Presentation is loading. Please wait.

Presentation is loading. Please wait.

0x1A Great Papers in Computer Security

Published byIlene Reeves Modified over 5 years ago

Similar presentations

Presentation on theme: "0x1A Great Papers in Computer Security"— Presentation transcript:

1 0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov

2 D. Bernstein SYN cookies (1996)

3 TCP Handshake C S SYNC Listening… Spawn a new thread, store data
(connection state, etc.) SYNS, ACKC Wait ACKS Connected

4 SYN Flooding Attack S SYNC1 Listening… Spawn a new thread,
store connection data SYNC2 SYNC3 … and more SYNC4 … and more … and more SYNC5 … and more … and more

5 SYN Flooding Explained
Attacker sends many connection requests with spoofed source addresses Victim allocates resources for each request New thread, connection state maintained until timeout Fixed bound on half-open connections Once resources exhausted, requests from legitimate clients are denied This is a classic denial of service attack Common pattern: it costs nothing to TCP initiator to send a connection request, but TCP responder must spawn a thread for each request - asymmetry!

6 Preventing Denial of Service
DoS is caused by asymmetric state allocation If responder opens new state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses Cookies ensure that the responder is stateless until initiator produced at least two messages Responder’s state (IP addresses and ports of the con-nection) is stored in a cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator

7 SYN Cookies C S [Bernstein and Schenk] SYNC SYNS, ACKC ACKS Listening…
Compatible with standard TCP; simply a “weird” sequence number Does not store state SYNS, ACKC sequence # = cookie F(source addr, source port, dest addr, dest port, coarse time, server secret) Cookie must be unforgeable and tamper-proof (why?) F=Rijndael or crypto hash ACKS sequence # = cookie+1 Recompute cookie, compare with the received cookie, only establish connection if they match More info:

8 Anti-Spoofing Cookies: Basic Pattern
Client sends request (message #1) to server Typical protocol: Server sets up connection, responds with message #2 Client may complete session or not - potential DoS! Cookie version: Server responds with hashed connection data instead of message #2 Client confirms by returning hashed data If source IP address is spoofed, attacker can’t confirm Need an extra step to send postponed message #2, except in TCP (SYN-ACK already there)

Download ppt "0x1A Great Papers in Computer Security"

Similar presentations

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake.

TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake.
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.

CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.

Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.

A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

Similar presentations

Ads by Google