TY - GEN
T1 - aBBRate
T2 - 23rd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2020
AU - Peterson, Anthony
AU - Jero, Samuel
AU - Hoque, Endadul
AU - Choffnes, David
AU - Nita-Rotaru, Cristina
N1 - Publisher Copyright:
© 2020 by The USENIX Association. All Rights Reserved.
PY - 2020
Y1 - 2020
N2 - BBR is a new congestion control algorithm proposed by Google that builds a model of the network path consisting of its bottleneck bandwidth and RTT to govern its sending rate rather than packet loss (like CUBIC and many other popular congestion control algorithms). Loss-based congestion control has been shown to be vulnerable to acknowledgment manipulation attacks. However, no prior work has investigated how to design such attacks for BBR, nor how effective they are in practice. In this paper we systematically analyze the vulnerability of BBR to acknowledgement manipulation attacks. We create the first detailed BBR finite state machine and a novel algorithm for inferring its current BBR state at runtime by passively observing network traffic. We then adapt and apply a TCP fuzzer to the Linux TCP BBR v1.0 implementation. Our approach generated 30,297 attack strategies, of which 8,859 misled BBR about actual network conditions. From these, we identify 5 classes of attacks causing BBR to send faster, slower or stall. We also found that BBR is immune to acknowledgment burst, division and duplication attacks that were previously shown to be effective against loss-based congestion control such as TCP New Reno.
AB - BBR is a new congestion control algorithm proposed by Google that builds a model of the network path consisting of its bottleneck bandwidth and RTT to govern its sending rate rather than packet loss (like CUBIC and many other popular congestion control algorithms). Loss-based congestion control has been shown to be vulnerable to acknowledgment manipulation attacks. However, no prior work has investigated how to design such attacks for BBR, nor how effective they are in practice. In this paper we systematically analyze the vulnerability of BBR to acknowledgement manipulation attacks. We create the first detailed BBR finite state machine and a novel algorithm for inferring its current BBR state at runtime by passively observing network traffic. We then adapt and apply a TCP fuzzer to the Linux TCP BBR v1.0 implementation. Our approach generated 30,297 attack strategies, of which 8,859 misled BBR about actual network conditions. From these, we identify 5 classes of attacks causing BBR to send faster, slower or stall. We also found that BBR is immune to acknowledgment burst, division and duplication attacks that were previously shown to be effective against loss-based congestion control such as TCP New Reno.
UR - http://www.scopus.com/inward/record.url?scp=85100072209&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85100072209&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85100072209
T3 - RAID 2020 Proceedings - 23rd International Symposium on Research in Attacks, Intrusions and Defenses
SP - 225
EP - 240
BT - RAID 2020 Proceedings - 23rd International Symposium on Research in Attacks, Intrusions and Defenses
PB - USENIX Association
Y2 - 14 October 2020 through 16 October 2020
ER -