6 | DRR on R6, R4 | DRR on R6, R4, R2 | DRR on R6, R4, R2, R1 |
|---|---|---|---|---|---|
| Attack | 640 | 561 | 453 | 419 | 404 |
| TCP1 | 386 | 358 | 311 | 314 | 778 |
| TCP2 | 264 | 329 | 282 | 874 | 763 |
| TCP3 | 324 | 251 | 1245 | 924 | 788 |
| TCP4 | 425 | 1719 | 1154 | 966 | 765 |
| Total TCP | 1399 | 2657 | 2992 | 3078 | 3094 |
Related Work & Conclusion

Related work. Another solution to this attack is randomizing the RTO:
1. an intuitive solution,
2. but it requires widespread updates of end-user software,
3. and it may reduce the performance of TCP.

Reduction of Quality (RoQ) attacks: a general class of attacks exploiting the transients of adaptation; a similar attack form.

Conclusions:
- a formal model to describe the low-rate TCP attack
- a distributed detection mechanism using Dynamic Time Warping
- the pushback mechanism
- the DRR approach for protection and isolation
Major References

- HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Defending Against Low-rate TCP Attack: Dynamic Detection and Protection". IEEE International Conference on Network Protocols (ICNP), Berlin, Germany, October 2004.
- HaiBin Sun, John C.S. Lui, David K.Y. Yau. "Distributed Mechanism in Detecting and Defending Against Low-rate TCP Attack". Computer Networks Journal (Elsevier), July 2005.