Published by Evangeline Kelly Nelson

Analysis of a Denial of Service Attack on TCP
Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni
Proceedings of the IEEE Symposium on Security and Privacy (1997)
Presented by Yang, Sookhyun, July 11, 2003
Contents
- Introduction
- Background
- SYN Flooding Attack
- Solutions
- Synkill
- Performance of Synkill
- Conclusion
Introduction
- SYN flooding attack
  - Network-based denial of service attack on IP (Internet Protocol)
  - Exploits a weakness in TCP/IP (Transmission Control Protocol / Internet Protocol)
- Active monitoring tool
  - Classifies each IP source address as falsified or genuine
  - Finds connection establishment protocol messages coming from forged IP addresses
  - Resets illegitimate half-open connections
Background
- Connection establishment process of TCP: three-way handshake
  - SYN x (synchronize sequence number)
  - SYN y, ACK x+1 (acknowledgement)
  - ACK y+1, data
  - Sequence number initialization
- Backlog queue of TCP
  - Requires allocation of memory resources during TCP connection establishment
  - Allocated by both endpoints for information related to the connection
Fig 1. Three-way handshake: source S sends SYN x to destination D, which is in LISTEN; D allocates resources, enters SYN_RECVD (half-open connection, connection timer started) and replies SYN y, ACK x+1; S answers ACK y+1 with data and D becomes CONNECTED.
SYN Flooding Attack
- Exploited TCP/IP vulnerabilities
  - Does not exploit weak authentication
  - Exploits the requirement to allocate resources out of a limited pool
- System under attack
Fig 2. System under SYN flooding attack: the attacker floods the victim's port with SYNs carrying spoofed, unreachable source addresses; the victim's SYN+ACK replies go to unreachable hosts, so half-open connections in SYN_RECVD fill the backlog queue.
Solutions (1/5): Configuration optimization
- System configuration improvements
  - Defend against exhaustion of resources
    - Reduce the timeout period
    - Increase the length of the backlog queue
    - Disable non-essential services
  - Drawbacks
    - Deny legitimate packets
    - Increase resource usage
- Router configuration improvements
  - Limit the range of addresses that an attacker can spoof
  - Drawback
    - Effective only if taken on a large scale
Figure: a router between the internal network and the external network; packets with internal addresses belong on the internal side, packets with external addresses on the external side.
Solutions (2/5): Infrastructure improvements
- Router configuration can be improved
  - Address spaces reachable over the router's various interfaces are disjoint and well-defined
  - Address prefixes separate inside from outside
- Practical problems
  - Cannot make a clear distinction between inbound and outbound traffic in large backbone networks with complex topology
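An added example (not from the slides or the paper) of the router rule the last two slides describe: each interface has a well-defined source address space, so a packet whose source does not belong to the interface it arrived on is dropped. Interface names and the documentation-range prefixes are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed prefixes of the hypothetical internal network; every other
# address is treated as "outside". Documentation ranges only.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

Packet = Tuple[str, str, str]  # (arriving interface, source IP, destination IP)

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)

def allowed_on_interface(iface: str, src: str) -> bool:
    """A packet is plausible only if its source belongs to the address space
    assigned to the interface it arrived on: internal sources on the inside
    interface, non-internal sources on the outside one. A SYN arriving from
    outside but claiming an inside source is the spoofing the attack relies on,
    so it is dropped; the reverse check limits what inside hosts can spoof."""
    if iface == "internal":
        return is_internal(src)
    if iface == "external":
        return not is_internal(src)
    raise ValueError(f"unknown interface {iface!r}")

def filter_packets(packets: List[Packet]):
    """Split packets into (passed, dropped) lists."""
    passed, dropped = [], []
    for pkt in packets:
        (passed if allowed_on_interface(pkt[0], pkt[1]) else dropped).append(pkt)
    return passed, dropped

# Constructed sample traffic as seen at the router.
SAMPLE: List[Packet] = [
    ("external", "198.51.100.7", "192.0.2.10"),   # genuine outside client
    ("external", "192.0.2.99", "192.0.2.10"),     # spoofed inside source from outside
    ("internal", "192.0.2.5", "198.51.100.7"),    # genuine outbound
    ("internal", "203.0.113.4", "198.51.100.7"),  # inside host spoofing an outside source
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("passed:", ok)
    print("dropped:", bad)
```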
Solutions (3/5): Connection establishment improvements
- Remove the requirement of resource allocation
  - Calculate the ISS (initial send sequence) of the destination as a hash value
  - Hash value y (ISS of destination) = H(source IP address, destination IP address, port, source's ISS, destination's secret key)
  - Second message: SYN y, ACK x+1
  - Third message: ACK y+1; the destination recomputes y' from the same fields and compares it with the acknowledged y
- Drawback
  - Requires modification of the TCP standard and consequently of every TCP implementation
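An added example (not from the paper) of the hash-derived ISS described on this slide: the destination computes y from the SYN's fields and its secret, allocates nothing while the connection is half-open, and on the third message recomputes y' and compares. HMAC-SHA256 truncated to 32 bits is this example's choice of H, and the secret and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF   # TCP sequence numbers are 32-bit

def iss_hash(src_ip: str, dst_ip: str, port: int, src_iss: int, secret: bytes) -> int:
    """y = H(source IP, destination IP, port, source's ISS, destination's secret),
    truncated to 32 bits. A keyed hash (HMAC-SHA256, chosen here) is used so that
    nobody without the secret can predict y."""
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!HI", port, src_iss & MASK32))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def make_synack(syn: dict, secret: bytes) -> dict:
    """Second message (SYN y, ACK x+1): y is derived from the SYN's fields, so
    the destination keeps no per-connection state while half-open."""
    y = iss_hash(syn["src"], syn["dst"], syn["port"], syn["seq"], secret)
    return {"seq": y, "ack": (syn["seq"] + 1) & MASK32}

def accept_ack(ack: dict, secret: bytes) -> bool:
    """Third message (ACK y+1): recover x from the packet (its seq is x+1),
    recompute y' from the same fields and the secret, and accept only if the
    acknowledged number equals y'+1. An ACK from a spoofed source fails this."""
    x = (ack["seq"] - 1) & MASK32
    y_prime = iss_hash(ack["src"], ack["dst"], ack["port"], x, secret)
    return ack["ack"] == ((y_prime + 1) & MASK32)

SECRET = b"constructed destination secret key"   # constructed, not a real key

def demo() -> tuple:
    """Return (genuine ACK accepted?, forged ACK accepted?)."""
    syn = {"src": "198.51.100.7", "dst": "192.0.2.10", "port": 80, "seq": 123456}
    synack = make_synack(syn, SECRET)
    genuine = {"src": syn["src"], "dst": syn["dst"], "port": 80,
               "seq": syn["seq"] + 1, "ack": (synack["seq"] + 1) & MASK32}
    # A spoofed source never saw SYN+ACK, so its ACK number cannot match y+1.
    forged = dict(genuine, ack=(synack["seq"] + 42) & MASK32)
    return accept_ack(genuine, SECRET), accept_ack(forged, SECRET)

if __name__ == "__main__":
    print(demo())   # (True, False)
```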
Solutions (4/5): Firewall approach
- Firewall as a relay
  - Receives packets for the internal host on its behalf
  - Drawback: delay
Fig 3. Attacker scenario: attacker A sends SYN to the firewall, which answers SYN+ACK; no ACK ever arrives, so destination D never sees the connection.
Fig 4. Legitimate connection: A completes SYN, SYN+ACK, ACK with the firewall; the firewall then completes SYN, SYN+ACK, ACK with D and relays the data, converting sequence numbers between the two connections.
Solutions (5/5): Firewall approach (cont'd)
- Firewall as a semi-transparent gateway
  - Drawback: wastes a large number of illegitimate open connections at the destination if it is under attack
Fig 5. Attacker scenario: A sends SYN to D, D answers SYN+ACK, the firewall sends the ACK that completes the handshake at D; after the timeout the firewall sends RST to D.
Fig 6. Legitimate connection: SYN, SYN+ACK, the firewall's ACK, then A's data flows to D.
Synkill (1/2)
- Active monitor
  - Active: generates TCP packets and injects them into the network
  - Monitor: reads and examines all TCP packets on the LAN
- Algorithm
  - TCP packet processing
    - Source IP address prefiltering
    - Decision process based on events
      - Observed TCP packets
      - Timer events
      - Administrative commands
  - Classification of source IP addresses
    - Based on observed network traffic and administratively supplied input
    - States: null, good, new, bad; perfect, evil
Synkill (2/2): Algorithm (cont'd)
- Actions
  - Send an RST packet for the bad or evil state
  - Generate an ACK packet
Fig 7. Attack scenario: A sends SYN to D (LISTEN), D replies SYN+ACK and enters SYN_RECVD; Synkill sends RST, D goes to CLOSED and releases the resources.
Fig 8. Normal access scenario: A sends SYN, D replies SYN+ACK and enters SYN_RECVD; Synkill sends ACK so D becomes CONNECTED, and A's own ACK follows. Two further cases are shown: if the address expires before A answers, Synkill's RST takes D to CLOSED; if A's ACK arrives only after the expiry ("too late"), the expiry RST still closes the already CONNECTED connection.
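An added model (not Synkill's own code) of the classification and actions on the two Synkill slides: an address goes from null to new on a SYN, to good when the same address answers, or to bad on timer expiry; perfect and evil are taken here as administratively pinned states (an assumption of this example). The 2-second expiry, the addresses and the event sequence are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

NEW_EXPIRY = 2.0   # seconds an address may stay "new" without answering (assumed)

@dataclass
class Monitor:
    state: Dict[str, str] = field(default_factory=dict)       # src -> state
    deadline: Dict[str, float] = field(default_factory=dict)  # src -> expiry time
    actions: List[Tuple[str, str]] = field(default_factory=list)  # ("RST"|"ACK", src)

    def status(self, src: str) -> str:
        return self.state.get(src, "null")   # never-seen addresses are "null"

    def admin(self, src: str, verdict: str) -> None:
        """Administrative command: pin an address as perfect or evil (assumed)."""
        self.state[src] = verdict
        self.deadline.pop(src, None)

    def on_packet(self, src: str, flags: Set[str], now: float) -> None:
        """Event: a TCP packet from src observed on the LAN."""
        st = self.status(src)
        if st in ("bad", "evil"):
            self.actions.append(("RST", src))   # free the half-open entry at D
        elif st in ("perfect", "good"):
            return                              # trusted, pass through
        elif "SYN" in flags and "ACK" not in flags:
            self.state[src] = "new"             # null -> new: await evidence
            self.deadline.setdefault(src, now + NEW_EXPIRY)
            self.actions.append(("ACK", src))   # complete the handshake for D
        elif "ACK" in flags and st == "new":
            self.state[src] = "good"            # the real endpoint answered
            self.deadline.pop(src, None)

    def on_timer(self, now: float) -> None:
        """Event: timer tick; unanswered 'new' addresses become 'bad'."""
        for src in [s for s, t in self.deadline.items() if t <= now]:
            self.state[src] = "bad"
            del self.deadline[src]
            self.actions.append(("RST", src))   # reset what the address opened

def demo() -> Monitor:
    m = Monitor()
    m.admin("203.0.113.9", "evil")                 # constructed admin input
    m.on_packet("198.51.100.7", {"SYN"}, 0.0)      # legitimate client connects
    m.on_packet("198.51.100.7", {"ACK"}, 0.1)      # ...and answers SYN+ACK
    m.on_packet("192.0.2.250", {"SYN"}, 0.0)       # spoofed source, never answers
    m.on_packet("203.0.113.9", {"SYN"}, 0.2)       # evil source is reset at once
    m.on_timer(3.0)                                # expiry: unanswered -> bad + RST
    return m
```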
Performance of Synkill (1): Establishment of Experiments
- Experimental configuration
Fig 9. Experimental configuration: attacker A and source S1 reach destination D through gateway G; monitor M (Synkill) and a second source S2 sit on D's side; S1 attempts 1 connection per 2 s, 750 connections in total (25 min).
- Two metrics
  - Evaluate how many connection establishments can succeed under attack during a time interval, using S2
    - Environment of S2: SUN Sparc Ultra 1 workstations, 32MB of RAM, Solaris 2.5.1
    - Success rate = (# of successful connections) / (# of tried connections)
  - Average delay for successful connections
    - Delay: time required for establishing a successful connection
Performance of Synkill (2): Test Case
- Test cases for the attacker
Table 1. Summary of test cases
Fig 10. Process growth for the attack in case 6
Performance of Synkill (3): Evaluation Result
- Test case 1 & test case 2
- Test case 3 & test case 4: single address
Performance of Synkill (4): Evaluation Result (cont'd)
- Test case 5: 20 addresses
- Test case 6: random addresses
Conclusion
- Contributes a detailed analysis of the SYN flooding attack
- Discusses existing and proposed countermeasures
- Introduces the active monitor "Synkill"
  - Does not require any special hardware, operating systems or network stacks
  - Does not need modifications in the protected end systems
  - Highly portable, extensible and easily configurable