Impact of Low-Rate TCP-Targeted DoS Attacks on BGP


Slide 1: Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang, Z. Morley Mao, Jia Wang
Slide 2: Attacks on the Internet
- Attacks targeting end hosts
  - Denial of service attacks, worms, spam
- Attacks targeting the routing infrastructure
  - Compromised routers
  - Stealthy denial of service attacks
[Figure: attackers controlling bots send traffic across the Internet toward a target destination; the target link is a router-to-router link on the path]
Slide 3: Border Gateway Protocol
- De facto standard inter-domain routing protocol
- A BGP session between border routers is carried over a TCP connection
- Keepalive messages confirm peer liveliness and determine peer reachability
- When the BGP HoldTimer expires, the BGP session is reset
[Figure: border routers in AS 1 and AS 2 exchange Keepalives over a BGP session whose transport is a TCP connection]
Slide 4: Low-rate TCP-targeted DoS attacks [Kuzmanovic03]
- Exploiting TCP's deterministic retransmission behavior
[Figure: TCP congestion window size (packets) vs. time. From the initial window size the window grows while there is no packet loss and ACKs are received; after a packet loss with no ACK received, TCP retransmits after minRTO, then 2 x minRTO, then 4 x minRTO]
Slide 5: Low-rate TCP-targeted DoS attacks
- Attack flow period approximates minRTO of TCP flows
[Figure: TCP congestion window size (segments) vs. time, marking the initial window size and the retransmission times at minRTO, 2 x minRTO and 4 x minRTO]
Slide 6: Impact of low-rate TCP DoS attacks
- Impact on any TCP connection
  - TCP continuously experiences loss
  - TCP obtains near-zero throughput
  - Difficult to detect due to the low-rate property
- Our finding: low-rate TCP DoS attacks can disrupt BGP (with default configurations)
Slide 7: Impact of routing disruption
- Reduced sending rate
- Increasing convergence delay
- BGP session reset
- Routing instability
- Unreachable destinations
- Traffic performance degradation
Slide 8: Outline
- Description of a potential attack against Internet routing
- Attack demonstration using testbed experiments
- Increased attack sophistication using multi-host coordination
- Defense solutions through prevention
Slide 9: Testbed experiments
- Using high-end commercial routers
- Demonstrating the attack feasibility
[Figure: Sender A -- Gigabit Ethernet -- Router R1 (Cisco GSR) -- OC3 155 Mbps -- Router R2 (Cisco GSR) -- Gigabit Ethernet -- Receiver B]
Slides 10-13: The attack to bring down a BGP session
[Figure sequence: Attacker A sends a UDP-based attack flow through Router R1 toward Receiver B across the R1-R2 link that carries the BGP session]
- A BGP Keepalive message is dropped due to congestion
- After minRTO, the retransmitted BGP Keepalive message is dropped again
- After a further 2*minRTO, the 2nd retransmitted BGP Keepalive message is dropped
- By the 7th retransmitted BGP Keepalive message the Hold Timer has expired: BGP session reset
Slide 14: Basic attack flow properties
- Burst length L
- Magnitude of the peak R
- Inter-burst period T
Slide 15: How likely is BGP session reset?
- R: 185 Mbps, T: 600 msec
- Minimum duration: 216 sec
- 30% session reset probability with 42% capacity usage
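Slide 6 notes that the attack is hard to detect because its average rate is low, and slides 14 and 15 describe it as short bursts (peak R, length L) repeating every T, with T close to minRTO. A defender's counter-based check can therefore look not at average load but at whether the link is oversubscribed in short, regularly spaced bursts. The following Python script is an added example, not code from the paper: it builds a constructed per-10 ms byte-counter series (background load plus a square-wave burst train with the R=185 Mbps, T=600 msec values from slide 15 and L=200 msec from the backup slides), estimates the burst period by autocorrelation of a saturation indicator, and flags the series when the period falls in the minRTO range seen across the routers tested (300 to 1000 msec) while average utilisation stays low. The sampling interval, the search range and every threshold are assumptions chosen for the demo.

```python
"""Periodicity check for low-rate on-off bursts on a router link.

Added example (not the paper's code): from per-bin byte counters of the
traffic offered to a 155 Mbit/s egress, report whether the link is
oversubscribed in short, regularly spaced bursts while the average load
stays low. The traffic series is constructed; the sampling interval, the
minRTO search range and the thresholds are assumptions for the demo.
"""

BIN_MS = 10                    # assumed counter sampling interval
LINK_MBPS = 155.0              # OC3 link capacity from the testbed
MINRTO_RANGE_MS = (300, 1000)  # span of minRTO values listed for the routers tested


def bytes_per_bin(mbps):
    """Bytes that a rate of `mbps` delivers in one sampling bin."""
    return mbps * 1e6 * BIN_MS / 1000.0 / 8


def make_counters(duration_ms, background_mbps, peak_mbps, burst_ms, period_ms):
    """Constructed counter series: steady background load plus a square-wave burst
    train with peak R=peak_mbps, burst length L=burst_ms and period T=period_ms."""
    counters = []
    for t in range(0, duration_ms, BIN_MS):
        rate = background_mbps
        if (t % period_ms) < burst_ms:
            rate += peak_mbps
        counters.append(int(bytes_per_bin(rate)))
    return counters


def dominant_period(indicator, min_lag, max_lag):
    """Lag in [min_lag, max_lag] with the highest autocorrelation of a 0/1 series.
    Returns (lag, coefficient), or (None, 0.0) if the series never changes."""
    n = len(indicator)
    mean = sum(indicator) / n
    centered = [x - mean for x in indicator]
    var = sum(c * c for c in centered)
    if var == 0:
        return None, 0.0
    best_lag, best_r = None, 0.0
    for lag in range(min_lag, min(max_lag, n - 1) + 1):
        r = sum(centered[i] * centered[i + lag] for i in range(n - lag)) / var
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag, best_r


def analyze(counters):
    """Summarise a counter series and flag the low-rate periodic burst pattern."""
    cap = bytes_per_bin(LINK_MBPS)
    util = [c / cap for c in counters]
    avg_util = sum(util) / len(util)
    saturated = [1 if u > 1.0 else 0 for u in util]   # bins where offered load exceeds capacity
    sat_frac = sum(saturated) / len(saturated)
    lag, r = dominant_period(saturated,
                             MINRTO_RANGE_MS[0] // BIN_MS,
                             MINRTO_RANGE_MS[1] // BIN_MS)
    suspicious = (
        avg_util < 0.7          # assumed: average load too low to trip a plain utilisation alarm
        and sat_frac > 0.1      # assumed: yet the link is oversubscribed in a noticeable share of bins
        and lag is not None
        and r > 0.5             # assumed: and the oversubscription recurs at a stable period
    )
    return {
        "avg_util": round(avg_util, 3),
        "sat_frac": round(sat_frac, 3),
        "period_ms": None if lag is None else lag * BIN_MS,
        "autocorr": round(r, 3),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Constructed 6 s trace: 30 Mbit/s background plus bursts with R=185 Mbit/s, L=200 ms, T=600 ms
    bursty = make_counters(6000, background_mbps=30, peak_mbps=185, burst_ms=200, period_ms=600)
    print("bursty:", analyze(bursty))
    steady = make_counters(6000, background_mbps=30, peak_mbps=0, burst_ms=0, period_ms=600)
    print("steady:", analyze(steady))
```

For the bursty trace the average utilisation is about 59% (no threshold alarm would fire), yet a third of the bins exceed capacity and the saturation pattern repeats every 600 ms with autocorrelation 0.9, so the series is flagged. A steady load, or a flood that saturates every bin, produces a constant indicator and is left to ordinary utilisation alarms.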
Slide 16: Router implementation diversity

Router type    Router OS version   minRTO (msec)   Keepalive (sec)   HoldTimer (sec)
Cisco 3600     IOS 12.2(25a)       300             60                180
Cisco 7200     IOS 12.2(28)S3      600             60                180
Cisco 7300     IOS 12.3(3b)        300             60                180
Cisco 12000    IOS 12.0(23)S       600             60                180
Juniper M10    JUNOS[6.0R1.3]      1000            30                90
Slide 17: Explanation of packet drops
- BGP packet drop locations: ingress or egress line card buffer queues
- Resource sharing across interfaces: interfaces share buffers and processing time
[Figure: a router with interfaces 1-4; a BGP packet entering on one interface of the ingress line card shares the ingress and egress line card queues with traffic from the other interfaces]
Slide 18: Buffer allocation in line cards
- Line card memory is divided into buckets of different packet sizes
- Packets cannot utilize buckets of a different size
[Figure: line card buffer queues in front of the switch fabric, one queue per packet-size bucket: (0, 80 Byte], [81 Byte, 270 Byte], [271 Byte, 502 Byte], [503 Byte, 908 Byte], [909 Byte, 1500 Byte]. The small-packet queue holding the BGP packet is full, so the BGP packet is dropped, while a larger-size queue is empty]
Slide 19: Necessary conditions for session reset
- Inter-burst period approximates minRTO
- The attack flow's path traverses at least one link of the BGP session
- The attack flow's bottleneck link is the target link
[Figure: the attack flow's path from Attacker to Receiver crosses several routers; its bottleneck link is the link between Router R1 and Router R2, which also carries a multi-hop BGP session]
Slide 20: Outline (section divider; same outline as slide 8)
Slides 21-23: Coordinated low-rate DoS attacks
[Figure sequence: Attack host A sends to Destination C and Attack host B sends to Destination D; both paths cross the link between Router R1 and Router R2 that carries the target BGP session]
Slide 24: Host selection for coordinated attacks
- Selecting attack host-destination pairs that traverse the target link
  - Identify the target link's geographic location and ASes
  - Identify prefixes whose AS-level path goes through the target link
  - Identify IP-level paths
Slide 25: Wide-area experiments
- Internet bottleneck link available bandwidth measurement
  - 160 peering links
  - 330 customer and provider links
- Attack host selection
  - PlanetLab hosts as potential attack hosts
  - Attack hosts geographically close to the target link
- Attacks targeting a local BGP session
Slide 26: Wide-area coordinated attacks against a local BGP session
- R = 5 Mbps, L = 300 msec, T = 1 s; average rate = 1.5 Mbps
[Figure: attack hosts UW1 and UW2 (US) and THU1 and THU2 (China) send across the WAN to Software router 1 and Software router 2; the targeted BGP session runs between the two software routers; link speeds shown: 100 Mbps and 10 Mbps]
Slide 27: Conditions for coordinated attacks (compared with a single attack flow; primed items are the additional conditions for coordinated attacks)
1. Inter-burst period approximates minRTO
1'. Sufficiently strong combined attack flows to cause congestion
2. The attack flow's path traverses the BGP session
3. The attack flow's bottleneck link is the target link
3'. Identify the target link location
Slide 28: Outline (section divider; same outline as slide 8)
Slide 29: Attack prevention: hiding information
- Randomize minRTO [Kuzmanovic03]
  - minRTO is any value within the range [a, b]
  - Does not eliminate BGP session reset
- Hide network topology from end hosts
  - Disable ICMP TTL Time Exceeded replies at routers
Slide 30: Attack prevention: prioritize routing traffic
- Weighted Random Early Detection (WRED)
  - Prevents TCP synchronization
  - Selectively drops packets: low-priority packets are dropped first when the queue size exceeds defined thresholds
- Assumption of WRED: the IP precedence field is not spoofed
  - We need to police the IP precedence markings
Slide 31: Support from existing commercial routers
- Router-supported policing features
  - Committed Access Rate (CAR)
  - Class-based policing
- Traffic marking: reset incoming packets to low priority
- Class-based queuing: drop low-priority packets when the traffic burst is high
- Effective in isolating BGP packets from attack traffic!
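Slide 18 explains the drop (the BGP Keepalive shares a small-packet buffer bucket with the burst, and other buckets cannot help), and slides 30 and 31 give the fix: drop low-precedence packets first once a queue passes a threshold, and police the precedence markings at ingress so that a spoofed precedence gains nothing. The following Python model is an added example, not code from the paper and not any vendor's implementation. It combines a per-size-bucket buffer with the slide's byte ranges, a WRED-style early drop for packets below BGP's precedence, and an ingress marking policy under which only TCP port 179 traffic from a configured neighbour keeps its precedence. Queue depth, the threshold, the addresses and the packet sizes are constructed for the demo; the precedence value 6 (internetwork control) is what routers set on their own BGP packets.

```python
"""Line-card buffer model: size buckets, tail drop vs. precedence-aware drop with policing.

Added example (not the paper's code, not a vendor implementation). Models
one queue per packet-size bucket, an optional WRED-style early drop of
low-priority packets, and ingress policing of IP precedence markings.
Slot counts, thresholds, addresses and packet sizes are constructed.
"""
from dataclasses import dataclass

SIZE_BUCKETS = [(1, 80), (81, 270), (271, 502), (503, 908), (909, 1500)]  # byte ranges from the slide
SLOTS_PER_BUCKET = 8       # assumed queue depth per bucket
LOW_PRIO_THRESHOLD = 5     # assumed WRED threshold for packets below BGP precedence
BGP_PRECEDENCE = 6         # "internetwork control" precedence routers set on BGP packets
BGP_PORT = 179


@dataclass
class Packet:
    size: int
    precedence: int
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dport: int


def bucket_index(size):
    """Index of the size bucket a packet of `size` bytes must use."""
    for i, (lo, hi) in enumerate(SIZE_BUCKETS):
        if lo <= size <= hi:
            return i
    raise ValueError(f"packet size {size} outside buffered range")


def police_marking(pkt, bgp_peers):
    """Ingress marking policy: TCP/179 traffic from a configured neighbour keeps its
    precedence; everything else is reset to precedence 0."""
    is_bgp = (pkt.proto == "tcp" and pkt.src in bgp_peers
              and BGP_PORT in (pkt.sport, pkt.dport))
    if not is_bgp:
        pkt.precedence = 0
    return pkt


class LineCardBuffer:
    def __init__(self, precedence_aware):
        self.queues = [[] for _ in SIZE_BUCKETS]
        self.precedence_aware = precedence_aware
        self.dropped = []

    def admit(self, pkt):
        """Queue the packet in its size bucket or drop it; returns True if queued."""
        q = self.queues[bucket_index(pkt.size)]
        if len(q) >= SLOTS_PER_BUCKET:
            self.dropped.append(pkt)      # bucket full: tail drop regardless of class
            return False
        if (self.precedence_aware and pkt.precedence < BGP_PRECEDENCE
                and len(q) >= LOW_PRIO_THRESHOLD):
            self.dropped.append(pkt)      # WRED-style early drop of low-priority traffic
            return False
        q.append(pkt)
        return True


def run_scenario(precedence_aware, police, attacker_precedence):
    """A burst of 12 small UDP packets with a BGP Keepalive and a large data
    packet arriving after the 10th; no departures during the burst."""
    peers = {"10.0.0.2"}                  # constructed address of the BGP neighbour
    buf = LineCardBuffer(precedence_aware)
    udp = [Packet(64, attacker_precedence, "udp", "203.0.113.7", 40000 + i, 53)
           for i in range(12)]
    keepalive = Packet(59, BGP_PRECEDENCE, "tcp", "10.0.0.2", 179, 52000)  # 19-byte BGP msg + IP/TCP
    data = Packet(1400, 0, "tcp", "203.0.113.9", 40001, 80)
    arrivals = udp[:10] + [keepalive, data] + udp[10:]
    outcome = {"keepalive": None, "data": None, "udp_dropped": 0}
    for pkt in arrivals:
        if police:
            police_marking(pkt, peers)
        ok = buf.admit(pkt)
        if pkt is keepalive:
            outcome["keepalive"] = ok
        elif pkt is data:
            outcome["data"] = ok
        elif not ok:
            outcome["udp_dropped"] += 1
    outcome["bucket_occupancy"] = [len(q) for q in buf.queues]
    return outcome


if __name__ == "__main__":
    print("tail drop, no policing:          ", run_scenario(False, False, 0))
    print("WRED, attacker spoofs prec 6:    ", run_scenario(True, False, 6))
    print("WRED + ingress policing, spoofed:", run_scenario(True, True, 6))
```

With plain tail drop the small-packet bucket fills with UDP and the Keepalive is dropped even though the 1400-byte data packet is admitted into its own, empty bucket. WRED alone is defeated when the attacker marks precedence 6, which is exactly the slide 30 assumption; with ingress policing the UDP packets are re-marked to 0, dropped from the sixth one on, and the Keepalive from the configured neighbour is queued.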
Slide 32: Conclusion
- Feasibility of attacks against the Internet routing infrastructure
  - Lack of protection of routing traffic
- Prevention solution using existing router configurations
  - Ubiquitous deployment is challenging
- Difficulties in detecting and defending against coordinated attacks
  - May affect any network infrastructure
Slide 33: Thank you!

Slide 34: Backup slides
Slide 35: Attack flow notations
- Periodic, on-off square-wave flow
  - Burst period length L
  - Inter-burst period T
  - Burst magnitude of the peak R
[Figure: square-wave attack flow labelled with burst length L, magnitude of the peak R and inter-burst period T]
Slide 36: Attack inter-burst period's impact on table transfer duration (R = 185 Mbps, L = 200 msec)
[Figure: plot of table transfer duration vs. inter-burst period]
Slide 37: Attack peak magnitude's impact on session reset and table transfer duration
(Top: T = 600 msec, L = 200 msec; Bottom: T = 1.2 s, L = 200 msec) Normalized avg rate: 0.48, 0.24
[Figure: two plots of session reset and table transfer duration vs. attack peak magnitude]
Slide 38: Synchronization accuracy
[Figure: plot]

Slide 39: BGP table transfer with WRED enabled under attack
[Figure: plot]