Analysis of a Denial of Service Attack on TCP
Proceedings of IEEE Symposium on Security and Privacy (1997)

Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni

July 11, 2003

Presented by Yang, Sookhyun



Contents

  • Introduction

  • Background

  • SYN Flooding Attack

  • Solutions

  • Synkill

  • Performance of Synkill

  • Conclusion



Introduction

  • SYN flooding attack

    • Network-based denial of service attack against IP (Internet Protocol)

    • Exploits a weakness in TCP/IP (Transmission Control Protocol / Internet Protocol)

  • Active monitoring tool

    • Classifies IP source addresses as falsified or genuine

    • Finds connection establishment protocol messages coming from forged IP addresses

    • Resets illegitimate half-open connections


Background

  • Connection establishment process of TCP

    • Three-way handshake

      • SYNx (Synchronize sequence number x)

      • SYNy, ACKx+1 (Acknowledgement)

      • ACKy+1, data

    • Sequence number initialization

  • Backlog queue of TCP

    • Requires allocation of memory resources during TCP connection establishment

    • Allocated by both endpoints for information related to the connection

Fig 1. Three-way handshake: S sends SYNx to D, which is in LISTEN; D allocates resources, starts the connection timer and holds a half-open connection in SYN_RECVD; D replies SYNy, ACKx+1; S answers ACKy+1 with data and the connection becomes CONNECTED.


SYN Flooding Attack

  • Exploited TCP/IP vulnerabilities

    • Does not exploit weak authentication

    • Requires allocation of resources out of a limited pool

  • System under attack

Fig 2. System under SYN flooding attack: the attacker floods the victim's port with spoofed SYNs carrying unreachable source addresses; the victim, in LISTEN, answers each with a SYN+ACK to an unreachable address and holds a half-open connection in SYN_RECVD, so the backlog queue fills up.


Solutions (1/5)

  • Configuration optimization

    • System configuration improvements

      • Defend against exhaustion of resources

        • Reduce the timeout period

        • Increase the length of the backlog queue

        • Disable non-essential services

      • Drawback

        • Denies legitimate packets

        • Increases resource usage

    • Router configuration improvements

      • Limit the range of addresses an attacker can spoof

      • Drawback

        • Effective only if adopted at large scale

(Figure: a router between the external network and the internal network, with a packet carrying an internal address and a packet carrying an external address.)
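To see what the timeout and backlog-length knobs above actually buy, here is an added example that is not from the paper or the presentation: a small time-stepped model of a listening socket's backlog queue under a stream of SYNs that are never acknowledged, reporting the success-rate metric the slides define later. All sizes, rates and timeouts are assumed values chosen for illustration.

```python
def success_rate(backlog, timeout, flood_rate, legit_interval, rtt, duration, dt=0.01):
    """Model a backlog queue of `backlog` entries under a SYN flood and return
    (successful legitimate connections) / (tried legitimate connections).

    Every SYN in SYN_RECVD occupies one backlog entry.  Spoofed SYNs come from
    unreachable addresses, so no ACK ever arrives and the entry lives until the
    connection timer fires after `timeout` seconds.  A legitimate SYN is completed
    by an ACK one `rtt` later and its entry is released.  A legitimate SYN that
    arrives while the queue is full is dropped (the "deny legitimate packets"
    drawback).  All parameters are assumed values, not figures from the paper.
    """
    def steps(seconds):                      # work in whole time steps so results are exact
        return max(1, round(seconds / dt))

    flood_every, legit_every = steps(1.0 / flood_rate), steps(legit_interval)
    hold_spoofed, hold_legit = steps(timeout), steps(rtt)
    queue = []                               # expiry step of every entry in the backlog queue
    tried = succeeded = 0
    for now in range(1, steps(duration) + 1):
        queue = [t for t in queue if t > now]          # timer expiry frees the entry
        if now % flood_every == 0 and len(queue) < backlog:
            queue.append(now + hold_spoofed)           # spoofed SYN: held for the full timeout
        if now % legit_every == 0:                     # legitimate SYN (modelled after the
            tried += 1                                 # spoofed one when both land in one step)
            if len(queue) < backlog:
                queue.append(now + hold_legit)         # ACK completes it one RTT later
                succeeded += 1
    return succeeded / tried if tried else 0.0


if __name__ == "__main__":
    base = dict(flood_rate=1.0, legit_interval=2.0, rtt=0.2, duration=60.0)
    print("backlog 8,   timeout 75s:", success_rate(8, 75.0, **base))   # queue fills and stays full
    print("backlog 8,   timeout 5s :", success_rate(8, 5.0, **base))    # shorter timeout keeps slots free
    print("backlog 128, timeout 75s:", success_rate(128, 75.0, **base)) # larger queue absorbs the flood
    print("backlog 8,   timeout 5s, 10 SYN/s:",
          success_rate(8, 5.0, **{**base, "flood_rate": 10.0}))       # both knobs lose to a faster flood
```

The last case is the point of the slide's drawback list: each knob only raises the flood rate needed to fill the queue, and a modest increase in attack rate exhausts the resource again.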



Solutions (2/5)

  • Infrastructure improvements

    • Router configuration can be improved

      • Address spaces reachable over their various interfaces are disjoint and well-defined

      • Address prefixes separate inside and outside

    • Practical problems

      • Cannot make a clear distinction between inbound and outbound traffic in large backbone networks with complex topology


Solution (3/5)

  • Connection establishment improvements

    • Remove the requirement of resource allocation

    • Calculate the ISS (initial send sequence number) of the destination as a hash value

    • Hash value: y = H(source IP address, destination IP address, port, source's ISS, destination's secret key), where y is the ISS of the destination

    • Drawback

      • Requires modification of the TCP standard and consequently of every TCP implementation

(Figure: the destination puts y in the second message, SYNy, ACKx+1; when the third message, ACKy+1, arrives it recomputes y' from the same inputs and compares it with y.)
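An added example of the stateless connection establishment just described (not code from the paper or the presentation): the destination derives y from a keyed hash of the connection fields instead of storing a half-open connection, and validates the third message by recomputing y'. HMAC-SHA256 truncated to 32 bits is an assumed choice of H (the slide only says "hash value"), and the addresses, port and key are constructed sample values.

```python
import hashlib
import hmac

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


def compute_iss(src_ip, dst_ip, port, src_iss, secret):
    """y = H(source IP, destination IP, port, source's ISS, destination's secret key).

    H is assumed to be HMAC-SHA256 truncated to 32 bits; any keyed hash that an
    outsider cannot compute without the destination's secret key would do.
    """
    message = f"{src_ip}|{dst_ip}|{port}|{src_iss}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def second_message(src_ip, dst_ip, port, syn_seq, secret):
    """Destination's reply to SYNx: SYNy, ACKx+1.  No backlog entry is allocated,
    because everything needed to check the third message can be recomputed."""
    y = compute_iss(src_ip, dst_ip, port, syn_seq, secret)
    return {"seq": y, "ack": (syn_seq + 1) & SEQ_MASK}


def accept_third_message(src_ip, dst_ip, port, seq, ack, secret):
    """Validate ACKy+1 without stored state: the third message carries sequence
    number x+1, so x is recovered from it, y' is recomputed from the same fields
    and the secret key, and compared with the y the sender acknowledges (ack-1)."""
    x = (seq - 1) & SEQ_MASK
    y_prime = compute_iss(src_ip, dst_ip, port, x, secret)
    y_claimed = (ack - 1) & SEQ_MASK
    # constant-time comparison, so timing does not leak how many bytes matched
    return hmac.compare_digest(y_prime.to_bytes(4, "big"), y_claimed.to_bytes(4, "big"))
```

A SYN from an unreachable address therefore costs the destination nothing beyond the SYN+ACK it sends; the price, as the slide notes, is that both ends must run a modified TCP.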


Solution (4/5)

  • Firewall approach

    • Firewall as a relay

      • Receives packets for the internal host on its behalf

      • Drawback

        • Delay

Fig 3. Attacker scenario: A sends SYN; the firewall answers SYN+ACK on behalf of D, and D sees nothing while the handshake remains incomplete.

Fig 4. Legitimate connection: the firewall completes the handshake (SYN, SYN+ACK, ACK) with A, then opens its own connection to D with a second handshake and relays Data in both directions, performing sequence number conversion between the two connections.


Solution (5/5)

  • Firewall approach (cont'd)

    • Firewall as a semi-transparent gateway

      • Drawback

        • Leaves a large number of illegitimate open connections at the destination while it is under attack

Fig 5. Attacker scenario: A's SYN is passed through to D; D answers SYN+ACK and the firewall immediately sends an ACK to D, so the connection is opened; when A's own ACK never arrives, a Timeout at the firewall triggers a RST to D.

Fig 6. Legitimate connection: SYN, SYN+ACK and the firewall's ACK open the connection at D; A's genuine ACK follows and Data flows.



Synkill (1/2)

  • Active monitor

    • Active : generate TCP packets and inject them into the network

    • Monitor : read and examine all TCP packets on the LAN

  • Algorithm

    • TCP packet processing

      • Source IP address prefiltering

      • Decision process based on events

        • Observed TCP packets

        • Timer events

        • Administrative commands

    • Classification of source IP address

      • Based on observed network traffic and administratively supplied input

        • null, good, new, bad

        • perfect, evil


Synkill (2/2)

  • Algorithm (cont'd)

    • Actions

      • Send a RST packet for a source address in the bad or evil state

      • Generate an ACK packet

Fig 7. Attack scenario: D in LISTEN receives SYN from A, answers SYN+ACK and enters SYN_RECVD; Synkill generates the ACK so the connection becomes CONNECTED; on Expiry without a genuine ACK Synkill sends RST, D goes to CLOSED and the resource is released.

Fig 8. Normal access scenario: SYN, SYN+ACK, ACK and the connection is CONNECTED; a genuine ACK that arrives only after Synkill's expiry and RST is too late, because the connection is already CLOSED.
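An added example (not the Synkill code from the paper) of the decision process described in Synkill (1/2) and (2/2): a classifier that moves each source address between the states null, new, good, bad, perfect and evil on the three event kinds from the slides (observed TCP packets, timer events, administrative commands) and returns the RST or ACK packets Synkill would inject. The exact transitions and the expiry value are my reading of the slides and are assumptions; the addresses used in the demo are constructed.

```python
NULL, NEW, GOOD, BAD, PERFECT, EVIL = "null", "new", "good", "bad", "perfect", "evil"


class SynkillClassifier:
    """Source-address classifier for an active monitor.  Injected packets are
    returned as (kind, address) pairs; a real monitor would fill in ports and
    sequence numbers from the observed packet.  Transitions are assumptions."""

    def __init__(self, expiry=5.0):
        self.expiry = expiry      # seconds a 'new' address may stay unconfirmed (assumed value)
        self.state = {}           # ip -> state; addresses never seen are 'null'
        self.deadline = {}        # ip -> time at which a 'new' address is declared 'bad'

    def classify(self, ip):
        return self.state.get(ip, NULL)

    def admin(self, ip, verdict):
        """Administrative command: 'perfect' (never reset) or 'evil' (always reset)."""
        if verdict not in (PERFECT, EVIL):
            raise ValueError(f"unknown verdict {verdict!r}")
        self.state[ip] = verdict
        self.deadline.pop(ip, None)

    def on_packet(self, now, src, dst, flags):
        """Observed TCP packet on the LAN; returns the packets to inject."""
        if flags == {"SYN"}:                          # first handshake message from src
            st = self.classify(src)
            if st in (BAD, EVIL):
                return [("RST", src)]                 # tear the half-open connection down at once
            if st == NULL:
                self.state[src] = NEW
            if st in (NULL, NEW):
                self.deadline[src] = now + self.expiry
            return []
        if flags == {"SYN", "ACK"}:                   # destination replied; dst is the source address
            if self.classify(dst) == NEW:
                return [("ACK", dst)]                 # complete the handshake so it leaves the backlog queue
            return []
        if flags == {"ACK"} and self.classify(src) == NEW:
            self.state[src] = GOOD                    # genuine third message: the address is reachable
            self.deadline.pop(src, None)
        return []

    def on_timer(self, now):
        """Timer event: 'new' addresses whose handshake never completed become 'bad'."""
        actions = []
        for ip, due in list(self.deadline.items()):
            if due <= now:
                self.state[ip] = BAD
                del self.deadline[ip]
                actions.append(("RST", ip))           # close the connection Synkill completed for it
        return actions
```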


Performance of Synkill (1)

Establishment of Experiments

  • Experimental configuration

  • Two metrics of the experiments

    • Evaluate how many connection establishments succeed under attack during a time interval, using S2

      • Environment of S2

        • SUN Sparc Ultra 1 workstations, 32MB of RAM, Solaris 2.5.1

      • Success rate = ( # of successful connections ) / ( # of tried connections )

      • Average delay for successful connections

        • Delay : time required for establishing a successful connection

Fig 9. Experimental configuration: Attacker (A), Synkill monitor (M), Gateway (G), Destination (D) and two Sources (S1, S2); the figure is annotated with the rates "25" and "1 per 2s => 750".



Table 1. Summary of test cases

Performance of Synkill (2)

Test Case

  • Test case for Attacker

Fig 10. Process growth for the attack in case 6



Performance of Synkill (3)

Evaluation Result

  • Test case 1 & Test case 2

  • Test case 3 & Test case 4 : single address



Performance of Synkill (4)

Evaluation Result (cont’d)

  • Test case 5 : 20 addresses

  • Test case 6 : random addresses



Conclusion

  • Contributes a detailed analysis of the SYN flooding attack

  • Discusses existing and proposed countermeasures

  • Introduces the active monitor "Synkill"

    • Does not require any special hardware, operating systems or network stacks

    • Does not need modification of the protected end systems

    • Highly portable, extensible and easily configurable

