Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.

Published byEvangeline Kelly Nelson Modified over 10 years ago

Similar presentations

Presentation on theme: "Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July."— Presentation transcript:

1 Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July. 11, 2003 Presented by Yang, Sookhyun Proceedings of IEEE Symposium on Security and Privacy (1997)

2 2/17 Contents  Introduction  Background  SYN Flooding Attack  Solutions  Synkill  Performance of Synkill  Conclusion

3 3/17 Introduction  SYN flooding attack Network-based denial of service attack for IP (Internet protocol) Network-based denial of service attack for IP (Internet protocol) Exploit weakness in TCP/IP (Transmission Control Protocol / Internet Protocol) Exploit weakness in TCP/IP (Transmission Control Protocol / Internet Protocol)  Active monitoring tool Classify IP source address being falsified or genuine Classify IP source address being falsified or genuine Find connection establishment protocol messages coming from forged IP address Find connection establishment protocol messages coming from forged IP address Reset illegitimate half-open connections Reset illegitimate half-open connections

4 4/17 Li S D LISTEN Fig 1. Three-way handshake Background  Connection establishment process of TCP Three-way handshake Three-way handshake SYN x (Synchronize sequence number)SYN x (Synchronize sequence number) SYN y, ACK x+ 1 (Acknowledgement)SYN y, ACK x+ 1 (Acknowledgement) ACK y+ 1, dataACK y+ 1, data Sequence number initialization Sequence number initialization  Backlog queue of TCP Require allocation of memory Require allocation of memory resources during TCP connection resources during TCP connection establishment establishment Allocated by both endpoints for Allocated by both endpoints for information related with connection information related with connection SYN y, ACK x+ 1 ACK y+ 1, data SYN_RECVD CONNECTED SYN x Resource allocation Half-open connection & Connection timer start

5 5/17 SYN Flooding Attack  Exploited TCP/IP vulnerabilities Do not exploit weak authentication Do not exploit weak authentication Require for allocation of resources out of limited pool Require for allocation of resources out of limited pool  System under attack Li Attacker Victim LISTEN Fig 2. System under SYN flooding attack SYN_RECVD Port flooding SYN+ACK Unreachable Backlog queue Unreachable & spoofed SYN … …

6 6/17 Solutions (1/5)  Configuration optimization System configuration improvements System configuration improvements Defend against exhaustion of resourceDefend against exhaustion of resource Reduce timeout period Reduce timeout period Increase the length of backlog queue Increase the length of backlog queue Disable non-essential services Disable non-essential services DrawbackDrawback Deny legitimate packet Deny legitimate packet Increase resource usage Increase resource usage Router configuration improvements Router configuration improvements Limit range of address spoofed by attackerLimit range of address spoofed by attacker DrawbackDrawback Effective only if taken in large scale Effective only if taken in large scale router … Internal network packet with internal address packet with external address External network

7 7/17 Solutions (2/5)  Infrastructure improvements Router configuration can be improved Router configuration can be improved Address spaces reachable over their various interfaces are disjoint and well-definedAddress spaces reachable over their various interfaces are disjoint and well-defined Address prefixes separate inside and outsideAddress prefixes separate inside and outside Practical problems Practical problems Cannot make a clear distinction between inbound and outbound traffic in large backbone networks with complex topologyCannot make a clear distinction between inbound and outbound traffic in large backbone networks with complex topology

8 8/17 Solution (3/5)  Connection establishment improvements Remove requirement of resource allocation Remove requirement of resource allocation Calculate ISS (initial send sequence) of destination as hash value Calculate ISS (initial send sequence) of destination as hash value Hash value (y : ISS of destination) Hash value (y : ISS of destination) Drawback Drawback Require the modification of TCP standard and consequently every TCP implementationRequire the modification of TCP standard and consequently every TCP implementation Source IP address Destination IP address Port Source’s ISS Destination’s secret key Message H y Second message : SYNy, ACKx+ 1 Source IP address Destination IP address Port Source’s ISS Destination’s secret key Message H Third message : ACKy+ 1 y’ compare

9 9/17 Solution (4/5)  Firewall approach Firewall as a relay Firewall as a relay Receive packets for internal host on its behalfReceive packets for internal host on its behalf DrawbackDrawback Delay Delay Li A D Firewall SYN SYN+ACK ACK SYN SYN+ACK ACK Data Li A D Firewall SYN SYN+ACK Fig 3. Attacker scenarioFig 4. Legitimate connection Sequence Number conversion

10 10/17 Solution (5/5)  Firewall approach (cont’d) Firewall as a semi-transparent gateway Firewall as a semi-transparent gateway DrawbackDrawback Waste a large number of illegitimate open connections at the destination if it is under attack Waste a large number of illegitimate open connections at the destination if it is under attack Li A D Firewall SYN SYN+ACK ACK RST Timeout Li A D Firewall SYN SYN+ACK ACK Data Fig 5. Attacker scenario Fig 6. Legitimate connection

11 11/17 Synkill (1/2)  Active monitor Active : generate TCP packets and inject them into the network Active : generate TCP packets and inject them into the network Monitor : read and examine all TCP packets on the LAN Monitor : read and examine all TCP packets on the LAN  Algorithm TCP packet processing TCP packet processing Source IP address prefilteringSource IP address prefiltering Decision process based on eventsDecision process based on events Observed TCP packets Observed TCP packets Timer events Timer events Administrative commands Administrative commands Classification of source IP address Classification of source IP address Based on observed network traffic and administratively supplied inputBased on observed network traffic and administratively supplied input null, good, new, bad null, good, new, bad perfect, evil perfect, evil

12 12/17 Synkill (2/2)  Algorithm (cont’d) Actions Actions Send RST packet for bad or evil stateSend RST packet for bad or evil state Generate ACK packetGenerate ACK packet Fig 7. Attack scenario SYN A Synkill D LISTEN SYN+ACK RST SYN_RECVD CLOSED Resource release A Synkill D LISTEN SYN SYN+ACKSYN_RECVD ACK CONNETED ACK Fig 8. Normal access scenario A Synkill D LISTEN SYN SYN+ACK SYN_RECVD ACK RST Expiry CONNETED CLOSED A Synkill D LISTEN SYN SYN+ACK SYN_RECVD ACK CONNETED ACK RST CLOSED Too late RST Expiry

13 13/17 Establishment of Experiments  Experimental configuration  Two metrics of experiments Evaluate how many connection establishments can succeed under attack during time interval using S2 Evaluate how many connection establishments can succeed under attack during time interval using S2 Environment of S2Environment of S2 SUN Sparc Ultra 1 workstations, 32MB of RAM, Solaris 2.5.1 SUN Sparc Ultra 1 workstations, 32MB of RAM, Solaris 2.5.1 Success rate = ( # of successful connections ) / ( # of tried connections )Success rate = ( # of successful connections ) / ( # of tried connections ) Average delay for successful connectionsAverage delay for successful connections Delay : time required for establishing a successful connection Delay : time required for establishing a successful connection A S1S1 G MDS2S2 Attacker Source GatewayMonitor Destination Source Synkill 1 per 2s => 750 25 Performance of Synkill (1) Fig 9. Experimental configuration

14 14/17 Test Case  Test case for Attacker Performance of Synkill (2) Table 1. Summary of test cases Fig 10. Process growth for the attack in case 6

15 15/17 Evaluation Result  Test case 1 & Test case 2  Test case 3 & Test case 4 : single address Performance of Synkill (3)

16 16/17 Evaluation Result (cont’d)  Test case 5 : 20 addresses  Test case 6 : random addresses Performance of Synkill (4)

17 17/17 Conclusion  Contribute a detailed analysis of the SYN flooding attack  Discuss existing and proposed counterexamples  Introduce Active Monitor “Synkill” Do not require any special hardware, operating systems, network stacks Do not require any special hardware, operating systems, network stacks Do not need modification in the protected end systems Do not need modification in the protected end systems Highly portable, extensible and easily configurable Highly portable, extensible and easily configurable

Download ppt "Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
Analysis of a DOS attack on TCP

Analysis of a DOS attack on TCP
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.

CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
FLAME: A Flow-level Anomaly Modeling Engine

FLAME: A Flow-level Anomaly Modeling Engine
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Defensive Measures for DDoS By Farhan Mirza. Contents Survey Topics Survey Topics Introduction Introduction Common Target of DoS Attacks Common Target.

Defensive Measures for DDoS By Farhan Mirza. Contents Survey Topics Survey Topics Introduction Introduction Common Target of DoS Attacks Common Target.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

Similar presentations

Ads by Google