A Smart Denial-of-Service Attack and its Defense - PowerPoint PPT Presentation

About This Presentation
Title: A Smart Denial-of-Service Attack and its Defense
Description: DoS attacks constitute one of the major security issues in today's Internet. ... Evade the detection mechanisms for flooding-based DoS attacks ...

Slides: 24
Provided by: edm66

Transcript and Presenter's Notes

1
A Smart Denial-of-Service Attack and its Defense
  • Supervisor Prof. Daniel Yeung
  • Co-examiner Dr. Man-wai Mak
  • Edmond Wun-wah Chan
  • (01490305D)
  • May 24th, 2005

2
Outline
  • Introduction
  • Methodology
  • Conclusion & Future Work
  • Demonstration
  • Q&A Session

3
Overview
  • Distributed Denial-of-Service (DoS) attacks have
    struck a number of local universities' networks,
    including PolyU's network [PolyU, 2005].
  • DoS attacks constitute one of the major security
    issues in today's Internet.
  • Considered to be the most damaging computer crime
    [CSI, 2004].

4
Flooding-based DoS vs Pulsing DoS

[Figure: TCP throughput over time with the attack periods marked; one attack yields 45% throughput degradation, the other 80%]
5
PDoS Attack Mechanism
  • TCP congestion control mechanism

[Figure: congestion window (CWND) vs. time, comparing CWND under normal operation with CWND under attack; the attack epochs are marked]
6
PDoS Attack Mechanism
  • PDoS attack pulses

[Figure: attack traffic rate R_attack (Mbps) vs. time t (seconds); each pulse lasts T_extent, consecutive pulses are separated by T_space, and the pulse period is T_period]
7
Problem Definition
  • The PDoS attack could pose a serious threat to the
    Internet because of the dominance of TCP.
  • TCP makes up between 60% and 90% of the total
    traffic, UDP between 10% and 40%, and other
    protocols less than 5% [Fomenkov, 2004].
  • No study has shown that the PDoS attack is
    practical, effective in reality, and defensible in
    real time.
  • Previous works are mainly based on simulation
    studies.

8
Objectives
  • Explore the PDoS attack
  • Practicability analysis
  • Effectiveness analysis
  • Defend against the PDoS attack
  • Real-time, anomaly-based two-stage defense system
  • Evaluate its performance

9
Contributions
  • Practicability to launch PDoS attack using widely
    available packet injection libraries
  • Development of a PDoS attack agent
  • Effectiveness of PDoS attacks
  • Development of a real-time PDoS defense system
  • Defensibility of PDoS attacks in real-time

10
Practicability Analysis
  • Evaluation on commonly available packet injection
    libraries

11
Effectiveness Analysis
  • Flooding-based DoS vs PDoS

12
PDoS Defense System
  • Features
    • Real-time monitoring of both the incoming TCP
      traffic and the outgoing TCP ACK traffic at the
      victim's network
    • Implemented as a Snort plug-in
    • Adopts the anomaly-based two-stage detection
      model [Luo and Chang, 2004]
      • First stage: wavelet-based network traffic
        analysis
      • Second stage: CUSUM change-point detection

13
PDoS Defense System
  • Foundations of the defense system
  • Two traffic anomalies due to the PDoS attack:
    • Periodic fluctuation in incoming TCP traffic
      (quasi-global synchronization)
    • Sudden decline in outgoing TCP ACK traffic

14
PDoS Defense System
  • Foundations of the defense system
  • Extract the anomalies using multi-resolution
    analysis (discrete wavelet transform)
    • Traffic signal: fluctuation = high frequency,
      trend = low frequency
  • Detect the anomalies automatically using CUSUM
    • Wavelet coefficients: high frequency
    • Scaling coefficients: low frequency

15
PDoS Defense System
  • Architecture

16
PDoS Defense System
  • Evaluation
  • Different combinations of the wavelet and scaling
    coefficients
  • Incoming TCP traffic using wavelet coefficients
  • Outgoing ACK traffic using scaling coefficients

17
PDoS Defense System
  • Result for incoming TCP traffic using wavelet
    coefficients

18
PDoS Defense System
  • Result for outgoing ACK traffic using scaling
    coefficients

19
PDoS Defense System
  • False Alarm
  • n aggregates of Web-like traffic with
    Pareto(1.5,1.1)

20
PDoS Defense System
  • Conclusion
  • The PDoS attack is defensible in real time.
    • For incoming TCP traffic: a smaller attack
      period is detected with wavelet coefficients
    • For outgoing TCP ACK traffic: a smaller attack
      period is detected with scaling coefficients

21
Conclusion
  • The PDoS attack is
  • Practical
  • Effective in reality
  • Defensible in real-time

22
Demonstration
  • Capacity of the bottleneck link is 10 Mbps.
  • There are 10 TCP connections between FEDORA2_A
    and FEDORA2B.
  • Average attack throughput is 2 Mbps.

[Figure: throughput of the 10 TCP flows over time with the attack pulses marked]
23
Q&A Session
Thanks
24
Supplementary Slides
25
Overview
  • Flooding-based DoS attacks
    • DNS reply flooding attack and ICMP flooding
      attack
    • Deprive victims of their finite bandwidth
    • Present a high volume of attack traffic
    • Various detection schemes, e.g., the
      statistical-based detection scheme [Collins, 2004]

26
Overview
  • Pulsing DoS (PDoS) attacks
    • Produce damage to victims similar to
      flooding-based DoS attacks
    • Present a smaller amount of attack traffic
    • Evade the detection mechanisms for flooding-based
      DoS attacks
  • PDoS attacks do exist in the Internet:
    pulsing zombies in the Internet2 Abilene backbone
    [Delio, 2001].

27
PDoS Attack Mechanism
  • Targets TCP traffic
  • Injects bursts of attack packets at a high rate but
    with short duration (attack pulses)
  • Congests the queue in the bottleneck gateway and
    produces packet loss in the TCP traffic
  • The TCP sender receives a sequence of false
    congestion signals.
  • It shrinks its congestion window (CWND) because of
    • the congestion control mechanism [RFC 2581]
    • the retransmission timeout mechanism [RFC 2988]
  • CWND controls the amount of data that may be in flight

28
PDoS Attack Mechanism
  • TCP retransmission timeout mechanism
  • Minimum retransmission timeout value (RTOmin)

[Figure: CWND vs. time; after each attack epoch CWND falls to 1 segment and the sender waits RTOmin before transmitting again]
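The timeout-driven throttling sketched on slides 5-6 and 27-28, as a runnable model. This is an added example, not code from the thesis: a slot-based simulation of one TCP sender that grows its window every RTT and, whenever an attack pulse overlaps an RTT, loses the window, drops CWND to 1 and idles for RTOmin. The parameters (RTT 150 ms, RTOmin 1 s, a 64-segment window cap, 240 s of attack) and the assumption that every pulse costs the sender a full window are mine; the model has no queue, so it does not reproduce the deck's flooding comparison or its queue-size and packet-size results.

```python
"""Slot-based model of a TCP sender under a pulsing DoS (PDoS) attack.

Time advances one RTT per step.  Below ssthresh the window doubles each
RTT (slow start); above it the window grows by one segment (congestion
avoidance), capped at max_cwnd.  An attack pulse that overlaps an RTT
slot is ASSUMED to overflow the bottleneck queue and take out the whole
window, so the retransmission timer fires: ssthresh = cwnd / 2, cwnd = 1,
and the sender stays idle for RTO_min before retransmitting.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Params:
    rtt: float = 0.15        # seconds; the deck's testbed RTT (100 ms + 50 ms)
    rto_min: float = 1.0     # seconds; RFC 2988 lower bound on the RTO (assumed)
    max_cwnd: int = 64       # segments; stands in for the receiver window (assumed)
    duration: float = 240.0  # seconds of attack, as in the deck's experiments


def overlaps_pulse(t: float, rtt: float, period: float, width: float) -> bool:
    """True if the RTT slot [t, t + rtt) overlaps an attack pulse.

    Pulses start at k * period (k = 0, 1, ...) and last `width` seconds.
    """
    k = math.floor(t / period)
    if k * period + width > t:          # pulse k is still active at t
        return True
    return (k + 1) * period < t + rtt   # pulse k+1 starts inside this slot


def throughput_fraction(p: Params, period: Optional[float] = None,
                        width: float = 0.1) -> float:
    """Fraction of the window-limited throughput the sender achieves.

    period=None runs the baseline with no attack.
    """
    t, sent = 0.0, 0.0
    cwnd, ssthresh = 1.0, float(p.max_cwnd)
    while t < p.duration:
        if period is not None and overlaps_pulse(t, p.rtt, period, width):
            # False congestion signal -> RTO: halve ssthresh, cwnd to 1,
            # and lose at least RTO_min of sending time.
            ssthresh = max(cwnd / 2.0, 2.0)
            cwnd = 1.0
            t += p.rto_min
            continue
        sent += cwnd
        cwnd = min(cwnd * 2.0 if cwnd < ssthresh else cwnd + 1.0,
                   float(p.max_cwnd))
        t += p.rtt
    ideal = p.max_cwnd * (p.duration / p.rtt)
    return sent / ideal


def degradation(p: Params, period: float, width: float = 0.1) -> float:
    """Throughput degradation of the attacked sender relative to the baseline."""
    return 1.0 - throughput_fraction(p, period, width) / throughput_fraction(p)


if __name__ == "__main__":
    print(f"no attack: {throughput_fraction(Params()):.3f} of ideal")
    for period in (0.5, 1.0, 2.0, 5.0):
        for rto_min in (1.0, 3.0):
            p = Params(rto_min=rto_min)
            print(f"T_period={period:>4} s  RTO_min={rto_min} s  "
                  f"degradation={degradation(p, period):.1%}")
```

Running it shows the two effects the deck argues for: pulses spaced near RTOmin keep the sender in timeout almost permanently, and a larger RTOmin makes the same pulse train more damaging because each false congestion signal costs more idle time.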
29
Practicability Analysis
  • To implement a PDoS attack agent, we can make use
    of commonly available packet injection libraries.
  • Are the libraries suitable for generating the
    PDoS attack?
  • Judged by their maximum instantaneous throughput
    (Rinstantaneous), which is determined by
    • Packet preparation time
    • Theoretical transmission delay
  • Requirement: Rattack ≤ Rinstantaneous ≤ Rbandwidth

30
Practicability Analysis
  • Evaluate 4 commonly available libraries
    • WinPcap v3.0 for Win32
    • Winsock v2.2 for Win32
    • Linux Socket for Linux
    • Libnet v1.1.2.1 for Win32 and Linux
  • Packet sizes from 64 bytes to 1500 bytes
  • Win32 and Linux chosen for their popularity:
    50% of servers from 276,465 sites run Windows,
    while 27% run Linux [Netcraft, 2004]

31
Practicability Analysis
  • Conclusion
  • The PDoS attack is practical using packet
    injection libraries.
  • With a sufficiently large packet size, the maximum
    attack traffic rate of each library is close to
    the available bandwidth (at least 90%).
  • This lets the attacker use more of the bandwidth
    available to the host.

32
Effectiveness Analysis
  • Aim
  • Compare the flooding-based DoS attack with the
    PDoS attack
  • Investigate the performance of the PDoS attack
    under various
    • bottleneck gateway queue sizes
    • bottleneck gateway queue management policies
      (RED and drop-tail)
    • attack traffic rates
    • attack packet sizes
    • attack pulse widths
    • RTOmin values at the TCP sender

33
Effectiveness Analysis
  • Experiment procedures

[Figure: testbed topology with the TCP flows and the attack stream sharing the bottleneck]
  • The bottleneck queues have size Q bytes each.
  • One-way propagation delays of 100 ms and 50 ms;
    therefore, Round Trip Time (RTT) = 100 + 50 = 150 ms.
  • Each experiment lasts 370 seconds: the attack
    stream is started after 130 seconds and continues
    for the remaining 240 seconds.
34
Effectiveness Analysis
  • Various gateway queue sizes

35
Effectiveness Analysis
  • Various attack packet sizes

36
Effectiveness Analysis
  • Different attack pulse widths

37
Effectiveness Analysis
  • Different RTOmin

38
Effectiveness Analysis
  • Conclusion
  • The PDoS attack throttles the TCP traffic more
    effectively than the flooding-based DoS attack.
  • Both droptail and RED are susceptible to the PDoS
    attack, especially for small queue sizes.
  • The PDoS attack with various attack packet sizes
    generates similar damage to TCP traffic.

39
Effectiveness Analysis
  • Conclusion
  • Attack pulses with larger pulse widths produce
    more damage to TCP traffic.
  • The PDoS attack is more effective on TCP traffic
    with a greater minimum retransmission timeout.

40
PDoS Defense System
  • Wavelet-based network traffic analysis
  • Compute the coefficients from the incoming traffic
    fIn and the outgoing traffic fOut, and determine
    their energy-based statistics EIn(n) and EOut(n)
    for the n-th block of G consecutive samples using
    Parseval's theorem

41
PDoS Defense System
  • CUSUM change-point detection
  • Automatically detect the change points in the
    sequences EIn(n) and EOut(n) as soon as
    possible
  • Transform EIn(n) and EOut(n) into ZIn(n) and
    ZOut(n), which are both negative in the normal
    period
  • The current CUSUM value yIn(n) is computed from
    the previous CUSUM value yIn(n-1) and ZIn(n);
    yOut(n) is computed in the same way from
    yOut(n-1) and ZOut(n).
42
PDoS Defense System
  • CUSUM change-point detection
  • Identifies the PDoS attack when yIn(n) and
    yOut(n) are both greater than their corresponding
    thresholds CCUSUM-In and CCUSUM-Out
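The two-stage detector of slides 12-14 and 40-42, as an added, runnable example rather than the thesis's Snort plug-in. It uses an orthonormal Haar DWT as the multi-resolution analysis and the non-parametric CUSUM recursion y(n) = max(0, y(n-1) + Z(n)); the shift of E(n) by k standard deviations to obtain a Z(n) that is negative in normal operation, the thresholds CCUSUM = h standard deviations, the block length G = 32 with 3 decomposition levels, and the traffic series (constructed 100 ms samples, not captures) are all my assumptions.

```python
"""Two-stage PDoS detector: wavelet energy statistics followed by CUSUM.

Stage 1 (multi-resolution analysis): cut each traffic series into blocks
of G consecutive samples, apply an orthonormal Haar DWT to each block and,
by Parseval's theorem, read the block's energy off the coefficients.  The
detail (wavelet) coefficients carry the high-frequency fluctuation that
periodic attack pulses add to incoming TCP traffic; the approximation
(scaling) coefficients carry the low-frequency trend that collapses when
outgoing TCP ACKs dry up.
Stage 2 (change-point detection): shift each energy statistic so it is
negative in the normal period (Z < 0), run the non-parametric CUSUM
recursion y(n) = max(0, y(n-1) + Z(n)) (an assumed, standard form), and
alarm when both CUSUMs exceed their thresholds in the same block.
"""
import math
import random
import statistics
from typing import List, Optional, Tuple


def haar_dwt(block: List[float], levels: int) -> Tuple[List[float], List[float]]:
    """Orthonormal Haar DWT.  Returns (all detail coefficients, coarsest
    approximation coefficients); len(block) must be divisible by 2**levels."""
    approx = list(block)
    details: List[float] = []
    for _ in range(levels):
        nxt, det = [], []
        for a, b in zip(approx[0::2], approx[1::2]):
            nxt.append((a + b) / math.sqrt(2.0))
            det.append((a - b) / math.sqrt(2.0))
        details.extend(det)
        approx = nxt
    return details, approx


def energy(coeffs: List[float]) -> float:
    """Sum of squares; by Parseval equals the block energy when summed over all coefficients."""
    return sum(c * c for c in coeffs)


def block_energies(series: List[float], g: int, levels: int,
                   use_detail: bool) -> List[float]:
    """E(n): energy of the chosen coefficient type for the n-th block of G samples."""
    out = []
    for i in range(0, len(series) - g + 1, g):
        det, app = haar_dwt(series[i:i + g], levels)
        out.append(energy(det if use_detail else app))
    return out


def cusum(z: List[float]) -> List[float]:
    """y(n) = max(0, y(n-1) + Z(n)); stays at 0 while Z remains negative."""
    y, ys = 0.0, []
    for v in z:
        y = max(0.0, y + v)
        ys.append(y)
    return ys


def detect(f_in: List[float], f_out: List[float], g: int = 32, levels: int = 3,
           train_blocks: int = 10, k: float = 3.0, h: float = 5.0) -> Optional[int]:
    """Index of the first block where both CUSUMs exceed their thresholds, else None.

    The first `train_blocks` blocks are assumed attack-free and give the
    normal mean/std of each energy statistic.  Z is the energy shifted by
    k standard deviations so it is negative in normal operation; the CUSUM
    thresholds C_CUSUM are h standard deviations (both choices assumed).
    """
    e_in = block_energies(f_in, g, levels, use_detail=True)    # fluctuation
    e_out = block_energies(f_out, g, levels, use_detail=False)  # trend
    mu_in, sd_in = statistics.mean(e_in[:train_blocks]), statistics.pstdev(e_in[:train_blocks])
    mu_out, sd_out = statistics.mean(e_out[:train_blocks]), statistics.pstdev(e_out[:train_blocks])
    z_in = [e - (mu_in + k * sd_in) for e in e_in]       # > 0 only if fluctuation jumps
    z_out = [(mu_out - k * sd_out) - e for e in e_out]   # > 0 only if ACK trend drops
    y_in, y_out = cusum(z_in), cusum(z_out)
    for n in range(len(e_in)):
        if y_in[n] > h * sd_in and y_out[n] > h * sd_out:
            return n
    return None


def constructed_traffic(normal_samples: int = 1600, attack_samples: int = 640,
                        t_period: int = 20, t_extent: int = 2, seed: int = 7
                        ) -> Tuple[List[float], List[float]]:
    """CONSTRUCTED (not captured) 100 ms samples: incoming TCP bytes and
    outgoing ACK counts.  During the attack, pulses of width T_extent every
    T_period samples ride on the incoming series and ACKs fall to a quarter:
    the two anomalies the deck's detector keys on."""
    rng = random.Random(seed)
    f_in, f_out = [], []
    for i in range(normal_samples + attack_samples):
        attacking = i >= normal_samples
        pulse = attacking and ((i - normal_samples) % t_period) < t_extent
        f_in.append(1000.0 + rng.gauss(0, 50) + (3000.0 if pulse else 0.0))
        f_out.append((100.0 if attacking else 400.0) + rng.gauss(0, 20))
    return f_in, f_out


if __name__ == "__main__":
    f_in, f_out = constructed_traffic()
    print("first alarmed block:", detect(f_in, f_out), "(attack starts at block 50)")
```

With the constructed series the alarm fires in block 50, the first block containing attack pulses, and the attack-free prefix raises no alarm; the joint condition on yIn and yOut is what keeps a lone traffic burst or a lone ACK dip from triggering it.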
43
PDoS Defense System
  • Result for incoming TCP traffic using scaling
    coefficients

44
PDoS Defense System
  • Result for outgoing ACK traffic using wavelet
    coefficients

45
PDoS Defense System
  • Conclusion
  • The PDoS attack is defensible in real time.
    • For incoming TCP traffic: a smaller attack
      period is detected with both types of
      coefficients
    • For outgoing TCP ACK traffic: a smaller attack
      period is detected with scaling coefficients,
      a larger attack period with wavelet coefficients

46
Future Work
  • Implement an intelligent PDoS attack agent
  • Maximize the throughput degradation
  • Minimize the risk of being detected
  • Extend the defense system to filter the attack
    packets