1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13

1

A Study on SYN Flooding

Student: Tao-Wei HuangAdvisor: Prof. Wen-Nung Tasi

2001/06/13

2

Outline Motivation Introduction Denial of Service Attacks Related Works Design and Implementation Experimental Results Conclusions and Future Works

3

Motivation SYN Flooding attack affects network

seriously Attackers need only few resources to

launch the attack, it is difficult to trace the source of attacker

TCP provides many important protocols, such as HTTP, FTP, POP3, etc, frequently for information exchanging

No mechanism seems to provide an optimal solution [1999, L. Ricciulli]

4

TCP/IP Model

Application Layer

Transport Layer

Network Layer

Data Link Layer

Network Layer

Data Link Layer

S R

Application Layer

Transport Layer

Network Layer

Data Link Layer

D

5

UDP -- connectionless Provide an unreliable connectionless

delivery service No flow control and retransmission

Client ServerData

Data

Data

6

Client ServerSYNx , ACK0

SYNy , ACKx+1

SYNx+1 , ACKy+1

LISTEN

SYN_RCVD

ESTABLISHED

backlog

TCP -- connection-oriented

7

Denial of Service Attacks Ping of Death

Smurf Teardrop Land SYN Flooding

ServerAttacker

Ping of Death IP packetlarger than 65536 byte

8

Smurf

Internet

Victim

MultipleNetworkSubnets

Attacker

1. Broadcast Ping fromsooofed IP address



2. Ping response

2. Ping response

2. Ping response

9

Teardrop (1/2)

R2 R3R1 DS R4

ETH IP 1500 ETH IP 1500 ETH IP 512

ETH IP 512

ETH IP 476

ETH IP 512

ETH IP 512

ETH IP 476

ETH IP 1500

ETH IP 512

ETH IP 512

ETH IP 476

10

Teardrop (2/2)

Ident = x Offset = 0

Start of header

0

Rest of header

1500 data bytes


Start of header

1Rest of header

512 data bytes


Start of header

1Rest of header

512 data bytes


Start of header

0Rest of header

476 data bytes


Start of header

1Rest of header

512 data bytes


Start of header

1Rest of header

512 data bytes


Start of header

0Rest of header

476 data bytes

Normal IP Packet

Teardrop IP Packet

11

Land Attack TCP SYN packet with the same

source and destination IP address, port Ex: (140.113.215.125,

140.113.215.125, 80, 80) Land attacks affect some OSs over

the Internet

12

Attacker

ServerAttacker

Attacker

? ?

backlog

SYN + ACK

SYN Flooding

SYN Flooding

13

Why SYN Flooding Some DoS attacks are OS

dependent and CERT® proposes some suggestions

SYN Flooding attack is the weakness in protocol

No optimal solution to defense SYN Flooding attack

14

Related Works Firewall/Router Approach

Firewall Relay [1997, E. H. Spafford] Cisco TCP Intercept [7xxx Router &

PIX 5.2 Firewall] Cookie Approach

RST Cookie [1996, E. Shenk] SYN Cookie [1996, Rex Di

Bona] Random Drop [1999, L. Ricciulli]

15

Firewall RelayClient Firewall Server

SYNx1

SYNy1, ACKx1+1

ACKy1+1

Data

Data

SYNx2

SYNy2, ACKx2+1

ACKy2+1

Data

Data Sequence NumberConversion

16

Cisco TCP InterceptClient Cisco Firewall Server

SYNx1

SYNy1, ACKx1+1

ACKy1+1

Data

Data

SYNx1

SYNy2, ACKx1+1

ACKy2+1

Data

Data Sequence NumberConversion

17

RST CookieClient Server

Check Security Association

SYNx, ACK0

RSTz+1, ACKy+1

Allocate Security Association

SYN

SYN+ACK

ACK

Check Security Association

Connection Established

(y+1)-(z+1) =?= hash

SYNy=hash+z, ACKz+1

18

SYN CookieClient Server

SYNy=hash+x, ACKx+1

SYNx+1, ACKy+1

(y+1)-(x+1) =?= hash

SYNx, ACK0


19

Random Drop

backlog

timeSpoofed SYN Legitimate SYN

20

System Architecture Overview

InternetClient

Attacker

ServerFilterSYN Flooding

LegitimateRequest

the same IP

21

Design (1/2) Filter and Server have the same IP

address and Server does not respond ARP Request

Filter respond Server’s ARP with its MAC address

Hide the Server to protect the Server

22

Design (2/2) SYN Cache

Solve the packet lost problem in SYN Cookie (client_ip, client_port, sequence_num,

ack_num, retransmit_info) 16 bytes 16 * 10000 = 160 Kbytes

Hash Function Eliminate the overhead of sequence number

conversion Hash(client_ip, client_port, server_ip,

server_port, key) xor operation key will be changed periodically

23

Connection EstablishmentClient Filter

Allocate SYN cacheif cache is not full

x, 0

y, x+1

x+1, y+1

Deallocate SYN cacheif needed

Server

x, keyy, x+1

x+1, y+1

ARP Request

ARP Reply

data transmissionwithout sequence number conversion


24

Modification on Filter

Application

tcp_input() tcp_output()

ip_input() ip_output()

ether_input() ether_output()in_arpinput()

ether_filter()

25

Modification on Server

Application

tcp_input() tcp_output()

ip_input() ip_output()

ether_input() ether_output()

in_arpinput()

26

Experimental EnvironmentScenario (1) and Scenario (2)

HTTP ServerRouterAttacker

Client

Attacker

FirewallProxy

HTTP ServerRouterAttacker

Client

Attacker

Filter

the same IP

27

Experimental Equipment Hardware

P-III 500 with 100Mbps Ethernet Card 100Mbps Hub, Router

Software Server (apache 1.3.12) FreeBSD 4.1.1 Client (httpref 0.6) FreeBSD 4.1.1 Attacker (synk4.c) FreeBSD 4.1.1

Attacker Speed FreeBSD default warning threshold : 200pps Attack rate from 1000pps to 10000pps Test file size from 1k to 200k Bytes

28

Experimental ResultsThroughput (1/3)

29


30


31

Experimental ResultsRequest per Second (1/3)

32


33


34

Experimental ResultsExecution Time (1/3)

35


36


37

Conclusions (1/2) Strength of Proposed Approach

filter packet, authenticate client, and forward packet

no other services provided Comparisons with Existing

ApproachesOur ApproachCisco TCP Intercept

Firewall/Proxy

Connection Establishme

ntNO YES YES

Sequence Number

ConversionNO YES YES

38

Conclusions (2/2)

Our Approach SYN Cookie RST CookieRandom

Drop

Guarantee Service

YES YES YES NO

Memory Immunity

YES YES YES YES

Computing Immunity

NO NO NO YES

Packet Retransmissio

nYES NO NO YES

Good Performance

YES YES NO YES

39

Future Works Fault Tolerance Mechanism Multiple Services Protecting Intelligent Configuration

Documents

1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13