Impact of Low-Rate TCP-Targeted DoS Attacks on BGP
Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang, Z. Morley Mao, Jia Wang
1
Attacks on the Internet
Attacks targeting end hosts: denial of service attacks, worms, spam
Attacks targeting the routing infrastructure: compromised routers, stealthy denial of service attacks
(Figure: attackers controlling bots send traffic across the Internet toward a destination; the target link lies between two border routers on that path)
2
Border Gateway Protocol
De facto standard inter-domain routing protocol
Keepalive: confirm peer liveliness; determine peer reachability
BGP HoldTimer expired: BGP session reset
(Figure: BGP session between the border routers of AS 1 and AS 2; transport: TCP connection)
3
Low-rate TCP-targeted DoS attacks
[Kuzmanovic03]
Exploiting TCP’s deterministic retransmission behavior
(Figure: TCP congestion window size (packets) vs. time; the window grows from its initial size while there is no packet loss and ACKs are received; after a packet loss with no ACK received, the retransmission timeout backs off from minRTO to 2 x minRTO to 4 x minRTO)
4
Low-rate TCP-targeted DoS attacks
Attack flow period approximates minRTO of TCP flows
(Figure: the same TCP congestion window size (segments) vs. time plot, with the minRTO, 2 x minRTO and 4 x minRTO retransmission points marked)
5
Impact of low-rate TCP DoS attacks
Impact on any TCP connection: TCP continuously experiences loss and obtains near zero throughput
Difficult to detect due to the low-rate property
Our finding: low-rate TCP DoS attacks can disrupt BGP (with default configurations)
6
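The slide above notes that the attack is hard to detect from traffic volume alone. Its effect on the router is more visible: a peer whose session keeps dropping with a hold-timer-expired NOTIFICATION while the link is nowhere near saturated. The script below is an added example, not part of the original slides or the authors' work. It parses syslog lines written in the style of Cisco IOS BGP messages (the sample lines, neighbor addresses and timestamps are constructed for this example) and flags neighbors with repeated hold-timer resets inside a sliding window; the 10-minute window and threshold of 3 are assumed tuning values.

```python
"""Flag BGP neighbors whose sessions repeatedly reset with "hold time expired"."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the style of Cisco IOS BGP syslog messages.
# The router name, neighbor addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:05 r1 %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.2 4/0 (hold time expired) 0 bytes
Mar  1 10:00:05 r1 %BGP-5-ADJCHANGE: neighbor 192.0.2.2 Down BGP Notification sent
Mar  1 10:00:40 r1 %BGP-5-ADJCHANGE: neighbor 192.0.2.2 Up
Mar  1 10:04:12 r1 %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.2 4/0 (hold time expired) 0 bytes
Mar  1 10:04:12 r1 %BGP-5-ADJCHANGE: neighbor 192.0.2.2 Down BGP Notification sent
Mar  1 10:04:50 r1 %BGP-5-ADJCHANGE: neighbor 192.0.2.2 Up
Mar  1 10:07:33 r1 %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.2 4/0 (hold time expired) 0 bytes
Mar  1 10:07:33 r1 %BGP-5-ADJCHANGE: neighbor 192.0.2.2 Down BGP Notification sent
Mar  1 11:30:00 r1 %BGP-5-ADJCHANGE: neighbor 198.51.100.9 Down Peer closed the session
Mar  1 11:30:20 r1 %BGP-5-ADJCHANGE: neighbor 198.51.100.9 Up
"""

# Syslog prefix: "Mon dd hh:mm:ss host %BGP-<sev>-<mnemonic>: text"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>%BGP-\d-\w+: .*)$"
)
# Only NOTIFICATIONs caused by hold-timer expiry count as the reset we care about;
# administrative resets ("Peer closed the session") are ignored.
HOLD_RE = re.compile(r"neighbor (?P<peer>[\d.]+) .*hold time expired")


def parse_ts(raw):
    """Syslog timestamps carry no year; 1900 is fine for deltas within one day."""
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")


def hold_timer_resets(log_text):
    """Return {peer: [timestamps]} of NOTIFICATIONs sent because the hold timer expired."""
    resets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h = HOLD_RE.search(m.group("msg"))
        if h:
            resets[h.group("peer")].append(parse_ts(m.group("ts")))
    return dict(resets)


def flag_neighbors(resets, window=timedelta(minutes=10), threshold=3):
    """Peers with at least `threshold` hold-timer resets inside any `window`.

    Sliding window over the sorted timestamps: `start` is advanced until the
    oldest reset in the window is no more than `window` before the newest.
    """
    flagged = []
    for peer, times in resets.items():
        times = sorted(times)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(peer)
                break
    return flagged


if __name__ == "__main__":
    resets = hold_timer_resets(SAMPLE_LOG)
    for peer, times in resets.items():
        print(peer, [t.strftime("%H:%M:%S") for t in times])
    print("flagged:", flag_neighbors(resets))
```

An operator would pair this with the interface counters of the link the session runs over: hold-timer resets on a link whose utilization stays well below capacity (the slides report resets at 42% capacity usage) are a signature worth alerting on, since an ordinary congestion event would show up in the utilization graph.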
Impact of routing disruption
Reduced sending rate
Increasing convergence delay
BGP session reset
Routing instability
Unreachable destinations
Traffic performance degradation
7
Outline
Description of a potential attack against Internet routing
Attack demonstration using testbed experiments
Increased attack sophistication using multi-host coordination
Defense solutions through prevention
8
Testbed experiments
Using high-end commercial routers
Demonstrating the attack feasibility
(Figure: Sender A connects over Gigabit Ethernet to Router R1 (Cisco GSR); R1 connects to Router R2 (Cisco GSR) over an OC3 155Mbps link; R2 connects over Gigabit Ethernet to Receiver B)
9
The attack to bring down a BGP session
(Figure: Attacker A sends a UDP-based attack flow through Router R1 toward Receiver B; a BGP Keepalive message between Router R1 and Router R2 is dropped due to congestion)
10
The attack to bring down a BGP session
(Figure: the BGP Keepalive message is retransmitted after minRTO, while Attacker A’s UDP-based attack flow keeps arriving at Router R1 on its way to Receiver B)
11
The attack to bring down a BGP session
(Figure: 2nd retransmitted BGP Keepalive message; the retransmission timeout has doubled to 2*minRTO while the attack bursts from Attacker A arrive at Router R1 every minRTO)
12
The attack to bring down a BGP session
(Figure: 7th retransmitted BGP Keepalive message, still lost to the attack bursts from Attacker A at Router R1; Router R2’s Hold Timer expires and the BGP session is reset)
13
Basic attack flow properties
Burst length L
Magnitude of the peak R
Inter-burst period T
14
How likely is BGP session reset?
R: 185Mbps, T: 600msec, min duration: 216 sec
30% session reset probability with 42% capacity usage
15
Router implementation diversity
Router type    Router OS version    minRTO (msec)    Keepalive (sec)    HoldTimer (sec)
Cisco 3600     IOS 12.2(25a)        300              60                 180
Cisco 7200     IOS 12.2(28)S3       600              60                 180
Cisco 7300     IOS 12.3(3b)         300              60                 180
Cisco 12000    IOS 12.0(23)S        600              60                 180
Juniper M10    JUNOS[6.0R1.3]       1000             30                 90
16
Explanation of packet drops
BGP packet drop locations: ingress or egress line card buffer queues
Resource sharing across interfaces: interfaces share buffers and processing time
(Figure: a router whose interfaces 1 to 4 share one ingress line card and one egress line card; BGP packets are queued on those line cards together with the other interfaces’ traffic)
17
Buffer allocation in line cards
Line card memory is divided into buckets of different packet sizes
Packets cannot utilize buckets of a different size
(Figure: line card buffer queues in front of the switch fabric, one per packet size range: (0, 80 Byte], [81 Byte, 270 Byte], [271 Byte, 502 Byte], [503 Byte, 908 Byte], [909 Byte, 1500 Byte]; a BGP packet is dropped because its size bucket is full, even though another bucket is empty)
18
Necessary conditions for session reset
Inter-burst period approximates minRTO
The attack flow’s path traverses at least one link of the BGP session
Attack flow’s bottleneck link is the target link
(Figure: the attack flow’s path from Attacker to Receiver through several routers; its bottleneck link lies on the multi-hop BGP session between Router R1 and Router R2)
19
Outline
Description of a potential attack against Internet routing
Attack demonstration using testbed experiments
Increased attack sophistication using multi-host coordination
Defense solutions through prevention
20
Coordinated low-rate DoS attacks
(Figure: attack host A sends to destination C and attack host B sends to destination D; both paths cross the target BGP session between Router R1 and Router R2)
21
Coordinated low-rate DoS attacks
(Figure: the same topology, with both attack flows active across the target BGP session between Router R1 and Router R2)
22
Coordinated low-rate DoS attacks
(Figure: the target BGP session between the two border routers, seen from the combined attack flows)
23
Host selection for coordinated attacks
Selecting attack host-destination pairs to traverse the target link
Identify the target link’s geographic location and ASes
Identify prefixes with an AS-level path through the target link
Identify IP-level paths
24
Wide-area experiments
Internet bottleneck link available bandwidth measurement: 160 peering links, 330 customer and provider links
Attack host selection: PlanetLab hosts as potential attack hosts; attack hosts geographically close to the target link
Attacks targeting a local BGP session
25
Wide-area coordinated attacks against a local BGP session
R=5Mbps, L=300msec, T=1s; average rate = 1.5Mbps
(Figure: attack hosts UW1 (US), UW2, THU1 (China) and THU2 send across the WAN through Software router 1 and Software router 2; the targeted BGP session runs between the two software routers, over a testbed with 100Mbps and 10Mbps links)
26
Conditions for a single attack flow vs. coordinated attacks
1. Inter-burst period approximates minRTO
1’. Sufficiently strong combined attack flows to cause congestion
2. The attack flow’s path traverses the BGP session
3. Attack flow’s bottleneck link is the target link
3’. Identify the target link location
27
Outline
Description of a potential attack against Internet routing
Attack demonstration using testbed experiments
Increased attack sophistication using multi-host coordination
Defense solutions through prevention
28
Attack prevention: hiding information
Randomize minRTO [Kuzmanovic03]: minRTO is any value within the range [a,b]; does not eliminate BGP session reset
Hide network topology from end-hosts: disable ICMP TTL Time Exceeded replies at routers
29
Attack prevention: prioritize routing traffic
Weighted Random Early Detection (WRED): prevents TCP synchronization; selectively drops packets, dropping low-priority packets first when the queue size exceeds defined thresholds
Assumption of WRED: the IP precedence field is not spoofed, so the IP precedence markings must be policed
30
Support from existing commercial routers
Router-supported policing features
Committed Access Rate (CAR)
Class-based policing
Traffic marking: reset the incoming packets to low priority
Class-based queuing: drop the low-priority packets when the traffic burst is high
Effective in isolating BGP packets from attack traffic!
31
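The two slides above make a paired point: WRED drops low-priority packets first once the queue exceeds its thresholds, but that only isolates BGP if an attacker cannot simply mark its own packets as high priority, so ingress policing has to reset incoming markings. The Python model below is an added example, not material from the slides and not any vendor's implementation. It applies a simplified per-precedence WRED profile to a single output queue (real WRED works on an averaged queue length; here the instantaneous depth is used) and compares a spoofed-precedence attack burst with and without ingress re-marking. The thresholds, the queue service rate and the choice of trusted interfaces are assumptions; precedence 6 is used for BGP because Cisco IOS marks its locally originated BGP packets with that value.

```python
"""Model: per-precedence WRED with and without ingress re-marking of IP precedence."""
import random
from dataclasses import dataclass

# IP precedence values used by the model. Cisco IOS marks locally originated BGP
# packets with precedence 6 (internetwork control); routine traffic carries 0.
PREC_ROUTINE = 0
PREC_INTERNETWORK_CONTROL = 6

# Assumed WRED profile per precedence: (min_threshold, max_threshold) in packets.
# Below min: never drop; between min and max: linear drop probability; at or above
# max: always drop. The BGP class is given far more headroom than routine traffic.
WRED_PROFILE = {
    PREC_ROUTINE: (10, 20),
    PREC_INTERNETWORK_CONTROL: (40, 60),
}


@dataclass
class Packet:
    kind: str         # "attack" or "bgp-keepalive"
    precedence: int   # IP precedence as the packet arrives at the router
    ingress: str      # "peer" (router-to-router link) or "customer" (end hosts)


def police_marking(pkt, trusted_ingress=("peer",)):
    """Ingress policy: reset the precedence of packets from untrusted interfaces to 0.

    Slide 31's "traffic marking: reset the incoming packets to low priority". The
    peer-facing interface is trusted so the neighbor router's BGP keeps its marking.
    """
    if pkt.ingress not in trusted_ingress:
        return Packet(pkt.kind, PREC_ROUTINE, pkt.ingress)
    return pkt


def wred_drop(depth, precedence, rng):
    """Simplified WRED decision for one arriving packet given the current queue depth."""
    min_th, max_th = WRED_PROFILE.get(precedence, WRED_PROFILE[PREC_ROUTINE])
    if depth < min_th:
        return False
    if depth >= max_th:
        return True
    return rng.random() < (depth - min_th) / (max_th - min_th)


def run_scenario(policed, seed=0, burst=400, drain_every=8,
                 keepalive_slots=(153, 201, 249, 297)):
    """Feed an attack burst plus a few BGP keepalives through one WRED-managed queue.

    Each slot one attack packet arrives from the customer side, spoofing precedence 6
    (the attacker claims to be control traffic). The output link drains one packet
    every `drain_every` slots, so the queue is the bottleneck. A packet that is
    enqueued is counted as delivered, since the FIFO is served in order.
    """
    rng = random.Random(seed)
    queue = []
    stats = {"keepalive_sent": 0, "keepalive_delivered": 0,
             "attack_dropped": 0, "attack_accepted": 0}
    for slot in range(burst):
        if slot % drain_every == 0 and queue:
            queue.pop(0)
        arrivals = [Packet("attack", PREC_INTERNETWORK_CONTROL, "customer")]
        if slot in keepalive_slots:
            arrivals.append(Packet("bgp-keepalive", PREC_INTERNETWORK_CONTROL, "peer"))
            stats["keepalive_sent"] += 1
        for pkt in arrivals:
            if policed:
                pkt = police_marking(pkt)
            if wred_drop(len(queue), pkt.precedence, rng):
                if pkt.kind == "attack":
                    stats["attack_dropped"] += 1
            else:
                queue.append(pkt)
                if pkt.kind == "attack":
                    stats["attack_accepted"] += 1
                else:
                    stats["keepalive_delivered"] += 1
    return stats


if __name__ == "__main__":
    for policed in (False, True):
        print("ingress policing" if policed else "no policing   ", run_scenario(policed))
```

With policing, re-marked attack packets can never push the queue past the routine class's 20-packet maximum, so a keepalive always arrives at a depth below its own class's 40-packet minimum and is never dropped. Without policing, the spoofed packets share the BGP profile, the queue settles near the top of that profile's range, and most keepalives are discarded: WRED alone does not isolate BGP from an attacker who controls the marking.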
Conclusion
Feasibility of attacks against the Internet routing infrastructure
Lack of protection of routing traffic
Prevention solution using existing router configurations
Ubiquitous deployment is challenging
Difficulties in detecting and defending against coordinated attacks, which may affect any network infrastructure
32
Thank you!
33
Backup slides
34
Attack flow notations
Periodic, on-off square-wave flow
Burst period length L
Inter-burst period T
Burst magnitude of the peak R
(Figure: square-wave attack flow annotated with burst length L, magnitude of the peak R and inter-burst period T)
35
Attack inter-burst period’s impact on table transfer duration (R=185Mbps, L=200msec)
36
Attack peak magnitude’s impact on session reset and table transfer duration
(Top: T=600msec, L=200msec; Bottom: T=1.2s, L=200msec)
(Figure: two plots annotated with normalized avg rate 0.48 (top) and normalized avg rate 0.24 (bottom))
37
Synchronization accuracy
38
BGP table transfer with WRED enabled under attack
39