low-rate tcp-targeted dos attack disrupts internet routing ying zhang z. morley mao jia wang...
TRANSCRIPT
Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang, Z. Morley Mao, Jia Wang
Presented at NDSS07
Prepared by: Hale Ismet
The attacks
Attacks targeting end hosts: Denial of Service attacks, worms, spam
Attacks targeting the routing infrastructure
Border Gateway Protocol: the standard inter-domain routing protocol
There are two types of BGP sessions: eBGP and iBGP. The former are between routers in different autonomous systems (ASes) or networks.
To ensure liveness of the neighbor in a BGP session, routers periodically exchange keepalive messages.
[Figure: BGP session between routers in AS 1 and AS 2 (labels CBR, BR); transport: TCP connection]
Keepalive: confirms peer liveness; determines peer reachability
BGP HoldTimer expired
BGP session reset
Low-rate TCP-targeted DoS attacks
[Figure: TCP congestion window size (segments) vs. time, starting from the initial window size, with retransmission timeouts at minRTO, 2 x minRTO, 4 x minRTO]
Attack flow period approximates minRTO of TCP flows
The attacker can indeed bring down the BGP session
1- Burst length L needs to be long enough to cause congestion
2- Peak magnitude R also needs to be large to cause congestion
3- Inter-burst period T needs to be minRTO to cause session reset
The effect of this attack on BGP
1. The attack traffic lowers the sending rate of the TCP connection carrying BGP traffic; this increases convergence time.
2. The more severe effect on the BGP session is the possibility of a BGP session reset, caused by all packets being dropped within a time interval exceeding the hold timer value.
Testbed experiments
The high-end Cisco router GSR (it is widely used in the Internet and is very powerful)
Demonstrating the attack feasibility with two computers
[Figure: UDP-based attack flow from Attacker A to Receiver B across Router R1 and Router R2 (CBR); retransmissions at minRTO, 2*minRTO, ...; the 7th retransmitted BGP Keepalive message is followed by BGP Session Reset]
Takes 3 min
Kind of routers
The probability of session reset: with a burst length of 225 msec, the attacker has around a 30% probability of resetting the session with 42% available bandwidth.
Attack peak magnitude's impact on session reset and table transfer duration
Necessary conditions for a single attack
Inter-burst period approximates minRTO
The attack flow's path traverses at least one link of the BGP session
Attack flow's bottleneck link is the target link
→ bring down the BGP session
To avoid sending too much traffic from each node, we perform time synchronization designed
Conditions for coordinated attacks
1'. Sufficiently strong combined attack flows to cause congestion
2. The attack flow's path traverses the BGP session
3'. Identify the target link location
Attack prevention
Hiding information (Kuzmanovic03): randomize minRTO; hide network topology from end-hosts.
Prioritize routing traffic: Weighted Random Early Detection (WRED) [it is a mechanism] to prevent TCP synchronization and selectively drop packets: drop low-priority packets first when the queue size exceeds defined thresholds.
** WRED relies on the IP precedence field in the packet header
BGP table transfer with WRED enabled under attack
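To make the slides' two claims concrete (a session reset when every retransmitted keepalive is lost for longer than the hold timer, and why prioritizing routing traffic with WRED prevents it), here is an added model; it is not code from the paper or the talk. It assumes minRTO = 1 s, a 90 s hold timer, that a burst large enough to fill the queue drops every packet sent during it, and that prioritization means BGP packets survive the burst.

```python
from dataclasses import dataclass


@dataclass
class Attack:
    """Square-wave attack flow as in the talk: bursts of length L every
    T milliseconds.  fills_queue stands in for the peak magnitude R being
    large enough to congest the target link (constructed assumption)."""
    period_ms: int
    burst_ms: int
    fills_queue: bool = True


def dropped(t_ms: int, attack: Attack, prioritize_bgp: bool) -> bool:
    """A packet sent at t_ms is lost if it lands inside a burst that fills
    the queue.  With routing traffic prioritized (the WRED configuration
    the talk recommends) BGP packets are assumed to survive the burst."""
    if prioritize_bgp or not attack.fills_queue:
        return False
    return (t_ms % attack.period_ms) < attack.burst_ms


def keepalive_outcome(attack: Attack, min_rto_ms: int = 1000,
                      hold_ms: int = 90_000, prioritize_bgp: bool = False):
    """Send one keepalive at t=0 and let TCP retransmit it with exponential
    backoff (minRTO, 2*minRTO, 4*minRTO, ...).  Returns
    (session_reset, retransmissions_sent, elapsed_ms): the session resets
    when the hold timer runs out before any copy gets through."""
    t, rto, retrans = 0, min_rto_ms, 0
    while dropped(t, attack, prioritize_bgp):
        if t + rto >= hold_ms:          # next retransmission would be too late
            return (True, retrans, hold_ms)
        t, rto, retrans = t + rto, rto * 2, retrans + 1
    return (False, retrans, t)


if __name__ == "__main__":
    tuned = Attack(period_ms=1000, burst_ms=200)      # T == minRTO
    detuned = Attack(period_ms=1100, burst_ms=200)    # T != minRTO
    print("T = minRTO, no prioritization:", keepalive_outcome(tuned))
    print("T != minRTO:", keepalive_outcome(detuned))
    print("T = minRTO, BGP prioritized:",
          keepalive_outcome(tuned, prioritize_bgp=True))
```

With T equal to minRTO every backed-off retransmission lands in a burst and the hold timer expires; shifting T by 10% lets the first retransmission through, and prioritizing BGP delivers the original keepalive.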
Conclusion
Feasibility of attacks against Internet routing infrastructure
Prevention solution using existing router configurations
Difficulties in detecting and defending against coordinated attacks
Thanks
Any Questions?