Detecting Forged TCP Reset Packets Authors: Nicholas Weaver, Robin Sommer, Vern Paxon Presented by: Anuj Kalia, Shashank Gupta.

Slides:

Advertisements

Similar presentations

Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.

Advertisements

NETWORK COMPONENTS WEEK 9 SESSION 1 READING 1. A network consists of many components. We need to understand the purpose of these components.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

1 Agenda TMA2 Feedback TMA3 T821 Bock 2. 2 Packet Switching.

Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Firewalls and Intrusion Detection Systems

Measuring Packet Reordering NETREAD UC Berkeley George Porter Oct 4, 2002.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Detecting SYN-Flooding Attacks ＡａｒｏｎＢｅａｃｈＣＳ３９５ＮｅｔｗｏｒｋＳｅｃｕｒｉｔｙＳｐｒｉｎｇ２００４.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Transport Layer.

On the Difficulty of Scalably Detecting Network Attacks Kirill Levchenko with Ramamohan Paturi and George Varghese.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.

TCP: Software for Reliable Communication. Spring 2002Computer Networks Applications Internet: a Collection of Disparate Networks Different goals: Speed,

A Guide to major network components

Host Intrusion Prevention Systems & Beyond

Networking Components Christopher Biles LTEC Assignment 3.

Intrusion Detection Systems Present by Ali Fanian In the Name of Allah.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

FIREWALL Mạng máy tính nâng cao-V1.

Chapter 6: Packet Filtering

What is FORENSICS? Why do we need Network Forensics?

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.

Detecting Forged RSTs Weaver, Sommer, Paxson Detecting Forged TCP Reset Packets Nicholas Weaver Robin Sommer Vern Paxson.

ACM 511 Chapter 2. Communication Communicating the Messages The best approach is to divide the data into smaller, more manageable pieces to send over.

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) 2. Network Monitoring Metrics.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 8 TCP/IP Suite Error and Control Messages.

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 03 PHILLIPA GILL STONY BROOK UNIVERSITY, COMPUTER SCIENCE ACKS: SLIDES BASED ON MATERIAL FROM NICK WEAVER’S.

Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.

SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,

University of the Western Cape Chapter 12: The Transport Layer.

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.

Data and Computer Communications Chapter 10 – Circuit Switching and Packet Switching (Wide Area Networks)

SProbe: Another Tool for Measuring Bottleneck Link Bandwidth Stefan Saroiu P. Krishna Gummadi Steven Gribble University of Washington.

COP 4930 Computer Network Projects Summer C 2004 Prof. Roy B. Levow Lecture 3.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

CS551: End-to-End Packet Dynamics Paxon’99 Christos Papadopoulos (

2000 년 11 월 20 일 전북대학교 분산처리실험실 TCP Flow Control (nagle’s algorithm) 오 남 호 분산 처리 실험실

Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.

1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.

Chapter 24 Transport Control Protocol (TCP) Layer 4 protocol Responsible for reliable end-to-end transmission Provides illusion of reliable network to.

TCP Security Vulnerabilities Phil Cayton CSE

Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:

Connection Establishment and Termination. Tcpdump tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept.

FUNDAMENTALS OF NETWORKING

© Jörg Liebeherr (modified by Malathi Veeraraghavan) 1 Overview Formats, Data Transfer, etc. Connection Management.

An End-to-End Service Architecture r Provide assured service, premium service, and best effort service (RFC 2638) Assured service: provide reliable service.

Networking Components William Isakson LTEC 4550 October 7, 2012 Module 3.

An End-to-End Service Architecture r Provide assured service, premium service, and best effort service (RFC 2638) Assured service: provide reliable service.

TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).

Assignment 3 Jacob Seiz. Hub A hub provides a central access point for a network. Through multiple I/O ports a hub can connect multiple Ethernet devices.

Could SP-NAT Save the Internet?

The Great Firewall of China What is it and how does it work?

Port Scanning James Tate II

COMP2322 Lab 6 TCP Steven Lee Mar 29, 2017.

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

Monitoring Persistently Congested Internet Links

CS590B/690B Detecting network interference (Fall 2016)

Computer Data Security & Privacy

Muhammad Murtaza Yousaf, Michael Welzl

TCP-LP Distributed Algorithm for Low-Priority Data Transfer

Lecture 2: Overview of TCP/IP protocol

Lecture 3: Secure Network Architecture

Presentation transcript:

Detecting Forged TCP Reset Packets Authors: Nicholas Weaver, Robin Sommer, Vern Paxon Presented by: Anuj Kalia, Shashank Gupta

Abstract Network administrators enforce usage restrictions by terminating connections when deemed undesirable. This is usually achieved by injecting artificial TCP Reset packets into the network. By exploiting the out-of-band nature of injected packets, we can detect interference, and fingerprint the injection device.

Motivation To what degree can we detect when a network actively disrupts communication? Deployment of RST injectors: Great Firewall of China: terminates Internet connections deemed undesirable by the Chinese government. Restricting P2P traffic: practiced by multiple ISPs (Comcast), particularly to block bulk transfers such as those of BitTorrent.

Techniques used to block communication Assumption: A traffic monitor inspects TCP flows for violation of network policy, and instructs a connection terminator to stop identified flows. Difference compared to a traditional firewall: All flows are initially allowed through. ◦ Potential blocking decisions are taken later.

Techniques used to block communication Assumption: A traffic monitor inspects TCP flows for violation of network policy, and instructs a connection terminator to stop identified flows. Devices to terminate flows: Inline devices: the device ceases to forward packets associated with the flow: a performance bottleneck. Out of path devices are hence preferred.

Techniques used to block communication Out of path blocking methods 1. Instruct an in-path device, such as a router, to block the flow. 2. Inject forged TCP FIN packets, one in either direction. 3. Inject forged TCP RST packets, in one direction. The techniques discussed should work with all out-of- band flow termination because passive monitoring faces race conditions.

Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : a)The injector sees a data packet that triggers its decision to terminate the connection. After some time it sends out a fake RST packet. b)During this interval, more packets from the sender may pass the injector’s observation point. c)Receiver gets an RST packet with sequence number less than expected.

Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : seq no =42

Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : seq no=50

Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : RST, Seq no=42

Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 2. DATA_SEQ_RST: a)At the time RST is injected, further packets are already in flight, or will be sent soon: the sender is not yet shut down! b)The receiver will see data packets from the sender after it has received the RST.

Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 2. DATA_SEQ_RST 42 50

Detection Toolbox 3. RST_SEQ_CHANGE: a)By sending multiple RSTs with increasing sequence numbers, an injector increases the likelihood of getting one through. b)It faces the dilemma of having to pick a higher sequence number without knowing what the source will send. c)Look for a back to back pair of RST packets, where the 2 nd has a higher sequence number than the 1 st, and exceeds the current sequence number.

Experiments The detector was run by capturing traffic traces at: 1. ICSI (International Computer Science Institute) 2. UC Berkeley 3. Columbia University 4. George Mason University By correlating the characteristics of injected RST packets across datasets, a number of injectors were identified.

Results Sandvine RST injector: Comcast uses RST injection to manage P2P traffic, and their devices have been purchased from Sandvine. Fingerprint: Back to back pair of RST packets, for which the 2 nd one has a sequence number higher than the 1 st, and IPID increased by 1. Comcast injection alerts came in bursts: 10 on Feb 9 th, 23 on Feb 18 th etc. These burst correspond to excessive usage of P2P software by students.

Results BezeqInt injector: ◦ Always uses IPID ◦ Differing TTL ◦ Increments ACK number (?) IPID 256 injector Chinese Firewall injectors ◦ IPID 64 injector ◦ IPID -26 injector ◦ SEQ 1460 injector

QUESTIONS?