Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004."— Presentation transcript:

1 Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004

2 Related Work SYN flood defense categories 1. Firewall based 2. Server based 3. Agent based 4. Router based

3 Firewall based Examples: SYN Defender, SYN proxying Filters packets and requests before router Maintains state for each connection Drawbacks: can be overloaded, extra delay for processing each packet

4 Server Based Examples: SYN Cache, SYN cookies SYN cache receives packets first and then uses a hash table, to partially store states, however much more streamlined than firewall. If the SYN-ACK is “acked” then the connection is established with the server. Removes the need to watch half open connections

5 SYN kill – this is kind of cool SYN kill monitors the network and if it detects SYNs that are not being acked, it automatically generates RST packets to free resources, also it classifies addresses as likely to be spoofed or legitimate… Performance???

6 MULTOPS Monitors the packets going to and from a victim and then blocks IPs from outside of network… limiting IP range of attack.

7 Ingress Filtering If a packet does not have an IP address from within the network, the router will not route the message. This would restrict attackers to the IPs within the network(s) from which they are attacking

8 Route-based Distributed Packet filtering Uses packet information to determine if packet arriving at router has a spoofed Source / Destination addresses Results show many packets can be filtered and those that can’t can be traced back easily

9 Future Work Any ideas on how to break the SYN-FIN pair scheme?? Just send FINs along with the SYNs… Will result in more traffic… but what about DDoS that send FINs and SYNs

10 Alternatives to improve detection Monitoring SYN-ACK packets also SYN-ACKs wont go back through the same router that they originally passed through Backbone Router to Spoofed IP Router to Attacker Router to Victim

11 Can it work??? Spoofed address must be in different AS Also, if packet does not take same path back and forth from server it could possibly result in false positives Any other ways to beat it Large enough AS could spoof in AS Requires inter-FDS communication

Download ppt "Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004."

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,

NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.

Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service

Similar presentations

Ads by Google