Echo Cookie TCP Option. Bob Briscoe, Nov 2014. Bob Briscoe's work is part-funded by the European Community under its Seventh Framework Programme through the Trilogy 2 project.

Presentation transcript:

Slide 1: Echo Cookie TCP Option
Bob Briscoe, Nov 2014
Bob Briscoe's work is part-funded by the European Community under its Seventh Framework Programme through the Trilogy 2 project (ICT )

Slide 2: status
© British Telecommunications plc
- draft-briscoe-tcpm-echo-cookie-00, initial individual draft
- arose from SYN-option-space extension work, but orthogonal, so separated out as a focused draft
- all SYN-option-space extensions need something like this
- replaces the tcpcrypt SYNCOOKIE/ACKCOOKIE suboptions

Slide 3: problem
- a SYN flood exhausts the TCP server's pending connection state while the SYN/ACK is checking the validity of the source address
- SYN cookies and friends store the server's connection state in flight, not in memory
  - still needed (despite some thinking that server configuration is sufficient)
- but... a further problem:
  - 15 bits of cookie space embedded in the 16b initial sequence number (ISN) and the 9 least significant bits of the timestamp (if supported)
  - only enough for a degraded max segment size, window scale & SACK-ok, plus some scope for the server to infer other options it negotiated
  - with more, larger options on the SYN: not enough space
  - with a SYN extension: really not enough space
- a SYN flood becomes either a connection-state or an option denial attack
[slide figure: SYN exchange between client C and server S; not recoverable from the transcript]

Slide 4: Echo Cookie TCP Option
- underlying the space problem: a SYN cookie is limited to fields that all TCP clients echo (ISN, TS)
- solution: a larger cookie jar
  - mandatory to implement with any new TCP option, and mandatory with extra SYN option space
  - i.e. other options implicitly signal client support for EchoCookie
- the EchoCookie option
  - if a host receives a cookie, it MUST reflect it back
  - the sender can choose its size and contents
  - a client MAY include a 2-octet EchoCookie flag option on the SYN, e.g. when using options that do not signal implicit support
- option format:

    Kind=EchoCookie | Len=X (X>1) | Cookie
         1B              1B         (X-2)B

Slide 5: security considerations (discuss on list pls)
- if the client negotiated state using a secured protocol, the cookie MUST be echoed with at least as strong security
- could it be used as a reflection attack?
  - SYN/ACK MUST NOT exceed the size of the SYN
  - no need to include data in the SYN within the cookie: the server not ACKing the data causes a retransmit anyway
  - a TFO cookie serves as proof that the source address is valid
  - server can/SHOULD rate-limit repeated and/or unresponsive source IPs?
  - server SHOULD only use it when under stress?
- mechanism the server uses to verify the returned cookie? no need to standardise?
- any other new attack vectors?
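The following is an added worked example, not code from the draft or from Bob Briscoe, covering slides 3 to 5 together: a server that keeps no pending-connection state because the options it negotiated on the SYN travel inside an EchoCookie option, a client that reflects the cookie unchanged, and the slide 5 guard that a SYN/ACK MUST NOT exceed the size of the SYN. Everything beyond the option's Kind/Len/Cookie layout is an assumption of this example: the option Kind (253, an experimental kind from RFC 4727, since the draft assigns none), the cookie contents (packed state, issue time, truncated HMAC-SHA256 tag keyed with a server secret and bound to the peer address) and the 64-second validity window. The draft itself leaves the verification mechanism to the server.

```python
"""Echo Cookie option on a stateless TCP server (added example, not the draft's code).
Assumed, not from the draft: option Kind 253 (experimental, RFC 4727); the cookie layout
state || issue-time || HMAC tag and the 64 s validity window are this example's own choices."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

ECHO_COOKIE_KIND = 253   # assumption: experimental option kind, not assigned by the draft
TCP_HDR_LEN = 20         # fixed TCP header length, before options
MAX_OPT_LEN = 40         # TCP option space is at most 40 octets
TAG_LEN = 8              # truncated HMAC-SHA256 tag (example choice)
COOKIE_WINDOW = 64       # seconds a cookie stays valid (example choice)
STATE_LEN, TS_LEN = 4, 4


def encode_echo_cookie(cookie: bytes) -> bytes:
    """Kind(1) | Len=X(1) | Cookie(X-2). X == 2 is the flag-only form a client may send on a SYN."""
    if 2 + len(cookie) > MAX_OPT_LEN:
        raise ValueError("cookie does not fit in TCP option space")
    return bytes([ECHO_COOKIE_KIND, 2 + len(cookie)]) + cookie


def parse_tcp_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TCP options field: EOL (0) ends it, NOP (1) has no length, everything else is TLV."""
    out, i = [], 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad option length")
        out.append((kind, blob[i + 2:i + length]))
        i += length
    return out


@dataclass(frozen=True)
class SynState:
    """Options negotiated on the SYN that the server must recover from the ACK."""
    mss: int
    wscale: int
    sack_ok: bool

    def pack(self) -> bytes:
        return struct.pack("!HBB", self.mss, self.wscale, int(self.sack_ok))

    @staticmethod
    def unpack(raw: bytes) -> "SynState":
        mss, wscale, sack = struct.unpack("!HBB", raw)
        return SynState(mss, wscale, bool(sack))


class StatelessServer:
    """Keeps no pending-connection state: everything rides inside the echo cookie."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def _tag(self, src_ip: str, src_port: int, body: bytes) -> bytes:
        # Bind the cookie to the peer address/port so one minted for one client is useless to another.
        msg = src_ip.encode() + struct.pack("!H", src_port) + body
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:TAG_LEN]

    def on_syn(self, src_ip: str, src_port: int, syn_len: int, state: SynState,
               now: Optional[int] = None) -> Optional[bytes]:
        """SYN/ACK options carrying the cookie, or None when the SYN/ACK would outgrow the SYN
        (the slide 5 reflection guard); the caller then falls back to a classic SYN cookie."""
        now = int(time.time()) if now is None else now
        body = state.pack() + struct.pack("!I", now)
        synack_opts = encode_echo_cookie(body + self._tag(src_ip, src_port, body))
        if TCP_HDR_LEN + len(synack_opts) > syn_len:
            return None
        return synack_opts

    def on_ack(self, src_ip: str, src_port: int, ack_opts: bytes,
               now: Optional[int] = None) -> Optional[SynState]:
        """Recover the negotiated state from the echoed cookie; None means drop the ACK."""
        now = int(time.time()) if now is None else now
        for kind, data in parse_tcp_options(ack_opts):
            if kind != ECHO_COOKIE_KIND or len(data) != STATE_LEN + TS_LEN + TAG_LEN:
                continue
            body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
            if not hmac.compare_digest(tag, self._tag(src_ip, src_port, body)):
                return None
            issued = struct.unpack("!I", body[STATE_LEN:])[0]
            if not 0 <= now - issued <= COOKIE_WINDOW:
                return None
            return SynState.unpack(body[:STATE_LEN])
        return None


def client_echo(synack_opts: bytes) -> bytes:
    """Client side of 'if a host receives a cookie, it MUST reflect it back': copy it unchanged."""
    return b"".join(encode_echo_cookie(data) for kind, data in parse_tcp_options(synack_opts)
                    if kind == ECHO_COOKIE_KIND)
```

Two points of the slides show up directly in the code. The cookie is 16 octets here, so the SYN/ACK carries 38 octets of header plus options: a typical SYN with MSS, window scale, SACK-ok and timestamps (about 40 octets) accommodates it, while a bare SYN of 24 octets makes on_syn return None rather than produce an answer larger than the request. And because the server alone mints and checks the cookie, the slide 5 question "mechanism server uses to verify returned cookie? no need to standardise?" is answered locally: any keyed MAC the server chooses works, as long as the client reflects the bytes untouched. The slide's rate-limiting of repeated or unresponsive sources sits outside this block.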

Slide 6: next steps
- security discussion pls
- applicability: solely SYN/ACK – ACK? solely server-client-server? any segment?
- intended status: proposed std?
- adoption?