Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13.

Similar presentations


Presentation on theme: "1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13."— Presentation transcript:

1 1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13

2 2 Outline Motivation Introduction Denial of Service Attacks Related Works Design and Implementation Experimental Results Conclusions and Future Works

3 3 Motivation SYN Flooding attack affects network seriously Attackers need only few resources to launch the attack, it is difficult to trace the source of attacker TCP provides many important protocols, such as HTTP, FTP, POP3, etc, frequently for information exchanging No mechanism seems to provide an optimal solution [1999, L. Ricciulli]

4 4 TCP/IP Model

5 5 UDP -- connectionless Provide an unreliable connectionless delivery service No flow control and retransmission ClientServer Data

6 6 ClientServer SYN x, ACK 0 SYN y, ACK x+1 SYN x+1, ACK y+1 LISTEN SYN_RCVD ESTABLISHED backlog TCP -- connection-oriented

7 7 Denial of Service Attacks Ping of Death Smurf Teardrop Land SYN Flooding

8 8 Smurf

9 9 Teardrop (1/2) R2R3R1 DS R4 ETHIP1500ETHIP1500ETHIP512 ETHIP512 ETHIP476 ETHIP512 ETHIP512 ETHIP476 ETHIP1500 ETHIP512 ETHIP512 ETHIP476

10 10 Teardrop (2/2) Ident = xOffset = 0 Start of header 0 Rest of header 1500 data bytes Ident = xOffset = 0 Start of header 1 Rest of header 512 data bytes Ident = xOffset = 512 Start of header 1 Rest of header 512 data bytes Ident = xOffset = 1024 Start of header 0 Rest of header 476 data bytes Ident = xOffset = 0 Start of header 1 Rest of header 512 data bytes Ident = xOffset = 500 Start of header 1 Rest of header 512 data bytes Ident = xOffset = 1000 Start of header 0 Rest of header 476 data bytes Normal IP Packet Teardrop IP Packet

11 11 Land Attack TCP SYN packet with the same source and destination IP address, port Ex: ( , , 80, 80) Land attacks affect some OSs over the Internet

12 12 Attacker Server Attacker ? backlog SYN + ACK SYN Flooding

13 13 Why SYN Flooding Some DoS attacks are OS dependent and CERT ® proposes some suggestions SYN Flooding attack is the weakness in protocol No optimal solution to defense SYN Flooding attack

14 14 Related Works Firewall/Router Approach Firewall Relay[1997, E. H. Spafford] Cisco TCP Intercept [7xxx Router & PIX 5.2 Firewall] Cookie Approach RST Cookie[1996, E. Shenk] SYN Cookie[1996, Rex Di Bona] Random Drop [1999, L. Ricciulli]

15 15 Firewall Relay

16 16 Cisco TCP Intercept

17 17 RST Cookie

18 18 SYN Cookie

19 19 Random Drop

20 20 System Architecture Overview the same IP

21 21 Design (1/2) Filter and Server have the same IP address and Server does not respond ARP Request Filter respond Server ’ s ARP with its MAC address Hide the Server to protect the Server

22 22 Design (2/2) SYN Cache Solve the packet lost problem in SYN Cookie (client_ip, client_port, sequence_num, ack_num, retransmit_info) 16 bytes 16 * = 160 Kbytes Hash Function Eliminate the overhead of sequence number conversion Hash(client_ip, client_port, server_ip, server_port, key)  xor operation key will be changed periodically

23 23 Connection Establishment

24 24 Modification on Filter

25 25 Modification on Server

26 26 Experimental Environment Scenario (1) and Scenario (2) the same IP

27 27 Experimental Equipment Hardware P-III 500 with 100Mbps Ethernet Card 100Mbps Hub, Router Software Server (apache )  FreeBSD Client (httpref 0.6)  FreeBSD Attacker (synk4.c)  FreeBSD Attacker Speed FreeBSD default warning threshold : 200pps Attack rate from 1000pps to 10000pps Test file size from 1k to 200k Bytes

28 28 Experimental Results Throughput (1/3)

29 29 Experimental Results Throughput (2/3)

30 30 Experimental Results Throughput (3/3)

31 31 Experimental Results Request per Second (1/3)

32 32 Experimental Results Request per Second (2/3)

33 33 Experimental Results Request per Second (3/3)

34 34 Experimental Results Execution Time (1/3)

35 35 Experimental Results Execution Time (2/3)

36 36 Experimental Results Execution Time (3/3)

37 37 Conclusions (1/2) Strength of Proposed Approach filter packet, authenticate client, and forward packet no other services provided Comparisons with Existing Approaches Our ApproachCisco TCP InterceptFirewall/Proxy Connection Establishment NOYES Sequence Number Conversion NOYES

38 38 Conclusions (2/2) Our ApproachSYN CookieRST CookieRandom Drop Guarantee Service YES NO Memory Immunity YES Computing Immunity NO YES Packet Retransmission YESNO YES Good Performance YES NOYES

39 39 Future Works Fault Tolerance Mechanism Multiple Services Protecting Intelligent Configuration


Download ppt "1 A Study on SYN Flooding Student: Tao-Wei Huang Advisor: Prof. Wen-Nung Tasi 2001/06/13."

Similar presentations


Ads by Google