JP4481780B2 - Method and apparatus for protecting against SYN packet bandwidth attack on TCP server - Google Patents

Description

  The present invention relates generally to the field of Internet security, and more particularly to the problem of defending against some form of denial of service (DDoS) attack known as SYN bandwidth attack.

  A denial of service (DDoS) attack disrupts service when limited server resources are allocated to an attack on behalf of a legitimate user. A distributed denial of service (DDoS) attack initiates a consolidated DoS attack from a geographically different Internet node to a victim. The attacking machine is usually a compromised zombie machine controlled by a remote master. Resources under normal attacks include link bandwidth, server memory and CPU time. Distributed DoS attacks are more powerful due to the centralized effect of translating traffic, especially when the attacker has internal information on the network topology. “TCP SYP flood”, “smurf IP going”, and bandwidth attacks on the root name server are all examples of such attacks that were previously deployed (each of these attacks Well-known to vendors). In practice, however, it has been reported that there are many more such attacks than previously known.

There are many approaches to improve server operating systems to resist resource depletion. Some approaches have considered better network protocol design principles to protect the server from attacks on stateful handshake protocols (well known to those skilled in the art). IP trace back is another well-known approach, a network-wide integrated effort that follows the attacking packet and returns to its source. However, such an approach clearly requires network-wide collaboration and harmonization.

  In addition, DDoS attack tools may tend to mutate and evolve over time. For example, with wider deployment of egress filtering, attackers utilize doors (eg, TCP, DNS) that remain unquestionably almost open. The sign of the attack can be changed or disappeared to avoid detection. Therefore, it is likely that advanced future attacks will hardly be distinguished from legitimate ones. Thus, an approach based solely on filtering for the problem is not only ineffective but also inadequate. A lot of false certainty will bring the investigation back to the drawing board for new heuristic studies.

  A certain type of DDoS attack on a TCP server can be initiated by continuously creating new TCP connections to the target server until its limited resources are exhausted, thus Prevent service requests from legitimate users. (As is well known to those skilled in the art, TCP is a well-known standard transmission control protocol defense unit. For example, the “Transmission Control Protocol” prepared for the Defense Advanced Research Projects Agency by the Information Sciences Institute. "J. Postel, editor, Request for Comments (RFC) 793, September 1981, see" www.faqs.org/rfcs/rfc793.html ", which is fully presented herein. As such, it is incorporated herein by reference.) In particular, such attacks are known as “SYN attacks”. This is because they consist of a mere full of initial SYN packets that are sent to initiate a new TCP connection. (SYN packets are connection request packets that are well known to those skilled in the art. They are defined and described, for example, in the RFC 793 TCP standard referenced above.)

More specifically, each TCP connection begins with a SYN packet, as is well known to those skilled in the art. The TCP server must respond to each valid SYN request with SYN, ACK, and retransmit if necessary. (ACK packets are acknowledge packets that are fully known to those skilled in the art and are also defined and described in RFC 793.) SYN packets penetrate a temporary firewall without any previous state in the packet. The SYN packet also causes the server and firewall to allocate resources in preparation for a new connection. As a result, they are the first potential vehicles to initiate a denial of service attack.
Patent Provisional Application No. 60 / 497,886 “Transmission Control Protocol”, J., prepared for the Defense Advanced Research Projects Agency by Information Sciences Institute. Postel, editor, Request for Comments (RFC) 793, September 1981, “www.fars.org/rfcs/erc793.html”

  In fact, there are two different forms of SYN attacks. SYN state attack and SYN bandwidth attack. A SYN state attack attempts to overwhelm the TCP server by sending a connection request SYN packet without completing the rest of the handshake, eventually causing the "backlog queue" on the server to overflow, thereby denying service Is a legitimate request. (As is well known to those skilled in the art, TCP connections are established via a three-way handshake, and incomplete connections are generally held in the par listener queue. However, there are at least two solutions that allow a TCP server to defend against a SYN state attack by itself, and one solution is used for incomplete connections. The other solution is to completely eliminate any memory usage.

  However, another form of SYN attack is a SYN bandwidth attack. SYN bandwidth attacks are more difficult to handle “downstream” (ie, at the TCP server under attack). Note that a typical SYN packet is only 64 bytes long. Such a burst of minimum size packets therefore causes live locks on the server. (As is well known to those skilled in the art, “live rock” refers to two or more processes that respond to changes in one or more other processes without performing any useful operation. (Ie, a situation that occurs when the state of the server is continuously changed.) That is, a deadly attack may consist of simply blasting the server's ingress link with many such small packets. Many optimizations exist to avoid receiver livelock, but in general, bandwidth attacks have been dealt with up to now and only "upstream", i.e., before damage has been done to the server.

  The inventors have found that SYN bandwidth attacks intercept SYN packets in a “DDoS gateway” that is advantageously located at the edge of the network to be protected (eg, upstream a distance from the protected link). And recognize and then be able to be effectively handled "downstream" by queuing these intercepted SYN packets separately from other TCP packets in accordance with the principles of the present invention. did. In particular, according to an exemplary embodiment of the present invention, edge-per-flow queuing is advantageous to provide separation between different protocols and between individual TCP connections sharing a link. Is used in the DDoS gateway. (Per-flow queuing techniques are well known to those skilled in the art.)

  Further, in accordance with the principles of the present invention, SYN packets are queued separately from other TCP packets. The egress scheduler of the DDoS gateway then advantageously provides fair sharing for each non-empty queue (advantageously including a separate queue for SYN packets), thereby allowing SYN packets (eg, SYN To ensure that egress links in the presence of other packets cannot overwhelm (such as those generated as part of a bandwidth attack). Furthermore, such a scheduling scheme advantageously reduces the likelihood of interleaving 64 byte packets with larger data packets, thereby causing live blocking at the downstream TCP server.

  FIG. 1 shows a functional block diagram of a DDoS gateway incorporating a SYN bandwidth attack defense mechanism, according to an illustrative embodiment of the invention. The exemplary DDoS gateway is advantageously located upstream at a distance from the network edge, ie the link to be protected. In an exemplary gateway operation, packets arriving from the core are first routed by the dispatch module 11 to separate TCP packets from others. (Non-TCP packets are handled by the non-TCP module 12.) Data packets having a previous state at the gateway are stored in various queues that receive certain buffer management polices as determined by the inspection module 13. Can be done. However, the SYN packet does not require a previous state to be transferred and is therefore advantageously handled separately by the connection module 14. Data packets, SYN packets, and packets from non-TCP protocols are then scheduled to appear on links protected by the FlowQ module 15. With respect to the reverse direction, packets from the TCP server are inspected by the monitoring module 16 to provide stateful information for further handling of packets coming from the core. A SYN bandwidth attack defense mechanism as described in detail below, according to an exemplary embodiment of the present invention, may advantageously be incorporated into the FlowQ module 15.

  According to an exemplary embodiment of the invention, instead of blindly storing and passing SYN packets, an exponential spacing between adjacent SYN packets from the same connection is advantageously implemented. As with other retransmissions, the TCP protocol specifies that retransmissions for SYN packets follow the same exponential back-off time interval for data packets. Subsequent SYN packets that arrive before the current interval time, for example with an initial interval of 500 milliseconds, are advantageously dropped. Incomplete connections that last for an extended period of time are removed if they are not subsequently removed by a new connection request. The exemplary system further ensures that each incomplete connection has no more than one SYN packet in the queue. This removes the possibility that the egress link will be flooded with only a few incomplete connections.

In order to prevent randomly generated SYN packets from generating multiple states at the gateway and flooding the egress link, the total number of incomplete connections allowed in the exemplary system is advantageously: Set in proportion to the number of currently established connections, such as
P = M + c * N (1)
Where M and c are constants and N is the number of established connections in the system. A legitimate TCP connection request is almost certainly established. Therefore, the number of legitimate requests and the number of established connections are generally corrected close. The constant c can be set to a value 2, for example. M is the number of allowed requests that do not have an active connection in the system for head start. Illustratively, M = 100.

  According to an exemplary embodiment of the present invention, when a new SYN packet arrives without a previous state, a new state is assigned if the condition specified in equation (1) is maintained. Instead, the randomly selected state is removed. (Note that according to other exemplary embodiments of the present invention, aging can be used instead of random selection. However, random selection is preferred over aging because the system It is because it is more friendly to connections with long round trip times when it is actually under attack.) The connection is established from an incomplete state when a valid return ACK packet passes through Move to the specified state. Note that the time taken for the transition mainly depends on the round trip time between the server and the client. If a retransmitted SYN packet arrives, the exponential interval is examined. The received packet is queued in the FIFO buffer. If the packet buffer is not available, the packet buffer manager removes the packet from the system. See below for more details on buffer management.

  According to another exemplary embodiment of the present invention, a TCP handshake proxy is used that forwards the initial SYN packet and all server responses. The proxy performs a SYN retransmission on behalf of the client if necessary until the client returns a valid ACK or a connection timeout occurs. This proxy approach works well, but requires more connection state to be stored at the gateway for SYN retransmission and is more expensive to implement.

  Note that at the network edge, ingress links from the network core are usually faster than egress links towards the end customer network. Thus, an egress link may overflow if the ingress packet arrival rate is higher than the link capacity. However, as is well known to those skilled in the art, TCP is a congestion-aware transmission protocol that suppresses and returns the packet rate upon detection of congestion. As a result, malicious users can reduce their use of other legitimate TCP connections on the egress link without flooding the link significantly. This phenomenon occurs in the presence of connections driven by a concentrated TCP implementation, whether malicious or not.

  Therefore, fair scheduling and fair buffer management mechanisms are advantageously used according to exemplary embodiments of the present invention to protect legitimate TCP flows. In particular, the exemplary FlowQ module of FIG. 1 advantageously implements a fair scheduling and a fair dropping buffer management schema.

  In particular, according to this exemplary embodiment of the present invention, TCP data packets arriving from the core network and destined for the same output interface are first stored in the flow queue. According to this exemplary embodiment, a flow is defined as a single TCP connection identified by its source destination address and port number. (According to other exemplary embodiments of the present invention, a flow can be defined and a flow queue can be defined for each packet set and destination host pair belonging to a single source, for example, or simply. Implemented for each set of packets or source network from one source host.) The egress packet scheduler then advantageously manipulates these flow queues for instructed packet departures. The packet arrives at the input port and leaves the output port. The DDoS gateway of the exemplary embodiment of the present invention uses an output port buffering architecture. (Note that the term “port” is used herein to denote any physical network interface.)

The exemplary output port per flow queuing and buffer sharing architecture has two interfaces on each output port, namely the arrival side and the departure side. The arrival side can receive packets from the input port at a rate faster than the output port line speed, buffering and delaying the packet. The departure side provides multiple flows with queued packets. As a result, the buffer management policy adapted according to the exemplary embodiment of the present invention advantageously exhibits two distinct characteristics. That is,
(1) Fair scheduling at departure ensures that all competing flows are referred to by the same bandwidth resource.
(2) Fair dropping on arrival ensures that the flow does not use more buffers at the expense of others.

  It should be noted that some flows, along with an incorrect scheduling scheme, can get higher bandwidth even if they do not use more buffers than others. Also with incorrect buffer allocation, the flow may not have packets to send, even if the scheduling scheme is perfectly fair.

  Considering per-flow queuing, round robin scheduling is known to those skilled in the art as being “max mini” fair. Note also that bit-by-bit round robin scheduling can effectively approach the effect of variable packet length. A typical packet discard algorithm for per-flow queuing is simple. As long as there is a free buffer, all incoming packets are received. Without any free buffer, when the packet arrives, it buffers the most significant byte and drops the packet from the flow.

  In order to avoid unnecessary parsing (received packets are immediately replaced by the next arrival) and to prevent TCP flows from timing out due to small windows, When a long queue has only two packets, it is not advantageously dropped. Obviously, this limits the maximum number of flows to 1/2 of the total buffer size accommodated in the system.

  FIG. 2 shows an exemplary (conceptual) structural block diagram of the exemplary DDoS gateway of FIG. 1 for defense against SYN bandwidth attacks, according to an exemplary embodiment of the present invention. The exemplary gateway comprises a plurality of input (or ingress) ports 21-1 to 21-4 and a plurality of output ("egress") ports 22-1 to 22-3. In addition, the gateway comprises (multiple) N per-flow queues 23-1 to 23-N, as well as a SYN sequence 23-0 for exclusive use in queuing SYN packets. Each flow queue 23-1 to 23-N is used to queue TCP associated with a different TCP connection (ie, flow), while the SYN queue 23-0 holds only SYN packets. In operation, a round robin fair scheduling approach is advantageously used, and packets from each (N + 1) queue are then processed. Thus, a SYN bandwidth attack that may fill SYN queue 23-0 does not significantly interfere with scheduling and transmission of packets from other (N) queues.

  FIG. 3 shows a flowchart of the operation of the example gateway of FIG. 1 for use in defense against SYN bandwidth attacks, according to an example embodiment of the invention. The exemplary gateway operation begins by receiving a TCP packet from one input port (block 31) and determines whether it is a SYN packet (decision block 32). If it is a SYN packet, it is advantageously inserted into the SYN queue (block 33). If it is not a SYN packet, it is inserted into the appropriate flow queue (block 34). The packet is then scheduled for transmission based on a fair scheduling algorithm such as, for example, round robin scheduling (block 35). If there are other incoming packets to be queued (decision block 36), flow returns to block 31. Otherwise, the queued packet continues to be forwarded.

  As pointed out above, implementation of round robin scheduling is well known to those skilled in the art. It is also well known to drop packets from the longest flow (eg, the largest queued packet or the flow with the largest queued byte) (when necessary). However, according to a preferred exemplary embodiment of the present invention, the flow is advantageously measured exemplarily with respect to the number of packets or with respect to the number of bytes, using a certain amount of operation per packet. They are classified based on their possible queue lengths.

  In particular, according to an exemplary embodiment of the present invention, it is assumed that all packets are the same size. In other words, assume that the queue length is measured in units of packets (rather than bytes). The exemplary system advantageously maintains a chain of lists. Each sublist includes all flows having the same queue length. These sublists are then stored according to queue length in descending order. Note that initially all lists are empty because all flows have an empty queue.

When a packet for flow _i arrives with an available free buffer, it is accepted and put into a flow _i queue with length Q _i . Thus, the queue length increases to Q _i +1. The system removes the flow _i from the current sub-list SL _{(Q i),} attached to the sub-list SL _(Q i +1). This sub-list should be any one item away from SL (Q _i ) because they vary by exactly one packet, or the flow has a queue length of Q _i +1 before arrival It doesn't exist if it doesn't exist. In the latter case, the system simply creates a list and inserts it before SL (Q _i ). Note that in both cases, it is not necessary to scan the entire list to maintain the ordered master list.

FIG. 4 shows an illustrative example of such a queuing operation, according to an illustrative embodiment of the invention. FIG. 4A shows the queue structure before arrival of a new packet for flow ₂ , and FIG. 4B shows the queue structure modified after arrival of a given packet. As a result of the added packet, flow ₂ is advantageously removed from SL (Q = 4) and inserted into SL (Q = 5).

When a packet for flow _i is scheduled and departed, it is removed from the flow _i queue with length Q _i . Thereby, the queue length is reduced to Q _i −1. The exemplary system removes flow _i from its current sublist SL (Q _i ) and then attacks it at the beginning of sublist SL (Q _i −1) if Q _i > 1. Note that SL (Q _i -1) is advantageously formed if necessary. The old sublist SL (Q _i ) is advantageously removed and deleted if it is empty. Again, a linear scan is not necessary.

FIG. 5 shows an illustrative example of such a queue entry removal operation, according to an illustrative embodiment of the invention. FIG. 5A shows the queue structure before departure of packets scheduled from flow ₂ , and FIG. 5B shows the queue structure modified after departure of a given packet. Note that the removal of the packet, flow ₂ , is advantageously removed from SL (Q = 5) and inserted into SL (Q = 4).

When a packet for flow _i arrives at the filled buffer, flow _j with the longest queue length can be found from the first sublist in the stored master list. The exemplary system purges packets from flow _j if i ≠ j and receives incoming packets. Instead, arriving packets are advantageously dropped. Note that the operations associated with purging packets are the same as those used for scheduling packets for departure.

According to another exemplary embodiment of the present invention, where the packet may be variable length, the sequence length has units of bytes, and each sublist has the same value of [Q _i / MTU] Where MTU is the maximum packet size and [] represents the mathematical upper bound function. Similar operations are performed on arrival and departure. When flow _i with Q _i is added to SL [Q _i / MTU], if (Q _i modulo MTU) <MTU / 2, it is advantageously attached and instead attached to the start. . This ensures that the classification of errors in the sublist is less than MTU / 2. The arrival or departure of a small packet does not move the flow to an adjacent sublist, but is instead attached at the start depending on whether the updated key length crosses the MTU / 2 boundary or Note that they can be attached to the same sublist.

Addition to Detailed Description It should be noted that all of the above discussion is merely illustrative of the general principles of the present invention. While not explicitly described and shown herein, it is understood that various other configurations may be devised that embody the principles of the invention and are within the spirit and scope of the invention. The Furthermore, all examples and conditions expressed in this specification are intended for educational purposes to help understand the concepts provided by the inventor to further advance the principles and techniques of the invention. It is intended to be expressed solely as such and is not to be construed as limiting the examples and conditions specifically identified as such. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to include structural and functional equivalents thereof. Such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any element developed that performs a similar function regardless of structure.

  Thus, for example, any flowcharts, flow diagrams, state transition diagrams, pseudocode, etc. represent various processes, which may or may not substantially represent such a computer or processor explicitly. Those skilled in the art will recognize that they can be represented on a computer-readable medium and can be so performed by a computer or processor. Thus, for example, blocks shown in such flowcharts can be understood as representing possible physical elements, which identify special functions, such as described in flowchart blocks, for example. Can be expressed in the present claims as a means to do this. Further, such flowchart blocks can also be understood as representing physical signals or stored physical data that can be included in the aforementioned computer-readable media, such as, for example, disks or semiconductor storage devices.

FIG. 3 shows a functional block diagram of a DDoS gateway incorporating a defense mechanism against SYN bandwidth attacks according to an exemplary embodiment of the present invention. 2 shows an exemplary (conceptual) structural block diagram of the exemplary DDoS gateway of FIG. 1 for defense against SYN bandwidth attacks, in accordance with an exemplary embodiment of the present invention. FIG. 2 shows a flowchart of the operation of the exemplary DDoS gateway of FIG. 1 for use in defense against SYN bandwidth attacks, according to an exemplary embodiment of the present invention. 4 illustrates an exemplary example of a queuing operation according to an exemplary embodiment of the present invention. FIG. 4A shows a queue structure before arrival of a new packet, and FIG. 4B shows a queue structure modified after arrival of a predetermined packet. 6 illustrates an exemplary example of a queue entry removal operation according to an exemplary embodiment of the present invention. FIG. 5A shows the queue structure before departure of a scheduled packet, and FIG. 5B shows the queue structure modified after departure of a given packet.

Claims (10)

A method of distributing TCP packets in a network with use of a gateway, the gateway comprising one or more input ports, one or more output ports, and a plurality of queues, wherein at least one of the plurality of queues is: Designated as a SYN queue, the method comprising:
Receiving a TCP packet from one of the input ports;
Determining whether the TCP packet is a SYN packet;
If it is a SYN packet, inserting the TCP packet into one of the SYN queues;
If it is not a SYN packet, inserting the TCP packet into one of the plurality of queues that is not one of the SYN queues;
Scheduling the TCP packet for transmission via one of the output ports based on a fair scheduling algorithm.   The method of claim 1, wherein the fair scheduling algorithm comprises a round robin scheduling algorithm.   The method of claim 1, wherein the plurality of queues that are not one of the SYN queues include a per flow queue, and each per flow queue storing TCP packets is associated with a separate TCP connection flow. .   Each of the plurality of queues that are not one of the SYN queues has a queue length associated therewith, and the step of inserting the TCP packet into one of the plurality of queues that is not one of the SYN queues The method of claim 1, comprising maintaining the plurality of queues that are not one of the SYN queues as a chain of queue sub-lists stored according to the queue lengths associated with them. The SYN queue one is each of the plurality of queues is not the method of claim 1 which have a queue length associated therewith.   The method of claim 1, further comprising removing a previously inserted SYN packet from one of the SYN queues if the TCP packet is a SYN packet and the SYN queue is full.   If the TCP packet is not a SYN packet and the plurality of queues that are not SYN queues are full, the TCP inserted before being not a SYN packet from one of the plurality of queues that is not one of the SYN queues The method of claim 1, further comprising removing the packet.   The method of claim 7, wherein the previously inserted TCP packet is removed from a maximum queue of the plurality of queues that is not one of the SYN queues.   The SYN queue has a capacity associated with it, the capacity provides the maximum number of incomplete connections allowed, and multiple queues that are not SYN queues have an established number of connections associated with them. The method of claim 1, wherein the maximum number of incomplete connections allowed and is mathematically proportional to the number of established connections. A network gateway for distributing TCP packets in a network, the gateway comprising one or more input ports, one or more output ports, and a plurality of queues, wherein at least one of the plurality of queues is a SYN queue The gateway further comprises a processor, the processor comprising:
Receiving a TCP packet from one of the input ports;
Determining whether the TCP packet is a SYN packet;
If it is a SYN packet, insert the TCP packet into one of the SYN queues;
If it is not a SYN packet, the TCP packet is inserted into one of the plurality of queues that is not one of the SYN queues and transmitted through one of the output ports based on a fair scheduling algorithm A network gateway configured to schedule the TCP packet for the purpose.

Images