Protocol Attacks: What is a protocol attack? How does it work? (PDF document)

By Sushant Rewaskar


1. Outline: Part 1

- Introduction
- What is a "protocol attack"?
- How does it work?
- Different types of protocol attack

Introduction: Types of attacks

- Buffer overflow
- Weak authentication/encryption
- Inadequate argument checking
- Configuration errors
- Insecure program features
- Kernel-level problems
- Protocol attack

What is a protocol attack?

- Exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess amounts of its resources.

Popular protocol attacks

- Smurf attack
- SYN attack
- UDP attack, ICMP attack
- CGI request attack
- Authentication server attack
- Attack using DNS systems
- Attack using a spoofed address in ping

Smurf attack

[Figure: attacker Y sends an ICMP echo request with the spoofed source address SRC: X; every ICMP echo response is returned to X.]

2. TCP SYN

- Uses TCP's 3-way handshake
- Send a SYN packet with a spoofed IP address
- The server is not able to complete the handshake and as a result wastes its network resources holding half-open connections that never finish

UDP attack, ICMP attack, ping attack

[Figure: echo request sent with the spoofed source address SRC: Y; the echo response is delivered to Y.]

CGI request attack

- A CGI script uses CPU cycles to satisfy a request
- The attacker sends multiple CGI requests
- This consumes precious CPU cycles on the server

Authentication server attack

- The authentication server validates a signature
- It takes more resources to check a bogus signature than to create it
- The attacker sends bogus signatures to the server

Attack using DNS systems

[Figure: DNS request sent to a DNS server with the spoofed source address SRC: X; the DNS response is delivered to X.]

Features of these attacks

- All of these attacks need a lot of attackers (zombies)
- Mitigate by changing the protocol features
- The line between a protocol attack and brute force is very thin
- Can these attacks be identified? YES
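The slide above ends by asking whether these attacks can be identified. The Python script below is an added example, not code from the presentation: it scans a packet trace for the two signatures just described, TCP handshakes left half-open by spoofed SYNs and ICMP echo replies arriving at a host that never sent the matching requests. The trace, the addresses, the record format and the alert thresholds are all constructed for the example.

```python
"""Added example: spotting a SYN flood and a Smurf-style reflection in a packet trace.

The trace, addresses and thresholds below are constructed for this example
(they are not from the presentation). Record format, also an assumption:
(time_s, src, dst, proto, info) where info is the TCP flag string ("S",
"SA", "A") or the ICMP type name ("echo-request", "echo-reply").
"""
from collections import defaultdict

SERVER = "192.0.2.10"
VICTIM = "198.51.100.7"

TRACE = [
    # One legitimate client completes the 3-way handshake.
    (0.00, "10.0.0.5", SERVER, "tcp", "S"),
    (0.01, SERVER, "10.0.0.5", "tcp", "SA"),
    (0.02, "10.0.0.5", SERVER, "tcp", "A"),
    # Forty SYNs from spoofed sources; the SYN/ACKs go nowhere, so no final ACK ever arrives.
    *[(0.10 + i * 0.001, f"203.0.113.{i}", SERVER, "tcp", "S") for i in range(1, 41)],
    *[(0.11 + i * 0.001, SERVER, f"203.0.113.{i}", "tcp", "SA") for i in range(1, 41)],
    # One echo request to a broadcast address with the source spoofed as the victim (SRC: X)...
    (0.50, VICTIM, "192.0.2.255", "icmp", "echo-request"),
    # ...and every host on that segment replies to the victim.
    *[(0.51 + i * 0.001, f"192.0.2.{i}", VICTIM, "icmp", "echo-reply") for i in range(20, 60)],
]


def half_open_per_server(trace):
    """Handshakes that reached SYN/ACK but never saw the client's final ACK, per server."""
    state = {}                            # (client, server) -> "syn" | "synack" | "open"
    for _, src, dst, proto, info in trace:
        if proto != "tcp":
            continue
        if info == "S":
            state[(src, dst)] = "syn"
        elif info == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"
        elif info == "A" and state.get((src, dst)) == "synack":
            state[(src, dst)] = "open"
    counts = defaultdict(int)
    for (_, server), st in state.items():
        if st == "synack":
            counts[server] += 1
    return dict(counts)


def unsolicited_echo_replies(trace):
    """Echo replies received by a host from peers it never sent an echo request to."""
    requested = {(src, dst) for _, src, dst, proto, info in trace
                 if proto == "icmp" and info == "echo-request"}
    counts = defaultdict(int)
    for _, src, dst, proto, info in trace:
        if proto == "icmp" and info == "echo-reply" and (dst, src) not in requested:
            counts[dst] += 1
    return dict(counts)


def findings(trace, syn_threshold=10, reply_threshold=10):
    """Human-readable alerts; the thresholds are arbitrary for the example."""
    out = []
    for server, n in half_open_per_server(trace).items():
        if n >= syn_threshold:
            out.append(f"possible SYN flood: {n} half-open connections at {server}")
    for host, n in unsolicited_echo_replies(trace).items():
        if n >= reply_threshold:
            out.append(f"possible Smurf/reflection: {n} unsolicited echo replies to {host}")
    return out


if __name__ == "__main__":
    for line in findings(TRACE):
        print(line)
```

The unsolicited-reply check works from the victim's own vantage point, which never sees the spoofed broadcast request; it only needs to compare replies received against requests it actually sent. The half-open table must be aged out and bounded in a real sensor, otherwise the sensor's own state becomes the resource the flood exhausts.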

3. Conclusion: Part 1

- High-rate protocol attacks are very close to brute-force attacks

Alternate protocol attacks

- Use some feature of the protocol to launch an attack without being aggressive
- Can this be done? Yes:
  - Misbehaving receiver attack
  - Shrew attack

Outline: Part 2

- TCP mechanism
- Congestion window modification
- Congestion avoidance
- Design an attack that makes use of the congestion window update on ACKs
- Evaluate the attack's efficiency
- TCP modification to prevent the attack

TCP Congestion Control: sender's congestion window

[Figure: the sender's byte stream, from the 1st byte to the last byte, falls into four regions: sent and ACKed, sent and not ACKed, eligible to be sent, ineligible to be sent. sendBase (= LastByteACKed + 1) marks the first unacknowledged byte and nextSeqNum (= LastByteSent + 1) the first byte not yet sent.]

- The transmission rate is limited by the congestion window size, congWin:
  LastByteSent - LastByteACKed <= MIN(congWin, RcvWindow)
- The maximum rate is w MSS-byte segments sent every RTT:
  throughput = w x MSS / RTT bytes/sec

TCP Congestion Control

[Figure: Host A sends w MSS-byte data segments to Host B back to back; the ACK returns one RTT later.]

- If w x MSS / R < RTT (R being the link transmission rate), then the maximum rate at which a TCP connection can transmit data is w x MSS / RTT bytes/sec
- w is the minimum of the number of segments in the receiver's window and the congestion window
- TCP connections probe for available bandwidth:
  - Increase the congestion window until loss occurs
  - When loss is detected, decrease the window, then begin probing (increasing) again
- The congestion window grows in two phases:
  - Slow start: ramp up the transmission rate until loss occurs
  - Congestion avoidance: keep the connection close to the sustainable bandwidth
- A window size threshold (bytes transmitted) distinguishes between the slow start and congestion avoidance phases

4. TCP Congestion Control

- Increase the congestion window by 1 segment each RTT; decrease it by a factor of 2 when packet loss is detected: "Additive Increase, Multiplicative Decrease" (AIMD)
- Slow start: exponential increase in window size each RTT until:
  - loss occurs, or
  - congWin = threshold
  (Not so slow!)
- Note: TCP implementations detect loss differently
  - TCP "Tahoe": timeout
  - TCP "Reno": timeout or three duplicate ACKs

Slow start and congestion avoidance, as pseudocode on the slide:

  congWin = 1 MSS
  for (each original ACK received)
      congWin++
  until (loss event OR congWin > threshold)

  /* slowstart is over; congWin > threshold */
  until (loss event) {
      whenever congWin segments ACKed:
          congWin++
  }

  /* loss event timeout */
  threshold = congWin/2
  congWin = 1 MSS
  perform slowstart

[Figure: Host A to Host B, one segment in the first RTT, two in the second, four in the third, ...; congestion window size (segments, 0-12) vs. window transmissions (0-14), climbing to the threshold and collapsing at the loss event.]

TCP Congestion Control

- The threshold is an estimate of a "safe" level of throughput that is sustainable in the network
- The threshold specifies a throughput that was sustainable in the recent past
- Slow-start quickly increases throughput to this threshold
- Congestion avoidance slowly probes for additional available bandwidth beyond the threshold
- Loss (at any time) reduces the "safe" throughput estimate to 1/2 of the current throughput, i.e. the throughput that resulted in loss
- Slow-start begins anew whenever there is loss
- Throughput at the initial threshold = 1 MB / RTT; in the figure, at the 1st threshold: 16 MSS / RTT, at the 2nd threshold: 10 MSS / RTT

[Figure: congestion window size (segments, 0-24) vs. window transmissions (0-20), with the slow start and congestion avoidance phases marked; assume RTT > w x MSS / R.]

TCP Congestion Control: Tahoe and Reno

- TCP Tahoe:
  - Loss signaled by timeout
  - threshold = congWin/2
  - congWin = 1 MSS
- TCP Reno:
  - "Fast retransmit": receipt of 3 duplicate ACKs also signals a packet loss
  - "Fast recovery": skips slowstart and continues in congestion avoidance from the new threshold
- Others: TCP NewReno, SACK, ...

[Figure: congestion window size (segments, 0-24) vs. window transmissions (0-20) for Tahoe (after the loss, slow start restarts at 1 MSS) and for Reno (after 3 duplicate ACKs, the window continues in congestion avoidance at the new threshold); assume RTT > w x MSS / R.]

5. TCP Mechanism

- TCP works at two granularities:
  - ACKs are received and processed at byte granularity
  - Updates to the window are performed at packet granularity
- A clever receiver can use this to its benefit:
  - Ack division
  - DupAck spoofing
  - Optimistic Acking

[Figures: expected behavior vs. misbehavior for Ack division and for Optimistic Acking; only the labels survive.]

Evaluation: Ack division

[Figure: only the title survives.]
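To make the two-granularity point concrete, here is an added Python simulation (not code from the presentation) of a sender in slow start facing an honest receiver and an ACK-dividing one. The naive sender grows congWin by one MSS for every ACK packet, as the slide describes; the byte-counting variant credits growth only once a full MSS of new data has been acknowledged, which is the fix the Solution slide names for Ack division. The segment size, the receiver behaviours and the round counts are assumptions made for the example, and ssthresh is assumed large enough that the sender stays in slow start throughout.

```python
"""Added example: ACK division against a slow-start sender.

The slide's point: the sender processes ACKs at byte granularity but updates
the window per ACK packet. A receiver that splits the ACK for one segment into
several smaller ACKs therefore inflates congWin several times faster than an
honest receiver. Segment size, receiver behaviour and round counts are
assumptions for this example; ssthresh is assumed large enough that the sender
stays in slow start throughout.
"""

MSS = 1460


class SlowStartSender:
    def __init__(self, mss=MSS, byte_counting=False):
        self.mss = mss
        self.cwnd = mss                  # congWin = 1 MSS
        self.snd_una = 0                 # sendBase: first unacknowledged byte
        self.byte_counting = byte_counting
        self.acked_credit = 0            # bytes acked but not yet turned into window growth

    def on_ack(self, ack_no):
        newly_acked = ack_no - self.snd_una
        if newly_acked <= 0:
            return                       # duplicate or stale ACK: no growth in this model
        self.snd_una = ack_no
        if not self.byte_counting:
            # As described on the slide: one MSS of growth per ACK packet,
            # no matter how many bytes the ACK actually covers.
            self.cwnd += self.mss
        else:
            # Solution-slide variant: grow only once a full MSS of new data is acked.
            self.acked_credit += newly_acked
            while self.acked_credit >= self.mss:
                self.acked_credit -= self.mss
                self.cwnd += self.mss


def honest_receiver(seg_start, seg_len):
    """One cumulative ACK per received segment."""
    return [seg_start + seg_len]


def ack_dividing_receiver(pieces):
    """Acknowledge each segment in `pieces` separate ACKs, each covering a slice of its bytes."""
    def receiver(seg_start, seg_len):
        return [seg_start + (seg_len * i) // pieces for i in range(1, pieces + 1)]
    return receiver


def cwnd_after(rtts, receiver, byte_counting=False):
    """Congestion window (in segments) after `rtts` round trips with no loss."""
    sender = SlowStartSender(byte_counting=byte_counting)
    next_seq = 0                         # nextSeqNum
    for _ in range(rtts):
        acks = []
        for _ in range(sender.cwnd // sender.mss):   # send one full window
            acks.extend(receiver(next_seq, sender.mss))
            next_seq += sender.mss
        for ack in acks:                 # the ACKs arrive one RTT later
            sender.on_ack(ack)
    return sender.cwnd // sender.mss


if __name__ == "__main__":
    rounds = range(1, 5)
    print("honest receiver:              ", [cwnd_after(r, honest_receiver) for r in rounds])
    print("ACK division x4, per-ACK:     ", [cwnd_after(r, ack_dividing_receiver(4)) for r in rounds])
    print("ACK division x4, byte-counting", [cwnd_after(r, ack_dividing_receiver(4), True) for r in rounds])
```

With four ACKs per segment the per-ACK sender multiplies its window by five every RTT instead of doubling it; the byte-counting sender grows exactly as it would for an honest receiver, because the divided ACKs together still cover only one MSS of new data per segment.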

6. Evaluation: Ack spoofing / Evaluation: Optimistic acking

[Figures: only the titles survive.]

Solution

- Ack division: increment the congestion window only when MSS bytes of data have been acknowledged
- DupAck spoofing: use a nonce
- Optimistic Acking: sum of the nonces in the ACKs

Conclusion: Part 2

- Features of a protocol can be used to modify its behavior in a harmful way.

Part 3: Outline

- Design an attack that takes advantage of the congestion avoidance mechanism (shrew attack)
- Explore TCP's response to the shrew attack
- Modeling, simulation, Internet experiments
- Evaluate the detection mechanism
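The Solution slide names a nonce for DupAck spoofing and a sum of nonces for Optimistic Acking without spelling out the check. The Python below is an added example, not the presentation's code, of one way such a check can work: every segment carries a random nonce, a cumulative ACK must carry the sum of the nonces of all segments it covers, and a duplicate ACK must echo the nonce of the out-of-order segment that triggered it, each nonce being spendable once. The message format, the specific rules, the seeded random generator and the zero guess used by the misbehaving receivers are assumptions for the example.

```python
"""Added example: nonce-checked ACKs against DupAck spoofing and Optimistic Acking.

Scheme assumed for the example (the slide only names "use a nonce" and "sum of
nonce in the acks"): every segment carries a random nonce; a cumulative ACK
must carry the sum of the nonces of all segments it covers, and a duplicate
ACK must echo the nonce of the out-of-order segment that triggered it, each
nonce being spendable once. A receiver that acknowledges data it has not seen
cannot produce either value.
"""
import random

MSS = 1000


class NonceSender:
    def __init__(self, seed=7):
        self.rng = random.Random(seed)    # seeded only to make the example reproducible
        self.segments = {}                # seq -> (length, nonce)
        self.next_seq = 0
        self.snd_una = 0                  # first unacknowledged byte
        self.spent_dup_nonces = set()
        self.credited_acks = 0            # only credited ACKs may grow congWin

    def send(self, count):
        out = []
        for _ in range(count):
            nonce = self.rng.randrange(1, 1 << 32)   # never 0, so a guess of 0 cannot match
            self.segments[self.next_seq] = (MSS, nonce)
            out.append((self.next_seq, MSS, nonce))
            self.next_seq += MSS
        return out

    def expected_sum(self, ack):
        return sum(n for seq, (ln, n) in self.segments.items() if seq + ln <= ack)

    def on_ack(self, ack, proof):
        """Credit the ACK (True) or reject it (False) based on the nonce proof."""
        if ack > self.snd_una:
            # New data acknowledged: the receiver must prove it saw every covered segment.
            if proof != self.expected_sum(ack):
                return False
            self.snd_una = ack
        elif ack == self.snd_una:
            # Duplicate ACK: must echo a not-yet-spent nonce of a segment beyond the hole.
            beyond_hole = {n for seq, (_, n) in self.segments.items() if seq >= ack}
            if proof not in beyond_hole or proof in self.spent_dup_nonces:
                return False
            self.spent_dup_nonces.add(proof)
        else:
            return False                  # ACK below sendBase: stale
        self.credited_acks += 1
        return True


def honest_acks(delivered):
    """ACKs an honest receiver emits for segments delivered in this order."""
    acks, have, expected = [], {}, 0
    for seq, ln, nonce in delivered:
        have[seq] = (ln, nonce)
        if seq == expected:
            while expected in have:
                expected += have[expected][0]
            acks.append((expected, sum(n for s, (l, n) in have.items() if s + l <= expected)))
        else:
            acks.append((expected, nonce))   # dup ACK echoes the out-of-order segment's nonce
    return acks


def optimistic_acks(delivered, sent):
    """Receiver that has only `delivered` but acknowledges all of `sent`, guessing 0 for unseen nonces."""
    known = {seq: nonce for seq, _, nonce in delivered}
    total = sum(known.get(seq, 0) for seq, _, _ in sent)
    highest = max(seq + ln for seq, ln, _ in sent)
    return [(highest, total)]


def run_scenarios():
    results = {}
    sender = NonceSender()
    sent = sender.send(8)
    results["honest"] = [sender.on_ack(a, p) for a, p in honest_acks(sent)]

    sender = NonceSender()
    sent = sender.send(8)
    results["optimistic"] = [sender.on_ack(a, p) for a, p in optimistic_acks(sent[:3], sent)]

    sender = NonceSender()
    sent = sender.send(8)
    delivered = sent[:3] + [sent[4]]            # the segment at seq 3000 is lost
    genuine = honest_acks(delivered)            # 3 cumulative ACKs + 1 real dup ACK
    forged = [(3 * MSS, 0), (3 * MSS, 0)]       # spoofed dup ACKs meant to force fast retransmit
    results["dupack_spoof"] = [sender.on_ack(a, p) for a, p in genuine + forged]
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:13s} credited={verdicts.count(True)} rejected={verdicts.count(False)}")
```

The honest receiver gets all eight ACKs credited; the optimistic acker's single ACK for all eight segments is rejected because it cannot supply the nonces of the five segments it never saw; the spoofer's one genuine duplicate ACK is credited but the two it invents are not, so it never reaches the three duplicates fast retransmit needs.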

7. Shrew

- A very small but aggressive mammal that ferociously attacks and kills much larger animals with a venomous bite

TCP mechanism: AIMD

- Operates at the RTT time-scale

[Figure: congestion window vs. time, the AIMD sawtooth.]

TCP mechanism: timeout

- Operates at the RTO timer time-scale

[Figure: congestion window vs. time; after a loss the window stays idle for minRTO before transmission resumes.]

TCP dual time scale operation

- TCP operates at two time-scales:
  - RTT time-scales (~10-100 ms): AIMD control
  - RTO time-scales (RTO = SRTT + 4*RTTVAR): avoid congestion collapse
- RTO must be lower bounded to avoid spurious retransmissions
- [AllPax99] and RFC 2988 recommend minRTO = 1 sec

Shrew Attack

- Pulse-induced outages
- Create a long enough outage so that all flows experience a loss
- Short outages (~RTT) force TCP to timeout
- All flows simultaneously enter this state

[Figure: congestion window vs. time; each short pulse is followed by a minRTO-long idle period during which every flow is waiting on its timer.]
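An added Python model (not from the presentation) of the timing described above: the attacker sends a short pulse every T milliseconds, every packet sent during a pulse is lost, and the victim flow recovers only through its retransmission timer, whose first value is minRTO and which doubles after each consecutive timeout. Between pulses the flow is treated as transmitting at full rate, so slow-start ramp-up after recovery is ignored; the pulse lengths, periods and RTT used are assumptions for the example.

```python
"""Added example: toy model of the shrew (low-rate) attack on TCP's timeout time-scale.

Assumptions (not from the slides): a pulse of length `burst_ms` starting every
`period_ms` drops every packet sent during it; a loss is recovered only by
retransmission timeout; consecutive timeouts double the RTO (exponential
backoff as in RFC 2988); between pulses the flow is treated as transmitting
at full rate, so slow-start ramp-up after recovery is ignored.
"""

MIN_RTO_MS = 1000  # minRTO = 1 sec, the RFC 2988 / [AllPax99] recommendation on the slide


def rto_from_estimates(srtt_ms, rttvar_ms, min_rto_ms=MIN_RTO_MS):
    """RTO = SRTT + 4*RTTVAR, lower bounded by minRTO (the slide's formula)."""
    return max(min_rto_ms, srtt_ms + 4 * rttvar_ms)


def in_outage(t_ms, period_ms, burst_ms):
    """True if time t falls inside one of the attacker's pulses."""
    return (t_ms % period_ms) < burst_ms


def next_pulse_start(t_ms, period_ms):
    return (t_ms // period_ms + 1) * period_ms


def shrew_throughput(period_ms, burst_ms, duration_ms,
                     rtt_ms=100, min_rto_ms=MIN_RTO_MS, max_rto_ms=60_000):
    """Fraction of `duration_ms` during which one TCP flow gets to transmit.

    burst_ms must be at least one RTT so that the whole window in flight is lost
    ("short outages (~RTT) force TCP to timeout").
    """
    if burst_ms < rtt_ms:
        raise ValueError("a pulse shorter than the RTT does not guarantee a loss")
    t, busy_ms, rto = 0, 0, min_rto_ms
    while t < duration_ms:
        if in_outage(t, period_ms, burst_ms):
            # Everything sent now is dropped; the timer fires RTO later and the
            # retransmission goes out then. Back off for the next attempt.
            t += rto
            rto = min(2 * rto, max_rto_ms)
        else:
            # The retransmission got through: send flat out until the next pulse.
            rto = min_rto_ms
            nxt = next_pulse_start(t, period_ms)
            busy_ms += min(nxt, duration_ms) - t
            t = nxt
    return busy_ms / duration_ms


def attacker_duty_cycle(period_ms, burst_ms):
    """Average attacker rate as a fraction of its peak rate during a pulse."""
    return burst_ms / period_ms


if __name__ == "__main__":
    for period in (1000, 1500, 2000):
        thr = shrew_throughput(period, burst_ms=100, duration_ms=60_000)
        print(f"period {period} ms: victim throughput {thr:.2f}, "
              f"attacker duty cycle {attacker_duty_cycle(period, 100):.2f}")
```

With T equal to minRTO every retransmission lands exactly on the next pulse, the backoff keeps doubling and the victim never transmits, while the attacker is active only 10% of the time; with T = 1.5 s or 2 s the flow gets (T - minRTO)/T of the time, which is why the attack is tuned to the timeout time-scale rather than the RTT time-scale.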
