Analysis of a Denial of Service Attack on TCP. Proceedings of the IEEE Symposium on Security and Privacy (1997). Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni. Presented by Yang, Sookhyun, July 11, 2003.
Contents • Introduction • Background • SYN Flooding Attack • Solutions • Synkill • Performance of Synkill • Conclusion
Introduction • SYN flooding attack • Network-based denial of service attack against hosts on IP (Internet Protocol) networks • Exploits a weakness in the TCP/IP (Transmission Control Protocol / Internet Protocol) connection-establishment procedure • Active monitoring tool (Synkill) • Classifies observed IP source addresses as genuine or falsified • Detects connection-establishment protocol messages coming from forged IP addresses • Resets the resulting illegitimate half-open connections
Fig 1. Three-way handshake (S: source, D: destination; SYN x, then SYN y / ACK x+1, then ACK y+1 with data; D allocates resources and enters SYN_RECVD after the first message, holds a half-open connection until the third, then is CONNECTED) Background • Connection establishment process of TCP • Three-way handshake • Message 1: SYN x (synchronize, carrying the source's initial sequence number x) • Message 2: SYN y, ACK x+1 (the destination's initial sequence number y, acknowledging x) • Message 3: ACK y+1, followed by data • Sequence numbers are initialized on both sides during the handshake • Backlog queue of TCP • Connection establishment requires allocation of memory resources • Allocated by both endpoints for connection-related state, and a connection timer is started • The destination is in SYN_RECVD with a half-open connection after message 1; the connection is established (CONNECTED) only after message 3
Fig 2. System under SYN flooding attack (the attacker sends SYNs with unreachable, spoofed source addresses; the victim's SYN+ACK replies go to unreachable hosts; the backlog queue of the flooded port fills with SYN_RECVD entries while the victim stays in LISTEN) SYN Flooding Attack • Exploited TCP/IP vulnerabilities • Does not exploit weak authentication • Exploits the requirement to allocate resources out of a limited pool (the backlog queue) before the peer has been verified • System under attack • The attacker sends SYNs whose source addresses are spoofed and unreachable, so no ACK (or RST) ever arrives to complete or clear the handshake • The victim's backlog queue for the port fills with half-open connections (port flooding); further SYNs, legitimate ones included, are dropped until entries time out
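The two slides above (handshake with resource allocation, then the flood) as one simulation. This is an added example for this presentation, not code from Schuba et al.; the Listener class, the packet shapes, the timeout value and the addresses are all constructed for the simulation and are not a real TCP stack.

```python
"""Bounded backlog of a TCP listener under a SYN flood (constructed simulation)."""
from dataclasses import dataclass, field

LISTEN, SYN_RECVD, CONNECTED = "LISTEN", "SYN_RECVD", "CONNECTED"


@dataclass
class Listener:
    backlog_limit: int                  # slots for half-open (SYN_RECVD) connections
    timeout: float                      # seconds a half-open entry survives without an ACK
    half_open: dict = field(default_factory=dict)   # (src, sport) -> expiry time
    established: set = field(default_factory=set)   # completed handshakes
    dropped_syns: int = 0               # SYNs refused because the backlog was full

    def expire(self, now):
        """Connection timer: discard half-open entries whose timeout has passed."""
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def on_syn(self, src, sport, now):
        """First message: allocate a backlog slot and answer SYN+ACK, or drop."""
        self.expire(now)
        key = (src, sport)
        if key in self.half_open:       # retransmitted SYN, slot already allocated
            return "SYN+ACK"
        if len(self.half_open) >= self.backlog_limit:
            self.dropped_syns += 1      # limited pool exhausted: port flooding
            return None
        self.half_open[key] = now + self.timeout   # resource allocation, timer start
        return "SYN+ACK"

    def on_ack(self, src, sport, now):
        """Third message: move the connection from SYN_RECVD to CONNECTED."""
        self.expire(now)
        key = (src, sport)
        if key not in self.half_open:   # nothing half-open for this peer (or it expired)
            return False
        del self.half_open[key]
        self.established.add(key)
        return True

    def state(self, src, sport):
        key = (src, sport)
        if key in self.established:
            return CONNECTED
        return SYN_RECVD if key in self.half_open else LISTEN


def handshake(listener, src, sport, now):
    """A reachable client: SYN, then its ACK 50 ms after the SYN+ACK."""
    if listener.on_syn(src, sport, now) is None:
        return False
    return listener.on_ack(src, sport, now + 0.05)


def syn_flood(listener, count, now):
    """Attacker: SYNs from spoofed, unreachable sources; no ACK ever follows."""
    for i in range(count):
        listener.on_syn(f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i, now)


def demo(backlog=8, timeout=75.0):
    """Legitimate client before, during and after one burst of the flood."""
    lst = Listener(backlog_limit=backlog, timeout=timeout)
    before = handshake(lst, "192.0.2.10", 5001, now=0.0)
    syn_flood(lst, count=100, now=1.0)      # backlog slots fill; the rest are dropped
    peak = len(lst.half_open)
    during = handshake(lst, "192.0.2.10", 5002, now=2.0)
    after = handshake(lst, "192.0.2.10", 5003, now=1.0 + timeout + 1.0)
    return {"before": before, "during": during, "after": after,
            "dropped_syns": lst.dropped_syns, "half_open_peak": peak}


if __name__ == "__main__":
    # {'before': True, 'during': False, 'after': True, 'dropped_syns': 93, 'half_open_peak': 8}
    print(demo())
```

The single burst here is only for illustration: a real attacker resends a burst every timeout period, so the "after" case never arrives, which is exactly the gap the configuration changes on the next slide (shorter timeout, longer backlog) try to narrow without closing.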
(Router figure: a packet carrying an internal source address that arrives from the external network, and a packet carrying an external source address that leaves the internal network, are both filtered at the router.) Solutions (1/5) • Configuration optimization • System configuration improvements • Defend against exhaustion of resources • Reduce the timeout period for half-open connections • Increase the length of the backlog queue • Disable non-essential services • Drawbacks • A shorter timeout also rejects legitimate connections whose handshake takes longer • A longer backlog queue increases resource usage • Router configuration improvements • Limit the range of addresses an attacker can spoof by filtering on source address at the router • Drawback • Effective only if adopted on a large scale
Solutions (2/5) • Infrastructure improvements • Router configuration can be improved where the address spaces reachable over a router's various interfaces are disjoint and well-defined • Address prefixes then separate inside from outside, so a packet whose source address belongs to the wrong side of the interface it arrived on can be dropped • Practical problems • In large backbone networks with complex topology no clear distinction between inbound and outbound traffic can be made, so the filter cannot be applied there
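The router-side filter of the two slides above, written out. This is an added example and not from the paper; the routing table, interface names and sample packets are constructed. It goes slightly beyond the slide's inside/outside picture by deriving the check from a routing table (a strict reverse-path check) rather than from a fixed pair of prefixes, which is how the "disjoint and well-defined" condition is usually realized.

```python
"""Ingress/egress (reverse-path) source-address filtering at a border router."""
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
# Longest matching prefix wins, as in a real forwarding table.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ext0"),        # default route: the Internet
    (ipaddress.ip_network("192.0.2.0/24"), "int0"),     # internal LAN
    (ipaddress.ip_network("198.51.100.0/24"), "int1"),  # second internal LAN
]


def route_lookup(addr, routes=ROUTES):
    """Interface the router would use to reach addr (longest-prefix match)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def accept(ingress_iface, src, routes=ROUTES):
    """Strict reverse-path check: the packet is plausible only if the route back
    to its source address points out of the interface it arrived on. This drops
    internal sources arriving from outside (the flood's spoofed addresses) and
    outside sources leaving an internal LAN (our own hosts spoofing)."""
    return route_lookup(src, routes) == ingress_iface


def filter_packets(packets, routes=ROUTES):
    """Split (ingress_iface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if accept(pkt[0], pkt[1], routes) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic, one packet per line.
SAMPLE = [
    ("ext0", "203.0.113.5", "192.0.2.20"),     # genuine outside client
    ("ext0", "192.0.2.77", "192.0.2.20"),      # spoofed internal source from outside
    ("int0", "192.0.2.10", "203.0.113.9"),     # genuine internal host going out
    ("int0", "203.0.113.66", "192.0.2.20"),    # internal host spoofing an outside source
    ("int1", "192.0.2.10", "198.51.100.3"),    # int0 address seen on int1: wrong side
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    print("forwarded:", fwd)   # the 1st and 3rd packets
    print("dropped:", drp)     # the other three
```

The slide's caveat shows up directly in `accept`: it assumes the path back to the source leaves through the arrival interface. Where routing is asymmetric, as it often is in a backbone, that assumption fails and legitimate packets are dropped, which is why the filter belongs at the edge, close to the hosts whose prefixes are known.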
(Figure: for the second message, SYN y / ACK x+1, and again when the third message, ACK y+1, arrives, the destination computes H over the source IP address, destination IP address, port, the source's ISS x and the destination's secret key; the value y' recomputed on the third message is compared with the y that was sent.) Solution (3/5) • Connection establishment improvements • Remove the requirement to allocate resources on receipt of the first message • Calculate the destination's ISS (initial send sequence number) as a hash value • y = H(source IP address, destination IP address, port, source's ISS x, destination's secret key) • When the third message (ACK y+1) arrives, the destination recomputes y' from the same fields and compares; a match shows that the source received the second message, so no per-connection state had to be kept in between • Drawback • Requires modification of the TCP standard and consequently of every TCP implementation
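The stateless scheme from the slide as runnable code. This is an added example and not the paper's code; the slide only says "hash value", so the choice of HMAC-SHA-256, the truncation to 32 bits, the secret key and the addresses below are assumptions made here.

```python
"""Stateless connection establishment: the destination's ISS as a keyed hash."""
import hmac
import hashlib

SEQ_MASK = 0xFFFFFFFF
SECRET_KEY = b"constructed destination secret"   # assumption: known only to D


def compute_iss(src_ip, dst_ip, port, src_iss, key=SECRET_KEY):
    """y = H(src_ip, dst_ip, port, x, key), truncated to a 32-bit sequence number."""
    msg = f"{src_ip}|{dst_ip}|{port}|{src_iss & SEQ_MASK}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def on_syn(src_ip, dst_ip, port, x):
    """Second message (SYN y, ACK x+1). D stores nothing about the connection."""
    y = compute_iss(src_ip, dst_ip, port, x)
    return {"seq": y, "ack": (x + 1) & SEQ_MASK}


def on_third_message(src_ip, dst_ip, port, seq, ack):
    """Third message (seq = x+1, ack = y+1). D recomputes y' from the packet's own
    fields and accepts only if ack == y'+1. A forged third message from a source
    that never saw the SYN+ACK cannot produce y' without the key."""
    x = (seq - 1) & SEQ_MASK            # the source's ISS travels back in the seq field
    y_prime = compute_iss(src_ip, dst_ip, port, x)
    return ack == ((y_prime + 1) & SEQ_MASK)


def legitimate_handshake(src_ip="192.0.2.10", dst_ip="192.0.2.20", port=80, x=123456):
    """A client that really receives the SYN+ACK completes the handshake."""
    reply = on_syn(src_ip, dst_ip, port, x)
    return on_third_message(src_ip, dst_ip, port,
                            seq=reply["ack"], ack=(reply["seq"] + 1) & SEQ_MASK)


def forged_third_message(src_ip="10.9.9.9", dst_ip="192.0.2.20", port=80, x=123456,
                         guessed_y=0x1234ABCD):
    """An attacker spoofing src_ip never receives y and has to guess it."""
    return on_third_message(src_ip, dst_ip, port,
                            seq=(x + 1) & SEQ_MASK, ack=(guessed_y + 1) & SEQ_MASK)


if __name__ == "__main__":
    print(legitimate_handshake())    # True
    print(forged_third_message())    # False
```

Note what the flood now costs the victim: each SYN triggers one HMAC and one reply, but no backlog entry, so there is nothing to exhaust. The practical descendant of this idea, SYN cookies, follows the same pattern but also has to encode a coarse timestamp and the negotiated MSS inside the cookie, because with no stored state the options from the original SYN are otherwise lost; that is the price of the "modify TCP" drawback on the slide.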
Fig 3. Attacker scenario and Fig 4. Legitimate connection (firewall as relay: the client A completes SYN, SYN+ACK, ACK with the firewall alone; only then does the firewall run its own SYN, SYN+ACK, ACK with D and relay data in both directions, converting sequence numbers between the two connections; a spoofed SYN never gets past the firewall) Solution (4/5) • Firewall approach • Firewall as a relay • Receives packets for the internal host on its behalf and completes the handshake itself; the connection to D is opened only after the client's ACK has arrived (Fig 4) • A SYN from a spoofed address therefore consumes resources on the firewall, not on D (Fig 3) • Data is relayed between the two connections with sequence-number conversion • Drawback • Added delay on every connection
Fig 5. Attacker scenario and Fig 6. Legitimate connection (firewall as semi-transparent gateway: the SYN passes through to D and the SYN+ACK back to A; the firewall immediately sends an ACK to D on A's behalf, so D leaves SYN_RECVD; if A's own ACK never arrives, the firewall sends an RST to D after a timeout; if it does, data flows) Solution (5/5) • Firewall approach (cont'd) • Firewall as a semi-transparent gateway • Lets the SYN and SYN+ACK through, then acknowledges on the client's behalf, so half-open connections at D are completed at once and the backlog is not consumed • Drawback • Under attack, D carries a large number of illegitimate fully open connections until the firewall's timeout resets them
Synkill (1/2) • Active monitor • Active: generates TCP packets and injects them into the network • Monitor: reads and examines all TCP packets on the LAN • Algorithm • TCP packet processing • Source IP address prefiltering • Decision process driven by events • Observed TCP packets • Timer events (expiry of per-address timers) • Administrative commands • Classification of source IP addresses • Based on observed network traffic and administratively supplied input • null, good, new, bad: derived from traffic • perfect, evil: set by the administrator
Fig 7. Attack scenario and Fig 8. Normal access scenario (A: client or attacker, D: destination, Synkill on the LAN. Attack: a SYN from a new address puts D in SYN_RECVD; Synkill sends an ACK on A's behalf so D moves to CONNECTED; no ACK from A ever arrives; on expiry Synkill sends an RST and D goes to CLOSED, releasing the resource. Normal access: the same, except that A's own ACK arrives, possibly too late after Synkill's ACK, and the connection stays CONNECTED.) Synkill (2/2) • Algorithm (cont'd) • Actions • Send an RST packet to the destination for a source address in the bad or evil state, tearing down its half-open connection and releasing the resource • Generate an ACK packet on behalf of a source in the new state, so the destination's half-open connection completes immediately; if the address turns out bad on expiry, the established connection is reset
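The classification and actions of the two Synkill slides above, reconstructed as an event-driven classifier. This is an added example and not the paper's code: the timer values, the packet dictionaries, the tuple format of injected packets and the addresses are assumptions, and the state transitions are a simplification of the slide's description (null, new, good, bad from traffic; perfect, evil from the administrator; RST for bad/evil, ACK generation for new).

```python
"""Per-source-address classification of a Synkill-style active monitor (simplified)."""
NULL, NEW, GOOD, BAD, PERFECT, EVIL = "null", "new", "good", "bad", "perfect", "evil"


class Synkill:
    def __init__(self, expiry=3.0, stale=600.0):
        self.expiry = expiry     # seconds a NEW address gets to complete its handshake
        self.stale = stale       # seconds a GOOD/BAD verdict is remembered
        self.state = {}          # src_ip -> state (absent means NULL)
        self.deadline = {}       # src_ip -> time at which the current state expires
        self.pending = {}        # src_ip -> (destination, port) of its half-open connection
        self.injected = []       # packets Synkill generated: (kind, from, to, port)

    def set_admin(self, src_ip, verdict):           # administrative commands
        assert verdict in (PERFECT, EVIL)
        self.state[src_ip] = verdict
        self.deadline.pop(src_ip, None)

    def state_of(self, src_ip):
        return self.state.get(src_ip, NULL)

    def _inject(self, kind, src, dst, port):
        self.injected.append((kind, src, dst, port))

    def tick(self, now):                            # timer events
        for src, t in list(self.deadline.items()):
            if t > now:
                continue
            if self.state[src] == NEW:              # third message never came: forged/dead
                self.state[src] = BAD
                self.deadline[src] = now + self.stale
                dst, port = self.pending.pop(src)
                self._inject("RST", src, dst, port)  # release D's connection
            else:                                    # stale GOOD or BAD verdict
                del self.state[src]
                del self.deadline[src]

    def on_packet(self, pkt, now):                  # observed TCP packets
        self.tick(now)
        flags, src = pkt["flags"], pkt["src"]
        if flags == "SYN":
            st = self.state_of(src)
            if st in (BAD, EVIL):
                self._inject("RST", src, pkt["dst"], pkt["dport"])
            elif st == NULL:
                self.state[src] = NEW
                self.deadline[src] = now + self.expiry
                self.pending[src] = (pkt["dst"], pkt["dport"])
            # NEW, GOOD, PERFECT: let the handshake proceed untouched
        elif flags == "SYN+ACK":
            client = pkt["dst"]
            if self.state_of(client) == NEW:        # ACK on the client's behalf
                self._inject("ACK", client, src, pkt["sport"])
        elif flags == "ACK":
            if self.state_of(src) in (NEW, BAD):    # the real third message arrived
                self.state[src] = GOOD
                self.deadline[src] = now + self.stale
                self.pending.pop(src, None)


def _pkt(src, dst, sport, dport, flags):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


D = "192.0.2.20"    # constructed destination address


def attack_scenario():
    """Fig 7: SYN from a spoofed address; no ACK ever follows."""
    sk = Synkill(expiry=3.0)
    sk.on_packet(_pkt("10.9.9.9", D, 40001, 80, "SYN"), 0.0)        # null -> new
    sk.on_packet(_pkt(D, "10.9.9.9", 80, 40001, "SYN+ACK"), 0.01)   # Synkill ACKs for A
    sk.tick(4.0)                                                     # expiry: new -> bad, RST
    sk.on_packet(_pkt("10.9.9.9", D, 40002, 80, "SYN"), 5.0)        # later SYN: RST at once
    return sk.state_of("10.9.9.9"), sk.injected


def normal_scenario():
    """Fig 8: the client's own ACK arrives after Synkill's."""
    sk = Synkill(expiry=3.0)
    sk.on_packet(_pkt("192.0.2.10", D, 5001, 80, "SYN"), 0.0)
    sk.on_packet(_pkt(D, "192.0.2.10", 80, 5001, "SYN+ACK"), 0.01)
    sk.on_packet(_pkt("192.0.2.10", D, 5001, 80, "ACK"), 0.5)        # new -> good
    sk.tick(10.0)
    return sk.state_of("192.0.2.10"), sk.injected


def evil_scenario():
    """Administratively blacklisted address: every SYN is reset."""
    sk = Synkill()
    sk.set_admin("203.0.113.66", EVIL)
    sk.on_packet(_pkt("203.0.113.66", D, 7000, 80, "SYN"), 0.0)
    return sk.state_of("203.0.113.66"), sk.injected
```

Two points worth checking in any real deployment of this pattern: the monitor must see every packet on the segment (a missed ACK turns a good client into a bad one and gets its connection reset), and the injected ACK moves the cost from the backlog to the table of established connections, which is why the expiry-driven RST is not optional.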
Fig 9. Experimental configuration (Attacker A, Synkill monitor M, Destination D, Gateway G, Sources S1 and S2; figure labels: S1 "1 per 2s => 750", S2 "25") Performance of Synkill (1) Establishment of Experiments • Experimental configuration as in Fig 9 • Two metrics • Success rate: how many connection establishments from S2 succeed under attack during a time interval • Environment of S2: Sun SPARC Ultra 1 workstation, 32 MB of RAM, Solaris 2.5.1 • Success rate = (# of successful connections) / (# of tried connections) • Average delay for successful connections • Delay: time required to establish a successful connection
Performance of Synkill (2) Test Cases • Test cases for the attacker: Table 1. Summary of test cases • Fig 10. Process growth for the attack in case 6
Performance of Synkill (3) Evaluation Results • Test case 1 & test case 2 • Test case 3 & test case 4: attacker uses a single source address
Performance of Synkill (4) Evaluation Results (cont'd) • Test case 5: attacker uses 20 source addresses • Test case 6: attacker uses random source addresses
Conclusion • Contributes a detailed analysis of the SYN flooding attack • Discusses existing and proposed countermeasures • Introduces the active monitor "Synkill" • Requires no special hardware, operating systems or network stacks • Needs no modification of the protected end systems • Highly portable, extensible and easily configurable