
On the Effect of Router Buffer Sizes on Low-rate Denial of Service Attacks



Presentation Transcript


  1. On the Effect of Router Buffer Sizes on Low-rate Denial of Service Attacks. Sandeep Sarat, Andreas Terzis. Johns Hopkins University.

  2. Router Buffers • Packets are buffered during congestion epochs. • Buffer sizing. • “Traditional” rule of thumb: one bandwidth-delay product, B = C × RTT. • [AKM04] result: B′ = C × RTT / √N suffices for N long-lived flows. • B, B′ – buffer size. RTT – average round-trip time. N – the number of flows sharing the link. C – the capacity of the link.

  3. Consequences • Link utilization is not affected by the smaller buffer size [AKM04]. • Question: are denial of service attacks more effective in this setting? • Router DoS attack categories: • Brute force: flood the link. • Low-rate: pulsing attack with a low average rate.

  4. Shrew: Low-Rate Denial of Service Attack • Idea: keep the buffer full for a sufficiently long time: O(RTT). • Result: multiple drops from the same flow within one RTT, which forces the flow into a retransmission timeout. • Attack pulse: height p, length l, period T. • Average attack rate = p·l/T. • T = min{RTO} of the flows (= 1 second).

  5. Shrew Attack (Continued) • Low-RTT flows are penalized more heavily. • Overall link utilization is reduced. • Reference: Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). A. Kuzmanovic, E. Knightly, SIGCOMM 2003.

  6. Traffic Analysis • Minimum input traffic needed to keep the buffer full for the duration of a pulse. • B0 is the instantaneous queue size at the onset of the attack. • Worst case scenario: the link is already fully utilized by TCP and other traffic, so every shrew packet that arrives while the queue has room lengthens it, and every packet arriving once it is full causes a drop. • Total shrew traffic depends on the fraction of the buffer that is already full at the onset of the attack.

  7. Traffic Analysis (Contd.) • With a unit increase in m (the buffer size expressed as a multiple m of the [AKM04] size), each shrew needs to increase its mean rate by a fixed amount, so the required rate grows linearly in m. • Fair-queuing schemes can limit a flow’s average sending rate to O(C/N). • As m increases, shrews are forced to increase their sending rate above the C/N threshold, where such a scheme identifies and penalizes them.

  8. Evaluation • Used ns-2 for verification. • Classic dumbbell topology. • RTTs range uniformly between 20 and 460 ms [FK02]. • Buffer size is varied as a multiple m of the [AKM04] size. • Use a fairness-enforcing active queue management (AQM) scheme: RED-PD.

  9. RED-PD • Uses the RED packet-drop history to identify high-bandwidth (malicious) flows. • Intuition: more drops → higher bandwidth. • Configurable target round-trip time parameter R. • Calculates the average sending rate f of a flow from its drop history, where P is the ambient loss rate. • Protects flows with RTT > R. • We experiment with R = 40 ms and R = 120 ms.

  10. Low-Speed Link • 10 Mbps link, 20 TCP flows, 1 shrew. • Pulse: p = 10 Mbps, l = 200 ms, T = 1.2 s. • Compare link utilization with that under an equivalent constant-bit-rate (CBR) flow. • Utilization of the link: with m = 2 and R = 120 ms, within 91% of the non-shrew scenario.

  11. High-Speed Link • OC-3 (155 Mbps) link. • 250 flows, 10 shrews (4%). • Pulse: p = 20 Mbps, l = 200 ms, T = 1.2 s. • Utilization of the link: with m = 5 and R = 120 ms, within 99% of the non-shrew scenario.

  12. Shrew Rate Increase • From the analysis: an increase in buffer size → an increase in the sending rate the shrew needs. • Almost linear increase, as the analysis predicts. • The shrew rate grows to a considerable proportion of the link capacity: the attack is no longer low-rate.
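The scaling argument of slides 4, 6, 7 and 12, carried through in code. This is an added worked example, not code from the slides or from the authors; it uses a simple fluid model of the queue, and the symbols alpha (fraction of the buffer full at the onset of a pulse), util (legitimate utilization of the link) and k (number of shrews sharing a pulse) are my assumptions rather than the slides' notation. The sample figures in the demo are the slide-11 link parameters with a constructed alpha.

```python
"""
Added worked example (not the paper's code): a fluid model of how much a
Shrew attacker must send as the router buffer grows.

Assumptions that are mine, not the slides':
  * Worst case from slide 6: legitimate traffic already fills the link
    (util = 1), so every shrew bit arriving while the queue has room
    lengthens it by one bit, and once the queue is full every extra bit
    is dropped. util < 1 is allowed to show the general case.
  * The queue is a fraction alpha full when a pulse starts.
  * The pulse is the Shrew square wave of slide 4: height p, length l,
    period T; k shrews split each pulse equally.
  * The AQM is modelled only by the C/N fair-share threshold of slide 7.
"""
import math


def rule_of_thumb_buffer(C, rtt):
    """'Traditional' sizing: one bandwidth-delay product, B = C * RTT (bits)."""
    return C * rtt


def akm04_buffer(C, rtt, N):
    """[AKM04] sizing for N long-lived flows: B' = C * RTT / sqrt(N) (bits)."""
    return C * rtt / math.sqrt(N)


def min_pulse_bits(B, alpha, C, util, l):
    """Minimum shrew traffic per pulse (bits): fill the free (1 - alpha) * B
    of buffer, then supply whatever the link is *not* already carrying for
    the l seconds the queue must stay full. With util = 1 only the first
    term survives."""
    return (1.0 - alpha) * B + (1.0 - util) * C * l


def mean_rate_per_shrew(m, b_prime, alpha, C, util, l, T, k=1):
    """Average rate (bit/s) each of k shrews must sustain when the buffer is
    m times the [AKM04] size: pulse bits / (k * T), i.e. slide 4's p*l/T."""
    return min_pulse_bits(m * b_prime, alpha, C, util, l) / (k * T)


def rate_increase_per_unit_m(b_prime, alpha, T, k=1):
    """Slide 7: extra mean rate every shrew pays for one more unit of m,
    (1 - alpha) * B' / (k * T) bit/s. Linear in m and independent of util."""
    return (1.0 - alpha) * b_prime / (k * T)


def smallest_m_above_fair_share(b_prime, alpha, C, N, util, l, T, k=1, m_max=50):
    """First integer m at which a shrew's mean rate exceeds the C/N share a
    fair-queuing AQM enforces, i.e. where it stops looking low-rate.
    Returns None if that does not happen for any m <= m_max."""
    fair_share = C / N
    for m in range(1, m_max + 1):
        if mean_rate_per_shrew(m, b_prime, alpha, C, util, l, T, k) > fair_share:
            return m
    return None


if __name__ == "__main__":
    # Slide-11 setting: OC-3, 250 flows, 10 shrews, l = 200 ms, T = 1.2 s.
    # rtt = 240 ms is the midpoint of the 20-460 ms range; alpha = 0.5 is a
    # constructed value (the slides do not state it).
    C, N, rtt, k, l, T, alpha, util = 155e6, 250, 0.240, 10, 0.2, 1.2, 0.5, 1.0
    b_prime = akm04_buffer(C, rtt, N)
    print(f"rule of thumb B  = {rule_of_thumb_buffer(C, rtt) / 1e6:.2f} Mbit")
    print(f"[AKM04]       B' = {b_prime / 1e6:.2f} Mbit, fair share C/N = {C / N / 1e6:.2f} Mbps")
    print(f"cost per unit m  = {rate_increase_per_unit_m(b_prime, alpha, T, k) / 1e6:.3f} Mbps per shrew")
    for m in range(1, 6):
        r = mean_rate_per_shrew(m, b_prime, alpha, C, util, l, T, k)
        print(f"m = {m}: mean rate per shrew = {r / 1e6:.3f} Mbps"
              f" ({'above' if r > C / N else 'below'} C/N)")
    print("shrews exceed C/N from m =",
          smallest_m_above_fair_share(b_prime, alpha, C, N, util, l, T, k))
```

The model deliberately ignores the pulse height needed to fill the buffer within one pulse and the AQM's drop-history estimator; it captures only what the slides argue, that the traffic per pulse is proportional to the free buffer space, so the mean rate rises linearly with m until it crosses the fair share the AQM enforces. The actual m at which RED-PD catches the shrews in the slides (m = 2 and m = 5) depends on alpha and on RED-PD's estimator, neither of which this model reproduces.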

  13. Summary • A moderate increase in buffer size over the Stanford model (the [AKM04] sizing) renders the shrew ineffective. • Shrews need to send faster to fill up the larger buffer, and are then no longer low-rate. • Caveat: an AQM scheme is still needed to detect and penalize the malicious flow once it exceeds its fair share. • Open question: can we detect it without an AQM scheme?
