Security Analysis of the Micro Transport Protocol with a Misbehaving - - PowerPoint PPT Presentation
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver Florian Adamsky, Syed Ali Khayam, Rudolf Jger and Muukrishnan Rajarajan The 4th
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver
Florian Adamsky, Syed Ali Khayam, Rudolf Jäger and Muukrishnan Rajarajan
florian@adamsky.it http://florian.adamsky.it
The 4th International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery 2012
1 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver
1 Introduction
Background
2 Aack Details and Results
Aack 1: Lying about the Delay Aack 2: Lazy Opt-Ack Aack 3: Opt-Ack
3 Countermeasures
Randomly Skipped Packets
4 Conclusions
2 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Introduction
1 Introduction
Background
2 Aack Details and Results
Aack 1: Lying about the Delay Aack 2: Lazy Opt-Ack Aack 3: Opt-Ack
3 Countermeasures
Randomly Skipped Packets
4 Conclusions
3 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Introduction
BitTorrent is the most widely used Peer-to-Peer (P2P) application Before December 2008, TCP was its default transfer protocol Since this date, uTorrent switched from TCP to the Micro Transport Protocol (uTP) which is based on UDP
4 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Introduction | Background
BitTorrent is in most cases background traffic BitTorrent uses multiple connection at once
TCP distributes the available bandwidth evenly across connections The more connections one application uses, the larger the share of bandwidth
Old Solution: Configure bandwidth limit
Requires knowledge about the own Internet connection Oen lets big head room which is unused Bad configured BitTorrent client can harm other people in the network
⇒ Novel transport protocol based on UDP: Micro Transport Protocol (uTP)
5 / 26
http://www.theregister.co.uk/2008/12/01/richard_bennett_utorrent_udp/print.html
http: //arstechnica.com/old/content/2008/12/utorrents-switch-to-udp-and-why-the-sky-isnt-falling.ars
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Introduction | Background
uTP is a reliable transport protocol which makes use of UDP
Introduces a new congestion control: Low Extra Delay Background Transport (LEDBAT)
Similarities to TCP
Window based flow control Sequence numbers and ACK numbers
Differences to TCP
Sequence numbers and ACKs refer to packets, not bytes SACK uses a 32 bitmask where each bit represents a packet No congestion control (Slow-start, congestion avoidance, …) → LEDBAT
Advantages:
Detects foreground traffic and automatically slows down Scales beer when sending over many connections at once
. . ..
Traffic
. . . Time . Bandwidth . . . uTP traffic . . All Traffic (except uTP)
8 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Introduction | Background
uTP is a reliable transport protocol which makes use of UDP
Introduces a new congestion control: Low Extra Delay Background Transport (LEDBAT)
Similarities to TCP
Window based flow control Sequence numbers and ACK numbers
Differences to TCP
Sequence numbers and ACKs refer to packets, not bytes SACK uses a 32 bitmask where each bit represents a packet No congestion control (Slow-start, congestion avoidance, …) → LEDBAT
Advantages:
Detects foreground traffic and automatically slows down Scales beer when sending over many connections at once
. . ..
Traffic
. . . Time . Bandwidth . . . uTP traffic . . All Traffic (except uTP)
8 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Introduction | Background
LEDBAT uses one way delay as the main congestion measurement
Will be compared with previous values (not absolute values)
. . Sender . Receiver . t
s n d
[ D a t a ] . ∆t = trcv − tsnd . ∆ t [ A C K ] And also:
Packet loss (max_window = max_window × 0.78) ACKs during one window
IETF just tries to standardize LEDBAT (Dra 09³)
³http://tools.ietf.org/id/draft-ietf-ledbat-congestion-09.txt
9 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results
1 Introduction
Background
2 Aack Details and Results
Aack 1: Lying about the Delay Aack 2: Lazy Opt-Ack Aack 3: Opt-Ack
3 Countermeasures
Randomly Skipped Packets
4 Conclusions
10 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 1: Lying about the Delay
..
Idea
. Lying about the one way delay to induce the sender to send more and more packets into the network How to do that? . . Sender . Aacker A . t
s n d
[ D a t a ] . ∆t = 1 ms . ∆ t [ A C K ]
11 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 1: Lying about the Delay
Code Snippet
1
scaled_gain = MAX_CWND_INCREASE_PACKETS_PER_RTT
2
* delay_factor * window_factor;
4
max_window += scaled_gain; Delay Calucation delay_factor = 100 ms − min( ⃗
100 ms delay_factor = 100 ms − 0 100 ms delay_factor = 1
12 / 26
. . . 20 . 40 . 60 . 80 . 100 . 120 . 140 . 160 . 180 . 0 . 1,000 . 2,000 . 3,000 . 4,000 . 5,000 . 6,000 . Time in Seconds . Packets per Second . . . Without Aack . . Delay Aack
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 2: Lazy Opt-Ack
..
Idea
. We do not inform the sender about packet loss How to do that? As an aacker we’re not interested in data integrity Save all packets we got sequentially and not according to there sequence number
14 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 2: Lazy Opt-Ack
Normal packet sorting . . . . 1 . 1 . 2 . Packet Loss . 3 . 3 . 4 . 5 . 6 . 4 Aack: Packet sorting sequentially . . . . 1 . 1 . 3 . 2 . 3 . 4 . 5 . 6 . 4
15 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 2: Lazy Opt-Ack
Normal packet sorting . . . . 1 . 1 . 2 . Packet Loss . 3 . 3 . 4 . 5 . 6 . 4 Aack: Packet sorting sequentially . . . . 1 . 1 . 3 . 2 . 3 . 4 . 5 . 6 . 4
15 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 2: Lazy Opt-Ack
. . . . 20 . 40 . 60 . 80 . 100 . 120 . 140 . 160 . 180 . 0 . 2,000 . 4,000 . 6,000 . Time in Seconds . Packets per Second . . . Without Aack . . Delay Aack . . Lazy Opt-Ack Aack
16 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 3: Opt-Ack
..
Idea
. Pretend that we got all packets always via SACK How to do that? Again: As an aacker we’re not interested in data interested Set all bits of the SACK bitmask to the value 1 Replace that code:
1
uint m = 0; // SACK bitmask with this code
1
uint m = UINT_MAX; // SACK bitmask
17 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 3: Opt-Ack
. . . . 20 . 40 . 60 . 80 . 100 . 120 . 140 . 160 . 180 . 0 . 2,000 . 4,000 . 6,000 . Time in Seconds . Packets per Second . . . Without Aack . . Delay Aack . . Lazy Opt-Ack Aack . . Opt-Ack Aack
18 / 26
. . . 5 . 10 . 15 . 20 . 25 . 5.43 . 6.2 . 15.39 . 23.84 . Average Bandwidth Usage in Mbit/s
. . . w/o Aack . . Delay Aack . . . Lazy Opt-ACK . . . Opt-ACK
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 3: Opt-Ack
Congestion Experiment
Constant 50 Mbit/s UDP stream with iPerf Parallel to this file transfer via uTP
Results Client Packet loss Without Aack 0 % Delay Aack 0 % Lazy Opt-Ack Aack 7 % Opt-Ack Aack 42 %
20 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 3: Opt-Ack
Congestion Experiment
Constant 50 Mbit/s UDP stream with iPerf Parallel to this file transfer via uTP
Results Client Packet loss Without Aack 0 % Delay Aack 0 % Lazy Opt-Ack Aack 7 % Opt-Ack Aack 42 %
20 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 3: Opt-Ack
Congestion Experiment
Constant 50 Mbit/s UDP stream with iPerf Parallel to this file transfer via uTP
Results Client Packet loss Without Aack 0 % Delay Aack 0 % Lazy Opt-Ack Aack 7 % Opt-Ack Aack 42 %
20 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Aack Details and Results | Aack 3: Opt-Ack
Congestion Experiment
Constant 50 Mbit/s UDP stream with iPerf Parallel to this file transfer via uTP
Results Client Packet loss Without Aack 0 % Delay Aack 0 % Lazy Opt-Ack Aack 7 % Opt-Ack Aack 42 %
20 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Countermeasures
1 Introduction
Background
2 Aack Details and Results
Aack 1: Lying about the Delay Aack 2: Lazy Opt-Ack Aack 3: Opt-Ack
3 Countermeasures
Randomly Skipped Packets
4 Conclusions
21 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Countermeasures | Randomly Skipped Packets
..
Idea
. A sender randomly skips packets and checks if the receivers acknowledge those packets. Countermeasure only against the lazy opt-ack and opt-ack aack This countermeasure will reduce the performance a lile bit
22 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Countermeasures | Randomly Skipped Packets
. . . 5 . 10 . 15 . 20 . 25 . 10 . 20 . 30 . 40 . Time (s) . Bandwidth in Mbps . . .
uTP without Countermeasure
. .
uTP with Countermeasure
23 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Conclusions
1 Introduction
Background
2 Aack Details and Results
Aack 1: Lying about the Delay Aack 2: Lazy Opt-Ack Aack 3: Opt-Ack
3 Countermeasures
Randomly Skipped Packets
4 Conclusions
24 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Conclusions
e main contributions of our paper are: Proposed the following three aacks against the novel uTP:
delay aack lazy optimistic aack
Shown a detail evaluation and shown the severity of those aacks Presented a countermeasure against those aacks
25 / 26
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver | Conclusions
florian@adamsky.it http://florian.adamsky.it
Institutions:
26 / 26
. . . 20 . 40 . 60 . 80 . 100 . 120 . 140 . 160 . 180 . 200 . 0.85 . 0.9 . 0.95 . 1 . 1.05 . Packets . delay_factor . . . Without Aack . . With Aack
. . . 5 . 10 . 15 . 20 . 25 . 30 . 35 . 40 . 45 . . 10 . 20 . 30 . 40 . 50 . 60 . Delay in ms with 5ms Variance . Bandwidth in Mbit/s . . . uTP without aack . . uTP with aack
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver
1
uint m = 0; // SACK bitmask
3
for (size_t i = 0; i < window; i++) {
4
if (inbuf.get(ack_nr + i + 2) != NULL) {
5
m |= 1 << i;
6
}
7
}
3 / 7
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver
1
uint m = UINT_MAX; // SACK bitmask
3
for (size_t i = 0; i < window; i++) {
4
if (inbuf.get(ack_nr + i + 2) != NULL) {
5
m |= 1 << i;
6
}
7
}
4 / 7
. . . 10 . 20 . 30 . 40 . 50 . 60 . 70 . 0 . 2,000 . 4,000 . 6,000 . Time (s) . Packets per Second . . .
Constant UDP Stream
. .
Normal uTP Transfer
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver
. . . 10 . 20 . 30 . 40 . 50 . 60 . 0 . 2,000 . 4,000 . 6,000 . Time (s) . Packets per Second . . .
Constant UDP Stream
. .
Lazy Opt-ACK Aack
6 / 7
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver
. . . 10 . 20 . 30 . 40 . 50 . 60 . 0 . 2,000 . 4,000 . 6,000 . Time (s) . Packets per Second . . .
Constant UDP Stream
. .
Opt-ACK Aack
7 / 7