View
217
Download
0
Category
Tags:
Preview:
Citation preview
1
A Study on SYN Flooding
Student: Tao-Wei HuangAdvisor: Prof. Wen-Nung Tasi
2001/06/13
2
Outline Motivation Introduction Denial of Service Attacks Related Works Design and Implementation Experimental Results Conclusions and Future Works
3
Motivation SYN Flooding attack affects network
seriously Attackers need only few resources to
launch the attack, it is difficult to trace the source of attacker
TCP provides many important protocols, such as HTTP, FTP, POP3, etc, frequently for information exchanging
No mechanism seems to provide an optimal solution [1999, L. Ricciulli]
4
TCP/IP Model
Application Layer
Transport Layer
Network Layer
Data Link Layer
Network Layer
Data Link Layer
S R
Application Layer
Transport Layer
Network Layer
Data Link Layer
D
5
UDP -- connectionless Provide an unreliable connectionless
delivery service No flow control and retransmission
Client ServerData
Data
Data
6
Client ServerSYNx , ACK0
SYNy , ACKx+1
SYNx+1 , ACKy+1
LISTEN
SYN_RCVD
ESTABLISHED
backlog
TCP -- connection-oriented
7
Denial of Service Attacks Ping of Death
Smurf Teardrop Land SYN Flooding
ServerAttacker
Ping of Death IP packetlarger than 65536 byte
8
Smurf
Internet
Victim
MultipleNetworkSubnets
Attacker
1. Broadcast Ping fromsooofed IP address
1. Broadcast Ping fromsooofed IP address
1. Broadcast Ping fromsooofed IP address
2. Ping response
2. Ping response
2. Ping response
9
Teardrop (1/2)
R2 R3R1 DS R4
ETH IP 1500 ETH IP 1500 ETH IP 512
ETH IP 512
ETH IP 476
ETH IP 512
ETH IP 512
ETH IP 476
ETH IP 1500
ETH IP 512
ETH IP 512
ETH IP 476
10
Teardrop (2/2)
Ident = x Offset = 0
Start of header
0
Rest of header
1500 data bytes
Ident = x Offset = 0
Start of header
1Rest of header
512 data bytes
Ident = x Offset = 512
Start of header
1Rest of header
512 data bytes
Ident = x Offset = 1024
Start of header
0Rest of header
476 data bytes
Ident = x Offset = 0
Start of header
1Rest of header
512 data bytes
Ident = x Offset = 500
Start of header
1Rest of header
512 data bytes
Ident = x Offset = 1000
Start of header
0Rest of header
476 data bytes
Normal IP Packet
Teardrop IP Packet
11
Land Attack TCP SYN packet with the same
source and destination IP address, port Ex: (140.113.215.125,
140.113.215.125, 80, 80) Land attacks affect some OSs over
the Internet
12
Attacker
ServerAttacker
Attacker
? ?
backlog
SYN + ACK
SYN Flooding
SYN Flooding
13
Why SYN Flooding Some DoS attacks are OS
dependent and CERT® proposes some suggestions
SYN Flooding attack is the weakness in protocol
No optimal solution to defense SYN Flooding attack
14
Related Works Firewall/Router Approach
Firewall Relay [1997, E. H. Spafford] Cisco TCP Intercept [7xxx Router &
PIX 5.2 Firewall] Cookie Approach
RST Cookie [1996, E. Shenk] SYN Cookie [1996, Rex Di
Bona] Random Drop [1999, L. Ricciulli]
15
Firewall RelayClient Firewall Server
SYNx1
SYNy1, ACKx1+1
ACKy1+1
Data
Data
SYNx2
SYNy2, ACKx2+1
ACKy2+1
Data
Data Sequence NumberConversion
16
Cisco TCP InterceptClient Cisco Firewall Server
SYNx1
SYNy1, ACKx1+1
ACKy1+1
Data
Data
SYNx1
SYNy2, ACKx1+1
ACKy2+1
Data
Data Sequence NumberConversion
17
RST CookieClient Server
Check Security Association
SYNx, ACK0
RSTz+1, ACKy+1
Allocate Security Association
SYN
SYN+ACK
ACK
Check Security Association
Connection Established
(y+1)-(z+1) =?= hash
SYNy=hash+z, ACKz+1
18
SYN CookieClient Server
SYNy=hash+x, ACKx+1
SYNx+1, ACKy+1
(y+1)-(x+1) =?= hash
SYNx, ACK0
Connection Established
19
Random Drop
backlog
timeSpoofed SYN Legitimate SYN
20
System Architecture Overview
InternetClient
Attacker
ServerFilterSYN Flooding
LegitimateRequest
the same IP
21
Design (1/2) Filter and Server have the same IP
address and Server does not respond ARP Request
Filter respond Server’s ARP with its MAC address
Hide the Server to protect the Server
22
Design (2/2) SYN Cache
Solve the packet lost problem in SYN Cookie (client_ip, client_port, sequence_num,
ack_num, retransmit_info) 16 bytes 16 * 10000 = 160 Kbytes
Hash Function Eliminate the overhead of sequence number
conversion Hash(client_ip, client_port, server_ip,
server_port, key) xor operation key will be changed periodically
23
Connection EstablishmentClient Filter
Allocate SYN cacheif cache is not full
x, 0
y, x+1
x+1, y+1
Deallocate SYN cacheif needed
Server
x, keyy, x+1
x+1, y+1
ARP Request
ARP Reply
data transmissionwithout sequence number conversion
Connection Established
24
Modification on Filter
Application
tcp_input() tcp_output()
ip_input() ip_output()
ether_input() ether_output()in_arpinput()
ether_filter()
25
Modification on Server
Application
tcp_input() tcp_output()
ip_input() ip_output()
ether_input() ether_output()
in_arpinput()
26
Experimental EnvironmentScenario (1) and Scenario (2)
HTTP ServerRouterAttacker
Client
Attacker
FirewallProxy
HTTP ServerRouterAttacker
Client
Attacker
Filter
the same IP
27
Experimental Equipment Hardware
P-III 500 with 100Mbps Ethernet Card 100Mbps Hub, Router
Software Server (apache 1.3.12) FreeBSD 4.1.1 Client (httpref 0.6) FreeBSD 4.1.1 Attacker (synk4.c) FreeBSD 4.1.1
Attacker Speed FreeBSD default warning threshold : 200pps Attack rate from 1000pps to 10000pps Test file size from 1k to 200k Bytes
28
Experimental ResultsThroughput (1/3)
29
Experimental ResultsThroughput (2/3)
30
Experimental ResultsThroughput (3/3)
31
Experimental ResultsRequest per Second (1/3)
32
Experimental ResultsRequest per Second (2/3)
33
Experimental ResultsRequest per Second (3/3)
34
Experimental ResultsExecution Time (1/3)
35
Experimental ResultsExecution Time (2/3)
36
Experimental ResultsExecution Time (3/3)
37
Conclusions (1/2) Strength of Proposed Approach
filter packet, authenticate client, and forward packet
no other services provided Comparisons with Existing
ApproachesOur ApproachCisco TCP Intercept
Firewall/Proxy
Connection Establishme
ntNO YES YES
Sequence Number
ConversionNO YES YES
38
Conclusions (2/2)
Our Approach SYN Cookie RST CookieRandom
Drop
Guarantee Service
YES YES YES NO
Memory Immunity
YES YES YES YES
Computing Immunity
NO NO NO YES
Packet Retransmissio
nYES NO NO YES
Good Performance
YES YES NO YES
39
Future Works Fault Tolerance Mechanism Multiple Services Protecting Intelligent Configuration
Recommended