Transcript [ppt]
On the Effect of Router Buffer Sizes
on Low-rate Denial of Service Attacks
Sandeep Sarat
Andreas Terzis
Johns Hopkins University
Router Buffers
Packets are buffered during congestion epochs.
Buffer sizing:
"Traditional" rule of thumb: $B = RTT \cdot C$
[AKM04] result: $B' = \frac{RTT \cdot C}{\sqrt{N}}$
B, B' – buffer size.
RTT – average round trip time.
N – the number of flows sharing the link.
C – the capacity of the link.
Consequences
Link utilization is not affected by the smaller buffer size [AKM04].
Question: are denial of service attacks more effective in this setting?
Router DoS attack categories:
Brute force: flood the link.
Low-rate: pulsing attack with a low average rate.
Shrew: Low-Rate Denial of Service Attack
Idea: keep the buffer full for a sufficiently long time: O(RTT).
Result: multiple drops from the same flow, which forces it into a retransmission timeout; repeating the pulse every T keeps it there.
Average attack rate $= P \cdot l / T$ (pulse rate P, pulse length l, pulse period T).
T = min{RTO} of the flows (= 1 second).
Shrew Attack (Continued)
Low-RTT flows are penalized more heavily.
Overall link utilization is reduced.
Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). A. Kuzmanovic, E. Knightly, SIGCOMM 2003.
Traffic Analysis
Minimum input traffic to keep the buffer full for $\tau$ seconds $= (B - B_0) + C \cdot \tau$.
$B_0$ is the instantaneous queue size at the onset of the attack.
$B = m \cdot \frac{RTT \cdot C}{\sqrt{N}}$ (m = 1 is the [AKM04] size).
Worst case scenario: the link is already fully utilized by TCP and other traffic, so the background traffic replaces what drains and the shrews only have to supply the empty part of the buffer.
Total shrew traffic $= B - B_0 = m(1-\alpha)\,\frac{C \cdot RTT}{\sqrt{N}}$.
$\alpha$ is the fraction of the buffer that is full at the onset of the attack ($B_0 = \alpha B$).
Traffic Analysis (Contd.)
$(P \cdot l)\cdot s = m(1-\alpha)\,\frac{C \cdot RTT}{\sqrt{N}}$ (s shrews, each sending a pulse of rate P for l seconds)
$P = \frac{m(1-\alpha)\, C \cdot RTT}{l \cdot s \cdot \sqrt{N}}$
• With a unit increase in m, each shrew needs to increase its mean rate by $O(1/\sqrt{N})$.
• Fair queuing schemes can limit a flow's average sending rate to O(C/N).
• As m increases, shrews are forced to increase their sending rate above the C/N threshold.
Evaluation
Used ns-2 for verification.
Classic dumb-bell topology.
RTTs range uniformly between 20-460 ms [FK02].
Buffer size is varied as $B = m \cdot \frac{RTT \cdot C}{\sqrt{N}}$.
Use a fairness-enforcing active queue management (AQM) scheme: RED-PD.
RED-PD
Uses the RED packet drop history to identify malicious (high-bandwidth) flows.
Configurable target round trip time parameter R.
Estimates the sending rate f of a flow from its drop rate with the TCP throughput formula: $f = \frac{1.5}{R\sqrt{p}}$.
Intuition: more drops in the history ⇒ higher bandwidth.
p is the ambient loss rate.
Protects flows with RTT > R: a TCP flow with RTT > R sends at less than f and is not rate-limited.
We experiment with R = 40 ms and R = 120 ms.
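The traffic analysis and the RED-PD slides above can be checked with numbers. The following is an added worked example, not code from the slides or from the authors: it computes the pulse rate P each shrew needs for a given buffer multiplier m, the resulting mean rate P·l/T, the fair share C/N, and the RED-PD identification rate f = 1.5/(R·sqrt(p)). The link, flow count, pulse parameters and R are the slides' low-speed scenario; the mean RTT of 240 ms (middle of the 20-460 ms range), the ambient loss rate p = 0.01, alpha = 0 and the 1500-byte packet size used to convert f to bit/s are assumptions.

```python
"""Added worked example of the shrew buffer analysis (not from the slides)."""
import math


def akm_buffer(m, rtt, C, N):
    """Router buffer in bits: B = m * RTT * C / sqrt(N).
    m = 1 is the [AKM04] size; m = sqrt(N) is the classic RTT * C rule."""
    return m * rtt * C / math.sqrt(N)


def shrew_pulse_rate(m, rtt, C, N, l, s=1, alpha=0.0):
    """Pulse rate P (bit/s) each of s shrews must send for l seconds so that
    the pulses fill the empty (1 - alpha) fraction of the buffer:
        (P * l) * s = m * (1 - alpha) * C * RTT / sqrt(N)
    This is the slides' worst case: the link is already fully utilised, so the
    shrews only have to supply B - B_0."""
    return m * (1 - alpha) * C * rtt / (l * s * math.sqrt(N))


def shrew_mean_rate(P, l, T):
    """Average shrew rate P * l / T for a pulse of rate P lasting l every T s."""
    return P * l / T


def redpd_identification_rate(R, p, pkt_bytes=1500):
    """RED-PD identification rate f = 1.5 / (R * sqrt(p)) in packets/s,
    converted to bit/s with an assumed packet size (assumption: 1500 bytes).
    A flow sending faster than f looks like TCP with RTT < R and is
    rate-limited; a slower flow (RTT > R) is left alone."""
    return 1.5 / (R * math.sqrt(p)) * pkt_bytes * 8


def analyse(m, rtt, C, N, l, T, R, p, s=1, alpha=0.0):
    """Quantities the slides compare, for one buffer multiplier m."""
    P = shrew_pulse_rate(m, rtt, C, N, l, s, alpha)
    mean = shrew_mean_rate(P, l, T)
    fair = C / N
    f = redpd_identification_rate(R, p)
    return {
        "m": m,
        "buffer_bits": akm_buffer(m, rtt, C, N),
        "pulse_rate": P,
        "mean_rate": mean,
        "fair_share": fair,
        # > 1 means the shrew's average rate exceeds its fair share C/N
        "mean_over_fair": mean / fair,
        # > 1 means the pulse rate is above RED-PD's identification rate
        "pulse_over_redpd": P / f,
    }


def sweep(ms, **kw):
    """Analyse a list of buffer multipliers; P grows linearly in m."""
    return [analyse(m, **kw) for m in ms]


if __name__ == "__main__":
    # Low-speed scenario from the slides: 10 Mbps, 20 flows, 1 shrew,
    # l = 200 ms, T = 1.2 s, R = 120 ms.  rtt = 240 ms (mean of 20-460 ms),
    # p = 0.01 and alpha = 0 are assumptions.
    kw = dict(rtt=0.240, C=10e6, N=20, l=0.200, T=1.2, R=0.120, p=0.01)
    print("m  buffer(KB)  P(Mbps)  mean(kbps)  mean/fair  P/f_redpd")
    for r in sweep([1, 2, 3, 4, 5], **kw):
        print(f"{r['m']}  {r['buffer_bits']/8000:9.1f}  {r['pulse_rate']/1e6:7.2f}"
              f"  {r['mean_rate']/1e3:10.0f}  {r['mean_over_fair']:9.2f}"
              f"  {r['pulse_over_redpd']:9.2f}")
```

Note that mean/fair simplifies to m·RTT·√N/T, independent of C and l: with the numbers above the shrew's average rate is below its fair share at m = 1 (about 0.89 of C/N) and above it from m = 2 on, which is the regime in which a fairness-enforcing AQM can catch it.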
Low-speed Link
10 Mbps, 20 TCP flows, 1 shrew.
P = 10 Mbps, l = 200 ms, T = 1.2 s.
Compare utilization with an equivalent CBR flow.
Utilization of link: with m = 2, R = 120 ms, within 91% of the non-shrew scenario.
High Speed Link
OC-3 (155 Mbps).
250 flows, 10 shrews (4%).
P = 20 Mbps, l = 200 ms, T = 1.2 s.
Utilization of link: with m = 5, R = 120 ms, within 99% of the non-shrew scenario.
Shrew Rate Increase
From the analysis: an increase in buffer size forces an increase in the shrew's sending rate.
The increase is almost linear in m, as the analysis predicts.
The shrew rate grows to a considerable proportion of the link capacity: it is no longer low-rate.
Summary
A moderate increase in buffer size over the Stanford [AKM04] model renders the shrew ineffective.
Shrews need to send faster to fill up the buffer, and are no longer low-rate.
Caveat: we need an AQM scheme to detect the malicious flow.
Question: can we detect it without an AQM scheme?