Continuing on with the deeper analysis of each attack method, this post will review the Low-rate DoS attack. The key paper I will be using as a reference for this review will be:
RRED: Robust RED Algorithm to Counter Low-Rate Denial-of-Service Attacks, 2010, Zhang, C., Yin, J., Cai, Z., and Chen, W., IEEE COMMUNICATIONS LETTERS, VOL. 14, NO. 5, MAY 2010.
Another key resource is this site, tracking recent Low-rate DoS attacks: http://sites.google.com/site/cwzhangres/home/posts/recentpublicationsinlow-ratedosattacks
A presentation by A. Kuzmanovic and E. W. Knightly, 2003 (http://www.cs.northwestern.edu/~akuzma/rice/doc/shrew.ppt) is heavily borrow from.
Starting with a simple definition, Low-rate DoS attacks differ from flood type attacks in that packet transmission is limited. The TCP timeout mechanism is instead exploited to increase the ratio of attacker resources to target resources consumed. This reduced packet transmission also serves to make the attack method much more difficult to identify. Low-rate DoS attacks are also known as:
- Shrew attacks – see: http://www.cs.northwestern.edu/~akuzma/rice/shrew/
- Pulsing DoS [PDoS]
- Reduction of Quality [RoQ]
Two important variables in the TCP congestion avoidance mechanism are:
- Retransmission time-out [RTO]
- Round Trip Time Estimate [RTT]
Logically the RTO must be less than the RTT to avoid unnecessary retransmission. In fact RTO=S(smoothed)RTT+4*RTTVAR.
At this point it is important look more closely at how the TCP congestion avoidance algorithm works:
- A ‘congestion window’ is maintained, limiting the number of packet that have not been acknowledge by the receiver, packets in transit.
- When TCP connections are initialized or after dropped packet TCP enforces a ‘slow start’. The slow start mechanism starts the ‘congestion window’ small and then increases it exponentially with each acknowledged packet. This makes sense, as the TCP connection demonstrates its stability we can increase throughput.
The testing run by A. Kuzmanovic and E. W. Knightly demonstrated that shrew attacks can reduce a targets TCP throughput to a fraction of normal operation. Achieved with a relatively low number of malicious throughput… ” 87.8% throughput loss without detection“.
The Low-rate DoS attack exploits the standardization of the TCP protocol. Many protocols used on the internet are standardize (ie: HTTP, IP, etc) , they need to be standardized for communications to work. This does however present attackers with a target they know will be present on systems everywhere.
Detection and Mitigation
A. Kuzmanovic and E. W. Knightly analyze minRTO randomization and find this to be effective at the cost of general TCP performance. They also highlight that the different TCP congestion avoidance algorithm versions result in significantly different PDoS effectiveness.
Zhang et. al., propose a Robust Random Early Detection [RRED] algorithm, identifying malicious TCP packets by the time frame in which they are resent after a timeout.
I will aim to do some testing using snort or even dynamic iptables rules to allow for effective detection and mitigation of shrew attacks.