Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks Hormuzd Khosravi Shashidhar Lakkavalli Lily Yang 60 th IETF Meeting, San Diego 1
Problem Statement � Requirements RFC 3654 – “Protection against Denial of Service Attacks (based on CPU overload or queue overflow) - Systems utilizing the ForCES protocol can be attacked using denial of service attacks based on CPU overload or queue overflow. The ForCES protocol could be exploited by such attacks to cause the CE to become unable to control the FE or appropriately communicate with other routers and systems. The ForCES protocol MUST therefore provide mechanisms for controlling FE capabilities that can be used to protect against such attacks. FE capabilities that MUST be manipulated via ForCES include the ability to install classifiers and filters to detect and drop attack packets, as well as to be able to install rate limiters that limit the rate of packets which appear to be valid but may be part of an attack (e.g., bogus BGP packets).” 2
Possible Solutions � Basic Idea – Separation of data and control messages – Data messages are control protocol packets such as RIP, OSPF, BGP packets. All other messages considered control messages � Solution 1 – Different Transport connections – Use different congestion aware transport protocol connections for data and control messages � Solution 2 – Different Prioritization – Assign higher priority to control messages and use scheduling mechanisms in protocol to differentiate 3
Experimental Setup � Used IXIA box as packet generator and Linux PCs as CE, FE connected using 100 Mbps Ethernet links � Basic implementation consisting of multi-threaded client/server on Linux using pthreads (RR scheduling for threads) � Increased data connection rate to simulate DoS Attack 4
Experimental Results � Using TCP for control and UDP for data messages (with and without prioritization for control) � Results show UDP (data) overwhelms TCP (control) traffic during DoS attack, prioritization of No help 1.2 1.2 R e c e i v e d / S e n t D a ta (lo s s ) Received /S en t Data (lo ss) 1 1 Control 0.8 0.8 Control Data 0.6 0.6 Data 0.4 0.4 Data w/o Control 0.2 0.2 0 0 0 50 100 150 0 50 100 150 Redirection Data Rate (Mbps) Redirection Data Rate (Mbps) With Prioritization � 5
Experimental Results (contd..) � Using TCP for control and TCP for data messages (with and without prioritization for control � Results show control traffic is not overwhelmed by data traffic during DoS attack, prioritization helps improve the performance (by 5%) 1.2 1.2 Received/Sent Data (loss) 1 Received/S ent Data (loss) 1 0.8 0.8 Control 0.6 Control Data 0.6 Data 0.4 0.4 0.2 0.2 0 0 50 100 150 0 Redirection Data Rate 0 50 100 150 (Mbps) Redirection Data Rate (Mbps) With Prioritization � 6
Summary � Protection against DoS attacks is a key requirement for the ForCES protocol � Separation of Control and Data messages in the ForCES protocol is key to meet this requirement � Separation scheme consisting of – separate congestion aware, control and data transport connections such as TCP connections – combined with higher priority for control gives best results � References – http://www.sstanamera.com/~forces/ , http://www.sstanamera.com/~forces/Ietf59/testbed_dong.pdf 7
Recommend
More recommend
![Transporting Voice by Using IP The RTP Control Protocol [1/3] RTCP A companion control](https://c.sambuz.com/886603/transporting-voice-by-using-ip-the-rtp-control-protocol-1-s.jpg)
