Denial of Service (DoS) Attack Protection
Project Presentation
Submitters: Victoria Tchoudakov 309446300, Alexey Tsitkin 306371741, Sergey Ogurtsov 321653610
DoS Attacks:
• SYN attack
• Teardrop attack
SYN Attack
• In the TCP protocol, a connection is opened with a "three-way handshake": the client sends the server a packet with SYN=1, the server answers with a packet with SYN=1 and ACK=1, and the client then answers with a packet with ACK=1; at that point the TCP session is open.
• In a SYN attack, the attacker, using IP spoofing, sends multiple SYN packets to the target machine. For each received SYN packet, the target machine allocates resources and sends an acknowledgement (SYN=1, ACK=1) to the source IP address, which is spoofed. Naturally, the target machine never gets an acknowledgement from the spoofed IP address. In this way, the attacker can exhaust all resources of the target machine.
Teardrop Attack
• The Teardrop attack uses a vulnerability in the way fragmented IP packets are reassembled. Fragmentation is necessary when IP datagrams are larger than the maximum transmission unit (MTU) of a network segment the datagrams must traverse. In order to successfully reassemble the packet at the receiving end, the IP header of each fragment includes an offset that identifies the fragment's position in the original unfragmented packet.
• In a Teardrop attack, packet fragments are deliberately fabricated with overlapping offset fields, causing the target host to hang or crash when it tries to reassemble them.
TCP SYN-attack protection
• Our firewall responds on behalf of the internal host. A connection to the host is established only after the three-way handshake is successfully completed.
• During an attack, the firewall responds to the SYN sent by the attacker; since the ACK never arrives, the firewall terminates the connection with an RST packet, and the host never receives the datagram. For legitimate connections, the firewall creates a new connection to the internal host on behalf of the client, and then acts as an almost transparent proxy, passing the packets from side to side (with minor changes).
Teardrop protection
• The firewall passes fragmented packets to the server only after proper checking:
  • there are no missing fragments
  • there are no overlapping offsets
• Pros: In an ideal situation with unlimited buffers, it protects the host from Teardrop completely.
• Cons: Depends on buffer size and overall network load to work properly.
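The fragment check described on this slide (no missing fragments, no overlapping offsets), written out as an added example. This is not the project's firewall code: the `fragment_t` type, `check_fragments` function and verdict names are assumptions for illustration, and the sample fragments are constructed, not captures from the lab. Offsets are byte offsets here; a caller working on real IP headers multiplies the 13-bit fragment-offset field by 8 first.

```c
/* Added example, not the project's code: accept the fragments of one IP
 * datagram only when they cover the payload exactly once (no holes, no
 * overlaps) and the last fragment has been seen. Hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned offset;   /* byte offset of this fragment's payload in the datagram */
    unsigned len;      /* payload length in bytes */
    int more;          /* IP "more fragments" flag: 1 on every fragment but the last */
} fragment_t;

enum frag_verdict { FRAG_OK, FRAG_OVERLAP, FRAG_MISSING, FRAG_NO_LAST, FRAG_TRAILING };

static int cmp_offset(const void *a, const void *b) {
    const fragment_t *fa = a, *fb = b;
    return (fa->offset > fb->offset) - (fa->offset < fb->offset);
}

/* Sorts a copy of the fragments (arrival order need not be offset order) and
 * walks them, tracking the next byte still needed. Returns FRAG_OK or the
 * first defect found. FRAG_NO_LAST means "keep buffering", not "reject". */
int check_fragments(const fragment_t *in, size_t n) {
    if (n == 0) return FRAG_MISSING;
    fragment_t *f = malloc(n * sizeof *f);
    if (!f) return FRAG_MISSING;
    memcpy(f, in, n * sizeof *f);
    qsort(f, n, sizeof *f, cmp_offset);

    int verdict = FRAG_OK;
    unsigned expect = 0;                     /* next byte offset still needed */
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset < expect) { verdict = FRAG_OVERLAP; break; }       /* Teardrop pattern */
        if (f[i].offset > expect) { verdict = FRAG_MISSING; break; }       /* hole in the data */
        if (!f[i].more && i + 1 != n) { verdict = FRAG_TRAILING; break; } /* data past the "last" fragment */
        expect = f[i].offset + f[i].len;
    }
    if (verdict == FRAG_OK && f[n - 1].more) verdict = FRAG_NO_LAST;     /* datagram still incomplete */
    free(f);
    return verdict;
}

/* Constructed sample inputs (not captures from the project's lab). */
int demo_legal(void) {
    fragment_t frags[] = { {0, 1480, 1}, {1480, 1480, 1}, {2960, 500, 0} };
    return check_fragments(frags, 3);        /* FRAG_OK */
}
int demo_out_of_order(void) {
    fragment_t frags[] = { {2960, 500, 0}, {0, 1480, 1}, {1480, 1480, 1} };
    return check_fragments(frags, 3);        /* FRAG_OK: arrival order does not matter */
}
int demo_teardrop(void) {
    /* the second fragment claims to start inside the first */
    fragment_t frags[] = { {0, 1480, 1}, {1000, 1480, 0} };
    return check_fragments(frags, 2);        /* FRAG_OVERLAP */
}
int demo_missing(void) {
    fragment_t frags[] = { {0, 1480, 1}, {2960, 500, 0} };
    return check_fragments(frags, 2);        /* FRAG_MISSING */
}
int demo_incomplete(void) {
    fragment_t frags[] = { {0, 1480, 1} };
    return check_fragments(frags, 1);        /* FRAG_NO_LAST: keep buffering */
}

int main(void) {
    static const char *names[] = { "ok", "overlap", "missing", "no-last", "trailing" };
    printf("legal: %s\n", names[demo_legal()]);
    printf("teardrop: %s\n", names[demo_teardrop()]);
    printf("missing: %s\n", names[demo_missing()]);
    return 0;
}
```

The "Cons" bullet above shows up directly in this design: a datagram whose verdict is FRAG_NO_LAST has to stay in the firewall's buffer until its last fragment arrives, so the number of datagrams that can be held open at once is bounded by buffer size, and under load legal fragments may be evicted before completion.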
General Implementation
• In the implementation of the project we use WinPcap to interact with the network adapters.
• There are 3 components:
  • External client
  • Firewall
  • Internal server
External client
• Consists of two parts:
  • Attacker
  • Legal client
• The attacker consists of two standalone applications:
  • SYN attacker
  • Teardrop attacker
• The legal client simulates legal usage of the server.
• Legal TCP connections are implemented simply by connecting to the server using Internet Explorer.
• An application exists for sending legal (correctly formed) fragmented packets.
Attackers - Input
• The attackers allow the user to choose the number of packets sent, the rate of sending packets, etc. The Teardrop attacker also allows the user to choose whether to produce packets with missing fragments or with overlapping offsets.
• With the flag -d, the user is not prompted for any of the above; default options are used instead.
• With the flag -i, the user can choose the IP address of the attacked machine.
Firewall – Input
• The firewall allows the user to choose whether to reassemble fragmented packets or pass them through as is.
• With the flag -b, the user is prompted to change the blacklist parameters (the ban time frame, for example).
Firewall – Data structures
• Handshakes_Map: contains arrived SYN packets, for the handshakes currently in progress.
• Fragments_Map: contains arrived fragments of fragmented packets.
• Attackers_Map: contains the IP addresses of suspected attackers (blacklist).
• Connections_Map: contains constantly updated info for the currently open TCP sessions.
• Statistics structure: gathers statistics of the firewall's operation, such as the number of packets received, blocked, etc.
Firewall - Algorithm
• The firewall listens on two devices: one for Client-to-Server communication, the other for Server-to-Client communication.
• For each incoming packet, the firewall performs the following operations:
  • Packet from a known attacker (in the blacklist): it is dropped.
  • SYN packet from the Client: saves the data, responds with SYN-ACK.
  • ACK packet from the Client: starts the TCP handshake with the Server (sends the Server a SYN packet).
  • SYN-ACK packet from the Server: sends an ACK to the Server; the TCP connection is now open.
  • Fragmented packet: checks whether the fragmentation is legal; if it is, passes it through to the Server.
  • All other TCP/IP traffic between Server and Client is passed through.
• A log of the firewall's operations is written to LoggerOut.xml.
Results
• The firewall processes a packet in about 1 sec.
• Hence, an attacker with a higher rate of sending packets can cause DoS.
• The long processing time is mainly a result of waiting on the Server-to-Client adapter: the WinPcap function pcap_next_ex times out after 1 sec when no packet is received. That is, the delay is caused by this WinPcap behaviour together with our serial (non multi-threaded) design.
• Some of the delay may be caused by inefficient high-level code; if our code were written/optimized in assembly, the firewall would work faster. If it ran on special hardware (like a real firewall), it would work much faster.
Encountered Challenges
• When passing packets between Client and Server (after the TCP connection is open), the firewall needs to adjust the seq_no and ack_no fields in the TCP header, because there are in fact 2 TCP connections: Client-to-Firewall and Firewall-to-Server.
• In the WinPcap pcap_open function, note the to_ms parameter, which sets the packet-reading timeout. This parameter can influence performance (e.g. if set to 1000, it causes a delay of 1 sec when no packets arrive).
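The SYN-proxy behaviour from the "TCP SYN-attack protection" and "Firewall - Algorithm" slides, together with the seq_no/ack_no adjustment described on this slide, modelled as an added example. This is not the project's firewall code: `fw_handle`, `fw_tick`, the state names and the ISN values 1000/5000/9000 are assumptions made for illustration, and the "minor changes" of the real firewall are represented here by one specific choice, namely that the firewall reuses the client's ISN toward the server, so only the ack numbers from the client and the seq numbers from the server need translating. Segments are plain C values, not sockets, so it runs offline.

```c
/* Added example, not the project's code: SYN proxy with seq/ack translation.
 * The firewall completes the client's handshake itself, contacts the server
 * only after the client's ACK arrives, resets a half-open entry when that ACK
 * never comes, and afterwards rewrites numbers between the two ISN spaces. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { F_SYN = 1, F_ACK = 2 };
enum side { FROM_CLIENT, FROM_SERVER };
typedef enum { TO_NOWHERE, TO_CLIENT, TO_SERVER } dest_t;
typedef enum { ST_NONE, ST_SYN_RCVD, ST_SYN_SENT, ST_ESTABLISHED, ST_RESET } state_t;
typedef struct { int flags; uint32_t seq; uint32_t ack; } segment_t;

typedef struct {
    state_t state;
    uint32_t client_isn;  /* from the client's SYN; reused toward the server (assumption) */
    uint32_t fw_isn;      /* ISN the firewall chose toward the client */
    uint32_t server_isn;  /* learned from the server's SYN-ACK */
    uint32_t delta;       /* server_isn - fw_isn, applied when relaying */
    int syn_age;          /* ticks spent waiting for the client's ACK */
} conn_t;

/* Processes one segment for this entry, fills *out and returns where the
 * firewall sends it. fw_isn is the ISN to use if a new handshake starts. */
dest_t fw_handle(conn_t *c, enum side from, const segment_t *in, segment_t *out, uint32_t fw_isn) {
    memset(out, 0, sizeof *out);
    switch (c->state) {
    case ST_NONE:                                 /* client SYN: answer on the server's behalf */
        if (from != FROM_CLIENT || in->flags != F_SYN) return TO_NOWHERE;
        c->client_isn = in->seq;
        c->fw_isn = fw_isn;
        c->state = ST_SYN_RCVD;
        *out = (segment_t){ F_SYN | F_ACK, fw_isn, in->seq + 1 };
        return TO_CLIENT;
    case ST_SYN_RCVD:                             /* client ACK: now contact the real server */
        if (from != FROM_CLIENT || !(in->flags & F_ACK) || in->ack != c->fw_isn + 1) return TO_NOWHERE;
        c->state = ST_SYN_SENT;
        *out = (segment_t){ F_SYN, c->client_isn, 0 };
        return TO_SERVER;
    case ST_SYN_SENT:                             /* server SYN-ACK: finish the second handshake */
        if (from != FROM_SERVER || in->flags != (F_SYN | F_ACK) || in->ack != c->client_isn + 1) return TO_NOWHERE;
        c->server_isn = in->seq;
        c->delta = c->server_isn - c->fw_isn;     /* modular uint32 arithmetic, as TCP uses */
        c->state = ST_ESTABLISHED;
        *out = (segment_t){ F_ACK, c->client_isn + 1, c->server_isn + 1 };
        return TO_SERVER;
    case ST_ESTABLISHED:                          /* relay, translating between the ISN spaces */
        *out = *in;
        if (from == FROM_CLIENT) { out->ack += c->delta; return TO_SERVER; }
        out->seq -= c->delta;
        return TO_CLIENT;
    default:
        return TO_NOWHERE;
    }
}

/* Called once per timer tick. Returns 1 when a half-open entry has waited
 * `limit` ticks for the client's ACK: the firewall sends an RST and the
 * server was never involved. */
int fw_tick(conn_t *c, int limit) {
    if (c->state != ST_SYN_RCVD || ++c->syn_age < limit) return 0;
    c->state = ST_RESET;
    return 1;
}

/* Constructed legitimate exchange (ISNs 1000 client, 5000 firewall, 9000 server).
 * Returns the seq the client sees on the server's first data segment, i.e. the
 * server's ISN+1 rewritten into the firewall's ISN space, or 0 if a step was refused. */
uint32_t demo_legal_exchange(void) {
    conn_t c = { ST_NONE, 0, 0, 0, 0, 0 };
    segment_t in, out;
    in = (segment_t){ F_SYN, 1000, 0 };                       /* client SYN */
    if (fw_handle(&c, FROM_CLIENT, &in, &out, 5000) != TO_CLIENT || out.ack != 1001) return 0;
    in = (segment_t){ F_ACK, 1001, out.seq + 1 };             /* client ACKs the firewall's SYN-ACK */
    if (fw_handle(&c, FROM_CLIENT, &in, &out, 5000) != TO_SERVER || out.flags != F_SYN) return 0;
    in = (segment_t){ F_SYN | F_ACK, 9000, out.seq + 1 };     /* server SYN-ACK */
    if (fw_handle(&c, FROM_SERVER, &in, &out, 5000) != TO_SERVER || out.ack != 9001) return 0;
    in = (segment_t){ F_ACK, 1001, 5001 };                    /* client data, acking firewall ISN+1 */
    if (fw_handle(&c, FROM_CLIENT, &in, &out, 5000) != TO_SERVER || out.ack != 9001) return 0;
    in = (segment_t){ F_ACK, 9001, 1002 };                    /* server reply in its own ISN space */
    if (fw_handle(&c, FROM_SERVER, &in, &out, 5000) != TO_CLIENT) return 0;
    return out.seq;                                           /* 5001 */
}

/* Spoofed SYN: the SYN-ACK goes to an address that never answers. Returns 1 when
 * the entry is reset after the timeout and the server was never contacted. */
int demo_spoofed_syn(void) {
    conn_t c = { ST_NONE, 0, 0, 0, 0, 0 };
    segment_t in = { F_SYN, 42, 0 }, out;
    if (fw_handle(&c, FROM_CLIENT, &in, &out, 5000) != TO_CLIENT) return 0;
    int expired = 0;
    for (int t = 0; t < 3 && !expired; t++) expired = fw_tick(&c, 3);
    return expired && c.state == ST_RESET && c.server_isn == 0;
}
```

Two points the model makes visible: the server's resources are never touched by a spoofed SYN, because `ST_SYN_SENT` is only reached from a valid client ACK, and the translation in `ST_ESTABLISHED` is a single unsigned 32-bit delta computed once per connection, which is why the "minor changes" in the relay path stay cheap even though there are two independent TCP connections.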
Results – SYN Attack
• IE delay without attacks: immediate (no delay).
• Average processing time of a packet: ~10 milliseconds.
• Here are the delays of legal client operation (IE) when using the firewall:
• With an infinite number of attack packets, our firewall is able to process legal packets when the attack rate is 100 packets/sec.
Results – SYN Attack
• For attack bursts of over 6000 packets, DoS is achieved when the legal client is Internet Explorer.
Results - Teardrop
• Processing time of a fragment varies from ~10 millisec
• Fragments are processed in order of arrival, so any attack delays legal fragments; but since the processing time is reasonable, the delays are reasonable as well.
• Attacks are blocked by the firewall, and only checked, legal fragments go through.
• The processing time of a whole packet is, of course, the processing time of all of its fragments plus some negligible delay.
Conclusions
• A blacklist of attackers' IPs is not an efficient defense method, because attackers usually spoof their IPs.
• DoS can still be achieved by a large burst of attacking SYN/Teardrop packets.
• The implemented method protects from the Teardrop attack at the price of delays in traffic and possible losses of legal packets. Yet the server will NOT crash trying to reassemble false fragments.
Constraints
• WinPcap has limited buffers (only ~10000 packets). Thus we cannot test attacks with bursts of more than 10000 packets.
• Our server supports only five connections.
• The hardware in the lab isn't very quick; faster computers could substantially decrease processing time.
Future work
• Improve the implementation by using multiple threads (e.g. different threads for listening on the Client-to-Server device and on the Server-to-Client device).
• Optimization is possible in code, data structures and parameters, such as the timeout, maximum allowed buffer usage, etc.