Edge-based Inference, Control, and DoS Resilience
for the Internet

   Ph.D. Thesis Presentation

     Aleksandar Kuzmanovic
The Internet

   [Figure: the Internet in 1969 (the four ARPANET nodes: UCLA, SRI, UCSB, Utah) and in 2004]

   A system of astonishing scale and complexity
Internet Design Principles

   Network as a black box

   End-to-end argument [Clark84]
     – The core is simple
     – Intelligence at the endpoints

   Implications
     – Easy to upgrade the network
     – Easy to incrementally deploy new services

Why End-Point Approach Today?

   Scalability
     – the end-to-end design is what lets the network scale (e2e -> scalability)

   Deployability
     – IP and the network core are not extensible and
       evolve slowly:
           IPv6 (10 years)
           IP Multicast (domain dependent)

Goal: improve network performance right here, right now!

                        Network Performance

   Internet traffic
     – HTTP (web browsing)
     – FTP (file transfer)
          Fact: 95% of the traffic today is TCP-based
   Performance
     – QoS differentiation
          Net win for both HTTP and FTP flows
          End-point-based two-level differentiation scheme
     – Denial of Service
           DoS attacks can demolish network performance
           Prevent DoS attacks via a robust end-point protocol design


             End-Point Service Differentiation

    TCP-Low Priority
      – Utilizes only the excess network bandwidth
    Key mechanism
      – Early congestion indications: one-way packet delay
    Performance
      – Can improve HTTP file transfers by more than 90%
        when the FTP flows use TCP-LP
    Deployability
      – no changes in the network core
      – sender side modification of TCP
    High-speed version developed in cooperation with SLAC
      – tested over Gb/s networks in US

     http://www.ece.rice.edu/networks/TCP-LP
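The delay-based early congestion indication named above, as an added Python example (my construction for this page, not the TCP-LP implementation at the URL above). It assumes the sender already knows the path's minimum and maximum one-way delay (d_min, d_max); the threshold fraction delta = 0.15, the EWMA weight 1/8 and the three-RTT inference phase are assumed values, not given on this page.

```python
# Added example: TCP-LP-style early congestion indication from one-way delay.
# Not the TCP-LP code from the project page; the constants are assumed values.


class TcpLpSender:
    """Sender-side congestion control that yields to cross traffic early.

    Standard TCP reacts to loss; TCP-LP reacts to a rise in one-way delay
    (queue build-up at the bottleneck), so it backs off before the
    high-priority flows see a drop. Only the sender is modified.
    """

    def __init__(self, d_min, d_max, cwnd=16.0, rtt=0.1,
                 delta=0.15, gamma=0.125, inference_rtts=3):
        # d_min/d_max: minimum and maximum one-way delay seen on the path
        # (assumed known here; a real sender learns them from timestamps).
        self.threshold = d_min + delta * (d_max - d_min)  # early indication level
        self.smoothed = d_min          # EWMA of one-way delay, starts at the floor
        self.gamma = gamma             # EWMA weight (assumed)
        self.cwnd = cwnd               # congestion window in packets
        self.inference_len = inference_rtts * rtt  # inference phase length (assumed)
        self.inference_until = None    # end time of the current inference phase

    def on_ack(self, one_way_delay, now):
        """Process one ACK carrying a one-way delay sample; True on a congestion indication."""
        self.smoothed = (1 - self.gamma) * self.smoothed + self.gamma * one_way_delay
        in_inference = self.inference_until is not None and now < self.inference_until
        if self.smoothed > self.threshold:
            if in_inference:
                # Second indication while still inferring: the bandwidth belongs to
                # higher-priority traffic, so drop to the minimum window.
                self.cwnd = 1.0
            else:
                # First indication: halve the window and watch for another one.
                self.cwnd = max(1.0, self.cwnd / 2)
                self.inference_until = now + self.inference_len
            return True
        if not in_inference:
            self.cwnd += 1.0 / self.cwnd  # additive increase, one packet per RTT
        return False


def run_trace(samples, d_min=0.010, d_max=0.100):
    """Feed (time, one_way_delay) samples through a sender; return (time, indicated, cwnd) rows."""
    sender = TcpLpSender(d_min, d_max)
    return [(now, sender.on_ack(delay, now), round(sender.cwnd, 3)) for now, delay in samples]


# Constructed trace: path idle (delay at the floor), then a high-priority flow fills
# the bottleneck queue and the one-way delay jumps towards d_max.
SAMPLE_TRACE = [(0.00, 0.010), (0.01, 0.010), (0.02, 0.100),
                (0.03, 0.100), (0.04, 0.100), (0.05, 0.010)]

if __name__ == "__main__":
    for now, indicated, cwnd in run_trace(SAMPLE_TRACE):
        print(f"t={now:.2f}s indication={indicated} cwnd={cwnd}")
```

The smoothed delay crosses the threshold on the fourth sample (the window is halved and the inference phase starts); the next high-delay sample during the inference phase drops the window to one packet, which is how TCP-LP gives the excess bandwidth back without waiting for a loss.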

Denial of Service

   A malicious way to consume resources in a
   network, a server cluster or an end host,
   thereby denying service to other legitimate users

   Example
     – Well-known vulnerability of TCP to high-rate
       non-responsive flows

   [Figure: attacker and victim sharing a bottleneck]

Design Principles - Revisited

   Design principles and their implications
     – Intelligence at the endpoints
           Originally: easy to incrementally implement new services
           Revisited: malicious clients may misuse the intelligence
     – The core is simple
           Originally: easy to upgrade the network
           Revisited: hard to detect endpoint misbehavior
     – Trust and cooperation among the endpoints
           Large-scale system

   Implement more intelligence at routers?
     – Scalability issue
     – Detecting misbehaving flows in routers is a hard problem
           Needle in a haystack

   [Figure: core routers]

End-Point Protocol Design

   Performance vs. Security
     – End-point protocols are designed to maximize
       performance, but ignore security
     – 95% of the Internet traffic is TCP traffic
           Can have catastrophic consequences

   DoS-resilient protocol design
     – Jointly optimize performance and security
     – Outperforms the core-based solutions

   [Figure: endpoints]

                        Remaining Outline

   End-point protocol vulnerabilities
     – Low-rate TCP-targeted DoS attacks
     – Receiver-based TCP stacks with a misbehaving
       receiver

   Limitations of network-based solutions

   DoS-resilient end-point protocol design




Low-Rate Attacks

   TCP is vulnerable to low-rate DoS attacks

   [Figure: TCP throughput as a function of the DoS inter-burst period; the attacker sends periodic bursts at the DoS rate]

      TCP: a Dual Time-Scale Perspective

   Two time-scales are fundamentally required
     – RTT time-scales (~10-100 ms)
           AIMD control
     – RTO time-scales (RTO = SRTT + 4*RTTVAR)
           Avoid congestion collapse
   Lower-bounding the RTO parameter:
     – [AllPax99]: minRTO = 1 sec
           to avoid spurious retransmissions
     – RFC2988 recommends minRTO = 1 sec

The discrepancy between the RTO and RTT time-scales is
a key source of vulnerability to low-rate attacks

The Low-Rate Attack

   [Figure: TCP sending rate of the victim flows and the attacker's DoS rate versus time;
   the attacker starts at a random initial phase and sends short bursts spaced by minRTO]

   At a random initial time, a short burst (~RTT) is sufficient to create an outage
     – Outage: an event of correlated packet losses that forces TCP to enter the RTO mechanism
   The impact of the outage is distributed to all TCP flows
   The outage synchronizes all TCP flows
     – All flows react simultaneously and identically: back off for minRTO
   The attacker stops transmitting to elude detection
   Once the TCP flows try to recover, hit them again
     – Exploit protocol determinism
   And keep repeating...
     – RTT-time-scale outages inter-spaced on minRTO periods can deny service to TCP traffic

Vulnerability of Receiver-Based TCP to Misbehaviors

   Sender-based TCP
     – Control functions given to the sender

   [Figure: sender-based TCP. The TCP sender keeps the send buffer, SND.UNA/SND.NXT,
   loss/progress detection, RWND, CWND and congestion control (NextSend, SendMuch);
   the TCP receiver keeps the receive buffer, RCV.NXT/RCV.WND, resequencing and flow
   control; segments carry SEG.SEQ, SEG.ACK and SEG.WND.]

Receiver-Based TCP

   Receiver decides how much data can be sent, and
   which data should be sent by the sender
   DATA - ACK communication becomes REQ - DATA

   [Figure: receiver-based TCP (RCP). The RCP sender keeps only the send buffer and
   SND.NXT; the RCP receiver keeps the recv/req buffer, RCV.NXT/REQ.NXT, reliability,
   loss/progress, flow control (RWND) and congestion control (CWND, ReqMuch, NextReq);
   segments carry SEG.REQ/SEG.DEQ (requests) and SEG.SEQ (data).]

   Example protocols
     – TFRC [RFC3448], WebTP, and RCP

Why Receiver-Based TCP?

   Example: busy web server
     – Receiver-based TCP distributes the state management
       across a large number of clients
   Generally
     – Whenever feedback is needed from the receiver,
       receiver-based TCP has an advantage over sender-based
       schemes due to the locality of information
   Benefits [RCP03]
     – Performance: loss recovery, congestion control, power
       management for mobile devices, network-specific
       congestion control
     – Functionality: seamless handoffs, server migration,
       bandwidth aggregation, web response times

                        Vulnerability




   Receivers decide which packets are sent, and when
     – Receivers remotely control servers
   Receivers have both the means and the incentive to
   manipulate the congestion control algorithm
     – Means: open-source OS
     – Incentive: faster web browsing & file download


Receiver-Induced DoS Attacks

   Request flood attack
     – A misbehaving receiver floods the server with
       requests; the server replies and congests the network

   Goals
     – Evaluate network-based schemes
     – Develop end-point solutions

Remaining Outline

   End-point protocol vulnerabilities

   Limitations of network-based solutions
     – Low-rate attacks
     – Misbehaving receivers

   DoS-resilient end-point protocol design

   [Figure: core routers]

Random Early Detection with Preferential Dropping

   RED-PD [MFW01] is designed to detect and thwart
   non-responsive flows
     – Monitors only a subset of flows at the router and
       compares their rates to the target bandwidth (TB)
           TB is computed as the TCP-fair throughput for
           the observed Ploss and RTT = 40 ms
           If T_i > TB => flow i is malicious

   Key questions
     – Can algorithms intended to find high-rate attacks
       detect low-rate attacks?
     – Could we tune the algorithms to detect low-rate
       attacks without having too many false alarms?

The Time-Scale Issue

   Scenario: 9 TCP Sack flows with RED and RED-PD

   [Figure: throughput versus DoS inter-burst period, with RED and with RED-PD]

     – RED-PD detects high-bandwidth flows
           DoS inter-burst period < 500 ms
     – but fails to detect low-rate attacks
           DoS inter-burst period > 500 ms

CHOKe

   CHOKe [PPP00] controls misbehaving flows by
   preventing a flow from monopolizing buffer resources

   [Figure: CHOKe drop mechanism (flow-ID comparison of an arriving packet with a randomly chosen queued packet)]

   Question:
     – Why don't we use CHOKe against low-rate attacks?

Flow Filtering Scenario

   Heterogeneous RTT environment:
     – Short-RTT flows are the most vulnerable to low-rate attacks

   [Figure: flow filtering. Flows with RTT below the cut-off time-scale (set by the
   outage length) do not pass; longer-RTT flows pass.]

   Implications:
     – Long-RTT flows 'collaborate' in the attack
     – Less-than-bottleneck rates are needed to attack short-RTT flows

CHOKe and Flow Filtering

   [Figure: a long-RTT TCP flow, a short-RTT TCP flow and a DoS flow sharing a bottleneck of capacity C]

   The DoS flow utilizes only 3.3% of the bottleneck capacity
   CHOKe fails to throttle the low-rate attack against short-RTT flows

Request Flooding DoS Attack

   Pushback [Mahajan et al. 2002]
     – Network nodes coordinate their efforts to detect a
       malicious (flooding) node

   But in the request flooding scenario, the flooding
   machine is not malicious
     – moreover, it is a victim...

Bandwidth Stealing

   Fact
     – Network-based schemes lack exact knowledge of
       end-point parameters

   Example
     – RED-PD doesn't know the flow's RTT: TB = f(Ploss, RTT=40ms)

   Implication
     – Clients with RTT > 40 ms can exploit this vulnerability

   Algorithmic misbehavior
     – We generalized the TCP formula: T = f(Ploss, RTT, a, b)
     – Our algorithm tells how to re-tune the AIMD parameters to
       steal bandwidth, yet elude detection
                        Summary of Limitations

   Low rate attacks
     – RED-PD: issue of time-scales
     – CHOKe: flow filtering
   Misbehaving receivers
     – Pushback: No distinction of causes and effects
     – RED-PD: No knowledge of endpoint parameters
   Can we do better from the endpoints?
     – End-point parameter randomization
     – End-point TCP-fairness verification




        End-point minRTO Randomization

   Observe:
     – Low-rate attacks exploit protocol determinism
           minRTO = 1 sec
   Question:
     – Can minRTO randomization alleviate the problem?
   Approach:
     – Randomize the minRTO parameter
     – minRTO ~ uniform(a, b)
   Insight:
     – The most vulnerable time-scale is T = b
           Wait for the flows to recover and then hit them again


          End-point minRTO Randomization

   TCP throughput formula on the T=b time-scale of
   the low-rate attack:

       $\rho(T=b) = \frac{n}{n+1}\cdot\frac{b-a}{b}$

       n - number of TCP flows
       a, b - parameters of the uniform distribution of minRTO

   [Figure: $\rho(T=b;\,b=1)$ as a function of a (up to a = 1) and $\rho(T=b;\,a=1)$
   as a function of b (b from 1 to 2), each for high and low aggregation (n).
   Small a risks spurious retransmissions [AllPax99]; large b is bad for
   short-lived (HTTP) traffic.]
        End-point minRTO Randomization

   TCP throughput formula on the T=b time-scale of
   the Shrew attack:

       $\rho(T=b) = \frac{n}{n+1}\cdot\frac{b-a}{b}$

       n - number of TCP flows
       a, b - parameters of the uniform distribution of minRTO

   Randomizing the minRTO parameter shifts and
   smoothes TCP's null time-scales

   Fundamental tradeoff between TCP
    performance and vulnerability to low-rate DoS
    attacks remains
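The dual time-scale argument and the attack sequence on the preceding slides, together with the minRTO randomization analysed here, as one added Python example (a constructed model for this page, not the thesis' simulator): rfc2988_rto shows how the 1 s lower bound dominates the RTT-scale estimate, flow_busy_intervals models a flow under periodic RTT-length bursts with exponential RTO backoff, and randomized_throughput checks the $\rho(T=b)$ formula by Monte Carlo. The burst length (50 ms), the horizon and the values of a, b and n are assumptions; after a successful retransmission the model treats the flow as immediately back at full rate, as the time-scale analysis does.

```python
# Added example: a time-scale model of the low-rate ("shrew") attack on TCP's RTO
# mechanism and of randomized minRTO. Constructed for this page; a simplification
# of the thesis' analysis, not the authors' code.
import math
import random

BURST_LEN = 0.05   # attacker burst length, ~one RTT (constructed value)
HORIZON = 60.0     # simulated seconds


def rfc2988_rto(rtt_samples, min_rto=1.0, alpha=1 / 8, beta=1 / 4):
    """RTO per RFC 2988: SRTT/RTTVAR estimators, then a lower bound of min_rto seconds."""
    srtt = rttvar = None
    for r in rtt_samples:
        if srtt is None:
            srtt, rttvar = r, r / 2                      # first measurement
        else:
            rttvar = (1 - beta) * rttvar + beta * abs(srtt - r)
            srtt = (1 - alpha) * srtt + alpha * r
    return max(min_rto, srtt + 4 * rttvar)


def in_burst(t, period, phase=0.0):
    """True if time t falls inside one of the attacker's periodic bursts."""
    offset = (t - phase) - math.floor((t - phase) / period) * period
    return offset < BURST_LEN


def next_burst_start(t, period, phase=0.0):
    """Start time of the first burst at or after t."""
    return phase + math.ceil((t - phase) / period) * period


def flow_busy_intervals(period, min_rto, phase=0.0, horizon=HORIZON):
    """Intervals during which one TCP flow is transmitting under a periodic attack.

    A burst overlapping the flow's data causes an outage (correlated losses); the
    flow retransmits after its RTO, and every retransmission that lands inside a
    burst is lost again and doubles the RTO (exponential backoff). A retransmission
    that gets through restores the flow until the next burst.
    """
    intervals, t = [], 0.0
    while t < horizon:
        outage = next_burst_start(t, period, phase)
        if outage > t:
            intervals.append((t, min(outage, horizon)))
        rto, retrans = min_rto, outage + min_rto
        while retrans < horizon and in_burst(retrans, period, phase):
            rto *= 2
            retrans += rto
        t = retrans
    return intervals


def utilization(intervals_per_flow, horizon=HORIZON):
    """Fraction of time at least one flow is sending (any active flow is assumed to fill the link)."""
    merged = []
    for start, end in sorted(iv for ivs in intervals_per_flow for iv in ivs):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return sum(end - start for start, end in merged) / horizon


def deterministic_throughput(period, min_rto=1.0):
    """Normalized throughput of a flow with a fixed minRTO under inter-burst period T."""
    return utilization([flow_busy_intervals(period, min_rto)])


def randomized_throughput(period, a, b, n_flows, trials=400, seed=7):
    """Monte Carlo: n flows, each drawing its own minRTO ~ uniform(a, b)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += utilization([flow_busy_intervals(period, rng.uniform(a, b))
                              for _ in range(n_flows)])
    return total / trials


def randomized_formula(a, b, n_flows):
    """The slide's closed form at the most vulnerable time-scale T = b: rho = n/(n+1) * (b-a)/b."""
    return n_flows / (n_flows + 1) * (b - a) / b


if __name__ == "__main__":
    print("RTO on a 20 ms path:", rfc2988_rto([0.02, 0.021, 0.019]), "s (clamped to minRTO)")
    for T in (0.5, 1.0, 1.5, 2.0, 3.0):
        print(f"fixed minRTO=1s, T={T}s -> throughput {deterministic_throughput(T):.2f}")
    a, b, n = 0.5, 1.2, 5
    print(f"minRTO~U({a},{b}), {n} flows, T=b: simulated {randomized_throughput(b, a, b, n):.3f}"
          f" vs formula {randomized_formula(a, b, n):.3f}")
```

With a fixed minRTO of 1 s the model reproduces the null time-scales: at T = 1 s (and at T = 0.5 s, because the backed-off retransmissions at 1, 3, 7, ... s all land on bursts) the flow never gets a packet through, while at T = 1.5 s or 2 s it recovers between bursts and gets (T - minRTO)/T of the link. With minRTO drawn from U(a, b) the first flow to recover refills the link at a + (b-a)/(n+1) on average, which is exactly the n/(n+1) factor in the slide's formula.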

An End-Point Solution

   Sender-side verification:
     – Ping Agent: measures the RTT without cooperation from the receiver
     – TFRC Agent: computes the "TCP-fair" rate from the measured throughput, Ploss and RTT
     – Control Agent: enforces the sending rate by comparing the computed and the measured throughput

   [Figure: sender architecture. Send buffer and SND.NXT; Control Agent, TFRC Agent and
   Ping Agent; segments SEG.SEQ, SEG.REQ, SEG.DEQ, PNG.SND, PNG.RCV.]

Evaluation

   Scenarios:
     – with a behaving receiver (to study false positives)
     – with misbehaving receivers (to study detection)

   [Figure: detection results versus packet loss ratio]

   The end-point scheme is able to detect even very moderate misbehaviors
   Slight inaccuracy for higher packet loss ratios (due to TFRC conservatism)
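The bandwidth-stealing argument (RED-PD's TB assumes RTT = 40 ms) and the sender-side verification above, as one added Python example constructed for this page (not the thesis' algorithm or code). It uses the standard AIMD(a, b) square-root throughput law in place of the thesis' generalized formula and a hypothetical tolerance factor of 1.5 for the sender-side check; the 1% loss rate and the 100 ms receiver RTT are constructed inputs.

```python
# Added example: gaming a router-side TCP-fairness check that assumes a fixed RTT
# (RED-PD's TB = f(Ploss, RTT=40 ms)) versus a sender-side check with a measured RTT.
# Constructed for this page; the standard AIMD square-root law stands in for the
# thesis' generalized formula T = f(Ploss, RTT, a, b).
import math

REDPD_RTT = 0.040   # RTT assumed by RED-PD when computing the target bandwidth (slide value)


def aimd_rate(p_loss, rtt, a=1.0, b=0.5):
    """Steady-state rate (packets/s) of an AIMD flow: +a per RTT, window cut by fraction b on loss.

    Standard TCP is a=1, b=0.5, giving the familiar sqrt(3/2) / (RTT * sqrt(p)).
    """
    return math.sqrt(a * (2 - b) / (2 * b * p_loss)) / rtt


def redpd_target_bandwidth(p_loss):
    """RED-PD's TB: the TCP-fair rate for the observed loss rate and a fixed 40 ms RTT."""
    return aimd_rate(p_loss, REDPD_RTT)


def redpd_flags(measured_rate, p_loss):
    """Router-side decision: flow i is suspected when T_i > TB."""
    return measured_rate > redpd_target_bandwidth(p_loss)


def max_undetected_increase(p_loss, rtt, b=0.5):
    """Largest additive-increase parameter a that keeps a flow with this RTT below TB.

    Solving aimd_rate(p, rtt, a, b) = TB for a: with b fixed the rate grows as sqrt(a),
    so a flow with rtt > 40 ms has headroom above its honest TCP share.
    """
    tb = redpd_target_bandwidth(p_loss)
    return (tb * rtt) ** 2 * 2 * b * p_loss / (2 - b)


def endpoint_flags(requested_rate, p_loss, measured_rtt, tolerance=1.5):
    """Sender-side check in the spirit of the slide's TFRC agent: compare the rate the
    receiver drives the sender at with the TCP-fair rate for the *measured* RTT.
    The tolerance factor is an assumed value, not from the thesis."""
    fair = aimd_rate(p_loss, measured_rtt)
    return requested_rate > tolerance * fair


def scenario(p_loss=0.01, real_rtt=0.100):
    """A receiver on a 100 ms path tunes a just under the RED-PD limit; return both verdicts."""
    honest = aimd_rate(p_loss, real_rtt)
    a_max = max_undetected_increase(p_loss, real_rtt)
    stolen = aimd_rate(p_loss, real_rtt, a=0.96 * a_max)   # stay slightly below TB
    return {
        "honest_rate": honest,
        "a_max": a_max,
        "stolen_rate": stolen,
        "gain": stolen / honest,
        "redpd_flags": redpd_flags(stolen, p_loss),
        "endpoint_flags": endpoint_flags(stolen, p_loss, real_rtt),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

At 1% loss the 40 ms assumption gives TB of about 306 packets/s, while an honest 100 ms flow is entitled to about 122 packets/s; raising a to 6 (the limit is 6.25) lets the receiver pull roughly 300 packets/s, 2.4 times its fair share, without ever exceeding TB. The sender, which knows the RTT from its own ping agent, sees a request far above the TCP-fair rate and flags it.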
                             Summary

   Denial of Service attacks represent a
   fundamental threat to today's Internet

   Network-based solutions are necessary, yet are
    quite often very limited

   End-point protocols optimized for performance,
    not security

   DoS-resilient protocol design
          Parameter randomization
          Ability to control the other end-point


                        Conclusions

   Improve network performance via
    – End-point QoS differentiation
    – DoS-resilient protocol design


   QoS differentiation
    – Developed, implemented, and tested TCP-LP
    – Can significantly improve the network performance

   Denial of Service
    – Pro-active approach
    – Jointly consider both performance and security
      aspects


                         Publications
[1] Measuring Service in Multi-Class Networks, In IEEE INFOCOM 2001.
[2] Measurement Based Characterization and Classification of QoS-
   Enhanced Systems, In IEEE TPDS, 14(7): 671-685, 2003.
[3] TCP-LP: A Distributed Algorithm for Low Priority Data Transfer, In
   IEEE INFOCOM 2003.
[4] TCP-LP: Low-Priority Service via End-Point Congestion Control, To
   appear in IEEE/ACM ToN.
[5]* HSTCP-LP: A Protocol for Low-Priority Bulk Data Transfer in High-
   Speed High-RTT Networks, In PFLDnet 2004.
[6] Low-Rate TCP-Targeted Denial of Service Attacks
   (The Shrew vs. the Mice and Elephants), In ACM SIGCOMM 2003.
[7] Low-Rate TCP-Targeted Denial of Service Attacks and Counter
   Strategies, Submitted to IEEE/ACM ToN.
[8] A Performance vs. Trust Perspective in the Design of End-Point
   Congestion Control Protocols, In IEEE ICNP 2004.
[9] Receiver-based Congestion Control with a Misbehaving Receiver:
   Vulnerabilities and End-Point Solutions, Submitted to IEEE/ACM ToN.
* With R. Les Cottrell, SLAC.