DoS Seminar 2 Spoofed Packet Attacks and Detection Methods By Prateek Arora.

Introduction
When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources (for example the Internet). An attack can be directed at an operating system or at the network.

Types of DoS attacks
– Ping Flood Attack (ICMP echo)
– SYN Flood Attack
– DDoS Attack (distributed SYN flood)
– UDP Flood Attacks
– Smurf Attack
– DNS name server Attack
– Land Attack
– Ping of Death Attack
– Fragmentation / Teardrop Attack
– Connection Spoofing
– Bounce Scanning
– Stealth Communication

What is a "Spoofed Packet"?
Packets sent by an attacker such that the claimed source is not the true source:
– MAC spoofing
– IP packet spoofing
– spoofing
This is not the same as routing attacks, which cause packets to be redirected, e.g. DNS cache poisoning, router table attacks, ARP spoofing.

Significance of "Spoofed Packets" in DoS attacks
Spoofed packets are a part of many attacks:
– SYN Flood Attack
– Smurf Attack
– Connection Spoofing
– Bounce Scanning
– Stealth Communication

IP/TCP Header Review: IP header format (20 bytes without options)
– version, header length, TOS, total length
– identification, flags, fragment offset
– TTL, protocol, header checksum
– source IP address
– destination IP address
– options (if any)
– data

IP/TCP Header Review: TCP header format (20 bytes without options)
– source port number, destination port number
– sequence number
– acknowledgement number
– header length, reserved, flags (URG, ACK, PSH, RST, SYN, FIN), window size
– TCP checksum, urgent pointer
– options (if any)
– data (if any)
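The two header layouts above are what a spoofed-packet detector reads from every packet. The following parser is an added example, not code from the slides: it decodes an IPv4 header and the TCP header behind it, verifies the IP header checksum (the one's-complement sum of RFC 1071), and extracts the fields later slides rely on (source address, TTL, IP ID, TCP flags). The sample SYN is constructed for the example and uses RFC 5737 documentation addresses; the builder exists only to produce that sample.

```python
import ipaddress
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5 of the flags byte


def ip_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 header fields plus the encapsulated payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    # Recompute the checksum with the checksum field zeroed; it must equal the stored value.
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ip_checksum(zeroed) == csum,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl:],
    }


def parse_tcp(segment: bytes) -> dict:
    """Return the TCP header fields plus any payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("not a well-formed TCP header")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
        "flags": [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)],
        "window": window, "checksum": csum, "urgent": urg,
        "payload": segment[data_offset:],
    }


def build_ipv4_tcp(src, dst, sport, dport, ttl=64, ident=0, flags=0x02, seq=0, window=65535):
    """Constructed sample: IPv4 header + bare TCP segment, no payload.
    Only the IP checksum is filled in; the TCP checksum is left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, ttl, 6, 0,
                               ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return bytes(ip) + tcp


# A SYN as an attacker could forge it: the source address is whatever is written into the header.
SAMPLE_SYN = build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 80, ttl=64, ident=0x1234)


def summarize(packet: bytes) -> dict:
    """The fields a spoof detector keeps per packet: addresses, TTL, ID, protocol, TCP flags."""
    ip = parse_ipv4(packet)
    out = {k: ip[k] for k in ("src", "dst", "ttl", "id", "protocol", "checksum_ok")}
    if ip["protocol"] == 6:
        tcp = parse_tcp(ip["payload"])
        out.update(sport=tcp["sport"], dport=tcp["dport"], flags=tcp["flags"])
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_SYN))
```

Nothing in the IP header authenticates the source field: the checksum only detects corruption, and a forger recomputes it over whatever address was written in. That is why the later slides look at side channels (TTL, IP ID, stack behaviour) instead of the address itself.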

Smurf Attack
In this attack, spoofed IP packets containing an ICMP Echo Request, with a source address equal to that of the attacked system and a broadcast destination address, are sent to an intermediate network. Sending an ICMP Echo Request to a broadcast address triggers all hosts on that network to respond with an ICMP Echo Reply, creating a large mass of packets that are routed to the victim's (spoofed) address.

Smurf Attack (contd.) (figure, source: Cisco)
– The perpetrator sends ICMP echo requests with the spoofed source address of the victim to the IP broadcast address of innocent reflector sites across the Internet.
– Every host on the reflector networks sends an ICMP echo reply to the victim (ICMP = Internet Control Message Protocol).
– Bandwidth multiplication: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack traffic.
– Caption on the figure: 1 SYN in, 10,000 simultaneous SYN/ACKs out - victim is dead.

SYN Flood Attack: TCP handshake review
– client sends SYN packet to server, waits for SYN-ACK from server
– server responds with SYN-ACK packet, waits for ACK packet from client
– client sends ACK to server
Exchange: SYN, SYN-ACK, ACK

SYN Flood Attack
– Attacker causes the TCP buffer (the backlog of half-open connections) to be exhausted.
– No reply from the target is needed, so the source may be spoofed.
– The claimed source must not be an active host: a live host that receives the unsolicited SYN-ACK answers with RST, which releases the half-open entry the attacker wants to keep occupied.
(Figure: TCP buffers holding half-open connections waiting for ACK, completed handshakes with the connection open, and empty buffer slots.)

Summary of attack methods
Attack                Attack packets                               Reply packets
Smurf                 ICMP echo queries to broadcast address       ICMP echo replies
SYN flooding          TCP SYN packets                              TCP SYN-ACK packets
RST flooding          TCP packets to closed ports                  TCP RST packets
ICMP flooding         ICMP queries                                 ICMP replies
                      UDP packets to closed ports                  Port unreachable
                      IP packets with low TTL                      Time exceeded
DNS reply flooding    DNS queries (recursive) to DNS servers       DNS replies

Detection Methods
– Routing-based
– Active: proactive, reactive
– Passive

Routing-based Method
For a given network topology certain source IP addresses should never be seen:
– internal addresses arriving on the external interface
– external addresses arriving on the internal interface
– IANA non-routable addresses on the external interface
– other special addresses
(Figure: a border device with an internal NIC and an external NIC.)

Special Addresses
– 0.0.0.0/8 - historical broadcast
– 10.0.0.0/8 - RFC 1918 private network
– 127.0.0.0/8 - loopback
– 169.254.0.0/16 - link local networks
– 172.16.0.0/12 - RFC 1918 private network
– 192.0.2.0/24 - TEST-NET
– 192.168.0.0/16 - RFC 1918 private network
– 240.0.0.0/5 - class E reserved
– 248.0.0.0/5 - unallocated
– 255.255.255.255/32 - broadcast

Routing-based Methods
– Most commonly used method: firewalls, filtering routers
– Relies on knowledge of network topology and routing specs
– Primarily used at the organizational border
– Cannot detect many examples of spoofing: externally spoofed external addresses, internally spoofed internal addresses
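The routing-based rules above reduce to a lookup on (source address, arrival interface). The following filter is an added example, not the slides' own code or any vendor's ACL syntax: it encodes the special-address list and the two topology rules, and its own limitation is visible in the sample audit, where an external address forged by another external host passes. The internal prefix (203.0.113.0/24) and the sample packets are constructed for the example.

```python
import ipaddress

# Special-use / non-routable source prefixes from the "Special Addresses" slide.
SPECIAL_USE = {
    "0.0.0.0/8": "historical broadcast",
    "10.0.0.0/8": "RFC 1918 private network",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link local",
    "172.16.0.0/12": "RFC 1918 private network",
    "192.0.2.0/24": "TEST-NET",
    "192.168.0.0/16": "RFC 1918 private network",
    "240.0.0.0/5": "class E reserved",
    "248.0.0.0/5": "unallocated",
    "255.255.255.255/32": "broadcast",
}
# Most specific prefix first, so 255.255.255.255 is reported as broadcast rather than as 248/5.
SPECIAL = sorted(((ipaddress.ip_network(p), why) for p, why in SPECIAL_USE.items()),
                 key=lambda item: item[0].prefixlen, reverse=True)

# Assumed for the example: the organisation's own routable space sits behind the internal NIC.
INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]


def classify(src: str, interface: str):
    """Return (verdict, reason) for a packet with source src seen on 'external' or 'internal'."""
    addr = ipaddress.ip_address(src)
    is_internal = any(addr in net for net in INTERNAL)
    if interface == "external":
        if is_internal:
            return "drop", "internal source address arriving on external interface"
        for net, why in SPECIAL:
            if addr in net:
                return "drop", f"special-use source {net} ({why}) on external interface"
        return "pass", "external source on external interface"
    if interface == "internal":
        if not is_internal:
            return "drop", "external source address arriving on internal interface"
        return "pass", "internal source on internal interface"
    raise ValueError(f"unknown interface {interface!r}")


# Constructed sample packets: (source address, interface the packet arrived on)
SAMPLE_PACKETS = [
    ("203.0.113.5", "external"),      # our own prefix coming in from outside: spoofed
    ("10.1.2.3", "external"),         # RFC 1918 source from the Internet
    ("255.255.255.255", "external"),
    ("198.51.100.9", "external"),     # plausible remote host
    ("198.51.100.9", "internal"),     # outsider's address leaving from inside: spoofed
    ("203.0.113.77", "internal"),
    # 198.51.100.9 forged by another outside host (198.51.100.200, say) also arrives on the
    # external interface and passes: the slide's "externally spoofed external address".
]


def audit(packets=SAMPLE_PACKETS):
    return [(src, iface, *classify(src, iface)) for src, iface in packets]


if __name__ == "__main__":
    for row in audit():
        print(row)
```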

Proactive methods
Look for behaviour that would not occur if the claimed source had actually received and processed the server's reply (a spoofer never sees that reply).
Method: a change in IP stack behaviour, which lets the server observe suspicious activity.
Examples:
– TCP window games
– SYN cookies (block spoofed connections without detecting them)

TCP Window Games: modified TCP handshake
– client sends SYN packet to server, waits for SYN-ACK from server whose ACK number matches
– server responds with SYN-ACK packet with an initial "random" sequence number and sets the window size to zero; waits for an ACK packet from the client with matching sequence number
– client sends ACK to server with matching sequence number but no data, and waits for an ACK with window > 0
– after receiving the larger window, the client sends data
A spoofer never sees the zero-length window and will send data without waiting.
Exchange:
SYN (ack-number)
SYN-ACK (seq-number, ack-number, window = 0)
ACK (seq-number, ack-number, no data)
ACK (seq-number, ack-number, window = 4096)
ACK (seq-number, ack-number) with data

SYN-Cookies: modified TCP handshake, an example of a "stateless" handshake
– client sends SYN packet to server, waits for SYN-ACK from server whose ACK number matches
– server responds with SYN-ACK packet whose initial sequence number is a SYN cookie: a cryptographically generated value based on client address, port and time; no TCP buffers are allocated
– client sends ACK to server with matching sequence number
– if the ACK arrives for a socket that is not open, the server validates the returned sequence number as a SYN cookie; if the value is valid, a buffer is allocated and the socket is opened
Spoofed packets will not consume TCP buffers.
Exchange:
SYN (ack-number)
SYN-ACK (seq-number is the SYN cookie, ack-number) - no buffer allocated
ACK (seq-number, ack-number, possibly with data) - cookie validated, TCP buffer allocated
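The SYN-cookie handshake above, as an added example that is not from the slides and is not any operating system's implementation: the server's initial sequence number is an HMAC over the client address, both ports and a coarse time counter, the top byte of the ISN carries that counter so the server can recompute the cookie when the ACK returns, and nothing is stored between SYN and ACK. The secret, the 64-second slot width, the one-slot validity window and the packet record shapes are assumptions for the example; a real stack also folds the negotiated MSS into the cookie, which is omitted here.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"replace-with-a-random-per-boot-key"   # assumed: regenerated at boot in a real stack
SLOT_SECONDS = 64                                 # width of the coarse time counter in the cookie
ISN_MASK = 0xFFFFFFFF


def _slot(now: float) -> int:
    """8-bit time counter, carried in the top byte of the ISN so the server can recover it."""
    return int(now // SLOT_SECONDS) & 0xFF


def make_cookie(client_ip: str, client_port: int, server_port: int, now: float) -> int:
    """SYN cookie = [8-bit slot | low 24 bits of HMAC(secret, client ip, ports, slot)]."""
    slot = _slot(now)
    msg = ipaddress.ip_address(client_ip).packed + struct.pack("!HHB", client_port, server_port, slot)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (slot << 24) | (struct.unpack("!I", mac[:4])[0] & 0x00FFFFFF)


def check_cookie(client_ip, client_port, server_port, ack_number, now, max_age_slots=1) -> bool:
    """True if ack_number acknowledges a cookie this server would have issued recently for the 4-tuple."""
    seq = (ack_number - 1) & ISN_MASK              # the ISN the client claims to acknowledge
    age = (_slot(now) - (seq >> 24)) & 0xFF        # how many slots ago that ISN was minted
    if age > max_age_slots:
        return False                               # stale, or a slot value we never issued
    expected = make_cookie(client_ip, client_port, server_port, now - age * SLOT_SECONDS)
    return hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", seq))


class StatelessServer:
    """Listening socket that keeps no half-open state at all."""

    def __init__(self, port: int):
        self.port = port
        self.established = []

    def on_syn(self, client_ip, client_port, now):
        # No buffer allocated: the SYN-ACK's sequence number is the only "state", and it travels
        # to the claimed source. A spoofer never sees it and cannot complete the handshake.
        return {"flags": "SYN-ACK", "seq": make_cookie(client_ip, client_port, self.port, now)}

    def on_ack(self, client_ip, client_port, ack_number, now) -> bool:
        if check_cookie(client_ip, client_port, self.port, ack_number, now):
            self.established.append((client_ip, client_port))   # buffer allocated only now
            return True
        return False


def demo(now: float = 1_700_000_000.0) -> dict:
    srv = StatelessServer(80)
    # 10,000 SYNs from spoofed sources (constructed): nothing is stored for any of them.
    for i in range(10_000):
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, now)
    # A genuine client sees the SYN-ACK and answers with cookie + 1.
    synack = srv.on_syn("203.0.113.9", 40000, now)
    legit = srv.on_ack("203.0.113.9", 40000, (synack["seq"] + 1) & ISN_MASK, now + 0.2)
    # A blind ACK with a guessed number is rejected; so is a genuine cookie replayed much later.
    forged = srv.on_ack("203.0.113.9", 40001, 0x12345678, now)
    stale = srv.on_ack("203.0.113.9", 40000, (synack["seq"] + 1) & ISN_MASK, now + 3 * SLOT_SECONDS)
    return {"established": len(srv.established), "legit": legit, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Because the cookie is bound to the client's address, a SYN with a forged source yields a SYN-ACK that goes to the forged address, and the attacker, who never sees the 24-bit MAC value, has no better option than guessing it. That is the sense in which the slide says SYN cookies block without detecting: the flood is absorbed, but nothing records which SYNs were spoofed.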

Reactive methods
When a suspicious packet is received, the claimed source is probed to verify whether the packet was spoofed. May use the same techniques as proactive methods.
Example probes:
– Is the TTL appropriate?
– Is the IP ID appropriate?
– Is the host up?
– Change window size

Passive Methods
Learn expected values for observed packets; when an anomalous packet is received, treat it as suspicious.
Example values:
– expected TTL
– expected client port
– expected client OS idiosyncrasies

Experiments
Determine the validity of various spoofed-packet detection methods:
– predictability of TTL (passive)
– predictability of TTL (active)
– predictability of ID (active)

Experiment Description - Passive
– Monitor network traffic
– Record source IP address, TTL and protocol
– Count occurrences of all unique combinations
– Statistically analyze the predictability of the data

Results - Passive
– Data collected over 2-week periods at the University of California, Davis
– 23,000,000 IP packets observed
– 23,461 source IP addresses: 110 internal, the rest external

Results - Passive
Predictability measure: conditional entropy (unpredictability) of the TTL given the source address; values closer to zero indicate higher predictability.

Results - Passive (tables)
Columns: Protocol, H mean, H variance, Number of addresses, Number of packets
Rows: All, ICMP, IGMP, TCP, UDP
One table each for:
– all packets
– external addresses only
– internal addresses only
– only addresses with more than 250 packets
– only addresses with more than 500 packets
(The numeric cells are not present in the transcript.)

Results - Passive
TTL predictability differs by protocol:
– UDP is the least reliable: traceroute is the major contributor (and can be filtered); certain programs set the TTL anomalously; ToS may be useful in reducing inconsistencies
– TTL on the local network is highly regular, but traceroute traffic must be filtered
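The passive experiment (record source, protocol and TTL; count unique combinations; measure conditional entropy) and the traceroute caveat just above, as an added example that is not the authors' analysis code. It computes H(TTL | source) in bits per protocol, where 0 means every source always arrives with a single TTL, and builds the passive detector the "Passive Methods" slide describes: a per-source TTL profile that flags a packet whose TTL departs from what that source has shown. The packet records are constructed with documentation-range addresses, and the low-TTL-UDP rule used to drop traceroute probes is an assumed heuristic.

```python
import math
from collections import Counter, defaultdict

# Constructed records (source, protocol, ttl): two hosts with a stable TTL, one of which also
# runs traceroute (UDP with tiny TTLs), plus one distant host.
RECORDS = (
    [("198.51.100.7", "TCP", 116)] * 40
    + [("198.51.100.7", "UDP", t) for t in (1, 2, 3, 4, 5)]      # traceroute probes
    + [("192.0.2.33", "TCP", 52)] * 30
    + [("192.0.2.33", "ICMP", 52)] * 10
    + [("203.0.113.9", "TCP", 243)] * 20
)


def without_traceroute(records, max_ttl=30):
    """Drop UDP packets with a tiny TTL (assumed heuristic for traceroute probes)."""
    return [r for r in records if not (r[1] == "UDP" and r[2] <= max_ttl)]


def conditional_entropy(records, protocol=None) -> float:
    """H(TTL | source) in bits over the records, optionally restricted to one protocol."""
    by_src = defaultdict(Counter)
    for src, proto, ttl in records:
        if protocol is None or proto == protocol:
            by_src[src][ttl] += 1
    total = sum(sum(c.values()) for c in by_src.values())
    if total == 0:
        return 0.0
    h = 0.0
    for counts in by_src.values():                  # H(TTL | src) weighted by P(src)
        n = sum(counts.values())
        h_src = -sum(k / n * math.log2(k / n) for k in counts.values())
        h += n / total * h_src
    return h


class TTLProfile:
    """Passive detector: remember the TTLs each source has shown and flag deviations."""

    def __init__(self, min_packets=5, tolerance=1):
        self.seen = defaultdict(Counter)
        self.min_packets = min_packets      # history needed before judging a source
        self.tolerance = tolerance          # hops of slack for path changes

    def learn(self, records):
        for src, _proto, ttl in records:
            self.seen[src][ttl] += 1

    def check(self, src, ttl) -> str:
        counts = self.seen.get(src)
        if not counts or sum(counts.values()) < self.min_packets:
            return "unknown"
        expected, _ = counts.most_common(1)[0]
        return "ok" if abs(ttl - expected) <= self.tolerance else "suspicious"


def analyze() -> dict:
    clean = without_traceroute(RECORDS)
    profile = TTLProfile()
    profile.learn(clean)
    return {
        "h_all": conditional_entropy(RECORDS),
        "h_tcp": conditional_entropy(RECORDS, "TCP"),
        "h_udp": conditional_entropy(RECORDS, "UDP"),
        "h_all_filtered": conditional_entropy(clean),
        "genuine": profile.check("198.51.100.7", 116),
        # Same claimed source, but the TTL a different stack or path would leave behind.
        "spoofed": profile.check("198.51.100.7", 64),
        "unknown": profile.check("192.0.2.250", 64),
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(k, v)
```

With the constructed data, TCP alone has zero conditional entropy, UDP carries all of the unpredictability (it comes entirely from the traceroute probes), and removing those probes brings the overall value to zero, which is the pattern the results slide reports.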

Experiment Description - Reactive
– Monitor network traffic; record IP address, protocol, TTL and ID
– Send probe packet(s): ICMP echo reply packet, TCP SYN packet, UDP packet
– Note the differences between the stored TTL/ID and those of the returning probe replies

Results - Reactive
Evaluate:
– initial vs. probe-reply TTL
– initial vs. probe-reply ID (delta from the original)
Predictability measure: conditional entropy (unpredictability); values closer to zero indicate higher predictability.

Results - Reactive (preliminary only)
– ran for 18 hours
– 8058 probes sent
– 218 unique addresses: 173 external, 45 internal

Results - Reactive: probe-reply TTL vs. recorded TTL
– total number of probes
– off by ±2 or less: %
– off by ±1 or less: %
– %
(The counts and percentages are not present in the transcript.)

Results - Reactive: probe-reply ID vs. recorded ID
– total number of probes: 8058
– offset / count (small offsets): 1 / 601, 2 / 57, 4 / 21, 6 / 16, 5 / 14, 7 / 11, 8 / 9
– offset / count (multiples of 256): 256 / 73, 512 / 5, (two rows not present in the transcript), 1280 / 10
(The transcript runs each offset and its count together; the split above is the reading consistent with offsets of 1 to 8 and multiples of 256.)
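The reactive check (record a packet's TTL and IP ID, probe the claimed source, compare) and the two clusters in the ID results above, as an added example that is not the authors' probing tool. A genuine source answers with a TTL within a hop or two of the recorded one and an IP ID that has advanced by a small amount; offsets that are exact multiples of 256 are what a counter incremented in host byte order on a little-endian machine looks like when read in network order, so the check also compares the byte-swapped IDs. Probe transport is abstracted away: the recorded values and the probe replies below are constructed, and the tolerances (2 hops, 64 IDs) are assumptions.

```python
from collections import Counter


def swap16(x: int) -> int:
    """Swap the two bytes of a 16-bit value (the ID as a little-endian stack counts it)."""
    return ((x & 0xFF) << 8) | ((x >> 8) & 0xFF)


def id_offset(recorded_id: int, probe_id: int) -> int:
    """How far the IP ID advanced between the recorded packet and the probe reply (mod 2^16)."""
    return (probe_id - recorded_id) & 0xFFFF


def verdict(recorded, reply, ttl_tolerance=2, max_id_advance=64) -> str:
    """recorded and reply are (ttl, ip_id); reply is None when no answer to the probe came back."""
    if reply is None:
        return "no reply: claimed source is down or unreachable, probe inconclusive"
    rec_ttl, rec_id = recorded
    rep_ttl, rep_id = reply
    if abs(rep_ttl - rec_ttl) > ttl_tolerance:
        # A different hop count means a different sender or path than the packet claimed.
        return "suspicious: TTL differs by %d" % (rep_ttl - rec_ttl)
    advance = id_offset(rec_id, rep_id)
    if advance <= max_id_advance:
        return "consistent: ID advanced by %d" % advance
    swapped = id_offset(swap16(rec_id), swap16(rep_id))
    if swapped <= max_id_advance:
        return "consistent: ID advanced by %d (byte-swapped counter, %d on the wire)" % (swapped, advance)
    return "suspicious: ID advanced by %d, unrelated to the recorded packet" % advance


# Constructed probe results: (recorded (ttl, id), probe reply (ttl, id) or None)
PROBES = [
    ((116, 0x1234), (116, 0x1239)),          # same path, counter moved on by 5
    ((52, 1000), (51, 1000 + 3 * 256)),      # one hop off, counter in the other byte order
    ((64, 7), (243, 40000)),                 # real host is much farther away than the packet claimed
    ((116, 500), None),                      # claimed source does not answer
    ((116, 500), (117, 30000)),              # TTL fits, but the ID has nothing to do with ours
]


def run_probes(probes=PROBES):
    return [verdict(rec, rep) for rec, rep in probes]


def offset_histogram(probes=PROBES) -> Counter:
    """The offset/count table of the results slide, over the probes that were answered."""
    return Counter(id_offset(rec[1], rep[1]) for rec, rep in probes if rep is not None)


if __name__ == "__main__":
    for line in run_probes():
        print(line)
    print(dict(offset_histogram()))
```

The check is only as good as the ID counter: a stack that randomises the IP ID, or a busy host that sends hundreds of packets between the recorded packet and the probe reply, will look "unrelated" without being spoofed, so the slide's ±1/±2 TTL buckets and the ID offset table are best read as evidence to weigh, not a proof.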

Conclusion
– Spoofed packets are used in many different attacks
– Spoofed packets can be detected by a number of methods
– High predictability of TTL and ID allows the use of passive and active methods
