Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Sockstress A TCP Socket Stress Testing Framework Presented at the SEC-T Security Conference Presented by: Jack C. Louis –Senior Security.

Published byRolf Stevenson Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Sockstress A TCP Socket Stress Testing Framework Presented at the SEC-T Security Conference Presented by: Jack C. Louis –Senior Security."— Presentation transcript:

1 Introduction to Sockstress A TCP Socket Stress Testing Framework Presented at the SEC-T Security Conference Presented by: Jack C. Louis –Senior Security Researcher, Outpost24 Creator of Sockstress Robert E. Lee – CSO, Outpost24

2 Goals of this talk Review TCP Sockets Discuss Historical TCP DoS Issues Reintroduce SYN Cookie Concept Present Sockstress

3 Problem Statement Availability Critical to Function -Standard Security Triad – CIA Confidentiality Availability Integrity Confidentiality IntegrityAvailability

4 Problem Statement Availability Critical to Function -Standard Security Triad – CIA -Without Availability, remaining security becomes less useful Confidentiality Availability Integrity Confidentiality IntegrityAvailability

5 TCP Connection Primer Simplified example of a TCP Connection Availability 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 4. Interested in buying more life insurance? (PSH) 5. No. (PSH) 6. Goodbye! (FIN) 7. Bye! (FIN)

6 States, Timers, & Counters Every connection is tracked -TCP connection states expire -Probe packets have max retries -There are kernel defaults, but applications may also specify settings -Applications can orphan connections Local Address Foreign Address STATETimeoutRetries Left 192.168.1.2:80192.168.1.1:49328SYN_RCVD75 Seconds 5 SYN Legit User 192.168.1.1 Server State Table

7 TCP Socket Connection Introduction to the virtual circuit Client 192.168.1.1 Server 192.168.1.2 Time 192.168.1.1:49328192.168.1.2:80 S, seq:3251277165 W:65535 192.168.1.1:49328192.168.1.2:80 A, seq:316612395 W:65535 192.168.1.1:49328192.168.1.2:80 S, seq:316612394 A, seq:3251277166 W:5672 Local Address Foreign Address STATE *:80*:*LISTEN 192.168.1.2:80192.168.1.1: 49328 SYN_RCVD 192.168.1.2:80192.168.1.1: 49328 ACK_WAIT 192.168.1.2:80192.168.1.1: 49328 ESTABLISHED Server State Table

8 Client 192.168.1.1 Server 192.168.1.2 Time 192.168.1.1:49328192.168.1.2:80 P, seq:3251277166-3251277173 W:65535 192.168.1.1:49328192.168.1.2:80 P, seq:316612395-316612613 A, seq:3251277173 W:89 192.168.1.1:49328192.168.1.2:80 A, seq:3251277173 W:89 Local Address Foreign Address STATE 192.168.1.2:80192.168.1.1: 49328 ESTABLISHED 192.168.1.2:80192.168.1.1: 49328 ESTABLISHED 192.168.1.2:80192.168.1.1: 49328 ESTABLISHED Server State Table TCP Socket Connection Introduction to the virtual circuit – Continued

9 Client 192.168.1.1 Server 192.168.1.2 Time 192.168.1.1:49328192.168.1.2:80 F, seq:316612613 A, seq:3251277173 W:89 192.168.1.1:49328192.168.1.2:80 A, seq:316612614 W:65535 192.168.1.1:49328192.168.1.2:80 A, seq:316612613 W:65535 Local Address Foreign Address STATE 192.168.1.2:80192.168.1.1: 49328 FIN_WAIT_1 192.168.1.2:80192.168.1.1: 49328 FIN_WAIT_1 192.168.1.2:80192.168.1.1: 49328 FIN_WAIT_2 Server State Table TCP Socket Connection Introduction to the virtual circuit – Continued

10 Client 192.168.1.1 Server 192.168.1.2 Time 192.168.1.1:49328192.168.1.2:80 F, seq:3251277173 A, seq:316612614 W:65535 192.168.1.1:49328192.168.1.2:80 A, seq:3251277174 W:89 Local Address Foreign Address STATE 192.168.1.2:80192.168.1.1: 49328 CLOSE_WAIT_ 1 192.168.1.2:80192.168.1.1: 49328 CLOSED *:80*LISTEN Server State Table TCP Socket Connection Introduction to the virtual circuit – Continued

11 DoS Timeline for TCP TCP has been around since 1979 -In it’s history, only 4 major DoS attack types for the general protocol. -SYN Flood, ICMP, RST, Client SYN 1985 Morris Paper* 1996 SYN Flood Phrack DJB - SYN Cookies Mafiaboy DDoS 2004 RST Attacks* 2005 Client SYN Cookie Attacks* ICMP Attacks * Client SYN Cookie Scanners TCP/IP Born 1980199020002010

12 SYN Flood Every connection attempt must be accounted for -Assume system has 1024 available slots -Trivial to consume all slots Availability Attacker 192.168.1.3 Local Address Foreign Address STATE *:80*:*LISTEN 192.168.1.2:80192.168.1.3: 1 SYN_RCVD … 192.168.1.2:80192.168.1.3: 1024 SYN_RCVD Server 192.168.1.2 Finite Number of Available Slots SYN Legit User 192.168.1.1 No Response

13 SYN Flood Why SYN-Flooding Works -Spoofed SYN packets consume server resources -No (attacker) local state tracking Availability 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 5 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 4 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 3 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 2 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 1 Retry Hello? Hello? Hello? Hello? Hello? 

14 SYN Cookies How to combat SYN Flooding -SYN Cookies defer TCP Connection State Tracking until after 3-way handshake -SYN Cookie is sent by Server as Initial Sequence Number -Cookie is hashed meta-data representing the connection details SYN Cookie Hash

15 SYN Cookies How to combat SYN Flooding – Continued -When ACK of ISN received, server compares (response - 1) to hash list -If match found, state is ESTABLISHED -Otherwise, rejected Availability Local Address Foreign Address STATE *:80*:*LISTEN SYN Cookie Magic 192.168.1.2:80192.168.1.1: 49328 ESTABLISHED 3251277165Meta-Data SYN Cookie Hash Table SYN SYN:3251277165 ACK ACK:3251277166 Legit User 192.168.1.1

16 SYN Cookies How to combat SYN Flooding – Continued -Requiring valid cookie response: -Ensures attacker must see SYN/ACK responses (is a “legitimate IP address”) -Requires attacker to consume resources to account for state -Reduced resource load on server -Frees connection slots for other legit users

17 Full Connection Flood Why Full Connection Flooding isn’t more popular -A full connection requires attacker to consume state tracking resources too Availability 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) Oh no! No more outgoing lines. 

18 Defeating SYN Cookies Fight Fire with Fire -To defeat Server side SYN Cookies... -Employ Client side SYN Cookies -Start with a random 32-bit number -XOR this number against Client side of a connection attempt (192.168.1.3:51242) -Use output as ISN for SYN packets

19 Defeating SYN Cookies Fight Fire with Fire – Continued -When Client receives SYN/ACK’s -(Sequence Number - 1) XOR’d with 32-bit number reveals the client sending IP and port -Client can now complete a full 3 way handshake without ever tracking anything in a table. -Client can also transmit data on this connection

20 Defeating SYN Cookies Fight Fire with Fire – Continued -No need on Client side to even keep a hash table. XOR is reversible. Availability Local Address Foreign Address STATE *:80*:*LISTEN SYN Cookie Magic 192.168.1.2:80192.168.1.3: 51235 ESTABLISHED 192.168.1.2:80192.168.1.3: 51235 ESTABLISHED 3251277165Meta-Data SYN Cookie Hash Table SYN:316612394 SYN:3251277165ACK:316612395 ACK:3251277166 Attacker 192.168.1.3 PSH

21 Sockstress Attacks To be seen and experienced live at the show… -We are still working with vendors, so we must limit the details of what Sockstress is Attacking -We will share more background information at the talk -We will also demonstrate the attacks live

22 One Step Ahead!

Download ppt "Introduction to Sockstress A TCP Socket Stress Testing Framework Presented at the SEC-T Security Conference Presented by: Jack C. Louis –Senior Security."

Similar presentations

TCP/IP Christopher Zacky. lolwut Decimal Numbers.

TCP/IP Christopher Zacky. lolwut Decimal Numbers.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.

TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.
Transportation Layer (2). TCP full duplex data: – bi-directional data flow in same connection – MSS: maximum segment size connection-oriented: – handshaking.

Transportation Layer (2). TCP full duplex data: – bi-directional data flow in same connection – MSS: maximum segment size connection-oriented: – handshaking.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Intermediate TCP/IP TCP Operation.

Intermediate TCP/IP TCP Operation.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
TCP & UDP - Protocol Details Yen-Cheng Chen

TCP & UDP - Protocol Details Yen-Cheng Chen
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Provides a reliable unicast end-to-end byte stream over an unreliable internetwork.

Provides a reliable unicast end-to-end byte stream over an unreliable internetwork.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Similar presentations

Ads by Google