Presentation is loading. Please wait.

Presentation is loading. Please wait.

Echo Cookie TCP Option Bob Briscoe Nov 2014 Bob Briscoe’s work is part-funded by the European Community under its Seventh Framework Programme through the.

Published byMyra Stevenson Modified over 8 years ago

Similar presentations

Presentation on theme: "Echo Cookie TCP Option Bob Briscoe Nov 2014 Bob Briscoe’s work is part-funded by the European Community under its Seventh Framework Programme through the."— Presentation transcript:

1 Echo Cookie TCP Option Bob Briscoe Nov 2014 Bob Briscoe’s work is part-funded by the European Community under its Seventh Framework Programme through the Trilogy 2 project (ICT-317756)

2 © British Telecommunications plc 2 status draft-briscoe-tcpm-echo-cookie-00 initial individual draft arose from SYN-option-space extension work, but orthogonal separated out as focused draft all SYN-option-space-extensions need something like this replaces tcpcrypt SYNCOOKIE/ACKCOOKIE suboptions

3 © British Telecommunications plc 3 Problem SYN flood exhausts TCP server’s pending connection state while SYN/ACK checks validity of source address SYN cookie,.. and friends store server connection state in flight not in memory still needed (despite some thinking server config is sufficient) but... further problem 15 bits of cookie space embedded in 16b initial seq no (ISN) and 9 lowest significant bits of timestamp (if supported) only enough for degraded max seg size, wnd scale & SACK-ok plus some scope for server to infer other options it negotiated with more, larger options on SYN: not enough space with SYN-extension: really not enough space SYN flood becomes either connection state or option denial attack S C S S

4 © British Telecommunications plc 4 Echo Cookie TCP Option underlying the space problem: SYN cookie limited to fields that all TCP clients echo (ISN, TS) solution: a larger cookie jar mandatory to implement with any new TCP option and mandatory with extra SYN option space ie. other options implicitly signal client support for EchoCookie the EchoCookie option if host receives a cookie, it MUST reflect it back sender can choose size and contents client MAY include 2-octet EchoCookie flag option on SYN e.g. when using options that do not signal implicit support EchoCookieLen=X (X>1)Cookie 1B (X-2)B

5 © British Telecommunications plc 5 security considerations (discuss on list pls) if client negotiated state using a secured protocol cookie MUST be echoed with at least as strong security could be used as a reflection attack? SYN/ACK MUST NOT exceed size of SYN no need to include data in SYN within cookie server not ACKing the data causes a retransmit anyway TFO cookie serves as proof the source address is valid server can/SHOULD rate-limit to repeated and/or unresponsive source IPs? server SHOULD only use when under stress? mechanism server uses to verify returned cookie? no need to standardise? any other new attack vectors?

6 © British Telecommunications plc 6 next steps security discussion pls applicability: solely SYN/ACK – ACK? solely server-client-server? any segment? intended status: proposed std? adoption?

Download ppt "Echo Cookie TCP Option Bob Briscoe Nov 2014 Bob Briscoe’s work is part-funded by the European Community under its Seventh Framework Programme through the."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
Intermediate TCP/IP TCP Operation.

Intermediate TCP/IP TCP Operation.
TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake.

TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake.
Inner Space Bob Briscoe Nov 2014 draft-briscoe-tcpm-inner-space-01 Bob Briscoe’s work is part-funded by the European Community under its Seventh Framework.

Inner Space Bob Briscoe Nov 2014 draft-briscoe-tcpm-inner-space-01 Bob Briscoe’s work is part-funded by the European Community under its Seventh Framework.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.

Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
EEC-484/584 Computer Networks Lecture 13 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 13 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

Similar presentations

Ads by Google