Detecting SYN-Flooding Attacks, Aaron Beach, CS 395 Network Security, Spring 2004.

Presentation transcript:

1 Detecting SYN-Flooding Attacks
Aaron Beach, CS 395 Network Security, Spring 2004

2 Related Work
SYN flood defense categories:
1. Firewall based
2. Server based
3. Agent based
4. Router based

3 Firewall based
Examples: SYN Defender, SYN proxying
- Filters packets and requests before the router
- Maintains state for each connection
Drawbacks: can be overloaded; extra delay for processing each packet

4 Server Based
Examples: SYN Cache, SYN cookies
- The SYN cache receives packets first and uses a hash table to store partial state; this is much more streamlined than a firewall.
- If the SYN-ACK is “acked”, the connection is established with the server.
- Removes the need to watch half-open connections

5 SYN kill – this is kind of cool
- SYN kill monitors the network and, if it detects SYNs that are not being acked, automatically generates RST packets to free resources.
- It also classifies addresses as likely to be spoofed or legitimate…
- Performance???

6 MULTOPS
Monitors the packets going to and from a victim and then blocks IPs from outside the network… limiting the IP range of the attack.

7 Ingress Filtering
- If a packet does not have a source IP address from within the network, the router will not route it.
- This restricts attackers to the IPs within the network(s) from which they are attacking.

8 Route-based Distributed Packet Filtering
- Uses packet information to determine whether a packet arriving at a router has a spoofed source/destination address.
- Results show many packets can be filtered, and those that can’t can be traced back easily.

9 Future Work
- Any ideas on how to break the SYN-FIN pair scheme??
- Just send FINs along with the SYNs… This will result in more traffic… but what about a DDoS that sends FINs and SYNs?

10 Alternatives to improve detection
- Also monitor SYN-ACK packets
- SYN-ACKs won’t go back through the same router that the SYNs originally passed through
- Diagram: Backbone Router; Router to Spoofed IP; Router to Attacker; Router to Victim

11 Can it work???
- The spoofed address must be in a different AS
- Also, if a packet does not take the same path back and forth from the server, it could result in false positives
- Any other ways to beat it?
- A large enough AS could spoof within the AS
- Requires inter-FDS communication
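As an added example that is not part of the slides, the following Python tallies the TCP control packets seen on one router link and scores an observation window two ways: the SYN-FIN difference normalized by the FIN count (an assumed form of the SYN-FIN pair scheme that slide 9 discusses), and the SYN versus SYN-ACK count that slide 10 proposes. The constructed windows show the FIN-padded variant from slide 9 blinding the first score while the second still fires; the record format, threshold and traffic mixes are assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed record format: (direction, tcp_flags) for each control packet seen
# on one router link; "out" = toward the server, "in" = back from the server.
Record = Tuple[str, str]

def count_flags(records: Iterable[Record]) -> Counter:
    """Tally the control packets of one observation window."""
    c: Counter = Counter()
    for direction, flags in records:
        if direction == "out" and flags == "SYN":
            c["syn"] += 1
        elif direction == "in" and flags == "SYN-ACK":
            c["synack"] += 1
        elif direction == "out" and flags in ("FIN", "RST"):
            c["close"] += 1  # client-side teardown that pairs with an earlier SYN
    return c

def syn_fin_score(c: Counter) -> float:
    """(SYN - FIN) / FIN: near zero when every SYN is eventually paired with a close."""
    return (c["syn"] - c["close"]) / max(c["close"], 1)

def syn_synack_score(c: Counter) -> float:
    """Fraction of outbound SYNs for which no SYN-ACK returned over this link."""
    return (c["syn"] - c["synack"]) / max(c["syn"], 1)

def classify(records: Iterable[Record], threshold: float = 0.5) -> Dict[str, object]:
    """Run both detectors over one window; an alarm fires when a score exceeds the threshold."""
    c = count_flags(list(records))
    sf, ss = syn_fin_score(c), syn_synack_score(c)
    return {"syn_fin": sf, "syn_fin_alarm": sf > threshold,
            "syn_synack": ss, "syn_synack_alarm": ss > threshold}

# Constructed sample windows (assumed values, not measurements):
# 100 completed connections plus 5 still open at the end of the window.
NORMAL: List[Record] = ([("out", "SYN"), ("in", "SYN-ACK"), ("out", "FIN")] * 100
                        + [("out", "SYN"), ("in", "SYN-ACK")] * 5)
# The same background plus 400 spoofed SYNs whose SYN-ACKs never come back this way.
FLOOD: List[Record] = NORMAL + [("out", "SYN")] * 400
# Slide 9's variant: each spoofed SYN is accompanied by a FIN.
FLOOD_WITH_FINS: List[Record] = NORMAL + [("out", "SYN"), ("out", "FIN")] * 400

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("flood", FLOOD), ("flood+fins", FLOOD_WITH_FINS)):
        print(name, classify(window))
```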

