Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Forged TCP Reset Packets Authors: Nicholas Weaver, Robin Sommer, Vern Paxon Presented by: Anuj Kalia, Shashank Gupta.

Published byChristiana Potter Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Forged TCP Reset Packets Authors: Nicholas Weaver, Robin Sommer, Vern Paxon Presented by: Anuj Kalia, Shashank Gupta."— Presentation transcript:

1 Detecting Forged TCP Reset Packets Authors: Nicholas Weaver, Robin Sommer, Vern Paxon Presented by: Anuj Kalia, Shashank Gupta

2 Abstract Network administrators enforce usage restrictions by terminating connections when deemed undesirable. This is usually achieved by injecting artificial TCP Reset packets into the network. By exploiting the out-of-band nature of injected packets, we can detect interference, and fingerprint the injection device.

3 Motivation To what degree can we detect when a network actively disrupts communication? Deployment of RST injectors: Great Firewall of China: terminates Internet connections deemed undesirable by the Chinese government. Restricting P2P traffic: practiced by multiple ISPs (Comcast), particularly to block bulk transfers such as those of BitTorrent.

4 Techniques used to block communication Assumption: A traffic monitor inspects TCP flows for violation of network policy, and instructs a connection terminator to stop identified flows. Difference compared to a traditional firewall: All flows are initially allowed through. ◦ Potential blocking decisions are taken later.

5 Techniques used to block communication Assumption: A traffic monitor inspects TCP flows for violation of network policy, and instructs a connection terminator to stop identified flows. Devices to terminate flows: Inline devices: the device ceases to forward packets associated with the flow: a performance bottleneck. Out of path devices are hence preferred.

6 Techniques used to block communication Out of path blocking methods 1. Instruct an in-path device, such as a router, to block the flow. 2. Inject forged TCP FIN packets, one in either direction. 3. Inject forged TCP RST packets, in one direction. The techniques discussed should work with all out-of- band flow termination because passive monitoring faces race conditions.

7 Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : a)The injector sees a data packet that triggers its decision to terminate the connection. After some time it sends out a fake RST packet. b)During this interval, more packets from the sender may pass the injector’s observation point. c)Receiver gets an RST packet with sequence number less than expected.

8 Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : seq no =42

9 Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : seq no=50

10 Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 1. RST_SEQ_DATA : RST, Seq no=42

11 Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 2. DATA_SEQ_RST: a)At the time RST is injected, further packets are already in flight, or will be sent soon: the sender is not yet shut down! b)The receiver will see data packets from the sender after it has received the RST.

12 Detection Toolbox Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets. 2. DATA_SEQ_RST 42 50

13 Detection Toolbox 3. RST_SEQ_CHANGE: a)By sending multiple RSTs with increasing sequence numbers, an injector increases the likelihood of getting one through. b)It faces the dilemma of having to pick a higher sequence number without knowing what the source will send. c)Look for a back to back pair of RST packets, where the 2 nd has a higher sequence number than the 1 st, and exceeds the current sequence number.

14 Experiments The detector was run by capturing traffic traces at: 1. ICSI (International Computer Science Institute) 2. UC Berkeley 3. Columbia University 4. George Mason University By correlating the characteristics of injected RST packets across datasets, a number of injectors were identified.

15 Results Sandvine RST injector: Comcast uses RST injection to manage P2P traffic, and their devices have been purchased from Sandvine. Fingerprint: Back to back pair of RST packets, for which the 2 nd one has a sequence number 12503 higher than the 1 st, and IPID increased by 1. Comcast injection alerts came in bursts: 10 on Feb 9 th, 23 on Feb 18 th etc. These burst correspond to excessive usage of P2P software by students.

16 Results BezeqInt injector: ◦ Always uses IPID 16448 ◦ Differing TTL ◦ Increments ACK number (?) IPID 256 injector Chinese Firewall injectors ◦ IPID 64 injector ◦ IPID -26 injector ◦ SEQ 1460 injector

17 QUESTIONS?

Download ppt "Detecting Forged TCP Reset Packets Authors: Nicholas Weaver, Robin Sommer, Vern Paxon Presented by: Anuj Kalia, Shashank Gupta."

Similar presentations

Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.

Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.
NETWORK COMPONENTS WEEK 9 SESSION 1 READING 1. A network consists of many components. We need to understand the purpose of these components.

NETWORK COMPONENTS WEEK 9 SESSION 1 READING 1. A network consists of many components. We need to understand the purpose of these components.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Agenda TMA2 Feedback TMA3 T821 Bock 2. 2 Packet Switching.

1 Agenda TMA2 Feedback TMA3 T821 Bock 2. 2 Packet Switching.
Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Measuring Packet Reordering NETREAD UC Berkeley George Porter Oct 4, 2002.

Measuring Packet Reordering NETREAD UC Berkeley George Porter Oct 4, 2002.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Transport Layer.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Transport Layer.
On the Difficulty of Scalably Detecting Network Attacks Kirill Levchenko with Ramamohan Paturi and George Varghese.

On the Difficulty of Scalably Detecting Network Attacks Kirill Levchenko with Ramamohan Paturi and George Varghese.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.

Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.
TCP: Software for Reliable Communication. Spring 2002Computer Networks Applications Internet: a Collection of Disparate Networks Different goals: Speed,

TCP: Software for Reliable Communication. Spring 2002Computer Networks Applications Internet: a Collection of Disparate Networks Different goals: Speed,

Similar presentations

Ads by Google