Transcript [ppt]

On the Effect of Router Buffer Sizes
on Low-rate Denial of Service Attacks
Sandeep Sarat
Andreas Terzis
Johns Hopkins University
Router Buffers

Packets are buffered during congestion epochs.
Buffer sizing.

“Traditional” rule of thumb: B = RTT × C
[AKM04] result: B' = RTT × C / √N
B, B' – buffer size.
RTT – average round trip time.
N – the number of flows sharing the link.
C – the capacity of the link.
Consequences

Link utilization not affected by smaller buffer size [AKM04].
Question: are denial of service attacks more effective in this setting?
Router DoS attack categories:

Brute force: flood the link.
Low-rate: pulsing attack, with low average rate.
Shrew: Low Rate Denial of Service Attack

Idea: keep the buffer full for a sufficiently long time: O(RTT).
Result: multiple drops from the same flow.
Average attack rate = P·l/T.
T = min{RTO} of flows (= 1 second).
Shrew Attack (Continued)

Low-RTT flows penalized more heavily.
Overall link utilization is reduced.
Low-rate TCP-targeted denial of service attacks (the shrew vs. the mice vs. the elephant). A. Kuzmanovic, E. Knightly, SIGCOMM 03.
Traffic Analysis

Minimum input traffic to keep the buffer full for τ seconds = B − (B0 − C·τ)
B0 is the instantaneous queue size.
B = m · RTT · C / √N
Worst case scenario: link is fully utilized by TCP and other traffic.
Total shrew traffic ≥ B − B0 = m(1 − α) · C · RTT / √N
α is the fraction of the buffer full at the onset of the attack.
Traffic Analysis (Contd.)
(P · l) · s ≥ m · (1 − α) · C · RTT / √N
P ≥ m · (1 − α) · C · RTT / (l · s · √N)
• With a unit increase in m, each shrew needs to increase its mean rate by O(1/√N).
• Fair queuing schemes can limit a flow’s average sending rate to O(C/N).
• As m increases, shrews are forced to increase their sending rate above the C/N threshold.
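The buffer-sizing check implied by the analysis above, as an added example that is not part of the slides: it evaluates the formulas for B, P and the mean rate P·l/T, then scans the multiplier m to find the point at which a shrew that can still fill the buffer must average more than the C/N fair share a fair-queuing AQM can police (the RED-PD rate f from the evaluation slides is included as well). Assumptions: s is the number of shrews, rates are in bits per second, and all parameter values are constructed.

```python
import math


def akm_buffer(rtt, capacity, n_flows, m=1.0):
    """B = m * RTT * C / sqrt(N) in bits; m = 1 is the [AKM04] (Stanford) model."""
    return m * rtt * capacity / math.sqrt(n_flows)


def shrew_pulse_rate(m, alpha, capacity, rtt, n_flows, pulse_len, n_shrews=1):
    """Minimum pulse rate P (bits/s) for s shrews to fill the remaining
    (1 - alpha) of the buffer within one pulse of length l, in the worst case
    where TCP already keeps the link saturated: P >= m(1-alpha) C RTT / (l s sqrt(N))."""
    return (m * (1 - alpha) * capacity * rtt
            / (pulse_len * n_shrews * math.sqrt(n_flows)))


def shrew_mean_rate(pulse_rate, pulse_len, period):
    """Average attack rate P * l / T of one shrew (bits/s)."""
    return pulse_rate * pulse_len / period


def fair_share(capacity, n_flows):
    """Per-flow fair share C / N that fair-queuing AQM schemes enforce."""
    return capacity / n_flows


def min_multiplier_above_fair_share(alpha, capacity, rtt, n_flows,
                                    pulse_len, period, n_shrews=1, max_m=100):
    """Smallest integer m >= 1 at which a buffer-filling shrew must average
    more than C / N (the mean rate is linear in m, so a short scan suffices)."""
    for m in range(1, max_m + 1):
        p = shrew_pulse_rate(m, alpha, capacity, rtt, n_flows, pulse_len, n_shrews)
        if shrew_mean_rate(p, pulse_len, period) > fair_share(capacity, n_flows):
            return m
    return None  # not reached within max_m


def redpd_target_rate(target_rtt, loss_rate):
    """RED-PD reference rate f = 1.5 / (R * sqrt(p)); p is the ambient loss rate.
    Units follow the TCP-friendly formula it derives from (packets/s, an assumption)."""
    return 1.5 / (target_rtt * math.sqrt(loss_rate))


if __name__ == "__main__":
    C, N, RTT = 10e6, 20, 0.24   # constructed: 10 Mbps link, 20 flows, mean RTT 240 ms
    L, T = 0.2, 1.2              # constructed: 200 ms pulse every 1.2 s
    for alpha in (0.0, 0.5):
        m = min_multiplier_above_fair_share(alpha, C, RTT, N, L, T)
        print(f"alpha={alpha}: m={m} forces the shrew above C/N = {fair_share(C, N)/1e6:.2f} Mbps")
```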
Evaluation
Used ns-2 for verification.
• Classic dumb-bell topology.
• RTTs range uniformly between 20-460 ms [FK02].
• Buffer size is varied as B = m · RTT · C / √N.
• Use a fairness enforcing active queue management (AQM) scheme: RED-PD.
RED-PD

Use RED packet drop history to determine malicious flows.
Configurable target round trip time parameter R.
Calculate the average sending rate f of a flow: f = 1.5 / (R · √p)
Intuition: more drops → higher bandwidth.
p is the ambient loss rate.
Protects flows with RTT > R.
We experiment with R = 40 ms and R = 120 ms.
Low-speed Link

10 Mbps, 20 TCP flows, 1 shrew.
P = 10 Mbps, l = 200 ms, T = 1.2 sec.
Compare utilization with an equivalent CBR flow.
Utilization of link: m = 2, R = 120 ms, within 91% of non-shrew scenario.
High Speed Link

OC-3 (155 Mbps).
250 flows, 10 shrews (4%).
P = 20 Mbps, l = 200 ms, T = 1.2 s.
Utilization of link: m = 5, R = 120 ms, within 99% of non-shrew scenario.
Shrew Rate Increase

From analysis.
Increase in buffer size → increase in sending rate.
Almost linear increase, as analysis shows.
The shrew rate grows to a considerable proportion of the link capacity: no longer low-rate.
Summary

A moderate increase in buffer size over the Stanford model renders the shrew ineffective.
Shrews need to send faster to fill up the buffer, and are no longer low-rate.
Caveat: we need an AQM scheme to detect the malicious flow.
Question: can we detect without an AQM scheme?