Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are."— Presentation transcript:

1 slide 1 Attacks on TCP/IP

2 slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are public Smurf attacks uTCP connection requires state SYN flooding uTCP state is easy to guess TCP spoofing and connection hijacking

3 slide 3 network Packet Sniffing uMany applications send data unencrypted ftp, telnet send passwords in the clear uNetwork interface card (NIC) in “promiscuous mode” reads all passing data Solution: encryption (e.g., IPsec), improved routing

4 slide 4 “Smurf” Attack gateway victim 1 ICMP Echo Req Src: victim’s address Dest: broadcast address Looks like a legitimate “Are you alive?” ping request from the victim Every host on the network generates a ping (ICMP Echo Reply) to victim Stream of ping replies overwhelms victim Solution: reject external packets to broadcast addresses

5 slide 5 TCP Handshake CS SYN C SYN S, ACK C ACK S Listening… Spawn thread, store data (connection state, etc.) Wait Connected

6 slide 6 SYN Flooding Attack S SYN C1 Listening… Spawn a new thread, store connection data SYN C2 SYN C3 SYN C4 SYN C5 … and more

7 slide 7 SYN Flooding Explained uAttacker sends many connection requests with spoofed source addresses uVictim allocates resources for each request New thread, connection state maintained until timeout Fixed bound on half-open connections uOnce resources exhausted, requests from legitimate clients are denied uThis is a classic denial of service attack Common pattern: it costs nothing to TCP initiator to send a connection request, but TCP responder must spawn a thread for each request (asymmetry!)

8 slide 8 Preventing Denial of Service uDoS is caused by asymmetric state allocation If responder opens new state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses uCookies ensure that the responder is stateless until initiator produced at least 2 messages Responder’s state (IP addresses and ports of the con- nection) is stored in a cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator

9 slide 9 SYN Cookies [Bernstein and Schenk] CS SYN C Listening… Does not store state F(source addr, source port, dest addr, dest port, coarse time, server secret) SYN S, ACK C sequence # = cookie F=Rijndael or crypto hash Recompute cookie, compare with with the one received, only establish connection if they match ACK S (cookie) Compatible with standard TCP; simply a “weird” sequence number scheme More info: http://cr.yp.to/syncookies.html

Download ppt "Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
The Internet! Layers, TCP, UDP, IP DDoS Reflection Attacks IPSEC, ARP Sharon Goldberg CS558 Boston University Spring 2015 Most slides and images borrowed.

The Internet! Layers, TCP, UDP, IP DDoS Reflection Attacks IPSEC, ARP Sharon Goldberg CS558 Boston University Spring 2015 Most slides and images borrowed.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Network Security IS250 Spring 2010 John Chuang. 2 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or.

Network Security IS250 Spring 2010 John Chuang. 2 Outline  What is Network Security? -Security properties -Cryptographic techniques  Availability (or.
Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.

Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Slide 1 Isaac Ghansah Attacks on TCP/IP. slide 2 Internet Infrastructure local network Internet service provider (ISP) backbone ISP local network uTCP/IP.

Slide 1 Isaac Ghansah Attacks on TCP/IP. slide 2 Internet Infrastructure local network Internet service provider (ISP) backbone ISP local network uTCP/IP.

Similar presentations

Ads by Google