Page 1: LCCN TCP SYN attack protection

Submitting: Lena Lempert, Ola Shor, Eugenia Nimratz
Instructor: Reuven Cohen
Supervisor: Itai Dabran

Page 2: Agenda

• Introduction
  Basic concepts
  Project goals
• Description of Implementation (general layout, description of operation, main data structures, modules, algorithms)
  1st solution
  2nd solution
• Performance Analysis
  General notes
  Comparison of 2 implementations in normal conditions
  Comparison in case of SYN attack
• Simulation Results
• Conclusions
• Acknowledgements

Page 3: Introduction, Basic Concepts

• When TCP was designed, some of the attacks known today were not taken into consideration:
  Big timeouts
  Small buffers
  Lack of security rules
• In a TCP SYN attack, a large number of SYN packets requesting to open a connection fill up the buffer of pending (half-open) connections, thus bringing down the server.
• Naive approach: throw away SYN requests arriving from the same IP.
  BUT: the packets arrive with random (spoofed) IP addresses and port numbers. How to distinguish them from legitimate clients?
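To put numbers on the "big timeouts, small buffers" point above, here is an added example written for this page (not part of the original project): a Python model of the server's half-open connection table. It shows that the table is exhausted as soon as attack rate × SYN timeout exceeds the table size, and that the naive per-IP filter changes nothing because every spoofed source is new. The backlog size, the timeouts, the rates and the address pools are assumed values chosen for illustration.

```python
import heapq
import random


def steady_state_half_open(attack_rate, syn_timeout):
    """Half-open entries a never-completing SYN stream keeps alive at once:
    one entry per SYN for syn_timeout seconds, i.e. rate x timeout."""
    return attack_rate * syn_timeout


def simulate_backlog(backlog_size, syn_timeout, attack_rate, legit_rate,
                     duration=10.0, dt=0.1, rtt=0.05, per_ip_filter=False, seed=1):
    """Fraction of legitimate SYNs that found a free slot in the server's
    half-open (SYN-RECV) table during `duration` seconds.

    Model constructed for this example: every accepted SYN holds one of
    `backlog_size` slots. Attack SYNs carry a random spoofed source and are
    never acknowledged, so their slot is freed only after `syn_timeout`;
    legitimate clients finish the handshake after `rtt`. `per_ip_filter` is
    the naive defence from the deck: refuse a SYN whose source already holds
    a slot. Rates are SYNs per second, applied per tick of `dt` seconds."""
    rng = random.Random(seed)
    slots = []                        # min-heap of (free_at, serial, src)
    held = set()                      # sources currently holding a slot
    serial = offered = accepted = 0
    for step in range(round(duration / dt)):
        now = step * dt
        while slots and slots[0][0] <= now:               # timers that ran out
            held.discard(heapq.heappop(slots)[2])
        arrivals = [("attack", rng.getrandbits(32))        # fresh spoofed source each time
                    for _ in range(round(attack_rate * dt))]
        arrivals += [("legit", f"client-{rng.randrange(1000)}")
                     for _ in range(round(legit_rate * dt))]
        rng.shuffle(arrivals)                             # attacker and clients interleave
        for kind, src in arrivals:
            if kind == "legit":
                offered += 1
            if len(slots) >= backlog_size or (per_ip_filter and src in held):
                continue                                  # dropped: table full or filtered
            serial += 1
            hold_for = rtt if kind == "legit" else syn_timeout
            heapq.heappush(slots, (now + hold_for, serial, src))
            held.add(src)
            if kind == "legit":
                accepted += 1
    return accepted / offered if offered else 1.0
```

With a 1024-entry table and a 60-second SYN-RECV timeout, 500 attack SYNs per second fill the table within about two seconds and most legitimate clients are refused for the rest of the run; the same attack against a 1-second timeout never fills it. Enabling the per-IP filter gives the same result as leaving it off, which is the "How to distinguish?" problem of this slide.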

Page 4: Introduction (cont.), Basic Concepts

• Another approach: change the implementation of TCP so that it handles the attack (for example, change the buffer size dynamically depending on the SYN arrival rate; limit the number of accepted SYNs per second). BUT:
  Complicated!
  Change TCP for every attack?
• Our solution: let a Firewall operate between the client and the server, protecting the server from crashes.

Page 5: Introduction (cont.), Project Goals

• Implementation of 2 differently designed Firewalls:
  1st solution – the server is located in a separate network. All its communication is forwarded by the Firewall, which traces and sifts out SYN attacks.
  2nd solution – the Firewall and the server are located in the same local network. The Firewall cannot prevent packets from arriving at the server, but operates as a watchdog. When it concludes that a SYN attack is under way, it simulates the client in order to defend the server.

Page 6: Introduction (cont.), Project Goals

• Comparison of the Firewalls
  In normal conditions
  Under SYN attack
  In normal conditions, the number of clients connecting to the server per second was the only parameter for comparison.
  Under SYN attack, both the rate of attacking SYNs and the rate of regular clients were taken into consideration.
• SO… Which one is better?!!!

Page 7: Description of Implementation, 1st solution

• General Layout: [diagram] client, Internet, router, firewall, server. The firewall joins two networks (LAN/WAN 1 on the client side, LAN/WAN 2 on the server side); all traffic to and from the server passes through it.

Page 8: 1st solution, handshake with a legitimate client

[sequence diagram: client, firewall, internal server]
  client → firewall: SYN
  firewall → client: SYN + ACK
  client → firewall: ACK
  firewall → internal server: SYN
  internal server → firewall: SYN + ACK
  firewall → internal server: ACK
  client ↔ internal server (forwarded by the firewall): data

Page 9: 1st solution, attacking SYN (the handshake is never completed)

[sequence diagram: client, firewall, internal server]
  client → firewall: SYN
  firewall → client: SYN + ACK
  (timeout: no ACK from the client)
  firewall → client: RST
  (nothing is sent to the internal server)

Page 10: Description of Implementation, 2nd solution

• General Layout: [diagram] Client, Internet, router, one LAN/WAN shared by the Server and the Firewall. The firewall is on the same network segment as the server and observes its traffic; it is not in the forwarding path.

Page 11: 2nd solution, handshake with a legitimate client

[sequence diagram: client, firewall, server]
  client → server: SYN (seen by the firewall)
  server → client: SYN + ACK (seen by the firewall)
  firewall → server: ACK (on the client's behalf)
  client → server: ACK
  client ↔ server: data

Page 12: 2nd solution, attacking SYN (the client never answers)

[sequence diagram: client, firewall, server]
  client → server: SYN
  server → client: SYN + ACK
  firewall → server: ACK (on the client's behalf)
  (timeout: no ACK from the client)
  firewall → client: RST
  firewall → server: FIN

Page 13: Description of Implementation (cont.), 1st and 2nd solutions

• The communication is accomplished via RAW sockets.
• 2 kinds of data structures:
  FIFO queues of Packets
  Tables of entries defined by connection parameters
• 3 modules:
  Receive & Send module, responsible for accomplishing the communication
  Process module, the main logic of the firewall
  Timeout module, responsible for performing actions when the time allowed for some condition has expired

Page 14: Modules

[diagram: Receive & Send Module ↔ Process Module ↔ Timeout Module]

Page 15: 1st solution, threads and buffers

[diagram]
  Threads: Receive Thread, Process Thread, Send Thread, Timeout Client Thread, Timeout Server Thread, Close Connections Thread
  Queues: Process Buffer (Receive Thread → Process Thread), Send Buffer (Process Thread → Send Thread)
  Tables: Pending Buffer, SynAckWait Buffer, ListsWait Buffer, Opened Connections Buffer

Page 16: Receive & Send module

Receive thread:
  TCP packet? no → discard
  From/to server? no → discard
  yes → Insert to Process buffer and inform Process thread
Send thread:
  RST packet? yes → Add Ethernet trailer, then Send
  no → Send

Page 17: Process module, packet from the client (1st solution)

Packet to server? no (from server) → shown in other diagram
yes:
  SYN? yes → Insert to Pending Buffer; Send SYN+ACK to client
  ACK? yes → Ack is for …
    Ack for 3-way handshake → Delete entry from Pending Buffer; Send SYN to server; Insert data to SYN_ACK_WAIT buffer
    Ack for open connection → Adapt packet; Send to server
    Ack for half-opened connection (not yet opened with server) → Insert to ListsWait Buffer
    else → discard
  no → Packet is for …
    Packet for open connections → Adapt packet; Send to server
    Packet for half-opened connection (not yet opened with server) → Insert to ListsWait Buffer
    else → discard

Page 18: Process module, packet from the server (1st solution)

Packet from server? no → shown in other diagram
yes:
  SYN + ACK? yes → Data is in SynAckWait Buffer?
    yes → Delete entry from SynAckWait Buffer; Send ACK to server; Insert data to Opened Connections Buffer; Send all packets waiting in ListsWait Buffer
    no → discard
  no → Packet is for opened connections?
    yes → Adapt packet; Send to client
    no → discard

Page 19: Timeout module (1st solution)

Check all entries in Pending Buffer: found entry with timer expired → SYN attack!!! Delete from Pending Buffer; Send RST to client
Check all entries in SynAckWait Buffer: found entry with timer expired → Send another SYN to server
Check all entries in Opened Connections Buffer: found entry with timer expired → Delete entry
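The flowcharts of pages 17 to 19 together describe a SYN proxy. The following is an added example written for this page, not the project's code: a single-threaded Python model of the Process and Timeout modules of the 1st solution, using the four tables named above. The segment class, the server address 10.0.0.2:80, the 3-second timeout and the ISN choice are assumptions made for the example; the RAW-socket I/O of page 13 is left out so that it runs offline.

```python
import time
from dataclasses import dataclass


@dataclass
class Seg:
    # Toy TCP segment, constructed for this example (not a real packet).
    src: str
    dst: str
    sport: int
    dport: int
    flags: str             # letters of the set flag bits: "S", "SA", "A", "R", ...
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


SERVER, SERVER_PORT = "10.0.0.2", 80   # assumed address of the protected server
SYN_TIMEOUT = 3.0                      # assumed; the deck only says "several sec"


class SynProxy:
    """Process + Timeout logic of the 1st solution: answer the client's SYN
    ourselves, contact the server only once the client's ACK proves the client
    exists, and afterwards rewrite the offset between our ISN and the server's.
    Toward the server the client's own address, port and ISN are re-used."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}       # Pending Buffer: SYN+ACK sent to client, ACK awaited
        self.synack_wait = {}   # SynAckWait Buffer: SYN sent to server, SYN+ACK awaited
        self.lists_wait = {}    # ListsWait Buffer: client segments queued meanwhile
        self.opened = {}        # Opened Connections Buffer: key -> sequence offset
        self.out = []           # Send Buffer: every segment the firewall emits
        self._isn = 1000        # last ISN handed to a client

    def _key(self, s):
        return (s.dst, s.dport) if s.src == SERVER else (s.src, s.sport)

    def handle(self, s):
        """Process one received segment (Process module); anything not to or
        from the server port is discarded, as in the Receive thread."""
        if s.src == SERVER and s.sport == SERVER_PORT:
            self._from_server(s)
        elif s.dst == SERVER and s.dport == SERVER_PORT:
            self._from_client(s)

    def _from_client(self, s):
        key = self._key(s)
        if s.flags == "S":                      # new handshake: answer it ourselves
            self._isn += 7919                   # any non-repeating choice does for the model
            self.pending[key] = {"fw_isn": self._isn, "client_isn": s.seq, "t": self.clock()}
            self.out.append(Seg(SERVER, s.src, SERVER_PORT, s.sport, "SA", self._isn, s.seq + 1))
        elif key in self.pending and "A" in s.flags:
            p = self.pending[key]
            if s.ack != p["fw_isn"] + 1:        # not the 3rd handshake step: discard
                return
            del self.pending[key]               # client is real: open the server side
            self.synack_wait[key] = {**p, "t": self.clock()}
            self.out.append(Seg(s.src, SERVER, s.sport, SERVER_PORT, "S", p["client_isn"]))
            if s.payload:
                self.lists_wait.setdefault(key, []).append(s)
        elif key in self.synack_wait:           # half-open toward the server: queue
            self.lists_wait.setdefault(key, []).append(s)
        elif key in self.opened:
            self.out.append(self._adapt_to_server(key, s))

    def _from_server(self, s):
        key = self._key(s)
        if s.flags == "SA" and key in self.synack_wait:
            p = self.synack_wait.pop(key)
            self.opened[key] = s.seq - p["fw_isn"]     # server ISN minus our ISN
            self.out.append(Seg(s.dst, SERVER, s.dport, SERVER_PORT, "A",
                                p["client_isn"] + 1, s.seq + 1))
            for q in self.lists_wait.pop(key, []):     # flush what the client sent
                self.out.append(self._adapt_to_server(key, q))
        elif key in self.opened:                        # server -> client: shift seq
            self.out.append(Seg(SERVER, s.dst, SERVER_PORT, s.dport, s.flags,
                                s.seq - self.opened[key], s.ack, s.payload))

    def _adapt_to_server(self, key, s):
        # the client acknowledges our ISN space; shift its ack into the server's
        return Seg(s.src, SERVER, s.sport, SERVER_PORT, s.flags,
                   s.seq, s.ack + self.opened[key], s.payload)

    def sweep(self):
        """Timeout module: RST expired half-open clients (this is where a SYN
        flood is absorbed; the server never saw those SYNs) and retransmit an
        unanswered SYN toward the server. Returns the number of RSTs sent."""
        now, rsts = self.clock(), 0
        for key, p in list(self.pending.items()):
            if now - p["t"] > SYN_TIMEOUT:
                del self.pending[key]
                self.out.append(Seg(SERVER, key[0], SERVER_PORT, key[1], "R", p["fw_isn"] + 1))
                rsts += 1
        for key, p in self.synack_wait.items():
            if now - p["t"] > SYN_TIMEOUT:
                p["t"] = now
                self.out.append(Seg(key[0], SERVER, key[1], SERVER_PORT, "S", p["client_isn"]))
        return rsts
```

Feed `handle()` every segment seen on either interface and call `sweep()` periodically. A flood of spoofed SYNs only ever fills `pending` and is answered by RSTs at sweep time; the server sees its first SYN for a connection only after the client's ACK has arrived. The price, as pages 27 and 28 discuss, is that every later segment is touched by `_adapt_to_server` or the server-side branch, and that the proxy does not recognise a client's retransmitted SYN as a repeat.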

Page 20: 2nd solution, threads and buffers

[diagram]
  Threads: Receive Thread, Process Thread, Send Thread, Timeout Thread
  Queues: Process Buffer (Receive Thread → Process Thread), Send Buffer (Process Thread → Send Thread)
  Tables: Pending Buffer

Page 21: Process module (2nd solution)

From server? no → Packet is …
    SYN from client → Insert to Pending Buffer
    ACK from client → Delete from Pending Buffer
    else → discard
yes → Packet is …
    SYN+ACK from server → Start timer; Send ACK to server
    FIN+ACK from server → Send ACK to server; Delete from Pending Buffer
    else → discard

Page 22: Timeout module (2nd solution)

Check all entries in Pending Buffer: found entry with timer expired → SYN attack!!! Delete from Pending Buffer; Send RST to client; Send FIN to Server
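For comparison, the Process module of page 21 and the Timeout module of page 22, again as an added Python model written for this page and not the project's code. It uses a toy segment namedtuple and the server address 10.0.0.2:80 (both constructed for the example) and reads the flowcharts as follows: on the server's SYN+ACK the firewall sends the client's third handshake packet for it and starts the timer; on the client's own ACK the entry is forgotten; on timeout it sends RST to the client and FIN to the server; the server's FIN+ACK is then acknowledged so the server can close. The 3-second timeout is an assumption.

```python
import time
from collections import namedtuple

# Toy segment model, constructed for this example (not a real packet API).
Seg = namedtuple("Seg", "src dst sport dport flags seq ack", defaults=(0, 0))

SERVER, SERVER_PORT = "10.0.0.2", 80   # assumed address of the protected server
SYN_TIMEOUT = 3.0                      # assumed; "several sec" in the deck


class Watchdog:
    """Process + Timeout logic of the 2nd solution. The firewall sits on the
    server's LAN and cannot stop a SYN from reaching the server. When the
    server answers SYN+ACK it immediately sends the client's third handshake
    packet for it, so the entry leaves the small SYN backlog and becomes an
    ordinary established connection. If the real client never ACKs within
    SYN_TIMEOUT, the firewall tears that connection down on both sides."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}   # Pending Buffer: (client_ip, client_port) -> state
        self.out = []       # Send Buffer: segments the firewall injects

    def handle(self, s):
        if s.dst == SERVER and s.dport == SERVER_PORT:          # client -> server
            key = (s.src, s.sport)
            p = self.pending.get(key)
            if s.flags == "S":                                   # remember the SYN
                self.pending[key] = {"client_isn": s.seq, "server_isn": None,
                                     "t": None, "closing": False}
            elif s.flags == "A" and p and not p["closing"]:
                del self.pending[key]                            # real client: done
        elif s.src == SERVER and s.sport == SERVER_PORT:        # server -> client
            key = (s.dst, s.dport)
            p = self.pending.get(key)
            if p is None:
                return                                           # not ours to touch
            if s.flags == "SA":                                  # start timer, ACK for client
                p["server_isn"], p["t"] = s.seq, self.clock()
                self.out.append(Seg(key[0], SERVER, key[1], SERVER_PORT, "A",
                                    p["client_isn"] + 1, s.seq + 1))
            elif s.flags == "FA":                                # server's FIN: acknowledge it
                seq = p["client_isn"] + (2 if p["closing"] else 1)   # +1 if we sent a FIN
                self.out.append(Seg(key[0], SERVER, key[1], SERVER_PORT, "A", seq, s.seq + 1))
                del self.pending[key]

    def sweep(self):
        """Timeout module: for every entry whose client never ACKed, RST the
        client and FIN the server. Returns how many connections were torn down."""
        now, torn = self.clock(), 0
        for key, p in self.pending.items():
            if p["t"] is None or p["closing"] or now - p["t"] <= SYN_TIMEOUT:
                continue
            p["closing"] = True
            cip, cport = key
            self.out.append(Seg(SERVER, cip, SERVER_PORT, cport, "R",
                                p["server_isn"] + 1, p["client_isn"] + 1))
            self.out.append(Seg(cip, SERVER, cport, SERVER_PORT, "FA",    # a FIN always carries ACK
                                p["client_isn"] + 1, p["server_isn"] + 1))
            torn += 1
        return torn

    def server_connections_held(self):
        """Connections the firewall has opened on the server and not yet seen
        closed: this, not the SYN backlog, is what a flood costs the server here."""
        return sum(1 for p in self.pending.values() if p["t"] is not None)
```

`server_connections_held()` is the quantity pages 32 and 33 describe: every attacking SYN becomes a fully established connection on the server for the whole timeout, and the firewall cannot shorten that timeout without cutting off slow legitimate clients. The backlog itself is protected, so the server does not drop SYNs, but under a high attack rate it is now bombarded with connections instead.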

Page 23: Performance analysis, General Notes, description of simulation tools

• The conditions available in the lab, although they gave us results sufficient for comparing the 2 solutions, were still limited and didn't allow testing with numbers close to reality. For the purpose of simulation, we built a server that accepts a single connection, sends a small amount of data and, after closing this connection, accepts another one (not a multithreaded server). Clients too connect one after another (a certain number per second). That's why, without attacks or firewalls, these conditions let us serve no more than ~2000 such clients per second. So bigger numbers were not tested with attacks (the results would be irrelevant).

Page 24: Performance analysis, General Notes, Explanation of threshold

• With such a simulation, the moment when regular clients that managed to connect without an attack no longer manage to connect to the server under attack was considered the threshold at which the firewall/server would crash in reality. In our results it didn't actually happen, since the clients connect in a loop and simply start to connect more slowly. In reality, the rate of clients wouldn't slow down and their requests would exhaust the resources of the Firewall/server.

Page 25: Performance analysis (cont.), General Notes, limit of the 1st solution

• Due to reasons described later in this section, even without attacks the firewall of the 1st solution can handle fewer clients than that of the 2nd solution. See Chart 1 in Simulation Results. That's why no more than this number of clients (max ~500 clients per second) was tested when an attack was present.

Page 26: Performance analysis (cont.), General Notes, Why stop testing after threshold

• We stopped increasing the parameters (clients or attacks) once it took the server more time to handle a connection than it took in normal conditions. The reason is that, no matter how quickly, such a situation will bring down the Firewall, the server or the clients (depending on the solution), since at this moment the arrival rate is higher than the service rate at some node. In the 1st solution, the Firewall will refuse to function and clients will exit with a connection timeout. In the 2nd solution, the server will be brought down (it cannot serve so many clients) and clients will exit with the same connection timeout error. The biggest "working" parameter was considered the limit, although it may not be very exact.

Page 27: Performance analysis, Comparison of 2 solutions in normal conditions

1st solution: In the 1st solution, the Firewall forwards all the packets passing to/from the server. Each connection is settled by simulating both sides to each other (simulating the server for the client and the client for the server). Then data about the opened connection is inserted into the table, and all the following packets are forwarded after changing their fields according to the data saved in the table.

Page 28: Performance analysis (cont.)

In the conditions of the lab, the CPU capacity of the Firewall was not enough to settle the connection with the server before the client's retransmitted packets arrived (the network was faster than the firewall).

As a result, even when a single (regular) client tried to connect, a certain number of redundant retransmitted packets was present.

When the number of clients grew, the connection with the server was opened with an even bigger delay -> more retransmitted packets, and time wasted on forwarding them.

Page 29: Performance analysis (cont.)

The result is that under normal conditions the firewall can serve only a limited number of clients, which is much smaller than the number of clients served without any forwarding.

2nd solution: Here, the Firewall doesn't interfere with the communication except for sending a duplicate acknowledgement for each SYN it "notices" (the ACK that completes the handshake, sent when the server's SYN+ACK appears). This doesn't disturb the server, and the network works as if there were no firewall at all.

Page 30: Performance analysis (cont.)

Conclusion: the 1st solution works worse in normal conditions than the 2nd one. (See Simulation Results.)

Page 31: Performance analysis (cont.), Comparison of 2 solutions under SYN attack

1st solution: Under SYN attack, the Firewall in the 1st solution sifts out the attacking SYNs, thus protecting the server. Therefore, the bottleneck in this solution is the Firewall. We tested different attack rates for several numbers of regular clients. With exactly the same parameters, the 2nd solution works worse.

The bigger the rate of clients was, the faster we arrived at the threshold. For the numbers, see the Simulation Results section.

Page 32: Performance analysis (cont.), Comparison of 2 solutions under SYN attack

2nd solution: Our firewall was designed to protect the server from the TCP SYN attack. That's why we chose a reasonable timeout (several seconds) after which the SYN packet is judged to be false. Then we close the connection with the server.

We DO protect from the SYN attack, since the server doesn't crash because of pending connections.

BUT! We don't protect the server from excessive connections.

Page 33: Performance analysis (cont.), Comparison of 2 solutions under SYN attack

It appears that the 2nd solution works worse in the presence of even a relatively low rate of attacks, because many connections are still not closed (the firewall waits for the timeout) while many new connections arrive (from regular clients and from the attack).

The design of this solution doesn't allow us to prevent false connections from being opened, and they "bomb" the server.

We cannot decrease the timeout, since we don't want to interfere with normal clients that really require such a timeout (packet loss etc.).

Page 34: Performance analysis (cont.)

Conclusion: the 2nd solution performs worse under SYN attack than the 1st one. (See Simulation Results.)

Page 35: Simulation Results

• Without attacks

[Chart 1: client service time vs. clients/sec (0 to 2500), Solution 1 and Solution 2]

Without attacks, client service time in the 1st solution is longer than that of the 2nd. It means that the 1st solution can handle fewer clients/sec than the 2nd solution.

Page 36: Simulation Results (cont.)

[Chart 2, two panels: client service time vs. attacks/sec, at 1 normal client/sec (0 to 2500 attacks/sec) and at 50 normal clients/sec (0 to 2000 attacks/sec), Solution 1 and Solution 2]

With attacks, client service time in the 2nd solution is longer than that of the 1st. It means that the 2nd solution can handle fewer clients/sec than the 1st solution.

Page 37: Simulation Results (cont.)

[Chart 3, two panels: client service time vs. normal clients/sec, at 500 attacks/sec (0 to 600 clients/sec) and at 1000 attacks/sec (0 to 250 clients/sec), Solution 1 and Solution 2]

With attacks, client service time in the 2nd solution is longer than that of the 1st. It means that the 2nd solution can handle fewer clients/sec than the 1st solution.

Page 38: Conclusions

• In this project we have implemented and compared 2 differently designed Firewalls.
• As a result, in normal conditions the 1st firewall is inferior to the 2nd one, while under SYN attack the 1st solution performs better than the 2nd one.
• The implementation of the 2nd solution was much easier than that of the 1st one.
• A definite result cannot be given as to which firewall is better under SYN attack, since in the conditions of the lab we had no opportunity to test other interesting situations (for example, a higher rate of SYN attack).

Page 39: Conclusions

• It should be noted that the problem with the 2nd solution was not actually the SYN attack but the excessive rate of TCP connections, since the rate of incoming SYNs was much bigger than the rate of regular clients.
• In reality, causing a DoS through excessive connections is much more difficult than a SYN attack, since a real server handles an enormous number of clients. We don't know exactly what a SYN attack looks like, but we do know that fewer SYNs are required to fill up the pending-connections buffer than to cause a DoS. That's why the 2nd solution MUST be checked in real conditions before conclusions are drawn. (Impossible in the lab.)

Page 40: Conclusions

• As to the 1st solution, it is useful for other reasons. Since it is a "proxy", it can:
  sift or otherwise handle other kinds of packets
  forward to another server
  run NAT
• To the question "What rate of attacks can each firewall handle?" we can answer:
  It depends on the rate of regular clients "N"
  In the 1st solution – ~O(N)
  In the 2nd solution – ~O(N^2)

Page 41: Conclusions (cont.)

• The following enhancements could be made:
  In the 1st solution, a mechanism could be added to recognise retransmitted packets.
  In the 1st solution, the code should be made as fast as possible (notice that this would bring no benefit to the 2nd solution).
  Dynamically refuse some percentage of connections under high connection pressure – avoid crashes!!!
  At least during our testing, we did not arrive at any possible enhancements to the 2nd solution.

Page 42: Acknowledgements

We would like to thank Reuven Cohen and Itai Dabran for their guidance during our project, and Stas, without whom the project would hardly have been accomplished, for his help in solving technical problems and explaining them.