1 A Study on SYN Flooding
Student: Tao-Wei Huang
Advisor: Prof. Wen-Nung Tsai
2001/06/13


2 Outline
- Motivation
- Introduction
- Denial of Service Attacks
- Related Works
- Design and Implementation
- Experimental Results
- Conclusions and Future Works

3 Motivation
- SYN flooding attacks seriously affect networks
- Attackers need only a few resources to launch the attack, and it is difficult to trace the source of the attack
- TCP carries many important protocols, such as HTTP, FTP, and POP3, that are frequently used for information exchange
- No mechanism seems to provide an optimal solution [1999, L. Ricciulli]

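4 TCP/IP Model

5 UDP -- connectionless
- Provides an unreliable connectionless delivery service
- No flow control or retransmission
[Figure labels: Client, Server, Data]

6 TCP -- connection-oriented
[Figure: three-way handshake between Client and Server]
- Client to Server: SYN x, ACK 0
- Server to Client: SYN y, ACK x+1
- Client to Server: SYN x+1, ACK y+1
- Server states: LISTEN, SYN_RCVD, ESTABLISHED (backlog)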

7 Denial of Service Attacks
- Ping of Death
- Smurf
- Teardrop
- Land
- SYN Flooding

8 Smurf

9 Teardrop (1/2)
[Figure: IP fragmentation across routers R1, R2, R3, and R4; ETH/IP frames carrying 1500 bytes are split into frames carrying 512, 512, and 476 bytes]

10 Teardrop (2/2)
(Header layout in the figure: Start of header, Ident, flag, Offset, Rest of header, data)
Normal IP Packet
- Unfragmented: Ident = x, flag = 0, Offset = 0, 1500 data bytes
- Fragment 1: Ident = x, flag = 1, Offset = 0, 512 data bytes
- Fragment 2: Ident = x, flag = 1, Offset = 512, 512 data bytes
- Fragment 3: Ident = x, flag = 0, Offset = 1024, 476 data bytes
Teardrop IP Packet
- Fragment 1: Ident = x, flag = 1, Offset = 0, 512 data bytes
- Fragment 2: Ident = x, flag = 1, Offset = 500, 512 data bytes
- Fragment 3: Ident = x, flag = 0, Offset = 1000, 476 data bytes
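The consistency check a reassembler can apply to the fragment sets on the Teardrop (2/2) slide, as an added example (not code from the presentation). The struct, the verdict names and the function are hypothetical; offsets are in bytes as drawn on the slide, and the 0/1 value is read as the more-fragments flag.

```c
#include <stddef.h>
#include <stdio.h>

struct frag { unsigned offset; unsigned len; int more; };

enum frag_verdict { FRAG_OK, FRAG_OVERLAP, FRAG_GAP, FRAG_BAD_LAST };

/* Validates a fragment list sorted by offset before any data is copied:
   each fragment must start exactly where the previous one ended, and only
   the final fragment may have the more-fragments flag cleared. */
static enum frag_verdict check_fragments(const struct frag *f, size_t n)
{
    unsigned expected = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset < expected) return FRAG_OVERLAP;
        if (f[i].offset > expected) return FRAG_GAP;
        if (f[i].more != (i + 1 < n)) return FRAG_BAD_LAST;
        expected = f[i].offset + f[i].len;
    }
    return FRAG_OK;
}

/* The two fragment sets from the slide: (offset, data bytes, flag). */
static const struct frag normal[]   = { {0, 512, 1}, {512, 512, 1}, {1024, 476, 0} };
static const struct frag teardrop[] = { {0, 512, 1}, {500, 512, 1}, {1000, 476, 0} };

int main(void)
{
    printf("normal: %d, teardrop: %d\n",
           check_fragments(normal, 3), check_fragments(teardrop, 3));
    return 0;
}
```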

11 Land Attack
- A TCP SYN packet with the same source and destination IP address and port
- Ex: (140.113.215.125, 140.113.215.125, 80, 80)
- Land attacks affect some OSs over the Internet

12 SYN Flooding
[Figure labels: Attacker, Server, backlog, SYN + ACK, ?]

13 Why SYN Flooding
- Some DoS attacks are OS-dependent, and CERT® proposes some suggestions
- The SYN flooding attack exploits a weakness in the protocol
- There is no optimal solution for defending against the SYN flooding attack

14 Related Works
- Firewall/Router Approach
  - Firewall Relay [1997, E. H. Spafford]
  - Cisco TCP Intercept [7xxx Router & PIX 5.2 Firewall]
- Cookie Approach
  - RST Cookie [1996, E. Shenk]
  - SYN Cookie [1996, Rex Di Bona]
- Random Drop [1999, L. Ricciulli]

15 Firewall Relay

16 Cisco TCP Intercept

17 RST Cookie

18 SYN Cookie

19 Random Drop

20 System Architecture Overview
[Figure label: the same IP]

21 Design (1/2)
- The Filter and the Server have the same IP address, and the Server does not respond to ARP requests
- The Filter responds to the Server's ARP with its MAC address
- This hides the Server in order to protect it

22 Design (2/2)
- SYN Cache
  - Solves the packet loss problem in SYN Cookie
  - Entry: (client_ip, client_port, sequence_num, ack_num, retransmit_info), 16 bytes
  - 16 * 10000 = 160 Kbytes
- Hash Function
  - Eliminates the overhead of sequence number conversion
  - Hash(client_ip, client_port, server_ip, server_port, key) → xor operation
  - The key is changed periodically
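A sketch of the Design (2/2) slide as an added example (not code from the presentation): a 16-byte SYN cache entry and an XOR hash of the 4-tuple and key used as the initial sequence number, checked again when the client's final ACK arrives. The field widths, the exact XOR mix, the key values and the choice to keep the previous key across a change are assumptions; XOR mixing is linear in the key, so the scheme relies on the periodic key change.

```c
#include <stdint.h>
#include <stdio.h>

/* SYN cache entry with the slide's fields; the widths are assumed so the
   entry comes to the 16 bytes the slide quotes. */
struct syn_cache_entry {
    uint32_t client_ip, sequence_num, ack_num;
    uint16_t client_port;
    uint16_t retransmit_info;          /* assumed: retry count and timer */
};
_Static_assert(sizeof(struct syn_cache_entry) == 16, "16-byte entry");
enum { SYN_CACHE_ENTRIES = 10000 };    /* 16 * 10000 bytes, as on the slide */

/* Current and previous key (constructed values). Keeping the previous one
   lets a handshake that straddles a key change still verify. */
static uint32_t keys[2] = { 0x5A17C3E9u, 0x5A17C3E9u };

static void rotate_key(uint32_t fresh) { keys[1] = keys[0]; keys[0] = fresh; }

/* XOR-only mix of the 4-tuple and the key; the exact mix is an assumption. */
static uint32_t isn_hash(uint32_t cip, uint16_t cport,
                         uint32_t sip, uint16_t sport, uint32_t key)
{
    return cip ^ sip ^ (((uint32_t)cport << 16) | sport) ^ key;
}

/* A final ACK authenticates the client if ack_num - 1 matches the hash
   under the current or the previous key. */
static int ack_is_valid(uint32_t cip, uint16_t cport,
                        uint32_t sip, uint16_t sport, uint32_t ack_num)
{
    uint32_t isn = ack_num - 1u;
    return isn == isn_hash(cip, cport, sip, sport, keys[0]) ||
           isn == isn_hash(cip, cport, sip, sport, keys[1]);
}

int main(void)
{
    uint32_t c = 0xC0000201u, s = 0xC6336407u;   /* constructed addresses */
    uint32_t isn = isn_hash(c, 40000, s, 80, keys[0]);
    printf("fresh: %d\n", ack_is_valid(c, 40000, s, 80, isn + 1u));
    rotate_key(0x1234ABCDu);
    printf("one key change later: %d\n", ack_is_valid(c, 40000, s, 80, isn + 1u));
    rotate_key(0x0BADF00Du);
    printf("two key changes later: %d\n", ack_is_valid(c, 40000, s, 80, isn + 1u));
    return 0;
}
```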

23 Connection Establishment

24 Modification on Filter

25 Modification on Server

26 Experimental Environment
[Figure labels: Scenario (1) and Scenario (2); the same IP]

27 Experimental Equipment
- Hardware
  - P-III 500 with 100Mbps Ethernet Card
  - 100Mbps Hub, Router
- Software
  - Server (apache 1.3.12) → FreeBSD 4.1.1
  - Client (httperf 0.6) → FreeBSD 4.1.1
  - Attacker (synk4.c) → FreeBSD 4.1.1
- Attacker Speed
  - FreeBSD default warning threshold: 200pps
  - Attack rate from 1000pps to 10000pps
  - Test file size from 1k to 200k Bytes

28 Experimental Results: Throughput (1/3)

29 Experimental Results: Throughput (2/3)

30 Experimental Results: Throughput (3/3)

31 Experimental Results: Request per Second (1/3)

32 Experimental Results: Request per Second (2/3)

33 Experimental Results: Request per Second (3/3)

34 Experimental Results: Execution Time (1/3)

35 Experimental Results: Execution Time (2/3)

36 Experimental Results: Execution Time (3/3)

37 Conclusions (1/2)
- Strength of Proposed Approach
  - Filters packets, authenticates clients, and forwards packets
  - No other services provided
- Comparisons with Existing Approaches (columns: Our Approach, Cisco TCP Intercept, Firewall/Proxy)
  - Connection Establishment: NO, YES
  - Sequence Number Conversion: NO, YES

38 Conclusions (2/2)
Comparison (columns: Our Approach, SYN Cookie, RST Cookie, Random Drop)
- Guarantee Service: YES, NO
- Memory Immunity: YES
- Computing Immunity: NO, YES
- Packet Retransmission: YES, NO, YES
- Good Performance: YES, NO, YES

39 Future Works
- Fault Tolerance Mechanism
- Multiple Services Protecting
- Intelligent Configuration

