Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on:

Published byShawn Allen Modified over 9 years ago

Similar presentations

Presentation on theme: "Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on:"— Presentation transcript:

1 Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on: http://grc.com/dos/drdos.htmhttp://grc.com/dos/drdos.htm Jim Gast, CS-642 Security, Spring, 2003 jgast@cs.wisc.edujgast@cs.wisc.edu, UW-Madison

2 2 Normal Connection Establishment The Server sets up retransmission timers, allocates receive buffers, etc. Imagine a web server that can handle 12,000 connections. If the process fails, a timeout occurs after 120 seconds, freeing up the resources. Note: SYN packets are very small and take up very little bandwidth. Graphics stolen from http://grc.com/dos/drdos.htm

3 3 State Transition Diagram CLOSED LISTEN SYN_RCVDSYN_SENT ESTABLISHED CLOSE_WAIT LAST_ACKCLOSING TIME_WAIT FIN_WAIT_2 FIN_WAIT_1 Passive openClose Send/SYN SYN/SYN + ACK SYN + ACK/ACK SYN/SYN + ACK ACK Close/FIN FIN/ACKClose/FIN FIN/ACK ACK + FIN/ACK Timeout after two segment lifetimes FIN/ACK ACK Close/FIN Close CLOSED Active open/SYN

4 4 SYN Flood Each SYN creates one half-open connection Half-open connections take minutes to time-out Servers have finite connection tables Perpetrator would be easily caught (Source IP) Unless SourceIP is spoofed See: CERT Advisory CA-1996-21 http://www.cert.org/advisories/CA-1996-21.html 100 SYN packets per second fits in 56 Kbps Graphics stolen from http://grc.com/dos/drdos.htm

5 5 Spoofed IP Address The SYN/ACK is delivered to the fake (spoofed) IP Address. The attacker doesn’t see it, and doesn’t care. (Backscatter) Graphics stolen from http://grc.com/dos/drdos.htm

6 6 Example SYN Flood Attack February 5 th -11 th, 2000 Victims included CNN, eBay, Yahoo, Amazon Attackers (allegedly) used simple, readily available tools (script-kiddies) Law enforcement unable (unwilling?) to help Under-age perpetrators have blanket immunity

7 7 Defense against SYN Flood Increase size of connection table Add more servers Trace attack back to source Ask your ISP to filter malicious packets Add firewall Typically “SYN proxy” Dave Parter will talk on firewalls later in the semester Ultimate solution was “SYN-cookies” Reply to SYN with SYN-cookie Allocate no resources until SYN-cookie is returned

8 8 Potential places to stop DoS flood Graphics stolen from http://grc.com/dos/drdos.htm

9 9 Distributed DoS Rather than filling connection table, fill all available bandwidth Infect innocent bystanders (zombies) Zombies listen (e.g. on IRC channel) for attack command (or simply attack at will) Attacker need not have high bandwidth connection Typical Program: EvilGoat EvilBot Graphics stolen from http://grc.com/dos/drdos.htm

10 10 Example Distributed DOS Attack 6 attacks on 5 different days One attack lasted for 17 hours 474 infected windows PC as zombies 2.4 billion malicious packets Graphics stolen from http://grc.com/dos/grcdos.htm Goodput? Time (minutes?)

11 11 Flood-based Distributed DoS Attacks Coordinate zombies to attack with big packets Use up “last-hop” bandwidth “Last-hop” router discards packets indiscriminately Zombies need not spoof addresses See http://grc.com/dos/intro.htm for example horror storyhttp://grc.com/dos/intro.htm Graphics stolen from http://grc.com/dos/drdos.htm

12 12 Newest Twist - Reflection Many routers accept connections on port 179 (Border Gateway Protocol) Although any big server and any port it listens on will work Send a SYN to a router, claiming it came from the victim The router will send a SYN/ACK to the victim And then re-transmit several times before giving up (typically about 4X) Note: Tar-pits will not see any “Backscatter” but honey-pots might see the attacker’s commands.

13 13 Reflection Mechanism Graphics stolen from http://grc.com/dos/drdos.htm

14 14 Distributed Reflection DoS Graphics stolen from http://grc.com/dos/drdos.htm

15 15 Other ports susceptible to DRDoS 22 – Secure Shell 23 – Telnet 53 – DNS 80 – HTTP / Web 4001 – Proxy Servers 6668 – Internet Relay Chat But reflection from port 179 is so powerful it easily overwhelms others Easily detected ports 1-1023 “Well-Known” (so far)

16 16 Call to action Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home Egress filtering at all ISPs would prevent spoofed IP addresses from traversing the Internet Flagging multiply-tried, failed SYN/ACKs could be used to discover victims and filter further attack Disable raw socket interface in client PCs

17 17 Questions?

Download ppt "Distributed Reflection Denial of Service Networking Talks for the Insufficiently Paranoid Based on:"

Similar presentations

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.

Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
CS 6401 Transport Control Protocol Outline TCP objectives revisited TCP basics New algorithms for RTO calculation.

CS 6401 Transport Control Protocol Outline TCP objectives revisited TCP basics New algorithms for RTO calculation.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Chapter 3 Transport Layer Computer Networking: A Top Down Approach 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July 2007. A note on the use.

1 Chapter 3 Transport Layer Computer Networking: A Top Down Approach 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July A note on the use.
Transmission Control Protocol (TCP). TCP: Overview RFCs: 793, 1122, 1323, 2018, 2581 r reliable, in-order byte steam: m no “message boundaries” r send.

Transmission Control Protocol (TCP). TCP: Overview RFCs: 793, 1122, 1323, 2018, 2581 r reliable, in-order byte steam: m no “message boundaries” r send.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
8. Transport Protocol and UDP 8.1 Transport protocol : End-to-end protocol –IP: Host to host packet delivery –Transport: Process to process communication.

8. Transport Protocol and UDP 8.1 Transport protocol : End-to-end protocol –IP: Host to host packet delivery –Transport: Process to process communication.
1 Reliable Byte-Stream (TCP) Outline Connection Establishment/Termination Sliding Window Revisited Flow Control Adaptive Timeout.

1 Reliable Byte-Stream (TCP) Outline Connection Establishment/Termination Sliding Window Revisited Flow Control Adaptive Timeout.
6-May-154/598N: Computer Networks End-to-End Protocols Underlying best-effort network –drop messages –re-orders messages –delivers duplicate copies of.

6-May-154/598N: Computer Networks End-to-End Protocols Underlying best-effort network –drop messages –re-orders messages –delivers duplicate copies of.
TCP 4/15/2017.

TCP 4/15/2017.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
CSE 461: Transport Layer Connections. Naming Processes/Services  Process here is an abstract term for your Web browser (HTTP), servers (SMTP),

CSE 461: Transport Layer Connections. Naming Processes/Services  Process here is an abstract term for your Web browser (HTTP), servers (SMTP),
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

Similar presentations

Ads by Google