Presentation is loading. Please wait.

Presentation is loading. Please wait.

Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall University of New Mexico, Dept. of Computer Science USENIX 2010.

Published byArline Jenkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall University of New Mexico, Dept. of Computer Science USENIX 2010."— Presentation transcript:

1 Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall University of New Mexico, Dept. of Computer Science USENIX 2010

2 Outline  Introduction  Related Work  Formalizing Non-interference Analysis  Finding Idle Scan  Experimental confirmation of counterexamples 2Advanced Defense Lab

3 Introduction  Network reconnaissance is the important first step of virtually all network attacks. [Link]Link  Idle scans were introduced by Antirez in a 1998. [Link]Link Based on non-random, sequential IPIDs of older network stacks Advanced Defense Lab3

4 Introduction - Idle Scan Advanced Defense Lab4

5 Introduction - Idle Scan  IPID-based idle scans have been implemented in nmap [Link]Link  But modern network stacks randomize the IPID [Link]Link  FTP bounce scans are currently the only known way to port scan a victim host or network without routing forged packets to that host or network from the attacker [Link]Link This paper proposes another one Advanced Defense Lab5

6 Related Work  Staniford et al. use simulated annealing to detect stealthy scans. [Link]Link  Leckie and Kotagiri present a probabilistic approach  Gates and Kang et al. consider the problem of stealth port scans based on using many distributed hosts (e.g., a botnet) to perform the scan. Advanced Defense Lab6

7 Related Work(cont.)  Non-interference [Link] is a widely used concept of information flow securityLink  Non-interference proved to be a very useful property because it can be specified with Linear Temporal Logic (LTL [Link]).Link Advanced Defense Lab7

8 Formalizing Non-interference Analysis  A host is viewed to be at the end of the network, i.e., an end host. Advanced Defense Lab8

9 SYN Cache [Link]Link  The SYN cache is a cache for pending SYN packets for which a SYN/ACK has been sent and the host is waiting for an ACK.  In our model packets are only removed from the SYN cache when a TCP RST is received from the source IP address and port of the original SYN packet Advanced Defense Lab9

10 Idel Scan model Advanced Defense Lab10

11 Non-interference Analysis Model Advanced Defense Lab11

12 Formalizing Non-interference Analysis  Using SAL [Link] for modelingLink SAT-based [Link] bounded model checkerLink Advanced Defense Lab12

13 Advanced Defense Lab13

14 Advanced Defense Lab14

15 Formalizing Non-interference Analysis -- Assumptions  A major abstraction is that we consider the proper reply to SYN/ACK packets to be “drop” for open ports and RST for closed ports.  Another major abstraction is that each of the two buffers in our split SYN cache has only a single entry. Advanced Defense Lab15

16 Port Status Advanced Defense Lab16

17 Finding Idle Scan  RST rate limit Advanced Defense Lab17

18 Finding Idle Scan  SYN cache Advanced Defense Lab18

19 Experimental confirmation of counterexamples  Setup VirtualBox TUN/TAP [Link]Link Zombie ○ kernel 2.4 host (Fedora Core 1) ○ Windows XP host with no service packs ○ Linux kernel 2.6 host (CentOS 5.2) ○ FreeBSD 7.1.1 host Advanced Defense Lab19

20 Experimental confirmation of counterexamples - RST rate  For a real FreeBSD system, RSTs are limited to a default of 200 per second  Our implementation sends 2000 each of two different types of packets, each at a rate of 180 per second, to the victim and FreeBSD zombie, respectively Advanced Defense Lab20

21 Experimental confirmation of counterexamples - RST rate Advanced Defense Lab21

22 Experimental confirmation of counterexamples – SYN cache  Linux kernel 2.4 uses a simple buffer for the SYN cache, with between 128 and 1024 entries depending on the memory available on the system.  our implementation 50 forged SYNs, then 50 each of forged SYNs and SYNs where the attacker uses their own return IP (1000 per second) 200 more forged SYNs (1000 per second) sends 200 each of forged SYNs and SYNs where the attacker uses their own return IP address (400 per second) Advanced Defense Lab22

23 Experimental confirmation of counterexamples – SYN cache  Result between different OSes Advanced Defense Lab23

24 Experimental confirmation of counterexamples – SYN cache  Idle port scan 20,000 forged SYN packets (with random return ports that are closed on the zombie) At half the rate, alternating forged SYNs with the target port on the victim as the source port and valid SYNs with the return address of the attacker Advanced Defense Lab24

25 Experimental confirmation of counterexamples – SYN cache  Result for idle port scan Advanced Defense Lab25

Download ppt "Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall University of New Mexico, Dept. of Computer Science USENIX 2010."

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.

CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Critical Software Security Through Replication and Virtualization A Research Proposal Dennis Edwards Sharon Simmons Arangamanikkannan Manickam.

Critical Software Security Through Replication and Virtualization A Research Proposal Dennis Edwards Sharon Simmons Arangamanikkannan Manickam.
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
FLAME: A Flow-level Anomaly Modeling Engine

FLAME: A Flow-level Anomaly Modeling Engine
MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

Similar presentations

Ads by Google