REVIEW: TCP Congestion Control with a Misbehaving Receiver

From: Nilton Bila <nilton_REMOVE_THIS_FROM_EMAIL_FIRST_at_cs.toronto.edu>
Date: Mon, 31 Oct 2005 09:38:40 -0500

SUMMARY
The paper explores vulnerabilities in the congestion control mechanisms of
TCP which arise when the receiver misbehaves, leading the sender to
transmit arbitrarily fast. It identifies three vulnerabilities in the
protocol:
 - ACK division - TCP assumes each ACK it receives covers a segment it
sent, so multiple ACKs for portions of a single segment lead the sender to
increase its congestion window (cwnd) several times.
 - DupACK spoofing - cwnd is incremented by SMSS whenever the sender
receives a duplicate ACK (once it has entered fast recovery), so a stream of
spoofed duplicate ACKs artificially inflates cwnd. The sender cannot
distinguish valid from spoofed ACKs.
 - Optimistic ACKing - because TCP congestion window growth is a function of
RTT, the receiver can fake shorter RTTs by ACKing packets it has not yet
received, forcing the sender to increase cwnd. If the sender receives ACKs
for packets it has not sent, it ignores them, allowing the receiver to be
arbitrarily aggressive, concealing losses and leading the sender to
overwhelm the network.

The paper also proposes simple yet effective solutions whereby small
modifications to TCP can eliminate these weaknesses.

It is a remarkable paper in that it points out a less obvious source of
TCP vulnerability, at a time when the literature had addressed
vulnerabilities arising from sender misbehaviour.

KEY STRENGTHS
The paper shows how easy it is to implement such exploits in the receiver,
and that the receiver has an incentive to do so, as doing so increases the
transfer rate it receives, at the cost of others. The implementation of ACK
division, DupACK spoofing and Optimistic ACKing required adding only 24,
11 and 45 lines of code, respectively, to the Linux kernel. Furthermore, it
argues, because of the open source nature of such systems, anyone has
access to the implementation of the TCP stack and can apply these
modifications.

In the paper, such modifications were implemented as TCP Daytona. Using
TCP Daytona, it was shown convincingly that ACK division and DupACK
spoofing really work, by convincing a real-world server (cnn.com) to send
all of its data in a single burst. The Optimistic ACK attack also works, as
the server sends packets early.
The authors further tested the effectiveness of such attacks and found
that all of 9 popular operating systems were vulnerable to most of the
attacks, with very few exceptions.

The paper also proposes very simple, yet effective solutions:
either increasing cwnd with byte granularity, or only increasing it after a
whole segment is ACKed, prevents ACK division.
By adding random nonces generated by the sender to TCP packets, which
uniquely identify their segment, Duplicate ACK spoofing can be prevented. By
maintaining a nonce sum at the sender and receiver, Optimistic ACKs can be
prevented. These require changes to both clients and servers.

To mitigate the vulnerabilities without modifying clients, the paper
also provides alternatives: the sender can limit the number of duplicate
ACKs it counts to cwnd - SMSS, and the sender can vary the segment size,
preventing optimistic ACKs.
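The ACK division vulnerability and the byte-granularity fix described above, as an added simulation that is not from the paper or the reviewer: it models a sender's slow-start cwnd accounting under the naive per-ACK rule and under the hardened rule that grows cwnd only per whole segment's worth of newly acknowledged bytes. The SMSS value and the ACK sequences are constructed for the example.

```python
# Added example (not the paper's TCP Daytona code nor the reviewer's): a
# sender-side simulation of slow-start cwnd accounting. The naive policy grows
# cwnd by one SMSS for every ACK that advances snd.una, which is exactly what
# ACK division abuses; the hardened policy counts acknowledged bytes and grows
# cwnd only per full segment of new data (the byte-granularity fix).

SMSS = 1460  # sender maximum segment size in bytes (constructed value)


def cwnd_after_acks(acks, hardened, smss=SMSS, initial_cwnd=SMSS):
    """Return cwnd in bytes after processing cumulative ACK numbers in order.

    Only slow start is modelled (no loss, no fast retransmit), since that is
    where ACK division does its damage.
    """
    cwnd = initial_cwnd
    snd_una = 0       # highest cumulatively acknowledged byte so far
    acked_credit = 0  # new bytes acked but not yet "spent" on a cwnd increase
    for ack in acks:
        newly_acked = ack - snd_una
        if newly_acked <= 0:
            continue  # duplicate or stale ACK: never grows cwnd in slow start
        snd_una = ack
        if not hardened:
            cwnd += smss  # per-ACK growth: four split ACKs give four increases
        else:
            acked_credit += newly_acked
            while acked_credit >= smss:  # one increase per whole segment acked
                acked_credit -= smss
                cwnd += smss
    return cwnd


def split_acks(segment_end, pieces):
    """Constructed receiver behaviour: acknowledge one segment ending at byte
    `segment_end` with `pieces` cumulative ACKs instead of a single one."""
    step = segment_end // pieces
    return [step * i for i in range(1, pieces)] + [segment_end]


if __name__ == "__main__":
    honest = [SMSS]                # one ACK for one full segment
    divided = split_acks(SMSS, 4)  # the same segment acknowledged in quarters
    for name, acks in (("honest", honest), ("divided", divided)):
        print(f"{name:8s} naive cwnd={cwnd_after_acks(acks, False)} "
              f"hardened cwnd={cwnd_after_acks(acks, True)}")
```

With the hardened accounting the divided and honest ACK streams leave cwnd identical, and a single ACK covering two segments (as a delayed ACK does) is credited for both, which the per-ACK rule under-counts.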

WEAKNESSES
Although it was identified that clients have an incentive to misbehave in
all cases, the paper only provides a measure to discourage Optimistic
ACKing, by sending RSTs. Secondly, the fact that the proposed solutions
require modifications to the TCP stack at both the client and the server
constitutes a detriment to their widespread deployment.

ADDITIONAL COMMENTS
Although simple solutions are provided, for the reasons above their
deployment has not been visible. These policies will only be enforced when
clients start exploiting these weaknesses widely.
Received on Mon Oct 31 2005 - 09:38:50 EST