Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
Ying Zhang
University of Michigan
wingying@umich.edu
Z. Morley Mao
University of Michigan
zmao@umich.edu
Jia Wang
AT&T Labs–Research
jiawang@research.att
Abstract
Compared to attacks against end hosts, Denial of Service (DoS) attacks against the Internet infrastructure such as those targeted at routers can be more devastating due to their global impact on many networks. We discover that the recently identified low-rate TCP-targeted DoS attacks can have severe impact on the Border Gateway Protocol (BGP). As the interdomain routing protocol on today’s Internet, BGP is the critical infrastructure for exchanging reachability information across the global Internet. We demonstrate empirically that BGP routing sessions on the current commercial routers are susceptible to such low-rate attacks launched remotely, leading to session resets and delayed routing convergence, seriously impacting routing stability and network reachability. This is a result of a fundamental weakness with today’s deployed routing protocols: there is often no protection in the form of guaranteed bandwidth for routing traffic. Using testbed and Internet experiments, we thoroughly study the effect of such attacks on BGP. We demonstrate the feasibility of launching the attack in a coordinated fashion from wide-area hosts with arbitrarily low-rate individual attack flows, further raising the difficulty of detection. We explore defense solutions by protecting routing traffic using existing router support. Our findings highlight the importance of protecting the Internet infrastructure, in particular control plane packets.
1 Introduction
There is evidence of increasing occurrences of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks on the Internet today [40]. Most of the widely known attacks target a single host or multiple hosts within a particular edge network, rather than the Internet infrastructure such as routers inside transit ISP networks. The latter type of attack can be quite devastating. For example, attacks against routers can impact significant amount of traffic, as many networks rely on them to reach other destinations. Moreover, attacks on the routing infrastructure can create partition between lower tier ISPs to the rest of the Internet by bringing down several links simultaneously. Thus, it is important to understand attacks against the Internet infrastructure given its critical importance to the well-being of the Internet. In this paper, we focus on examining a particular type of attack against the interdomain routing protocol – the Border Gateway Protocol [39].
The Border Gateway Protocol (BGP), the de facto standard Internet interdomain routing protocol, uses TCP as its transport protocol. A fundamental flaw with routing protocols deployed today is that there is usually no protection in the form of priorities in using router resources for control plane packets. Thus, congestion of other data traffic can adversely affect BGP packets, as shown in the previous study by Shaikh et al. [43]. Recent studies [50, 21, 7] have indicated that data congestion can severely impact routing sessions. Thus, any attack that exploits this lack of isolation with an impact on TCP can negatively affect the functioning of BGP.
In this work, we study how the recently identified low-rate TCP-targeted DoS attacks [27] disrupt interdomain routing on today’s Internet. This is the first study that systematically examines the impact of this type of attack on interdomain routing, and we discovered the impact can be quite severe. It has been shown that low-rate TCP attacks can severely degrade TCP throughput by sending pulses of traffic leading to repeated TCP retransmission timeout. Given the fundamental susceptibility of TCP to such low-rate attacks due to its deterministic retransmission timeout mechanism, any application using TCP is vulnerable. In particular, the effect on protocols using TCP within the Internet infrastructure is arguably more severe due to the global scope of the impact. Aside from the potential impact on the throughput of BGP packets, a more critical question is whether such attacks are powerful enough to reset BGP’s routing session as a result of a sufficiently large number of consecutive packet drops. If the session is reset, it can have serious impact on the Internet in the form of routing instability, unreachable destinations, and traffic performance degradation [29, 28]. Note that attackers can launch such attacks remotely from end hosts without access to routers nor the ability to send traffic directly to them. Its low-rate nature makes detection inherently difficult. More importantly, the existing best common practice for protecting the Internet routing infrastructure by disallowing access and research proposals such as SBGP [26] are not sufficient to prevent this type of low-rate attack since this attack is exploring a transport layer vulnerability of BGP.
We show empirically using testbed experiments that today’s routers with default configurations are susceptible to BGP session resets as a result of low-rate TCP-targeted DoS attacks. We observe that attackers can bring down the targeted BGP session in less than 216 seconds. Session reset probability can be as high as 30% with only 42% utilization of the bottleneck link capacity. And when the session is not reset, BGP table transfer can be increased from 85 seconds up to an hour with only 27% of the link capacity used. Using wide-area experiments, we show the ease with which coordinated low-rate attacks can be launched, resulting in arbitrarily low-rate individual attack flows. This raises the difficulty of attack detection. Fortunately, major peering links with significant available bandwidth are difficult to attack due to required resources. We subsequently explore defense strategies through prevention and demonstrate that it is possible to significantly lower the risk of such attacks by prioritizing routing traffic using existing router support. We provide recommendations for better default BGP configurations.
The rest of the paper is organized as follows. We provide the background of low-rate TCP-targeted DoS attacks and BGP in Section 2. Section 3 discusses impact of such attacks on BGP and key factors in determining vulnerability of BGP. We show using testbed experiments that BGP can be disrupted by low-rate TCP attacks in Section 4. Section 5 shows using wide-area experiments how multiple attack hosts coordinate to launch low-rate attacks against a given BGP session. We discuss defense mechanisms in Section 6 and conclude in Section 7.
2 Background
In this section we describe low-rate TCP-targeted DoS attacks and the Border Gateway Protocol susceptible to it.
2.1 Low-rate TCP-targeted DoS Attacks
In their seminal work [27], Kuzmanovic and Knightly showed that TCP’s retransmission timeout mechanism can be exploited by using maliciously chosen low-rate DoS traffic to throttle TCP flows to a small fraction of their ideal rate. As shown in Figure 1, the low-rate attack consists of periodic, on-off square-wave of traffic bursts with magnitude of the peak, burst length, and inter-burst period. There are several requirements for the low-rate TCP-targeted attack to be successful: (i) An integer multiple of the inter-burst period coincides with the minimum retransmission timeout value (minRTO) of TCP. (ii) The magnitude of the attack peak traffic is large enough to cause packet loss. (iii) The burst length is sufficiently long to induce loss: It needs to be longer than roundtrip time (RTT) of TCP flows. When these conditions are satisfied, the aggregate TCP flows sharing the bottleneck link will have close to zero throughput. Even if the inter-burst period takes on other values outside the minRTO range, the throughput can still be severely degraded. The reason is that the TCP retransmission timer repeatedly times out due to loss induced by the attack traffic burst, as the timer value exponentially increases for any given flow sharing the bottleneck link with the attack traffic.
Figure 1. Notation for low-rate TCP-targeted DoS attacks
One way to defend against such attacks is to randomize the minimum retransmission timeout value (minRTO); however, this does not fully mitigate the attack due to the inherently limited range for minRTO as shown by Kuzmanovic and Knightly [27]. They also found that even router-assisted mechanisms do not eliminate the attack impact without incurring excessively high false positives. There has also been follow-up work on detecting low-rate attacks [47, 44, 30, 14]. Most of the existing detection algorithms rely on signal analysis. None of the proposed detection algorithms has been shown to be sufficiently accurate and scalable for deployment in real networks. Furthermore, no known solution exists to effectively mitigate such low-rate attacks. Thus, all applications using TCP are inherently susceptible to degraded performance due to such attacks. In this work, we focus on the Border Gateway Protocol as an important “application” using TCP given its critical role as the interdomain routing protocol on the Internet.
2.2 Border Gateway Protocol
The Border Gateway Protocol (BGP) is used as the interdomain routing protocol on today’s Internet. In BGP, a routing session is established over a TCP connection between neighboring border routers to exchange reachability information. There are two types of BGP sessions: eBGP and iBGP sessions. The former are between routers within different autonomous systems (ASes) or networks, and usually consist of a single , the two routers are directly connected with a physical link. The latter are within the same AS and can go through multiple router hops. Because BGP is a stateful protocol, routing information previously received is assumed to be valid until withdrawn. To ensure connection liveness, KeepAlive messages are exchanged periodically. According to BGP’s protocol specification [39], each BGP router maintains a Hold Timer which limits the maximum amount of time that may elapse between receipt of successive KeepAlive and/or update messages from its neighbor in the BGP session. If the Hold Timer expires, a notification error message is sent and the BGP connection is closed. Upon session reset, all routes previously exchanged in the session are implicitly withdrawn, potentially propagating routing instability to other networks.
Note that one may argue that BGP session reset due to data congestion is actually desirable, given the associated routes are not preferable due to the bad quality of the link. We strongly dispute this claim. Session reset creates significant disruption and can cause global routing instability. Performance based route selection can be used instead. Moreover, ISPs today already perform traffic engineering to load balance traffic.
There are other BGP security problems, such as lack of deployed mechanisms to verify the correctness, authenticity, integrity of the routing information exchanged. Proposed protocols such as SBGP [26], SoBGP [34] address some of these issues. Other attacks against routing protocols such as the link cutting attack described by Bellovin [12] are related. It uses topology information to select specific links to cut so that traffic is rerouted through routers controlled by attackers. The attack described in this paper also uses topology information to identify target links. Router vendors have provided protection against known attacks such as TCP RST and SYN flood attacks [18, 23]. Using testbed experiments we verified none of the routers we tested is vulnerable to TCP RST attacks. Note that unlike RST or SYN flood attacks, it is possible to remotely launch resource-based attacks, such as the attack described in this paper, using packets passing through the routers without the ability to send packets destined to them.
3 Low-rate DoS Attacks on BGP
Because BGP runs over TCP for reliability, BGP is also vulnerable to the recently discovered low-rate TCP-targeted DoS attacks. Due to its low-bandwidth property, such attack is much more difficult to detect, and thus it is important to understand it thoroughly. In this paper, we focus on investigating the effect of low-rate attacks on a single-hop BGP session. However, the results can be generalized to multihop BGP sessions. Arguably multihop BGP sessions are more susceptible as they traverse multiple links, thus more likely to experience congestion.
3.1 Impact of Attacks on BGP Sessions
The impact on BGP sessions caused by low-rate TCP-targeted DoS attacks is twofold: throughput degradation and session reset. First, the throughput of the BGP update messages can be significantly reduced. However, the average BGP update rate is quite low, except during significant routing changes or table transfer upon session establishment. The impact in the form of rate reduction of BGP traffic is less critical, but can further exacerbate the already slow BGP convergence process. The second type of attack impact due to BGP session reset is much more severe. To reset a BGP session, the induced congestion by attack traffic needs to last sufficiently long to cause the BGP Hold Timer to expire. To monitor the attack success, one can analyze traffic traversing the impacted link or routing updates related to the session. Furthermore, it is easier to keep the session down as SYN packets are sent less frequently compared to retransmitted data packets.
BGP session reset can lead to severe churn on the Internet’s control plane. This not only impacts both routers involved in the BGP session, as each withdraws all the routes previously advertised by its neighbor, but also many other networks on the Internet due to the propagation of routing changes. For example, the number of routes in a default-free router in the core Internet is around 170,000 based on routing data from RouteViews [5]. A significant fraction of the table can be affected upon a BGP session reset. Withdrawing a large number of routes can cause many destination networks to become temporarily unreachable due to inconsistent routing state [48] and a large amount of traffic to become rerouted, which may further lead to congestion due to insufficient capacity.
A recent proposal to mitigate the potential negative impact of short-lived session resets is termed graceful restart [42]. Routers supporting this mechanism attempt to continue to forward packets using the stale routes. There is, however, an upper bound (by default two or three minutes) on the amount of time a router retains the stale routes to avoid lengthy routing inconsistency. Thus, a session reset that lasts sufficiently long time, possibly due to an intense low-rate attack, can still have severe impact on the data plane.
In general, the impact of an eBGP session reset is larger than that of an iBGP session reset because routing changes received from eBGP sessions are more likely to propagate across multiple networks and the routing table is usually default-free, thus carrying all the destinations to the Internet. The routes exchanged between two routers in an eBGP session consist of all the routes of their respective customers. Thus, for eBGP sessions between two large ISPs, this number can be quite large. We analyzed routing tables from a tier-1 ISP and found that up to 13% of the routing table can come from a single eBGP session versus only 4% from an iBGP session.
3.2 Key Factors in Attacking a BGP Session
We study the key factors that determine the vulnerability of BGP to such attacks to illuminate possible solutions.
1. Priority of routing traffic. The fundamental problem that makes BGP vulnerable to low-rate attacks is that router traffic may not be sufficiently protected from congestion caused by other data traffic. Many of the commercial routers today by default use First-In-First-Out (FIFO) or Drop Tail queueing discipline, giving no priority to routing packets. Even in the case where routing data are protected (e.g., through the RED queue management scheme [22]), there are no default policing mechanisms to prevent attack packets from spoofing packets of higher priority. For example, we observed that many routers will mark the routing packets with an IP precedence value of 6 [8]. However, attack packets can also use the same or even higher IP precedence values given the lack of authentication for such values by default. Packet remarking or TTL value checking [23] can help ensure only routing packets receive higher priority. In this work, we illuminate these issues by experimenting with real commercial routers with various configuration settings. Instead of using simulations, we focus on using experiments to obtain results closer to the reality.
2. Proprietary router implementation. Commercial router behavior is much less understood compared to that of end hosts due to its proprietary nature and lack of source code access. For example, it is unclear how the TCP stack on commercial routers really behaves. Unlike for end-hosts, critical parameters to the attack such as minRTO are unknown, making successful attacks much more difficult. If minRTO is randomized, it would further reduce the probability of a session reset. Even with known router behavior, depending on its configuration, its dynamic behavior may be quite different compared to the default settings. We mainly focus on default settings as most deployed routers probably use default configurations. When we know that the router supports certain features that would help protect against the low-rate attacks, we also examine these features in great details.
3. Capacity of peering links. In order for low-rate TCP attacks to be successful against BGP routing sessions, the traffic burst needs to be sufficiently powerful to cause enough packet loss, so that the TCP flow of the BGP session enters into retransmission timeout state. This may appear to be difficult to achieve, especially for BGP sessions involving Internet core backbone links given the heavily over-provisioned core. However, eBGP sessions involve peering links which may not be as well-provisioned compared to links within an ISP backbone. There has been anecdotal evidence that congestion often occurs on peering links. Previous measurement studies such as [6, 24] have shown that some of the bottleneck links of today’s Internet paths occur at the boundary between two networks. Links between stub networks and their providers often have much lower speed, and these networks often use eBGP to obtain routes. Using data from RouteViews [5], we found 23% of 100,482 eBGP peering sessions belong to stub networks. Furthermore, it is not necessary that a single attack host overwhelms the target link. As we show later in Section 5, multiple hosts possibly from a botnet can be used to launch a coordinated attack, as long as they traverse the link involved in the BGP session under attack. In this work, we investigate the necessary conditions and show experimentally how this can be achieved.
Figure 2. Lab experiment testbed (figure labels: Sender, A, Receiver, B; OC3 155Mbps; Gigabit, Gigabit)
4 Testbed Experiments
In this section, we describe experiments conducted on a router testbed and empirically show that commercial routers can be severely impacted by low-rate TCP-targeted DoS attacks in the form of session resets and degraded table transfer throughput. We first present our experiment setup, and then inferred TCP characteristics and observed BGP parameters of different commercial routers, followed by detailed analysis of attack impact.
4.1 Testbed Setup
Our experiment testbed consists of two commercial routers and two PCs shown in Figure 2. The two links connecting the routers and the PCs are full-duplex Gigabit Ethernet. The target link between the routers is Packet Over SONET (POS) with 155Mbps link capacity. Note that our experiment testbed closely models the real operational scenario of an eBGP session with two key differences. First, we do not model background traffic and select the link types to allow traffic from Sender to Receiver to easily overload the link between the two routers. Second, attack hosts
TCP properties
Router type    minRTO    KeepAlive    Queue
version pattern (sec) (sec) timer (sec), range
Cisco 3600     300       60           FIFO
Cisco 7200     600       60           FIFO
Cisco 7300     300       60           FIFO
Cisco 12000    600       60           FIFO
Juniper M10    1000      30           FIFO
1 UDP is used as opposed to TCP to precisely control the sending rate. TCP packets, without conforming to congestion control can also be used to hanism.
In this paper, we use Cisco GSRs with IOS version 12.0 to illustrate our results because they are commonly used in Internet backbone networks and are the most powerful routers we examined on our testbed. In particular, the Cisco GSRs used are equipped with Cisco 12410/GRP (R5000 CPU at 200Mhz) processor, 512KB L2 cache, and 512MB memory. The line card on the router has a 4 port POS OC-3c/STM-1 Multi Mode with Engine type 0, a buffer size of 12560 packets for packet sizes matching that of BGP packets.
4.2 Router Implementation Diversity
To understand why commercial routers are vulnerable to low-rate attacks, we analyze the TCP behavior and default router configuration settings.
In our work, TCP related parameters are obtained using software we developed based on TBIT (TCP Behavior Inference Tool) [36], which infers TCP properties on Web servers. We enhanced it by integrating BGP-related functionality to establish a BGP session with a commercial router. After the session establishment, the tool constructs packets in special ways to infer router’s TCP behavior. The most important TCP property inferred is minRTO which can be accurately determined.
Table 1 also shows the default router BGP configurations for several features relevant to the low-rate attack. Cisco routers use a 60 seconds KeepAlive Timer and a 180 seconds Hold Timer by default, while Junipers have smaller default timer values: 30 seconds for KeepAlive and 90 seconds for Hold Timer. We derive that to reset the BGP session, attackers need to cause at least 8 consecutive packets to be dropped for Cisco GSR and only 6 for Juniper M10 due to the timer values. Thus, Juniper M10 is more vulnerable to low-rate attacks compared to Cisco GSR. The default queuing algorithm for all routers studied is FIFO instead of RED. Weighted RED described later can help protect routing packets. Graceful restart support provided by Cisco [17] is not enabled by default (Graceful restart is not supported in Cisco 3600). It can help routers tolerate short-lived session down time; however, there is a timer limit on the down time, with a default of 2 or 3 minutes, before the stale routes are withdrawn.
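The consecutive-drop counts quoted above (8 for Cisco GSR, 6 for Juniper M10) follow from the timer values together with TCP's exponential retransmission backoff described in Section 2.1. The following is an added worked example, not code from the paper, that recomputes them so an operator can check how much margin a given KeepAlive/Hold Timer setting leaves. It assumes the table's minRTO values are milliseconds (600 ms for the Cisco 12000, 1000 ms for the Juniper M10), that the RTO doubles from minRTO on each loss, and that the KeepAlive is sent exactly one interval after the last delivered message; the names BgpTimers, transmission_times and drops_to_reset are made up for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BgpTimers:
    name: str
    min_rto: float    # seconds; table value read as milliseconds (assumption)
    keepalive: float  # KeepAlive interval in seconds (from the page)
    hold: float       # Hold Timer in seconds (from the page)


# Defaults quoted on the page; minRTO taken from the Cisco 12000 and
# Juniper M10 table rows, interpreted as 600 ms and 1000 ms (assumption).
CISCO_GSR = BgpTimers("Cisco GSR", 0.6, 60.0, 180.0)
JUNIPER_M10 = BgpTimers("Juniper M10", 1.0, 30.0, 90.0)


def transmission_times(t: BgpTimers, max_rto: Optional[float] = None) -> List[float]:
    """Send times of one KeepAlive segment and its retransmissions, in seconds
    after the last message the peer received, up to the peer's Hold Timer.

    Model (assumptions): the KeepAlive leaves exactly one interval after the
    last delivered message, every attempt is lost, and the RTO starts at
    minRTO and doubles per loss (optionally capped at max_rto).
    """
    times = []
    now, rto = t.keepalive, t.min_rto
    while now < t.hold:
        times.append(round(now, 6))
        now += rto
        rto = rto * 2 if max_rto is None else min(rto * 2, max_rto)
    return times


def drops_to_reset(t: BgpTimers, max_rto: Optional[float] = None) -> int:
    """Consecutive losses of the same segment needed before Hold Timer expiry."""
    return len(transmission_times(t, max_rto))


def report(t: BgpTimers) -> str:
    """One-line summary of the retransmission schedule for a timer setting."""
    times = transmission_times(t)
    idle = t.hold - times[-1]  # quiet gap between the last attempt and expiry
    return (f"{t.name}: {len(times)} consecutive drops, attempts at "
            f"{times} s, last attempt {idle:.1f} s before expiry")


if __name__ == "__main__":
    for timers in (CISCO_GSR, JUNIPER_M10):
        print(report(timers))
    # Effect of a longer Hold Timer (hypothetical setting, not from the page).
    print(drops_to_reset(BgpTimers("Cisco GSR, hold 240 s", 0.6, 60.0, 240.0)))
```

Under this model the last retransmission falls well before the Hold Timer expires (about 44 s for the Cisco defaults, 29 s for the Juniper defaults), because the doubled RTO pushes the next attempt past the deadline.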
