Survey of Low Rate DoS Attack Detection Mechanisms

Rejo Mathew
Department of Information Technology, Mukesh Patel School of Technology Management & Engineering, NMIMS University, Mumbai, India

Vijay Katkar
Department of Computer Engineering, Mukesh Patel School of Technology Management & Engineering, NMIMS University, Mumbai, India
ABSTRACT

As opposed to conventional DoS attacks, a low-rate DoS attacker injects a short burst of traffic periodically to fill up the bottleneck buffers right before the expiration of the sender's RTO. This forces the sender's TCP connections to time out with very low throughput. These attacks are hard to detect and prevent, as most DoS attack detection systems are triggered by high-rate traffic. This paper presents a survey of the techniques available for detecting low-rate DoS attacks and compares them using various parameters.

Categories and Subject Descriptors
C.2.0 Security and Protection

General Terms
Algorithms, Management, Performance, Design, Security

Keywords
DoS Attacks, Shrew Attacks, LDoS Attacks, RTO Exploitation Attack

1. INTRODUCTION

Early detection and prevention of denial of service (DoS) attacks, link congestion and other traffic anomalies are vital for efficient network management [5]. Existing DoS defense mechanisms expect an attack to appear as a flood of packets, so a low-rate DoS attack goes undetected and can later expose and exploit the vulnerabilities of the system. Low-rate DoS attacks are more difficult to detect than other forms of DoS attack because they exploit many factors and vulnerabilities, ranging from iterative servers [2] to the fixed minimum RTO of TCP implementations [3]. Most systems follow the guidelines of RFC 2988 [12], which makes synchronisation with the RTO feasible for an attacker, while operating systems using lower minimum RTO values (e.g. Linux) are still vulnerable to an attacker on a low-latency network. The focus here is on malicious LDoS traffic that exploits TCP's RTO to reduce legitimate TCP flows to a fraction of their ideal rate while eluding detection [7]. Low-rate TCP-targeted DoS attacks can disrupt inter-domain routing on today's Internet [3]. This paper analyses and classifies the current solutions by examining the pros and cons of each with regard to its effectiveness. Section 2 describes how an LDoS attack takes place. Section 3 discusses the current LDoS attack detection schemes. Section 4 analyses the various LDoS countermeasures and the desirability of those solutions. Section 5 discusses the challenges and issues for LDoS attack detection, and Section 6 concludes the paper.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ICWET'11, February 25–26, 2011, Mumbai, Maharashtra, India. Copyright © 2011 ACM 978-1-4503-0449-8/11/02…$10.00.

2. LOW RATE DOS ATTACK

In an LDoS attack the attacker periodically sends short bursts of packets to overflow a router's queue and cause packet loss for legitimate users. A well-behaving TCP source backs off to recover from the congestion and retransmits only after one Retransmission Timeout (RTO). If the attacker congests the router again at the time of retransmission, little or no real user traffic can get through. Hence, by synchronizing the attack period to the RTO duration, the attacker can essentially shut off most legitimate TCP sources even though the long-term rate of the attack is very low. One form of attack is a periodic square wave. The period of the square wave is denoted by T, which is approximately one second. Within each period the square wave has a magnitude of zero except for l units of time, during which it has the magnitude of a normalized burst rate R.
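The square-wave model of Section 2 (period T close to the 1 s minimum RTO, burst length l, burst rate R) is what a detector that works on packet-arrival time series can look for. The following Python is an added illustration, not code from this paper or from any of the surveyed systems: it bins a constructed packet-arrival trace seen at a router output port, computes the autocorrelation of the bin counts, and flags the trace only when the dominant period lies close to the RTO floor. The trace, the 50 ms bin width, the lag range and the thresholds are assumptions chosen for the example.

```python
"""Detect RTO-synchronised bursts in a packet-arrival time series.

Added illustration (not from the surveyed paper). The traces below are
constructed: steady background traffic plus a burst of about 0.1 s every
1 s, mimicking the square-wave model of Section 2 from the defender's side.
"""
from typing import List, Tuple


def bin_counts(arrivals_ms: List[int], bin_ms: int, duration_ms: int) -> List[int]:
    """Count packet arrivals per fixed-width time bin (times in integer ms)."""
    n_bins = duration_ms // bin_ms
    counts = [0] * n_bins
    for t in arrivals_ms:
        idx = t // bin_ms
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts


def autocorrelation(series: List[int], lag: int) -> float:
    """Normalised autocorrelation of a count series at the given lag (in bins)."""
    n = len(series)
    mean = sum(series) / n
    denom = sum((x - mean) ** 2 for x in series)
    if denom == 0.0 or lag >= n:
        return 0.0
    num = sum((series[t] - mean) * (series[t + lag] - mean) for t in range(n - lag))
    return num / denom


def dominant_period_ms(arrivals_ms: List[int], bin_ms: int = 50,
                       duration_ms: int = 10_000, max_lag_ms: int = 5_000) -> Tuple[int, float]:
    """Return (period in ms, autocorrelation score) of the strongest periodic component."""
    counts = bin_counts(arrivals_ms, bin_ms, duration_ms)
    best_lag, best_score = 0, -1.0
    for lag in range(1, max_lag_ms // bin_ms + 1):
        score = autocorrelation(counts, lag)
        if score > best_score:
            best_lag, best_score = lag, score
    return best_lag * bin_ms, best_score


def looks_rto_synchronised(arrivals_ms: List[int], min_rto_ms: int = 1000,
                           tolerance: float = 0.2, min_score: float = 0.3) -> bool:
    """Flag a trace whose dominant period is within +/-tolerance of the RTO floor.

    Periodicity alone is not enough: benign traffic can be strongly periodic at
    a short period (the constructed background below repeats every 150 ms), so
    the period must also be close to the RTO the bursts are synchronised to.
    """
    period_ms, score = dominant_period_ms(arrivals_ms)
    return abs(period_ms - min_rto_ms) <= tolerance * min_rto_ms and score >= min_score


# Constructed traces (assumptions, not measurements): 10 s of traffic.
BACKGROUND = list(range(0, 10_000, 30))                              # one packet every 30 ms
BURSTS = [k * 1000 + j * 3 for k in range(10) for j in range(30)]   # 30 packets in ~0.1 s, every 1 s
ATTACK_TRACE = sorted(BACKGROUND + BURSTS)

if __name__ == "__main__":
    for name, trace in (("background only", BACKGROUND), ("with bursts", ATTACK_TRACE)):
        period, score = dominant_period_ms(trace)
        print(f"{name}: dominant period {period} ms (score {score:.2f}), "
              f"RTO-synchronised: {looks_rto_synchronised(trace)}")
```

The background-only trace is reported as periodic at 150 ms but not flagged; the trace with bursts is reported at 1000 ms and flagged. A real deployment would also have to choose the bin width against the burst length l and the observation window against T, which is where the accuracy of such predictive schemes (Section 4.1) is decided.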
3. EXISTING LDOS DETECTION MECHANISMS

This section discusses the various LDoS detection techniques in brief.

3.1 Dynamic Detection Method

The detection mechanism described in [8] is installed on a set of routers a few hops away from the victim site. Each router performs attack detection at the output port of packets being forwarded to the victim site. If a low-rate TCP attack is detected, the router determines the input port(s) from which the attack traffic is being received: detection is then carried out at all the input ports of the affected router. If a low-rate attack is detected at an input port, the affected router pushes back the detection to all the upstream routers connected to that input port. If the affected router cannot detect a low-rate attack at any of its input ports, the low-rate attack is being carried out in a distributed manner. When a low-rate attack is present, this pushback mechanism is used to identify the attack as close to the attack source as possible, and it minimises the number of affected TCP flows.

3.2 Periodic Attack Detection (PAD) and Modelled Attack Detection (MAD) Method

The mechanism in [13] uses an IP to hop-count (IP2HC) mapping table to detect and discard spoofed IP packets. The attacker cannot modify the number of hops an IP packet takes to reach its destination, although other details can be imitated. This hop-count information can be derived from the Time-to-Live (TTL) value in the IP header. By aggregating the various address prefixes according to their hop counts, Hop-Count Filtering (HCF) builds an accurate IP2HC mapping table to detect and discard spoofed IP packets. Rodriguez, Briones and Nolazco [14] have applied fuzzy logic to the hop-count mechanism to make it more accurate. PAD and MAD [5] work on packet arrival time-series data: MAD operates on the sampled time series and can detect attacks more quickly than PAD, which relies on the near-periodic nature of the traffic.
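The hop-count check described above can be shown in a few lines. The following Python is an added example, not code from [13], [14] or the surveyed systems: it infers the hop count of a packet from its TTL, learns an IP2HC table from (source address, TTL) pairs observed on established connections, and classifies later packets against that table. The set of initial TTL values, the /24 aggregation, the optional tolerance (a crude stand-in for the fuzzy variant of [14]) and the sample addresses are assumptions for the example.

```python
"""Hop-Count Filtering (HCF) sketch: infer the hop count a packet travelled
from its TTL and compare it with the IP-to-hop-count (IP2HC) table.

Added illustration, not code from the surveyed systems or from the HCF paper.
The initial-TTL set, the /24 prefix granularity, the tolerance parameter and
the sample packets are assumptions for this example.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

# Initial TTL values commonly used by operating systems (assumption: the set is
# complete enough for the example). The sender's initial TTL is taken to be the
# smallest of these that is not below the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl: int) -> int:
    """Hop count = inferred initial TTL minus observed TTL.

    A path longer than 32 hops is misread (TTL 30 could be 64-34 or 32-2);
    HCF tolerates this ambiguity because Internet paths that long are rare.
    """
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def prefix_of(ip: str, prefixlen: int = 24) -> str:
    """Aggregate addresses into a prefix so the IP2HC table stays compact."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def build_ip2hc(samples: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Learn the IP2HC table from (source IP, TTL) pairs seen on established,
    and therefore non-spoofed, connections."""
    table: Dict[str, int] = {}
    for ip, ttl in samples:
        table[prefix_of(ip)] = infer_hop_count(ttl)
    return table


def classify(ip: str, ttl: int, table: Dict[str, int], tolerance: int = 0) -> str:
    """Return 'legit', 'spoofed' or 'unknown' for one incoming packet.

    tolerance (assumption) absorbs small route changes; the fuzzy-logic
    variant cited in Section 3.2 replaces this hard comparison with a graded one.
    A spoofed packet whose true path happens to have the expected hop count is
    not caught, which is the known limit of the technique.
    """
    key = prefix_of(ip)
    if key not in table:
        return "unknown"
    return "legit" if abs(infer_hop_count(ttl) - table[key]) <= tolerance else "spoofed"


# Constructed training data and test packets (documentation-range addresses).
TRAINING = [("203.0.113.7", 51), ("198.51.100.20", 240)]
IP2HC = build_ip2hc(TRAINING)

if __name__ == "__main__":
    for ip, ttl in [("203.0.113.9", 51), ("203.0.113.9", 118), ("192.0.2.1", 60)]:
        print(ip, ttl, "->", classify(ip, ttl, IP2HC))
```

The second packet is reported as spoofed because a TTL of 118 implies an initial TTL of 128 and 10 hops, while the prefix was learned at 13 hops; the third is unknown because its prefix was never learned, which a deployment must decide how to treat (HCF as surveyed here only discards packets whose hop count contradicts the table).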
3.3 Packet Percentage and Threshold at the Cache Queue of the Target Router

The method suggested in [9] investigates the cache queue of the target router. Based on the flow arriving at the router, the detection mechanism regulates the traffic flow, thus providing active queue management. [16] proposes a method called HAWK (Halting Anomalies with Weighted choKing) for LDoS attack detection. The focus is on dropping algorithms for detecting DoS flows and achieving fairness among adaptive and non-adaptive flows. Two parameters are considered for detection. One is the packet percentage at the cache queue of the target router, i.e. whether the attacker's flow has a higher number of packets than the legitimate TCP packets. The other is the threshold percentage, which is calculated from the number of packets of the client as well as the number of packets of the attacker. If the support threshold exceeds some set limit, the TCP flow is taken to include an LDoS flow.

3.4 Buffer Size and Shrew Sending Rates

[10] suggests increasing the buffer storage capacity of the target router, along with queue management and flow management techniques, to achieve high link utilisation and protect TCP flows from shrew attacks. Existing Random Early Detection (RED) schemes are effective at avoiding congestion at a router only for high burst rates and longer queues, whereas an LDoS attack goes undetected. To fill a larger buffer the attacker has to transmit at high speeds, at which point the attack is no longer low-rate and can easily be detected by existing Active Queue Management (AQM) schemes such as RED.

3.5 Detection of Attacks at the Edge Routers

In this mechanism the edge routers are given the additional responsibility of performing the transport-layer function of maintaining a few connection parameters, which avoids changes to the TCP congestion control algorithms. The extra system monitors the flow and filters malicious objects by comparing them with standard objects stored in memory. A sub-module computes the relative RTT of each connection from the packet arrival times maintained for both source-side and destination-side packets. In a similar way the time period is estimated and compared with the fixed minimum RTO of one second [1].

3.6 RTO Randomization

The low-rate DoS attack exploits the fact that most systems use the standard value RTO = 1 s. [11] therefore suggested that if the RTO is set to random values it becomes difficult for the attacker to predict the next RTO, which ultimately helps in controlling the rate of the attack. In short, RTO randomization together with proper flow monitoring helps to detect the problems with the packets, and back-tracking leads to the attacker. [15] performed a real-time implementation of this work on a Linux-based system to highlight the major achievements and throttle the attacker traffic.
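Why the 1 s floor matters, and what randomizing it changes, is easiest to see on the RFC 2988 [12] timer itself. The following Python is an added example, not code from [11] or [15]: it implements the RFC 2988 SRTT/RTTVAR smoothing and the RTO formula with its 1 s minimum, and optionally replaces that fixed minimum with a value drawn at random each time the RTO is recomputed. The paper only states that the RTO is set to random values, so the uniform draw from [min_rto, min_rto + spread], the spread of 0.5 s and the 100 ms clock granularity are assumptions for the example.

```python
"""RFC 2988 retransmission timer with a fixed or randomised minimum RTO.

Added illustration, not code from [11] or [15]. The randomisation rule
(floor drawn uniformly from [min_rto, min_rto + spread] whenever the RTO is
recomputed) and the clock granularity G are assumptions for the example.
"""
import random
from typing import List, Optional


class RtoEstimator:
    """RFC 2988: SRTT/RTTVAR smoothing, RTO = SRTT + max(G, K*RTTVAR), floored."""

    ALPHA = 1 / 8   # SRTT gain
    BETA = 1 / 4    # RTTVAR gain
    K = 4
    G = 0.1         # clock granularity in seconds (assumption)

    def __init__(self, min_rto: float = 1.0, rng: Optional[random.Random] = None,
                 spread: float = 0.5) -> None:
        self.srtt: Optional[float] = None
        self.rttvar: Optional[float] = None
        self.min_rto = min_rto
        self.rng = rng            # None -> fixed floor, as most stacks use
        self.spread = spread
        self.rto = 3.0            # RFC 2988 initial RTO before any RTT sample

    def floor(self) -> float:
        """The minimum RTO: fixed (predictable) or randomised per recomputation."""
        if self.rng is None:
            return self.min_rto
        return self.rng.uniform(self.min_rto, self.min_rto + self.spread)

    def sample(self, rtt: float) -> float:
        """Feed one RTT measurement (seconds) and return the updated RTO."""
        if self.srtt is None:
            # First measurement: SRTT = R, RTTVAR = R/2.
            self.srtt = rtt
            self.rttvar = rtt / 2
        else:
            # Subsequent measurements: RTTVAR first, then SRTT.
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - rtt)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * rtt
        self.rto = max(self.floor(), self.srtt + max(self.G, self.K * self.rttvar))
        return self.rto


def rto_after_samples(rtts: List[float], rng: Optional[random.Random] = None) -> float:
    """RTO that results after feeding a sequence of RTT samples."""
    est = RtoEstimator(rng=rng)
    for r in rtts:
        est.sample(r)
    return est.rto


if __name__ == "__main__":
    # On a low-latency path the computed value never exceeds the 1 s floor,
    # so every timeout lands on the same predictable value.
    print("fixed floor:     ", [round(rto_after_samples([0.05] * n), 2) for n in (1, 5, 10)])
    # With a randomised floor the value moves at every recomputation.
    est = RtoEstimator(rng=random.Random(2011))
    print("randomised floor:", [round(est.sample(0.05), 2) for _ in range(5)])
```

The fixed-floor run prints 1.0 s regardless of how many 50 ms samples are fed, which is the property Section 2 describes; the randomised run prints a different value each time. The cost noted in Section 4.1 is visible too: every randomised floor is above the 1 s minimum, so a sender waits longer than necessary after a genuine loss.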
3.7 Detection Based on Self-Similarity

Various researchers have studied incoming traffic patterns and concluded that most attacks have a self-similar nature [4]. The models help to find changes in the energy levels, which leads to detection of the malicious packet flow; constant monitoring ultimately leads to the attacker, and the normal TCP flow can be isolated from the unintended one.

4. LDOS ATTACK SOLUTION CONSIDERATIONS

An ideal LDoS solution should have the following characteristics: effectiveness, little modification to the existing infrastructure, low overhead, scalability, resistance of the defence system itself to attacks (intrusion tolerance), and no impact on legitimate traffic.

4.1 Effective

Whether the mechanism can detect all kinds of LDoS attack on the spot, regardless of whether it is a disruptive or a degrading attack. Dynamic Detection facilitates locating routers close to the attack sources, yet it does not work well for highly distributed attacks and its result is not accurate; it is more effective for non-distributed attacks and for highly overlapping attack paths. The PAD and MAD models as well as the Edge Router mechanism depend on predictive schemes to measure the packet inter-arrival times and hence depend entirely on the effectiveness of the algorithms used. The HAWK model focuses on the parameters of the cache queue, and its effectiveness depends on the threshold level set. The buffer size increment method is also not effective, as the cost increases and different states have to be maintained for controlling the partial flow of information. Randomizing the fixed minimum RTO reduces TCP connection performance even in the absence of an attack: an unnecessary TCP timeout results in loss of useful throughput and TCP begins a new slow start, and TCP also requires a long time to adapt its RTT estimate after every timeout, since the RTTs of retransmitted packets are not measured. Most generic detection mechanisms rely on signature or pattern matching techniques, which are effective only if the attack follows a standard or known pattern. Distributed LDoS attacks cannot be handled effectively.

4.2 Modification to the Existing Infrastructure

The existing mechanisms require modifications to the existing routers, which makes the solutions less applicable. For example, signature matching has to be performed, which requires memory for storing the various patterns; the packet arrival times also have to be monitored and stored, and all of this is likely to require the purchase of new hardware, i.e. memory. The comparison with the threshold value in the cache-queue method requires separate configuration to set and manage the threshold of the cache router. Detection at the edge routers requires a pseudo transport layer and other functions to be incorporated in the router, which is not feasible. The randomisation method needs modification of the TCP congestion control mechanism, which is also a big disadvantage.
4.3 Overhead

Dynamic Detection, the PAD and MAD models, pattern matching and HAWK involve prediction based on the flow, which makes processing complex and adds memory overhead. HAWK involves setting a threshold value, leading to delay and wastage of time and memory. Randomizing the RTO value requires modification of the congestion control mechanism itself, incurs the maximum overhead, and means the existing infrastructure cannot be used. Detection at the edge routers is far better compared to the other techniques because after a flow is classified as normal its flow objects are destroyed and the occupied memory is released.
4.4 Scalable

Most of the mechanisms are scalable, but the Dynamic Detection method finds the source of the attack by tracing the attack path backwards, so the longer the path, the more delay and the less efficient it becomes, leading to performance degradation.

4.5 Whether the Defense Systems Themselves Are Vulnerable to Attacks

Most of the approaches operate in a stateless way, so attackers cannot launch state-consumption attacks on these defense systems. For example, in the self-similarity model all legitimacy tests are stateless, so the defense system cannot be the target of state-consumption attacks. Challenge generation may, however, exhaust the defense. Some systems resort to redundancy and encryption to prevent attack, yet when one of the nodes is compromised by the attacker, the target is exposed to the outside world.

4.6 Accuracy

LDoS defense usually requires dropping packets. At the same time, legitimate traffic should be protected and collateral damage kept to a minimum. Dynamic Detection minimizes collateral damage by placing the response close to the sources. Collateral damage is inflicted by the response whenever attack traffic is not clearly distinguishable from legitimate traffic.
Table 1 Comparison of existing LDoS Attack detection mechanisms (Methods vs Features)

Dynamic Detection
  Effective: not effective for distributed attacks; effective for the non-distributive type of LDoS attack
  Modification to the existing infrastructure: no extra memory is needed
  Overhead: processing and memory overhead
  Scalable: Yes
  Accuracy: fails against distributed LDoS attack

PAD and MAD Models
  Effective: depends on signature database
  Modification to the existing infrastructure: monitoring mechanism needed
  Overhead: processing and memory overhead
  Scalable: Yes
  Accuracy: depends on accuracy of fuzzy controller designer

HAWK
  Effective: depends on threshold value set
  Modification to the existing infrastructure: monitoring mechanism required at router
  Overhead: processing overhead
  Scalable: Yes
  Accuracy: depends on threshold value set

At Edge Router
  Effective: depends on signature database
  Modification to the existing infrastructure: extra memory needed
  Overhead: processing overhead
  Scalable: Yes
  Accuracy: depends on known patterns matched

RTO Randomisation
  Effective: effective only for the non-distributive type of LDoS attack
  Modification to the existing infrastructure: congestion control mechanism needs to be modified
  Overhead: changes needed to congestion control method
  Scalable: Yes
  Accuracy: fails for distributive LDoS attack

Self-Similarity
  Effective: depends on signature database
  Modification to the existing infrastructure: extra memory needed
  Overhead: processing overhead
  Scalable: Yes
  Accuracy: depends on known patterns matched
5. CHALLENGES AND ISSUES

All the detection mechanisms require modification of the existing routers, which is not practical. The delay and cost factors also pose serious problems for implementing these mechanisms on a global scale. Most of the detection approaches perform analysis based on packet contents rather than packet inter-arrival times; if an attacker can imitate even one packet of the genuine TCP flow, the whole mechanism fails. A detector should act upon aggregate traffic without flow separation, enabling analysis of encrypted traffic even in a passive-monitoring framework. The detection method must be robust to changes in the transport-layer headers, e.g. the time-to-live (TTL) in the IP header. The detection mechanisms assume the attack parameters a priori rather than determining them in real time, which is inaccurate in today's real-world scenario. Most researchers have not explored LDoS attacks at the application layer.

6. CONCLUSION

This paper surveys and compares various techniques available for the detection of LDoS attacks. It also highlights the issues present in currently available LDoS detection mechanisms. Existing detection mechanisms are far from an effective practical solution.
7. REFERENCES

[1] Amey Shevtekar, Karunakar Anantharam and Nirwan Ansari, "Low Rate TCP Denial-of-Service Attack Detection at Edge Routers", IEEE Communications Letters, Vol. 9, No. 4 (2005)
[2] Gabriel Macia-Fernandez, Jesus E. Diaz-Verdejo and Pedro García-Teodoro, "Evaluation of a low-rate DoS attack against iterative servers", Department of Signal Theory, University of Granada, c/Daniel Saucedo Aranda, s/n, 18071 Granada, Spain (2006)
[3] A. Kuzmanovic and E. Knightly, "Low-Rate TCP Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)", Proc. ACM SIGCOMM, pp. 75–86 (2003)
[4] Wuhan, Hubei, "Detection of Low-rate DDoS Attack Based on Self-Similarity", 2010 Second International Workshop on Education Technology and Computer Science, China (March 6–7, 2010)
[5] Gautam Thatte, Urbashi Mitra and John Heidemann, "Detection of Low-Rate Attacks in Computer Networks", University of Southern California, IEEE (2005)
[6] Aditya Akella, Ashwin Bharambe, Mike Reiter and Srinivasan Seshan, "Detecting DDoS Attacks on ISP Networks", Carnegie Mellon University
[7] "Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants", in Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, pp. 75–86, ISBN 1-58113-735-4 (2003)
[8] Haibin Sun, John C.S. Lui and David K.Y. Yau, "Defending Against Low-rate TCP Attacks: Dynamic Detection and Protection", Proceedings of the 12th IEEE International Conference on Network Protocols (2004)
[9] Zenghui Liu and Liguo Gua, "Attack simulation and signature extraction of low-rate DoS", 3rd International Symposium on Intelligent Information Technology and Security Informatics, IEEE Computer Society (2010)
[10] Sandeep Sarat and Andreas Terzis, "On the Effect of Router Buffer Sizes on Low-Rate Denial of Service Attacks", IEEE Computer Society (2005)
[11] G. Yang, M. Gerla and M.Y. Sanadidi, "Defense against low rate tcp-targeted denial-of-service attacks", ISCC '04: Proceedings of the Ninth International Symposium on Computers and Communications, Volume 2, pp. 345–350, Washington, DC, USA, IEEE Computer Society (2004)
[12] Computing TCP's Retransmission Timer, RFC 2988
[13] C. Jin, H. Wang and K. Shin, "Hop-Count Filtering: An Effective Defense against Spoofed DoS Traffic", ACM CCS (2003)
[14] J.C.C. Rodriguez, A.P. Briones and J.A. Nolazco, "Dynamic DDoS Mitigation based on TTL field using Fuzzy logic", CONIELECOMP '07, Mexico (2007)
[15] Petros Efstathopoulos, "Practical Study of a Defense against Low-Rate TCP-Targeted DoS Attack", IEEE (2009)
[16] Y.K. Kwok, R. Tripathi, Y. Chen and K. Hwang, "HAWK: Halting anomalies with weighted choking to rescue well-behaved TCP sessions from shrew DDoS attacks", Proc. of the 3rd Int'l Conf. on Networking and Mobile Computing (ICCNMC 2005), Springer-Verlag, New York, pp. 423–432 (2005)