• Home

  • Documents

  • Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake...
14
Hell of a Handshake – Abusing TCP for Amplification DDoS Marc Kührer 1 Thomas Hupperich 1 Christian Rossow 2 Thorsten Holz 1 1 Ruhr-University Bochum 2 Saarland University USENIX WOOT, August 2014

Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

  • Upload
    others

  • View
    6

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

Hell of a Handshake –

Abusing TCP for Amplification DDoS

Marc Kührer1

Thomas Hupperich1

Christian Rossow2

Thorsten Holz1

1 Ruhr-University Bochum2 Saarland University

USENIX WOOT, August 2014

Page 2: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

2

Amplification DDoS Attacks

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

VictimAttacker Amplifiers

Page 3: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

3

TCP and Reflection

TCP 3-Way Handshake

• Reflection

• No amplification

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 4: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

4

TCP and Reflection

SYN/ACK Amplifiers

• Keep repeatingSYN/ACK until ACK

• Default, e.g., in *nix

• Against packet loss

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 5: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

5

TCP and Reflection

PSH Amplifiers

• Send data beforehandshake finishes

• e.g., FTP serverbanner info

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 6: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

6

TCP and Reflection

TCP Closed Port

• Reflection

• No amplification

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 7: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

7

TCP and Reflection

RST Amplification

• Hosts persistsending RST

• No rationale?

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 8: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

8

Methodology

• IPv4 Address Range

• TCP SYN PacketsScan

• Amplification >20

• Prevalent ProtocolsFilter

• Amplifier Classification

• Evaluate CountermeasuresStats

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 9: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

9

Amplification Statistics

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 10: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

10

Attack Frequency

Response packets per X seconds

Page 11: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

11

Amplifier Classification

Networking Equipment

Misc embedded

Unknown

DEVICE TYPE

Linux

ZyNOS

Unknown

OS

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 12: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

12

Active Defense

SYN/ACK storms: send RST segments Stops about 99.9% of the SYN/ACK streams

RST storm: send ICMP port unreachable messages Stops about 80% of the RST streams

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

Page 13: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

13

Conclusion

Also TCP suffers from amplification vulnerabilities RST, PSH and SYN/ACK storms

We notified vendors, but fixes will take time

Use active countermeasures to mitigate attacks

Page 14: Hell of a Handshake Abusing TCP for Amplification DDoS...3 TCP and Reflection TCP 3-Way Handshake • Reflection • No amplification C S Hell of a Handshake: Abusing TCP for Amplification

Hell of a Handshake –

Abusing TCP for Amplification DDoS

Marc Kührer1

Thomas Hupperich1

Christian Rossow2

Thorsten Holz1

1 Ruhr-University Bochum2 Saarland University

USENIX WOOT, August 2014


Handshake Protocols

Handshake Protocols

Documents
tcp - courses.physics.illinois.edu · TCP Usage Model n Connection setup ... Client Server s t-1stConnection closed - Another purpose of the handshake n No handshake == security hole

tcp - courses.physics.illinois.edu · TCP Usage Model n Connection setup ... Client Server s t-1stConnection closed - Another purpose of the handshake n No handshake == security hole

Documents
AGGIE Handshake On-Campus Employer Guide Handshake... · AGGIE Handshake On-Campus Employer Guide 1 . This guide is a basic introduction to AGGIE Handshake. For more detailed information

AGGIE Handshake On-Campus Employer Guide Handshake... · AGGIE Handshake On-Campus Employer Guide 1 . This guide is a basic introduction to AGGIE Handshake. For more detailed information

Documents
Handshake - cpp.edu

Handshake - cpp.edu

Documents
tcp¡ 3-way handshake n Data transport ¡ Sender writes data ¡ TCP n Breaks data into segments n Sends each segment over IP n Retransmits, reorders and removes duplicates as necessary

tcp¡ 3-way handshake n Data transport ¡ Sender writes data ¡ TCP n Breaks data into segments n Sends each segment over IP n Retransmits, reorders and removes duplicates as necessary

Documents
Handshake Issues

Handshake Issues

Documents
cup.edu.incup.edu.in/Syllabi/CST/syllabi_2017_18/CST (CBS) 2017-18... · Web viewTCP header, TCP Three way handshake, TCP for Wired networks, TCP extensions for wireless networks,

cup.edu.incup.edu.in/Syllabi/CST/syllabi_2017_18/CST (CBS) 2017-18... · Web viewTCP header, TCP Three way handshake, TCP for Wired networks, TCP extensions for wireless networks,

Documents
Handshake info

Handshake info

Documents
L ing Wireshark to Observe the TCP 3-Way Handshake

L ing Wireshark to Observe the TCP 3-Way Handshake

Documents
The TCP Split Handshake: Practical Effects on Modern ... · The TCP Split Handshake: Practical Effects on ... The authors audit a number of intrusion detection devices, ... completing

The TCP Split Handshake: Practical Effects on Modern ... · The TCP Split Handshake: Practical Effects on ... The authors audit a number of intrusion detection devices, ... completing

Documents
Information Network 1 Transport layer: TCP a TCP connection n3-way handshake nSYN, SYN-ACK, ACK nEnsure full-duplex communication 16bit source port 16bit destination port 32bit sequence

Information Network 1 Transport layer: TCP a TCP connection n3-way handshake nSYN, SYN-ACK, ACK nEnsure full-duplex communication 16bit source port 16bit destination port 32bit sequence

Documents
7.2.1.8 Lab - Using 77777to Observe the TCP 3-Way Handshake -REALIZADO

7.2.1.8 Lab - Using 77777to Observe the TCP 3-Way Handshake -REALIZADO

Documents
Protocol Basics. Outline Objective OSI Model TCP/IP Model Encapsulation TCP Header 3-way Handshake IP Addressing SMTP FTP HTTP DNS Summary List of References

Protocol Basics. Outline Objective OSI Model TCP/IP Model Encapsulation TCP Header 3-way Handshake IP Addressing SMTP FTP HTTP DNS Summary List of References

Documents
Information Network 1 Transport layer: TCP a TCP connection 3-way handshake SYN, SYN-ACK, ACK Ensure full-duplex communication 16bit source port 16bit destination port

Information Network 1 Transport layer: TCP a TCP connection 3-way handshake SYN, SYN-ACK, ACK Ensure full-duplex communication 16bit source port 16bit destination port

Documents
Golden Handshake

Golden Handshake

Documents
Handshake - UNCW

Handshake - UNCW

Documents
guitar and bass amplification · guitar amplification bass amplification acoustic amplification keyboard amplification accessories the family carlsbroamps @carlsbromusic Founded in

guitar and bass amplification · guitar amplification bass amplification acoustic amplification keyboard amplification accessories the family carlsbroamps @carlsbromusic Founded in

Documents
index [homes.di.unimi.it]homes.di.unimi.it/anisetti/Teaching/FirewallStateless-Lezione1-2-3-old.pdfSPF: connessioni TCP Una connessione TCP passa attraverso il 3-way Handshake (scambio

index [homes.di.unimi.it]homes.di.unimi.it/anisetti/Teaching/FirewallStateless-Lezione1-2-3-old.pdfSPF: connessioni TCP Una connessione TCP passa attraverso il 3-way Handshake (scambio

Documents
Good handshake

Good handshake

Education
DDoS Survey Paper – Outline - Home | Princeton Universityrblee/DDoS Survey Paper_v7final.doc · Web viewThe Transfer Control Protocol (TCP) includes a full handshake between sender

DDoS Survey Paper – Outline - Home | Princeton Universityrblee/DDoS Survey Paper_v7final.doc · Web viewThe Transfer Control Protocol (TCP) includes a full handshake between sender

Documents
Taming the Shark - SHARE Filters TCP Session Setup and Termination 6 TCP sessions are started with the 3-way-Handshake • Client sends SYN packet • Server sends SYN_ACK packet •

Taming the Shark - SHARE Filters TCP Session Setup and Termination 6 TCP sessions are started with the 3-way-Handshake • Client sends SYN packet • Server sends SYN_ACK packet •

Documents
Digital handshake

Digital handshake

Marketing
AGGIE Handshake Student/Alumni Guide Handshake... · 2020-04-24 · AGGIE Handshake Student/Alumni Guide 1 . This guide is a basic introduction to AGGIE Handshake. For more detailed

AGGIE Handshake Student/Alumni Guide Handshake... · 2020-04-24 · AGGIE Handshake Student/Alumni Guide 1 . This guide is a basic introduction to AGGIE Handshake. For more detailed

Documents
Handshake managment

Handshake managment

Health & Medicine
Alexey Ragozin alexey.ragozin@gmail.com Dec 2013 · 2020. 7. 1. · TCMP vs TCP Having TCP and TCMP in one network Normally TCMP is limited by proxy speaking TCP Traffic amplification

Alexey Ragozin [email protected] Dec 2013 · 2020. 7. 1. · TCMP vs TCP Having TCP and TCMP in one network Normally TCMP is limited by proxy speaking TCP Traffic amplification

Documents
Handshake Pitchdeck

Handshake Pitchdeck

Business
情報ネットワーク論I TCP 1/2 · Establishing a TCP connection 3-way handshake SYN, SYN-ACK, ACK Ensure full-duplex communication 16bit source port 16bit destination port 32bit

情報ネットワーク論I TCP 1/2 · Establishing a TCP connection 3-way handshake SYN, SYN-ACK, ACK Ensure full-duplex communication 16bit source port 16bit destination port 32bit

Documents
Beowulf Clusters6. Presentation Data Representation : ASCII 5. Session Starts and Stops the Session (Logon / Logoff) 4. Transport TCP – reliable / Handshake Transmission Control

Beowulf Clusters6. Presentation Data Representation : ASCII 5. Session Starts and Stops the Session (Logon / Logoff) 4. Transport TCP – reliable / Handshake Transmission Control

Documents
Workshop System Exploitationitsecx.fhstp.ac.at/downloads_2012/01_metasploit.pdf · TCP 3-Way Handshake zum Verbindungsaufbau, TCP-Flags TCP Port offen TCP Port geschlossen S E R H

Workshop System Exploitationitsecx.fhstp.ac.at/downloads_2012/01_metasploit.pdf · TCP 3-Way Handshake zum Verbindungsaufbau, TCP-Flags TCP Port offen TCP Port geschlossen S E R H

Documents
7.2.1.8 Lab - Using Wireshark to Observe the TCP 3-Way Handshake (Solved)

7.2.1.8 Lab - Using Wireshark to Observe the TCP 3-Way Handshake (Solved)

Documents