Presentation is loading. Please wait.

Presentation is loading. Please wait.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

Published byJoelle Mullet Modified over 9 years ago

Similar presentations

Presentation on theme: "TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected."— Presentation transcript:

1 TCP Flooding

2 TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected

3 TCP handshake ● What is stored at the server in the handshake? – TCP Control Block (TCB) keeps track of what the server “agreed to” ● > 280 bytes ● FlowID, timer info, Sequence number, flow control status, out-of-band data, MSS, other options agreed to – Half-open TCB entries exist until timeout – Fixed bound on half-open connections ● Resources exhausted  requests rejected

4 SYN Flooding C S SYN C1 Listening Store data SYN C2 SYN C3 SYN C4 SYN C5

5 TCP SYN flooding ● Basic problem – No client authentication of packets before resources allocated ● Attacker sends many connection requests – Spoofed source addresses – RSTs quickly generated if source address exists – No reply for non-existent sources ● Attacker exhausts TCP buffer to w/ half-open connections

6 TCP SYN flooding 169.237.5.23 168.150.241.155 169.237.7.114 TCP Buffers Half-open connection; Waiting for ACK Completed handshake; connection open empty buffer

7 SYN-flood 128.120.254.1 128.120.254.2 128.120.254.3 128.120.254.4 128.120.254.5 128.120.254.6 128.120.254.7 128.120.254.8 128.120.254.9 128.120.254.10 128.120.254.11 128.120.254.12 128.120.254.13 128.120.254.14 169.237.7.114 128.120.254.15 TCP Buffers Half-open connection; Waiting for ACK Completed handshake; connection open empty buffer

8 TCP SYN flooding counter-measures ● End host – Reduce half-open timeout value ● May deny legitimate access – Increase backlog queue ● Increase in resource usage – Disable non-essential services ● Router – Ingress filtering to prevent spoofing

9 TCP SYN flooding counter-measures ● Firewall – Full connection proxy ● Terminates handshake, re-establishes connection on valid 3-way handshake ● Must not be vulnerable to SYN flooding? ● Must translate each subsequent packet – Semi-transparent ● Spoofs ACKs optimistically when receiving SYN/ACK ● Subsequent (duplicate) ACK let through or RST generated if ACK not received

10 TCP SYN flooding counter-measures ● Active monitoring (synkill) – synkill ● keep track of source IP addresses – null (never seen), good (seen to be OK before) – new (seen, but not sure yet if spoofed) – bad (non-existent, 0.0.0.0, 127.0.0.0, 10.0.0.0, 192.168.0.0, etc.) ● Send RST packets for bad source IP addresses ● Send ACK packets for new, potentially spoofed IP addresses – degrade service if you can't tell for sure – if ACK or RST received, place in “good” – if ACK or RST not observed, reclassify IP as bad ● Reclassify periodically ● ACK/RST spoofing is a problem

11 TCP SYN cookies ● General idea – Client sends SYN w/ ACK number – Server responds to Client with SYN-ACK cookie ● sqn = f(src addr, src port, dest addr, dest port, rand) ● Server does not save state – Honest client responds with ACK(sqn) – Server checks response – If matches SYN-ACK, establishes connection

12 TCP SYN cookie ● Server's TCP SYN/ACK seqno encodes a cookie – seqno = 32-bits ● t mod 32 => counter to ensure seqno's increase every 64sec ● MSS => encoding of server MSS (can only have 8 settings) ● Cookie => easy to create and validate, hard to forge blindly t mod 32 32 0 5 bits MSS 3 bits Cookie=HMAC(t, N s, SIP, SPort, DIP, DPort)

13 SYN-Cookies ● Modified TCP Handshake ● Example of “stateless” handshake – client ● sends SYN packet and ACK number to server ● waits for SYN-ACK from server w/ matching ACK number – server ● responds w/ SYN-ACK packet w/ initial SYN-cookie sequence number ● Sequence number is cryptographically generated value based on client address, port, and time. ● No TCP buffers are allocated – client ● sends ACK to server w/ matching sequence number – server ● If ACK is to an unopened socket, server validates returned sequence number as SYN-cookie ● If value is reasonable, a buffer is allocated and socket is opened.. Spoofed packets will not consume TCP buffers SYN ack-number SYN-ACK seq-number as SYN-cookie, ack-number NO BUFFER ALLOCATED ACK seq_number ack-number+data SYN-ACK seq-number, ack-number TCP BUFFER ALLOCATED

14 Status? ● Support exists in all modern operating systems ● Not turned on by default....Why? – Not sure, but it... ● May break some options such as large windows ● Assumes TCP parameters that are negotiated do not change

15 Cookies for the “bad guy” ● TCP SYN cookies – Used by good guy to securely keep track of valid half- open connections using constant-state at the server – Encode information in destination seqno ● Inverse TCP SYN cookies – Used by bad guy to securely keep track of valid half- open connections using constant-state at the client – Encode information in the source port/seqno – Allows for high-speed scanning

Download ppt "TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected."

Similar presentations

Analysis of a DOS attack on TCP

Analysis of a DOS attack on TCP
TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.

TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.
Transportation Layer (2). TCP full duplex data: – bi-directional data flow in same connection – MSS: maximum segment size connection-oriented: – handshaking.

Transportation Layer (2). TCP full duplex data: – bi-directional data flow in same connection – MSS: maximum segment size connection-oriented: – handshaking.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
Programming with TCP – I

Programming with TCP – I
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.

TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.
Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.

Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

Similar presentations

Ads by Google