Rob Sherwood Bobby Bhattacharjee Ryan Braud. University of Maryland. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.

Transcription

1 Rob Sherwood Bobby Bhattacharjee Ryan Braud University of Maryland UCSD Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.1

2 Sender Receiver Sender transmits packet 1:1461 Time Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.2

3 Sender Receiver Sender transmits packet Receiver ACKs Time 1:1461 ack 1461 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.2

4 Sender Receiver Sender transmits packet Receiver ACKs Congestion window grows as long as ACKs continue Time 1:1461 ack : :4381 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.2

5 Sender Receiver Sender transmits packet Receiver ACKs Congestion window grows as long as ACKs continue ACKs are cumulative Time 1:1461 ack : :4381 ack 4381 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.2

6 From ACKs, sender infers: Packet Loss Sender Receiver 1:1461 Time ack : :4381 ack 4381 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.3

7 From ACKs, sender infers: Packet Loss When to send Data is buffered Time Sender 1:1461 ack :2921 Receiver 2921:4381 ack 4381 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.3

8 From ACKs, sender infers: Packet Loss When to send Data is buffered How much to send ACKs increase cwnd Time Sender 1:1461 ack : :4381 ack 4381 Receiver Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.3

9 From ACKs, sender infers: Packet Loss When to send Data is buffered How much to send ACKs increase cwnd When to time out RTT estimation Time Sender 1:1461 ack : :4381 ack 4381 Receiver Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.3

10 From ACKs, sender infers: Packet Loss When to send Data is buffered How much to send ACKs increase cwnd When to time out RTT estimation Time Sender 1:1461 ack : :4381 ack 4381 Receiver Assumes honest feedback Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.3

11 From ACKs, sender infers: Packet Loss When to send Data is buffered How much to send ACKs increase cwnd When to time out RTT estimation Time Sender 1:1461 ack : :4381 ack 4381 Receiver What if receiver is malicious? Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.3

12 Sender Receiver Misbehaving receiver can send optimistic ACKs for packets before they are received Faster performance [Savage99] Time 1:1461 ack 1461 OptAck Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.4

13 Sender (Victim) Attacker 1:1461 Malicious receiver can ACK data that is never received Force sender to congest the network (DoS) Time ack 1461 ack 4381 ack 8761 ack ack ack ack Dropped Packets Saturated Link Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.4

14 Measure of DoS severity traffic generated Amplification = traffic sent Flooding : x1 Spoofed DNS: x4-x10 Smurf (broadcast ping): x255 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.5

15 Measure of DoS severity traffic generated Amplification = traffic sent Flooding : x1 Spoofed DNS: x4-x10 Smurf (broadcast ping): x255 OptAck: x1683 With window scaling: x Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.5

16 Contributions Discuss attack and amplification Implementation techniques Simulated and real world experiments Solution: randomly skipped segments Validate efficiency of implementation Conclusions Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.6

17 Servers Attacker "Get" Requests Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.7

18 OptAcks Incoming Data Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.7

19 Victim B Victim A DoS on Congested Link Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.7

20 Network Wide DoS Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.7

21 traffic generated traffic sent Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.8

22 # packets packet size 1 ACK OptAck: Send 1 ACK Get entire window of packets Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.8

23 cwnd mss (40 + mss) 40 cwnd: Size of window mss: Packet payload size 40 bytes: TCP header size Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.8

24 cwnd [ 1 mss + 1 ] 40 Typical: cwnd=2 16, mss=1460 x1683 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.8

25 cwnd [ 1 mss + 1 ] 40 Typical: cwnd=2 16, mss=1460 x1683 [RFC1323] cwnd= wscale wscale=14 cwnd=2 30 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.8

26 cwnd [ 1 mss + 1 ] 40 Typical: cwnd=2 16, mss=1460 x1683 [RFC1323] cwnd= wscale wscale=14 cwnd=2 30 Smaller mss more amplification Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.8

27 cwnd [ 1 mss + 1 ] 40 Typical: cwnd=2 16, mss=1460 x1683 [RFC1323] cwnd= wscale wscale=14 cwnd=2 30 Smaller mss more amplification wscale=14, mss=88 x Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.8

28 Target CDN s and P2P File transfer nodes Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.9

29 Target CDN s and P2P File transfer nodes Use zombies to attack the Internet s core Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.9

30 Target CDN s and P2P File transfer nodes Use zombies to attack the Internet s core Botnets of 100k+ nodes exist [HONEYNET04] Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.9

31 Target CDN s and P2P File transfer nodes Use zombies to attack the Internet s core Botnets of 100k+ nodes exist [HONEYNET04] How much traffic before collapse? Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.9

32 Target CDN s and P2P File transfer nodes Use zombies to attack the Internet s core Botnets of 100k+ nodes exist [HONEYNET04] How much traffic before collapse? Open problem Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.9

33 Target CDN s and P2P File transfer nodes Use zombies to attack the Internet s core Botnets of 100k+ nodes exist [HONEYNET04] How much traffic before collapse? Open problem Data point: Slammer worm generated 31GB/s at peak [CAIDA03] Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.9

34 Target CDN s and P2P File transfer nodes Use zombies to attack the Internet s core Botnets of 100k+ nodes exist [HONEYNET04] How much traffic before collapse? Open problem Data point: Slammer worm generated 31GB/s at peak [CAIDA03] Equal to traffic generated by 5 OptAck attackers on T3s, wscale=0, mss=1460 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.9

35 Is attack practical? How vulnerable are deployed TCP Stacks? Discovered effective solution We implement the attack approx lines of code Main challenge: ACK overruns Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.10

36 Attacker becomes unsynchronized Sender (Victim) Attacker ack Time 14601: : : :20441 OS Delay Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.11

37 Attacker becomes unsynchronized Sender (Victim) Attacker ack Time 14601: : : :20441 OS Delay ack ACK Arrives Early 20441:21901 Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.11

38 Attacker becomes unsynchronized Sender (Victim) Attacker ack Time 14601: : : :20441 OS Delay ack ACK Arrives Early 20441: :16061 Retransmit after RTO Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.11

39 Attacker becomes unsynchronized Sender (Victim) Attacker ack Time 14601: : : :20441 OS Delay ack ACK Arrives Early 20441: :16061 ack Retransmit after RTO Attacker Continues Blindly Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.11

40 Attacker becomes unsynchronized Causes of Overrun Server delay ACK compression Dropped ACKs Time OS Delay Sender (Victim) ack : : : :20441 ack :21901 Attacker ACK Arrives Early 14601:16061 Retransmit after RTO ack Attacker Continues Blindly Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.11

41 Attacker becomes unsynchronized Causes of Overrun Server delay ACK compression Dropped ACKs [RFC793] says ignore overrun ACKs DoS otherwise Time OS Delay Retransmit after RTO Sender (Victim) ack : : : :20441 ack : :16061 ack Attacker Continues Blindly Attacker ACK Arrives Early Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.11

42 Attacker becomes unsynchronized Causes of Overrun Server delay ACK compression Dropped ACKs [RFC793] says ignore overrun ACKs DoS otherwise Overrun avoidance and recovery Time OS Delay Retransmit after RTO Sender (Victim) ack : : : :20441 ack : :16061 ack Attacker Continues Blindly Attacker ACK Arrives Early Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.11

43 Server delays are short (typically <50ms) Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.12

44 Server delays are short (typically <50ms) Attacker should target more servers Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.12

45 Server delays are short (typically <50ms) Attacker should target more servers Don t ACK whole window ACK 1 2 cwnd, twice as often Thwarts ACK compression, dropped ACKs Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.12

46 Server delays are short (typically <50ms) Attacker should target more servers Don t ACK whole window ACK 1 2 cwnd, twice as often Thwarts ACK compression, dropped ACKs Don t exceed local attack bandwidth Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.12

47 Server delays are short (typically <50ms) Attacker should target more servers Don t ACK whole window ACK 1 2 cwnd, twice as often Thwarts ACK compression, dropped ACKs Don t exceed local attack bandwidth Recovery details in paper Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.12

48 OptAcks Experiment: How much traffic does OptAck generate? Incoming Data Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.13

49 Connections: 1 Attacker: 1.5Mbps Victims: 100Mbps Parameters: wscale=4 mss=1460 GigaBytes/s (log scale) Victims 128 Victims 64 Victims 32 Victims 16 Victims 8 Victims 4 Victims 2 Victims 1 Victim 512 Victims Seconds Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.14

50 Connections: 10 1 Attacker: 1.5Mbps Victims: 100Mbps Max traffic: 99.9% of predicted Conclusion: Model is accurate GigaBytes/second (log scale) mss=1460,wscale=4 mss=88,wscale=0 mss=1460,wscale= Number of 100Mbps Victims Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.14

51 1 Attacker on LAN w/ 1 victim wscale=0, mss=1460 No multi-victim overrun avoidance Amplification Factor Linux OS X Solaris 5.8 WinXP Victim OS - Single Victim Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.15

52 1 Attacker on LAN w/ 1 victim wscale=0, mss=1460 Conclusion: Works on deployed TCP stacks Amplification Factor Linux OS X Solaris 5.8 Victim OS - Single Victim WinXP Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.15

53 How to defend against OptAck? Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.16

54 How to defend against OptAck? Nonce Receiver modification; not deployable Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.16

55 How to defend against OptAck? Nonce Receiver modification; not deployable Rate limiting Target more servers; use more attackers Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.16

56 How to defend against OptAck? Nonce Receiver modification; not deployable Rate limiting Target more servers; use more attackers RST on overrun ACK Trivial DoS Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.16

57 How to defend against OptAck? Nonce Receiver modification; not deployable Rate limiting Target more servers; use more attackers RST on overrun ACK Trivial DoS Network Policing Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.16

58 How to defend against OptAck? Nonce Receiver modification; not deployable Rate limiting Target more servers; use more attackers RST on overrun ACK Trivial DoS Network Policing Insight: attacker cannot tell where in the network a packet is dropped Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.16

59 Sender should randomly, periodically, skip sending a data segment Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.17

60 Sender should randomly, periodically, skip sending a data segment Good receiver sends duplicate ACKs; fast retransmit skipped segment Malicious receiver ACKs the hole; RST connection Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.17

61 Sender should randomly, periodically, skip sending a data segment Good receiver sends duplicate ACKs; fast retransmit skipped segment Malicious receiver ACKs the hole; RST connection Cost: Transmission rate unchanged Application receives data 1 RTT later Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.17

62 Sender should randomly, periodically, skip sending a data segment Good receiver sends duplicate ACKs; fast retransmit skipped segment Malicious receiver ACKs the hole; RST connection Cost: Transmission rate unchanged Application receives data 1 RTT later Sender only modification: deployable Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.17

63 Sender should not back off Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.18

64 Sender should not back off Cost of RNG too high per packet Init counter randomly from [low,high] Decrement counter with each segment counter==0 skip segment re init counter randomly Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.18

65 Sender should not back off Cost of RNG too high per packet Init counter randomly from [low,high] Decrement counter with each segment counter==0 skip segment re init counter randomly TCP optimized to recover from packet loss Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.18

66 Sender should not back off Cost of RNG too high per packet Init counter randomly from [low,high] Decrement counter with each segment counter==0 skip segment re init counter randomly TCP optimized to recover from packet loss Linux implementation: 30 lines of code 5 bytes per connection Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.18

67 Download 100MB file No attack % Confidence Interval Vary skip rate Percent Overhead Average None Skip Skip Skip Segments Skipped Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.19

68 Download 100MB file % Confidence Interval No attack Vary skip rate Conclusion: Overhead is trivial < 0.1% Percent Overhead None Skip Average Skip Segments Skipped Skip Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.19

69 [Savage99] TCP Congestion Control with a Misbehaving Receiver. Stefan Savage, Neal Cardwell, David Wetherall, and Tom Anderson. CCR Original optimistic acknowledgment Defense requires receiver side modifications - inhibits deployment Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.20

70 [Azcorra04] (Expired) Draft RFC: DoS vulnerability of TCP by acknowledging not received segments. A. Azcorra, C. Bernardos, and I. Soto. draft-azcorra-tcpm-tcp-blind-ack-dos-01 Proposed solutions already discussed in paper Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.21

71 [CAIDA03]: Inside the Slammer Worm: David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver. [HONEYNET04]: Know your Enemy: Tracking Botnets. The Honeynet Project Research Alliance. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.22

72 OptAck attack is dangerous: x1683 x w/ wscaling Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.23

73 OptAck attack is dangerous: x1683 x w/ wscaling Deployed TCP Stacks are vulnerable Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.23

74 OptAck attack is dangerous: x1683 x w/ wscaling Deployed TCP Stacks are vulnerable Skipped segments solution: performs efficiently requires sender only deployment Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.23

75 OptAck attack is dangerous: x1683 x w/ wscaling Deployed TCP Stacks are vulnerable Skipped segments solution: performs efficiently requires sender only deployment Future work: DETER? Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.23

76 OptAck attack is dangerous: x1683 x w/ wscaling Deployed TCP Stacks are vulnerable Skipped segments solution: performs efficiently requires sender only deployment Future work: DETER? Questions? This talk was written in L A T E X with Prosper: Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.23

77 bandwidth caps just use more victims or more attackers nonces non-cumulative nonces are not robust cumulative nonces require client deployment ACK alignment/timestamps requires CPU for strong random numbers timestamps are optional not robust to lazy attack Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.24

78 In network support not currently deployed Random Pauses inefficient segment reordering allows false positives from network reordering, dropped ACKs no performance penalty Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.25