15-441 Computer Networking

1
15-441 Computer Networking

• Other Transport Issues,
• Attacks and Security Threats,
• Firewalls

2
TCP Overview Revisited

• TCP modern loss recovery
• TCP options
• TCP interactions
• TCP modeling
• Workload changes
• TCP routers
• TCP header compression

3
Queuing Disciplines

• Each router must implement some queuing
  discipline
• Queuing allocates both bandwidth and buffer
  space
• Bandwidth which packet to serve (transmit) next
• Buffer space which packet to drop next (when
  required)
• Queuing also affects latency

4
Packet Drop Dimensions
Aggregation
Single class
Per-connection state
Class-based queuing
Drop position
Tail
Head
Random location
Overflow drop
Early drop
5
Typical Internet Queuing

• FIFO drop-tail
• Simplest choice
• Used widely in the Internet
• FIFO (first-in-first-out)
• Implies single class of traffic
• Drop-tail
• Arriving packets get dropped when queue is full
  regardless of flow or importance
• Important distinction
• FIFO scheduling discipline
• Drop-tail drop policy

6
FIFO Drop-tail Problems

• Leaves responsibility of congestion control to
  edges (e.g., TCP)
• Does not separate between different flows
• No policing send more packets ? get more service
• Synchronization end hosts react to same events

7
Active Queue Management

• Design active router queue management to aid
  congestion control
• Why?
• Router has unified view of queuing behavior
• Routers can distinguish between propagation and
  persistent queuing delays
• Routers can decide on transient congestion, based
  on workload

8
Internet Problems

• Full queues
• Routers are forced to have have large queues to
  maintain high utilizations
• TCP detects congestion from loss
• Forces network to have long standing queues in
  steady-state
• Lock-out problem
• Drop-tail routers treat bursty traffic poorly
• Traffic gets synchronized easily ? allows a few
  flows to monopolize the queue space

9
Design Objectives

• Keep throughput high and delay low
• Accommodate bursts
• Queue size should reflect ability to accept
  bursts rather than steady-state queuing
• Improve TCP performance with minimal hardware
  changes

10
Lock-out Problem

• Random drop
• Packet arriving when queue is full causes some
  random packet to be dropped
• Drop front
• On full queue, drop packet at head of queue
• Random drop and drop front solve the lock-out
  problem but not the full-queues problem

11
Full Queues Problem

• Drop packets before queue becomes full (early
  drop)
• Intuition notify senders of incipient congestion
• Example early random drop (ERD)
• If qlen gt drop level, drop each new packet with
  fixed probability p
• Does not control misbehaving users

12
Random Early Detection (RED)

• Detect incipient congestion, allow bursts
• Keep power (throughput/delay) high
• Keep average queue size low
• Assume hosts respond to lost packets
• Avoid window synchronization
• Randomly mark packets
• Avoid bias against bursty traffic
• Some protection against ill-behaved users

13
RED Algorithm

• Maintain running average of queue length
• If avg lt minth do nothing
• Low queuing, send packets through
• If avg gt maxth, drop packet
• Protection from misbehaving sources
• Else mark packet in a manner proportional to
  queue length
• Notify sources of incipient congestion

14
RED Operation
Min thresh
Max thresh
Average Queue Length
P(drop)
1.0
maxP
minth
maxth
Avg queue length
15
Explicit Congestion Notification(ECN)

• The goal is to provide explicit congestion
  notification to senders.
• Complements the implicit feedback through packet
  drops
• Bits 6-7 of the TOS bit form the ECN field.
• The ECN-Capable Transport (ECT) bit is set by the
  sender to indicate that the end-points are
  ECN-capable
• The Congestion Experience (CE) bit is set by the
  router to signal congestion
• The ECN is received by the receiver, who is
  responsible for forwarding the information to the
  sender

DSCP
ECT /CE
V/HL
TOS
Length
ID
Flags/Offset
TTL
Prot.
H. Checksum
Source IP address
Destination IP address
Options..
16
ECN in TCP

• Receiver signals congestion to the sender by
  setting the ECN-Echo flag in the TCP header.
• Bit 9 in the reserved field of the TCP header
• Handles asymmetric routes
• ECN-Echo flag also used to negotiate ECN use

HL
ECE /CWR
Flags
Source Port
Dest. Port
Sequence Number
Acknowledgment
HL/Flags
Window
D. Checksum
Urgent Pointer
Options..
TCP
IP
17
Use of ECN with TCP

• The TCP sender should respond to ECN feedback as
  if a single packet loss occurred.
• Reduce the congestion window size
• Send Congestion Window Reduced flag (Bit 8) to
  ack
• So receiver knows to stop ECE bit
• ECN and RED can leverage each other.
• The router should set the CE bit if it would
  otherwise have dropped the packet (for a non-ECN
  enabled flow)
• When RED is used, this happens before the queues
  fill up so ECN and RED combined can result in
  congestion notification without packet loss
• Deployment seems quite practical.
• Can be introduced one router at a time
• Strong incentive for end-points to adopt ECN

18
Attacks and Security Threats

• Packet Sniffing
• IP Spoofing
• TCP Connection Spoofing
• Denial of Service

19
Packet Sniffing

• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g. C sniffs Bs packets
• many protocols (ftp, telnet) send passwords in
  the clear!

C
A
B
20
IP Spoofing

• can generate raw IP packets, putting any value
  into IP source address field
• routers process IP packets based on destination
  address alone (not quite in reality)
• receiver cant tell if source is spoofed
• e.g. C pretends to be B

C
A
B
21
IP Spoofing

• Many applications use IP address as a simple
  authentication method
• Solution reverse path forwarding checks, better
  authentication
• Fragmentation can consume memory resources at
  destination or otherwise trick destination/firewal
  ls
• Solution disallow fragments

22
TCP Connection Spoofing

• Each TCP connection has an agreed upon/negotiated
  set of associated state
• Starting sequence numbers, port numbers
• Knowing these parameters is sometimes used to
  provide some sense of security (in addition to
  3-way handshake)
• Problem
• Easy to guess these values
• Listening ports s are well known and connecting
  port s are typically allocated sequentially
• Starting sequence numbers are chosen in
  predictable way
• Solution make sequence number selection more
  random

23
Sequence Number Guessing Attack

• Attacker ? Victim SYN(ISNx), SRCTrusted Host
• Victim ? Trusted Host SYN(ISNs), ACK(ISNx)
• Attacker ? Victim ACK(ISNguess of s),
  SRCTrusted Host
• Attacker ? Victim ACK(ISNguess of s),
  SRCTrusted Host, data rm -r /
• Attacker must also make sure that Trusted Host
  does not respond to SYN ACK
• Can repeat until guess is accurate

24
More TCP Attacks

• TCP senders assume that receivers behave in
  certain ways (e.g. when they send acks, etc.)
• Congestion control is typically done on a
  packet basis while the rest of TCP is based on
  bytes
• Problem misbehaving receiver can trick sender
  into ignoring congestion control
• Ack every byte in packet!
• Send (one) extra duplicate ack
• Ack before the data is received (needs some
  application level retransmission e.g. HTTP 1.1
  range requests)
• Solutions
• Make congestion control byte oriented
• Add nonces to packets acks return nonce to
  truly indicate reception

25
Routing

• (Strict) Source routing
• Destinations are expected to reverse source route
  for replies
• Problem Can force packets to be routed through
  convenient monitoring point
• Solution Disallow source routing doesnt work
  well anyway!
• Routing protocol
• Malicious hosts may advertise routes into network
• Problem Bogus routes may enable host to monitor
  traffic or deny service to others
• Solutions
• Use policy mechanisms to only accept routes from
  or to certain networks/entities
• In link state routing, can use something like
  source routing to force packets onto valid route

26
ICMP

• Reports errors and other conditions from network
  to end hosts
• End hosts take actions to respond to error
• Problem
• An entity can easily forge a variety of ICMP
  error messages
• Redirect informs end-hosts that it should be
  using different first hop route
• Fragmentation can confuse path MTU discovery
• Destination unreachable can cause transport
  connections to be dropped

27
DNS

• Users/hosts typically trust the host-address
  mapping provided by DNS
• Problems
• Zone transfers can provide useful list of target
  hosts
• Interception of requests or compromise of DNS
  servers can result in bogus responses
• Solution authenticated requests/responses

28
Denial of Service

• flood of maliciously generated packets swamp
  receiver
• Distributed DOS (DDOS) multiple coordinated
  sources swamp receiver
• e.g., C and remote host SYN-attack A

C
A
B
29
SYN Flooding Attack

• Server responds with SYNACK keeps state about TCP
  half-open connection
• Eventually server memory is exhausted with this
  state
• Solution SYN cookies make the SYNACK contents
  purely a function of SYN contents, therefore, it
  can be recomputed on reception of next ACK
• More recent attacks have used bandwidth floods
• How do we stop these?

30
Bandwidth DOS Attacks

• Possible solutions
• Ingress filtering examine packets to identify
  bogus source addresses
• Link testing how routers either explicitly
  identify which hops are involved in attack or use
  controlled flooding and a network map to perturb
  attack traffic
• Logging log packets at key routers and
  post-process to identify attackers path
• ICMP traceback sample occasional packets and
  copy path info into special ICMP messages
• IP traceback

31
IP Traceback

• Node append (record route) high computation and
  space overhead
• Node sampling each router marks its IP address
  with some probability p
• P(receiving mark from router d hops away) p(1
  p)d-1
• p gt 0.5 prevents any attacker from inserting
  false router
• Must infer distance by marking rate ? relatively
  slow
• Doesnt work well with multiple routers at same
  distance ? I.e. multiple attackers

32
IP Traceback

• Edge sampling
• Solve node sampling problems by encoding edges
  distance from victim in messages
• Start router sets start field with probability
  p and sets distance to 0
• If distance is 0, router sets end field
• All routers increment distance
• As before, P(receiving mark from router d hops
  away) p(1 p)d-1
• Multiple attackers can be identified since edge
  identifies splits in reverse path

33
Edge Sampling

• Major problem need to add about 72bits (2
  address hop count) of info into packets
• Solution
• Encode edge as xor of nodes ? reduce 64 bits to
  32 bits
• Ship only 8bits at a time and 3bits to indicate
  offset ? 32 bits to 11bits
• Use only 5 bit for distance ? 8bits to 5bits
• Use IP fragment field to store 16 bits
• Some backward compatibility issues
• Fragmentation is rare so not a big problem

34
Firewalls

• Basic problem many network applications and
  protocols have security problems that are fixed
  over time
• Difficult for users to keep up with changes and
  keep host secure
• Solution
• Administrators limit access to end hosts by using
  a firewall
• Firewall and limited number of machines at site
  are kept up-to-date by administrators

35
Typical Firewall Topology
Internet
DMZ
Web server, email server, web proxy, etc
Firewall
Firewall
Intranet
36
Types of Firewalls

• Proxy
• End host connects to proxy and asks it to perform
  actions on its behalf
• Policy determines if action is secure or insecure
• Transport level relays (SOCKS)
• Ask proxy to create, accept TCP (or UDP)
  connection
• Cannot secure against insecure application
• Application level relays (e.g. HTTP, FTP, telnet,
  etc.)
• Ask proxy to perform application action (e.g.
  HTTP Get, FTP transfer)
• Can use application action to determine security
• Requires applications (or dynamically linked
  libraries) to be modified to use the proxy
• Considered to be the most secure since it has
  most information to make decision

37
Types of Firewalls

• Packet filters
• Set of filters and associated actions that are
  used on a packet by packet basis
• Filters specify fields, masks and values to match
  against packet contents, input and output
  interface
• Actions are typically forward or discard
• Such systems have difficulty with things like
  fragments and a variety of attacks
• Typically a difficult balance between the access
  given and the ability to run applications
• E.g. FTP often needs inbound connections on
  arbitrary port numbers either make it difficult
  to use FTP or limit its use

38
Types of Firewalls

• Stateful packet filters
• Typically allow richer parsing of each packet
  (variable length fields, application headers,
  etc.)
• Actions can include the addition of new rules and
  the creation of state to process future packets
• Often have to parse application payload to
  determine intent and determine security
  considerations
• Rules can be based on packet contents and state
  created by past packets
• Provides many of the security benefits of proxies
  but without having to modify applications