TCP Flooding

TCP Flooding

TCP handshake (C = client, S = server)
– C → S: SYN_C           (S: Listening → store data)
– S → C: SYN_S, ACK_C    (S: wait)
– C → S: ACK_S           (S: connected)

TCP handshake
● What is stored at the server in the handshake?
  – TCP Control Block (TCB) keeps track of what the server “agreed to”
    ● > 280 bytes
    ● FlowID, timer info, sequence number, flow control status, out-of-band data, MSS, other options agreed to
  – Half-open TCB entries exist until timeout
  – Fixed bound on half-open connections
    ● Resources exhausted → requests rejected

SYN flooding (C = client, S = server)
– C → S: SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5   (S: Listening, stores data for each SYN)

TCP SYN flooding
● Basic problem
  – No client authentication of packets before resources are allocated
● Attacker sends many connection requests
  – Spoofed source addresses
  – RSTs are quickly generated if the source address exists
  – No reply for non-existent sources
● Attacker exhausts the TCP buffer with half-open connections

TCP SYN flooding: TCP buffers (diagram). Legend: half-open connection, waiting for ACK; completed handshake, connection open; empty buffer.

SYN-flood: TCP buffers (diagram, same legend: half-open connection, waiting for ACK; completed handshake, connection open; empty buffer).

TCP SYN flooding counter-measures
● End host
  – Reduce the half-open timeout value
    ● May deny legitimate access
  – Increase the backlog queue
    ● Increases resource usage
  – Disable non-essential services
● Router
  – Ingress filtering to prevent spoofing

TCP SYN flooding counter-measures
● Firewall
  – Full connection proxy
    ● Terminates the handshake, re-establishes the connection on a valid 3-way handshake
    ● Must not itself be vulnerable to SYN flooding?
    ● Must translate each subsequent packet
  – Semi-transparent
    ● Spoofs ACKs optimistically when receiving SYN/ACK
    ● Subsequent (duplicate) ACK is let through, or an RST is generated if no ACK is received

TCP SYN flooding counter-measures
● Active monitoring (synkill)
  – synkill
    ● keeps track of source IP addresses
      – null (never seen), good (seen to be OK before)
      – new (seen, but not yet sure whether spoofed)
      – bad (non-existent, etc.)
    ● Sends RST packets for bad source IP addresses
    ● Sends ACK packets for new, potentially spoofed IP addresses
      – degrades service if you can't tell for sure
      – if an ACK or RST is received, place the IP in “good”
      – if no ACK or RST is observed, reclassify the IP as bad
    ● Reclassify periodically
    ● ACK/RST spoofing is a problem
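The null/new/good/bad classification above, as an added example of a synkill-style monitor; this is not the synkill tool's own code, and the timeouts, addresses and trace are constructed.

```python
from dataclasses import dataclass, field
# Added example of a synkill-style active monitor as described on the slides:
# each source IP is null (never seen), new (seen, unverified), good (answered an
# ACK/RST before) or bad (never answered). Timeout values below are assumed.
NEW_TIMEOUT = 3.0    # seconds a "new" source gets to answer our ACK probe
BAD_TTL = 60.0       # seconds before a "bad" source is dropped back to "null"

@dataclass
class SynMonitor:
    state: dict = field(default_factory=dict)   # ip -> "new" | "good" | "bad"
    since: dict = field(default_factory=dict)   # ip -> time that state was entered

    def classify(self, ip):
        return self.state.get(ip, "null")

    def reclassify(self, now):
        """Periodic pass: unanswered 'new' sources become 'bad'; old 'bad' entries expire."""
        for ip in list(self.state):
            age = now - self.since[ip]
            if self.state[ip] == "new" and age > NEW_TIMEOUT:
                self.state[ip], self.since[ip] = "bad", now
            elif self.state[ip] == "bad" and age > BAD_TTL:
                del self.state[ip], self.since[ip]

    def observe(self, now, src_ip, flags):
        """One packet from src_ip toward the protected server -> packets to inject:
        ("ACK", ip) probes a new source; ("RST", ip) clears a bad source's half-open entry."""
        self.reclassify(now)
        actions = []
        if {"ACK", "RST"} & flags:
            # A live host answered (3rd handshake step, or RST to our probe): it is good
            self.state[src_ip], self.since[src_ip] = "good", now
        elif "SYN" in flags:
            st = self.classify(src_ip)
            if st == "bad":
                actions.append(("RST", src_ip))
            elif st in ("null", "new"):
                if st == "null":
                    self.state[src_ip], self.since[src_ip] = "new", now
                actions.append(("ACK", src_ip))   # probe; a real source replies with ACK/RST
        return actions

def run_trace(events):
    """Feed constructed (time, src_ip, flags) events through one monitor; return actions."""
    mon, out = SynMonitor(), []
    for now, ip, flags in events:
        out.extend(mon.observe(now, ip, flags))
    return out, mon

# Constructed trace: a real client that answers the probe, and a source that never does
TRACE = [(0.0, "203.0.113.7", {"SYN"}), (0.5, "203.0.113.7", {"RST"}), (1.0, "203.0.113.7", {"SYN"}),
         (1.0, "198.51.100.9", {"SYN"}), (5.0, "198.51.100.9", {"SYN"})]
```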

TCP SYN cookies
● General idea
  – Client sends SYN with ACK number
  – Server responds to the client with a SYN-ACK cookie
    ● sqn = f(src addr, src port, dest addr, dest port, rand)
    ● Server does not save state
  – Honest client responds with ACK(sqn)
  – Server checks the response
  – If it matches the SYN-ACK, the connection is established

TCP SYN cookie
● Server's TCP SYN/ACK seqno encodes a cookie
  – seqno = 32 bits, laid out as [t mod 32 | MSS (3 bits) | Cookie]
    ● t mod 32 => counter that ensures seqnos increase every 64 sec
    ● MSS => encoding of the server MSS (can only have 8 settings)
    ● Cookie = HMAC(t, N_s, SIP, SPort, DIP, DPort) => easy to create and validate, hard to forge blindly

SYN-Cookies
● Modified TCP handshake
● Example of a “stateless” handshake
  – client
    ● sends SYN packet and ACK number to the server
    ● waits for SYN-ACK from the server with matching ACK number
  – server
    ● responds with a SYN-ACK packet whose initial sequence number is the SYN-cookie
    ● Sequence number is a cryptographically generated value based on client address, port, and time.
    ● No TCP buffers are allocated
  – client
    ● sends ACK to the server with matching sequence number
  – server
    ● If the ACK is to an unopened socket, the server validates the returned sequence number as a SYN-cookie
    ● If the value is reasonable, a buffer is allocated and the socket is opened. Spoofed packets will not consume TCP buffers
Message sequence (diagram):
  client → server: SYN, ack-number
  server → client: SYN-ACK, seq-number as SYN-cookie, ack-number   [NO BUFFER ALLOCATED]
  client → server: ACK, seq-number, ack-number + data
  server → client: SYN-ACK, seq-number, ack-number                 [TCP BUFFER ALLOCATED]
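The cookie layout and stateless validation from the three SYN-cookie slides above, as an added example (not code from the slides or from any operating system): the 5-bit counter, 3-bit MSS index and 24-bit HMAC share one 32-bit seqno, and the server accepts an ACK only if it recomputes to the same value. The secret N_s, the MSS table and the acceptable cookie age are assumed values.

```python
import hmac
import hashlib
import socket
import struct

# Added example of the SYN-cookie seqno described on the slides:
#   seqno (32 bits) = [t mod 32 : 5 bits][MSS index : 3 bits][cookie : 24 bits]
#   cookie = HMAC(t, N_s, SIP, SPort, DIP, DPort), truncated to 24 bits
# The server stores nothing per connection; N_s is a server-side secret key.
N_S = b"constructed-server-secret-N_s"                         # constructed placeholder
MSS_TABLE = (536, 1300, 1440, 1460, 4312, 8960, 16000, 65495)  # assumed 8-entry MSS table
COUNTER_PERIOD = 64                                             # seconds per counter step (slides)
MAX_AGE_STEPS = 2                                               # accept cookies up to 2 steps old (assumed)

def mss_index(client_mss):
    """3-bit index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx

def cookie_hash(t, sip, sport, dip, dport):
    """24-bit HMAC over the counter and the 4-tuple, keyed with N_s."""
    msg = (struct.pack("!I", t) + socket.inet_aton(sip) + struct.pack("!H", sport)
           + socket.inet_aton(dip) + struct.pack("!H", dport))
    return hmac.new(N_S, msg, hashlib.sha256).digest()[:3]

def make_syn_cookie(now, client_mss, sip, sport, dip, dport):
    """Server's SYN-ACK sequence number for a SYN from (sip, sport) to (dip, dport)."""
    t = (now // COUNTER_PERIOD) & 0x1F
    h = int.from_bytes(cookie_hash(t, sip, sport, dip, dport), "big")
    return (t << 27) | (mss_index(client_mss) << 24) | h

def accept_ack(ack_number, now, sip, sport, dip, dport):
    """Validate a client's ACK to an unopened socket.

    Returns the MSS to use when the cookie checks out, or None when it is stale,
    forged, or belongs to a different 4-tuple (e.g. a spoofed source address)."""
    seqno = (ack_number - 1) & 0xFFFFFFFF                 # the client ACKs our seqno + 1
    t, m = seqno >> 27, (seqno >> 24) & 0x7
    h = (seqno & 0xFFFFFF).to_bytes(3, "big")
    age = (((now // COUNTER_PERIOD) & 0x1F) - t) & 0x1F   # wrap-around distance mod 32
    if age > MAX_AGE_STEPS:
        return None
    if not hmac.compare_digest(h, cookie_hash(t, sip, sport, dip, dport)):
        return None
    return MSS_TABLE[m]
```

Because only the counter, MSS index and HMAC are recovered from the ACK, the server learns nothing about options negotiated in the original SYN, which is the limitation the next slide raises.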

Status?
● Support exists in all modern operating systems
● Not turned on by default. Why?
  – Not sure, but it...
    ● May break some options such as large windows
    ● Assumes that negotiated TCP parameters do not change

Cookies for the “bad guy”
● TCP SYN cookies
  – Used by the good guy to securely keep track of valid half-open connections using constant state at the server
  – Encode information in the destination seqno
● Inverse TCP SYN cookies
  – Used by the bad guy to securely keep track of valid half-open connections using constant state at the client
  – Encode information in the source port/seqno
  – Allows for high-speed scanning