Drafting Behind AkamaiTravelocityBased Detouring起草在AkamaiTravelocity基于绕行.pptVIP

Drafting Behind Akamai Towards Robust Protocol Design: 4 Ways to Kill TCP without Much Trouble Aleksandar Kuzmanovic Northwestern University The Internet Denial of Service Problem Assumption Trust and cooperation among endpoints Denial of Service Attacks A malicious way to consume resources in a network, a server cluster or in an end host, thereby denying service to other legitimate users FBI Computer Crime Security Survey: Overall financial losses: $201,000,000 Denial of Service: $65,000,000 Approach Should we find ways to defend the Internet from DoS attacks? Of course! Anticipating novel types of DoS attacks is essential More relevant and more challenging My focus: TCP More than 90% of traffic today is TCP Outline Brief background on TCP Four ways to kill TCP Shrew attacks Padding misbehavior TCP poisoning attacks Receiver-driven TCP stacks TCP Congestion Control TCP Congestion Control Shrew Attacks Shrew TCP: a Dual Time-Scale Perspective Two time-scales fundamentally required RTT time-scales (~10-100 ms) AIMD control RTO time-scales (RTO=SRTT+4*RTTVAR) Avoid congestion collapse Lower-bounding the RTO parameter: [AllPax99]: minRTO = 1 sec to avoid spurious retransmissions RFC2988 recommends minRTO = 1 sec The Shrew Attack The Shrew Attack A short burst (~RTT) sufficient to create outage Outage – event of correlated packet losses that forces TCP to enter RTO mechanism The Shrew Attack The outage synchronizes all TCP flows All flows react simultaneously and identically backoff for minRTO The Shrew Attack Once the TCP flows try to recover – hit them again Exploit protocol determinism The Shrew Attack And keep repeating… RTT-time-scale outages inter-spaced on minRTO periods can deny service to TCP traffic Shrews are Hard to Detect l/T 1 Low-rate flow is hard to detect Most counter-DOS mechanisms tuned for high-rate attacks Detecting Shrews may have unacceptably many false alarms (due to legitimate bursty flows) Outline Brief background on