Outline l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 25

Outline PowerPoint PPT Presentation


  • 103 Views
  • Uploaded on
  • Presentation posted in: General

Outline. Definition Point-to-point network denial of service Smurf Distributed denial of service attacks Trin00, TFN, Stacheldraht, TFN2K TCP SYN Flooding and Detection. Denial of Service Attack Definition.

Download Presentation

Outline

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Outline l.jpg

Outline

  • Definition

  • Point-to-point network denial of service

    • Smurf

  • Distributed denial of service attacks

    • Trin00, TFN, Stacheldraht, TFN2K

  • TCP SYN Flooding and Detection


Denial of service attack definition l.jpg

Denial of Service Attack Definition

  • An explicit attempt by attackers to prevent legitimate users of a service from using that service

  • Threat model – taxonomy from CERT

    • Consumption of network connectivity and/or bandwidth

    • Consumption of other resources, e.g. queue, CPU

    • Destruction or alternation of configuration information

      • Malformed packets confusing an application, cause it to freeze

    • Physical destruction or alternation of network components


Status l.jpg

Status

  • DoS attacks increasing in frequency, severity and sophistication

    • 32% respondents detected DoS attacks (1999 CSI/FBI survey)

    • Yahoo, Amazon, eBay and MicroSoft DDoS attacked

    • About 4,000 attacks per week in 2000

    • Internet's root DNS servers (9 out of 13) attacked on Oct 2002


Two general classes of attacks l.jpg

Two General Classes of Attacks

  • Flooding Attacks

    • Point-to-point attacks: TCP/UDP/ICMP flooding,

      Smurf attacks

    • Distributed attacks: hierarchical structures

  • Corruption Attacks

    • Application/service specific


Smurf dos attack l.jpg

Smurf DoS Attack

1 ICMP Echo ReqSrc: Dos Target

Dest: brdct addr

3 ICMP Echo ReplyDest: Dos Target

  • Send ping request to brdcst addr (ICMP Echo Req)

  • Lots of responses:

    • Every host on target network generates a ping reply (ICMP Echo Reply) to victim

    • Ping reply stream can overload victim

gateway

DoSTarget

DoSSource

Prevention: reject external packets to brdcst address.


Slide6 l.jpg

DDOS

BadGuy

Unidirectional commands

Handler

Handler

Handler

Coordinating communication

Agent

Agent

Agent

Agent

Agent

Agent

Agent

Agent

Agent

Agent

Attack traffic

Victim


Attack using trin00 l.jpg

Attack using Trin00

  • In August 1999, network of > 2,200 systems took University of Minnesota offline for 3 days

    • scan for known vulnerabilities, then attack with UDP traffic

    • once host compromised, script the installation of the DDoS master agents

  • According to the incident report

    • Took about 3 seconds to get root access

    • In 4 hours, set up > 2,200 agents


Can you find source of attack l.jpg

Can you find source of attack?

  • Hard to find BadGuy

    • Originator of attack compromised the handlers

    • Originator not active when DDOS attack occurs

  • Can try to find agents

    • Source IP address in packets is not reliable

    • Need to examine traffic at many points, modify traffic, or modify routers


Source address validity l.jpg

Source Address Validity

  • Spoofed Source Address

    • random source addresses in attack packets

    • Subnet Spoofed Source Address- random address from address space assigned to the agent machine’s subnet

    • En Route Spoofed Source Address- address spoofed en route from agent machine to victim

  • Valid Source Address- used when attack strategy requires several request/reply exchanges between an agent and the victim machine- target specific applications or protocol features


Attack rate dynamics l.jpg

Attack Rate Dynamics

Agent machine sends a stream of packets to the victim

  • Constant Rate- Attack packets generated at constant rate, usually as many as resources allow

  • Variable Rate

    • Delay or avoid detection and response

    • Increasing Rate- gradually increasing rate causes a slow exhaustion of the victim’s resources

    • Fluctuating Rate- occasionally relieving the effect- victim can experience periodic service disruptions


Outline11 l.jpg

Outline

  • Definition

  • Point-to-point network denial of service

    • Smurf

  • Distributed denial of service attacks

    • Trin00, TFN, Stacheldraht, TFN2K

  • TCP SYN Flooding and Detection


Slide12 l.jpg

SYN Flooding Attack

  • 90% of DoS attacks use TCP SYN floods

  • Streaming spoofed TCP SYNs

  • Takes advantage of three way handshake

  • Server start “half-open” connections

  • These build up… until queue is full and all additional requests are blocked


Tcp overview rfcs 793 1122 1323 2018 2581 l.jpg

full duplex data:

bi-directional data flow in same connection

MSS: maximum segment size

connection-oriented:

handshaking (exchange of control msgs) init’s sender, receiver state before data exchange

flow controlled:

sender will not overwhelm receiver

point-to-point:

one sender, one receiver

reliable, in-order byte steam:

no “message boundaries”

pipelined:

TCP congestion and flow control set window size

send & receive buffers

TCP: Overview RFCs: 793, 1122, 1323, 2018, 2581


Tcp segment structure l.jpg

32 bits

source port #

dest port #

sequence number

acknowledgement number

head

len

not

used

Receive window

U

A

P

R

S

F

checksum

Urg data pnter

Options (variable length)

application

data

(variable length)

TCP segment structure

URG: urgent data

(generally not used)

counting

by bytes

of data

(not segments!)

ACK: ACK #

valid

PSH: push data now

(generally not used)

# bytes

rcvr willing

to accept

RST, SYN, FIN:

connection estab

(setup, teardown

commands)

Internet

checksum

(as in UDP)


Tcp connection management l.jpg

Recall:TCP sender, receiver establish “connection” before exchanging data segments

initialize TCP variables:

seq. #s

buffers, flow control info (e.g. RcvWindow)

client: connection initiator

server: contacted by client

Three way handshake:

Step 1:client host sends TCP SYN segment to server

specifies initial seq #

no data

Step 2:server host receives SYN, replies with SYNACK segment

server allocates buffers

specifies server initial seq. #

Step 3: client receives SYNACK, replies with ACK segment, which may contain data

TCP Connection Management


Tcp handshake l.jpg

TCP Handshake

C

S

SYNC

Listening

Store data

SYNS, ACKC

Wait

ACKS

Connected


Syn flooding l.jpg

SYN Flooding

C

S

SYNC1

Listening

SYNC2

Store data

SYNC3

SYNC4

SYNC5


Tcp connection management closing l.jpg

Step 1:client end system sends TCP FIN control segment to server

Step 2:server receives FIN, replies with ACK. Closes connection, sends FIN.

Step 3:client receives FIN, replies with ACK.

Enters “timed wait” - will respond with ACK to received FINs

Step 4:server, receives ACK. Connection closed.

TCP Connection Management: Closing

client

server

closing

FIN

ACK

closing

FIN

ACK

timed wait

closed

closed


Flood detection system on router gateway l.jpg

Flood Detection System on Router/Gateway

  • Can we maintain states for each connection flow?

  • Stateless, simple detection system on edge (leaf) routers desired

  • Placement: First/last mile leaf routers

    • First mile – detect large DoS attacker

    • Last mile – detect DDoS attacks that first mile would miss


Detection methods i l.jpg

Detection Methods (I)

  • Utilize SYN-FIN pair behavior

  • OR SYNACK – FIN

  • Can be both on client or server side

  • However, RST violates SYN-FIN behavior

    • Passive RST: transmitted upon arrival of a packet at a closed port (usually by servers)

    • Active RST: initiated by the client to abort a TCP connection

    • So SYN-RSTactive pair is also normal


Syn fin behavior l.jpg

SYN – FIN Behavior


Syn fin behavior22 l.jpg

SYN – FIN Behavior

  • Generally every SYN has a FIN

  • We can’t tell if RST is active or passive

  • Consider 75% active


Vulnerability of syn fin detection l.jpg

Vulnerability of SYN-FIN Detection

  • Send out extra FIN or RST with different IP/port as SYN

  • Waste half of its bandwidth


Detection method ii l.jpg

Detection Method II

  • SYN – SYN/ACK pair behavior

  • Hard to evade for the attacking source

  • Problems

    • Need to sniff both incoming and outgoing traffic

    • Only becomes obvious when really swamped


False positive possibilities l.jpg

False Positive Possibilities

  • Many new online users with long-lived TCP sessions

    • More SYNs coming in than FINs

  • A major server is down which would result in 3 SYNs to a FIN or SYN-ACK

    • Because clients would retransmit the SYN


  • Login