Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004."— Presentation transcript:

1 Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004

2 Overview SYN attack/floods Correlation between ”SYN” “FIN” ratio and “RST” How to detect deviations from these trends Solutions to detect and stop SYN attacks

3 Goals of authors To stop SYN attacks at leaf routers that connect users to internet Requires less overhead computation Stateless (simple) Make detection technique that is immune to flooding attacks

4 Syn Flood / Attack 90% of DoS attacks use TCP SYN floods Streaming spoofed TCP SYNs Takes advantage of three way handshake Server start “half-open” connections These build up… until queue is full and all additional requests are blocked

5 Problems with previous solutions Solutions such as: SYN cookies, SYNDefender, SYN proxying,SYNkil Knew nothing of source Relied on “costly IP traceback” These solutions are “statefull” so they can be overwhelmed by SYN attacks –14,000SYN/sec can overload

6 Flood Detection System (FDS) Stateless, simple, edge (leaf) routers Utilize SYN-FIN pair behavior Include (SYNACK - FIN) so client or server However, RST violates SYN-FIN behavior Placement: First/last mile leaf routers –First mile – detect large DoS attacker –Last mile – detect DDoS attacks that first mile would miss

7 SYN – FIN Behavior

8 Generally every SYN has a FIN

9 What to do about “RST” We can’t tell if RST is active or passive Consider 75% active Active represents a SYN passive does not Should balance out to be background noise RED – SYN BLUE- FIN BLACK – RST Make sense?

10 Statistical Attack Detection There are very many SYN’s necessary to accomplish a DoS attack At least 500 SYN/sec 1400 SYN/sec can overwhelm firewall 300,000 SYNs necessary to shut down server for 10 minutes So SYN-FIN ratio should be very skewed during an attack

11 False Positive Possibilities Many new online users with long sessions –More SYNs coming in than FINs A major server is down which would result in 3 SYNs to a FIN –Because clients would retransmit the SYN

12 CUSUM Algorithm Finding average number of FINs over a time period, and looking for a time period and testing for statistical homogeneity. If there are significant changes to this, then find when they changed.

13 Detection The algorithm will result in zero for all normal activity and cumulatively track (i.e. CUSUM = “cumulative sum”)

14 Detection The internet can be quite dynamic and too complicated for a parametric estimation, so we use sequential testing which requires much less computation Two aspects of detection: –1) False alarm time: the time without attacks between unique false alarms –2) Detection time: the detection delay after the attack starts. The goal is to minimize the second and maximize the first. However, the conflict and require trade offs

15 Performance Trends SYN-FIN

16 SYN attack vs Normal operation

17 Sensitivity of Detection 500 SYN/sec are required to shut down a server It takes a last mile FDS 20 seconds to detect 500 SYN/sec DDoS attack Once detected SYN defender could be used to protect victim

18 Detection is able to Distinguish between attacks and background noise Detect DDoS with last mile FDS Not effected by changes in overall traffic Detect attacks within seconds and implement protection. Do you think this would always work? Can you think of any exceptions??

19 Related Work SYN flood defense categories 1. Firewall based 2. Server based 3. Agent based 4. Router based

20 Firewall based Examples: SYN Defender, SYN proxying Filters packets and requests before router Maintains state for each connection Drawbacks: can be overloaded, extra delay for processing each packet

21 Server Based Examples: SYN Cache, SYN cookies SYN cache receives packets first and then uses a hash table, to partially store states, however much more streamlined than firewall. If the SYN-ACK is “acked” then the connection is established with the server.

22 SYN kill – this is kind of cool SYN kill monitors the network and if it detects SYNs that are not being acked, it automatically generates RST packets to free resources, also it classifies addresses as likely to be spoofed or legitimate… Performance???

23 MULTOPS Monitors the packets going to and from a victim and then blocks IPs from outside of network… limiting IP range of attack.

24 Route-based Distributed Packet filtering Uses packet information to determine if packet arriving at router has a spoofed Source / Destination addresses Results show many packets can be filtered and those that can’t can be traced back easily

25 Future Work Any ideas on how to break the SYN-FIN pair scheme?? Just send FINs along with the SYNs… Will result in more traffic… but what about DDoS that send FINs and SYNs

26 Alternatives to improve detection Monitoring SYN-ACK packets also SYN-ACKs wont go back through the same router that they originally passed through Backbone Router to Spoofed IP Router to Attacker Router to Victim

27 Can it work??? Spoofed address must be in different AS Also, if packet does not take same path back and forth from server it could possibly result in false positives Any other ways to beat it Large enough AS could spoof in AS Requires inter-FDS communication

28

Download ppt "Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004."

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:

1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,

PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.

A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Similar presentations

Ads by Google