Introduction to Sockstress A TCP Socket Stress Testing Framework Presented at the SEC-T Security Conference Presented by: Jack C. Louis –Senior Security.

Slides:



Advertisements
Similar presentations
TCP/IP Christopher Zacky. lolwut Decimal Numbers.
Advertisements

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.
Transportation Layer (2). TCP full duplex data: – bi-directional data flow in same connection – MSS: maximum segment size connection-oriented: – handshaking.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing
Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Intermediate TCP/IP TCP Operation.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
TCP & UDP - Protocol Details Yen-Cheng Chen
1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Provides a reliable unicast end-to-end byte stream over an unreliable internetwork.
Firewalls and Intrusion Detection Systems
Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
CSE 461: Transport Layer Connections. Naming Processes/Services  Process here is an abstract term for your Web browser (HTTP), servers (SMTP),
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
source router Destination IP packet IP packet fragments Reassembly Required Fragments Created.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
1 ELEN 602 Lecture 15 More on IP TCP. 2 byte stream Send buffer segments Receive buffer byte stream Application ACKs Transmitter Receiver TCP Streams.
Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)
The Transmission Control Protocol (TCP) TCP is a protocol that specifies: –How to distinguish among multiple destinations on a given machine –How to initiate.
TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.
CS332, Ch. 26: TCP Victor Norman Calvin College 1.
TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.
Beginning Network Security Monitor and control flow into and out of the LAN Ingress Egress Only let in the good guys Only let out the corp. business.
TCP/IP Vulnerabilities
CSE 461 Section. Let’s learn things first! Joke Later!
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
Lecture 22 Network Security CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Hesham El-Rewini.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 25 November 16, 2004.
Connection Establishment and Termination. Tcpdump tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept.
Slide #1 CIT 380: Securing Computer Systems TCP/IP.
DoS/DDoS attack and defense
Breno de MedeirosFlorida State University Fall 2005 The IP, TCP, UDP protocols A quick refresher.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
© 2002, Cisco Systems, Inc. All rights reserved..
Transport Layer1 TCP Connection Management Recall: TCP sender, receiver establish “connection” before exchanging data segments r initialize TCP variables:
TCP Insecurity Rocky K. C. Chang 30 March Rocky K. C. Chang Outline  SYN flooding  Sequence number attacks  Extraneous TCP state transitions.
Two Transport Protocols Available Transmission Control Protocol (TCP) User Datagram Protocol (UDP) Provides unreliable transfer Requires minimal – Overhead.
Port Scanning James Tate II
09-Transport Layer: TCP Transport Layer.
Fast Retransmit For sliding windows flow control we waited for a timer to expire before beginning retransmission of a packet TCP uses an additional mechanism.
General Classes of TCP/IP Problems
COMP2322 Lab 6 TCP Steven Lee Mar 29, 2017.
5. End-to-end protocols (part 1)
Introduction to Networking
CS 5565 Network Architecture and Protocols
Lab 2: TCP IP Attacks ( Indirect)
The IP, TCP, UDP protocols
0x1A Great Papers in Computer Security
CS 5565 Network Architecture and Protocols
CS4470 Computer Networking Protocols
Syara Hamdani Sandi Reza Fitroh
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
CSC Advanced Unix Programming, Fall 2015
Transport Layer 9/22/2019.
TCP Connection Management
Presentation transcript:

Introduction to Sockstress A TCP Socket Stress Testing Framework Presented at the SEC-T Security Conference Presented by: Jack C. Louis –Senior Security Researcher, Outpost24 Creator of Sockstress Robert E. Lee – CSO, Outpost24

Goals of this talk Review TCP Sockets Discuss Historical TCP DoS Issues Reintroduce SYN Cookie Concept Present Sockstress

Problem Statement Availability Critical to Function -Standard Security Triad – CIA Confidentiality Availability Integrity Confidentiality IntegrityAvailability

Problem Statement Availability Critical to Function -Standard Security Triad – CIA -Without Availability, remaining security becomes less useful Confidentiality Availability Integrity Confidentiality IntegrityAvailability

TCP Connection Primer Simplified example of a TCP Connection Availability 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 4. Interested in buying more life insurance? (PSH) 5. No. (PSH) 6. Goodbye! (FIN) 7. Bye! (FIN)

States, Timers, & Counters Every connection is tracked -TCP connection states expire -Probe packets have max retries -There are kernel defaults, but applications may also specify settings -Applications can orphan connections Local Address Foreign Address STATETimeoutRetries Left : :49328SYN_RCVD75 Seconds 5 SYN Legit User Server State Table

TCP Socket Connection Introduction to the virtual circuit Client Server Time : :80 S, seq: W: : :80 A, seq: W: : :80 S, seq: A, seq: W:5672 Local Address Foreign Address STATE *:80*:*LISTEN : : SYN_RCVD : : ACK_WAIT : : ESTABLISHED Server State Table

Client Server Time : :80 P, seq: W: : :80 P, seq: A, seq: W: : :80 A, seq: W:89 Local Address Foreign Address STATE : : ESTABLISHED : : ESTABLISHED : : ESTABLISHED Server State Table TCP Socket Connection Introduction to the virtual circuit – Continued

Client Server Time : :80 F, seq: A, seq: W: : :80 A, seq: W: : :80 A, seq: W:65535 Local Address Foreign Address STATE : : FIN_WAIT_ : : FIN_WAIT_ : : FIN_WAIT_2 Server State Table TCP Socket Connection Introduction to the virtual circuit – Continued

Client Server Time : :80 F, seq: A, seq: W: : :80 A, seq: W:89 Local Address Foreign Address STATE : : CLOSE_WAIT_ : : CLOSED *:80*LISTEN Server State Table TCP Socket Connection Introduction to the virtual circuit – Continued

DoS Timeline for TCP TCP has been around since In it’s history, only 4 major DoS attack types for the general protocol. -SYN Flood, ICMP, RST, Client SYN 1985 Morris Paper* 1996 SYN Flood Phrack DJB - SYN Cookies Mafiaboy DDoS 2004 RST Attacks* 2005 Client SYN Cookie Attacks* ICMP Attacks * Client SYN Cookie Scanners TCP/IP Born

SYN Flood Every connection attempt must be accounted for -Assume system has 1024 available slots -Trivial to consume all slots Availability Attacker Local Address Foreign Address STATE *:80*:*LISTEN : : 1 SYN_RCVD … : : 1024 SYN_RCVD Server Finite Number of Available Slots SYN Legit User No Response

SYN Flood Why SYN-Flooding Works -Spoofed SYN packets consume server resources -No (attacker) local state tracking Availability 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 5 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 4 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 3 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 2 Retries 2. Hello, this is Martha (SYN/AC K) 75 Second timeout 1 Retry Hello? Hello? Hello? Hello? Hello? 

SYN Cookies How to combat SYN Flooding -SYN Cookies defer TCP Connection State Tracking until after 3-way handshake -SYN Cookie is sent by Server as Initial Sequence Number -Cookie is hashed meta-data representing the connection details SYN Cookie Hash

SYN Cookies How to combat SYN Flooding – Continued -When ACK of ISN received, server compares (response - 1) to hash list -If match found, state is ESTABLISHED -Otherwise, rejected Availability Local Address Foreign Address STATE *:80*:*LISTEN SYN Cookie Magic : : ESTABLISHED Meta-Data SYN Cookie Hash Table SYN SYN: ACK ACK: Legit User

SYN Cookies How to combat SYN Flooding – Continued -Requiring valid cookie response: -Ensures attacker must see SYN/ACK responses (is a “legitimate IP address”) -Requires attacker to consume resources to account for state -Reduced resource load on server -Frees connection slots for other legit users

Full Connection Flood Why Full Connection Flooding isn’t more popular -A full connection requires attacker to consume state tracking resources too Availability 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) 1. Dial Number (SYN) 2. Hello, this is Martha (SYN/ACK) 3. Hello Martha, this is Bob (ACK) Oh no! No more outgoing lines. 

Defeating SYN Cookies Fight Fire with Fire -To defeat Server side SYN Cookies... -Employ Client side SYN Cookies -Start with a random 32-bit number -XOR this number against Client side of a connection attempt ( :51242) -Use output as ISN for SYN packets

Defeating SYN Cookies Fight Fire with Fire – Continued -When Client receives SYN/ACK’s -(Sequence Number - 1) XOR’d with 32-bit number reveals the client sending IP and port -Client can now complete a full 3 way handshake without ever tracking anything in a table. -Client can also transmit data on this connection

Defeating SYN Cookies Fight Fire with Fire – Continued -No need on Client side to even keep a hash table. XOR is reversible. Availability Local Address Foreign Address STATE *:80*:*LISTEN SYN Cookie Magic : : ESTABLISHED : : ESTABLISHED Meta-Data SYN Cookie Hash Table SYN: SYN: ACK: ACK: Attacker PSH

Sockstress Attacks To be seen and experienced live at the show… -We are still working with vendors, so we must limit the details of what Sockstress is Attacking -We will share more background information at the talk -We will also demonstrate the attacks live

One Step Ahead!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.