Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service...

of 27 /27
Countering SYN Flood Denial-of-Service (DoS) Attacks Ross Oliver Tech Mavens [email protected]

Transcript of Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service...

Page 1: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

Countering SYN FloodDenial-of-Service (DoS)Attacks

Ross OliverTech [email protected]

Page 2: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

2

What is a Denial-of-Service (DoS) attack?

! Attacker generates unusually largevolume of requests, overwhelmingyour servers

! Legitimate users are denied access! Can last from a few minutes to

several days

Page 3: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

3

What is a SYN Flood?

! One kind of Denial-of-Serviceattack

! Simulates initial handshake ofTCP/IP connection

! Web servers are particularlyvulnerable

Page 4: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

4

Example SYN Flood Attack

! February 5th � 11th, 2000! Victims included CNN, eBay, Yahoo,

Amazon! Attacks allegedly perpetrated by

teenagers! Used compromised systems at UCSB

Page 5: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

5

Detailed Account of DDoS

! Gibson Research Corporationwww.grc.com/dos/intro.htm

! May 4th-20th, 2001! DDoS attack from 474 machines! Completely saturated two T1s! 13-year-old claimed responsibility

Page 6: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

6

Don�t Expect Outside Help

! GRC discovered:! ISPs were unresponsive! Law enforcement unable to help! Under-age perpetrators have

blanket immunity

Page 7: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

7

Normal TCP/IPConnection Initiation

Web surfer

Web sever

SYN

ACK

SYN / ACK

Page 8: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

8

Unfinished TCP/IPConnection Initiation

Web surfer

Web sever

SYN

???

SYN / ACK

Page 9: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

9

Web Server�s Table ofNormal TCP/IP Connections

FREE00.0.0.0FREE00.0.0.0FREE00.0.0.0TIME_WAIT80192.168.4.23ESTABLISHED80192.168.27.112SYN80192.168.54.7ESTABILISHED80192.168.3.94TIME_WAIT80192.168.15.88ESTABLISHED80192.168.3.16StatePortAddress

Page 10: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

10

Connections TableDuring SYN Flood

SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99StatePortAddress

Page 11: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

11

Why Defense is Difficult

! SYN packets are part of normaltraffic

! Source IP addresses can be faked! SYN packets are small! Lengthy timeout period

Page 12: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

12

Possible Defenses

! Increase size of connections table! Add more servers! Trace attack back to source! Deploy firewalls employing SYN

flood defense

Page 13: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

13

Who Offers a Defense?

! PIX by Cisco! Firewall-1 by Checkpoint! Netscreen 100 by Netscreen! AppSafe/AppSwitch by Top Layer

Page 14: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

14

Firewall-1 SYNDefender

Web surfer

Web sever

SYN

ACK

SYN / ACK

FW-1

SYN

Page 15: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

15

SYN Proxy

Web surfer

Web sever

Netscreenor

AppSafe

SYN

ACK

SYN / ACK

Page 16: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

16

Measuring Effectiveness

! Create a realistic test environment! Generate a SYN flood! Measure how well each firewall

keeps legitimate traffic flowing

Page 17: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

17

Test Configuration

Attacker

Test Firewall

Web Client

Web ServerHub

Page 18: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

18

Test Configuration

! Web Server: Linux (RedHat 7.2)" Apache web server

! Web Client: Windows 2000" Script using wget to fetch web pages,

measure response time! Attacker: Linux (RedHat 7.2)

" SYN flood generator

Page 19: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

19

Benchmark Results

22,000

14,000

500

100

100

1 10 100 1,000 10,000 100,000

AppSafe

Netscreen

Firewall-1

PI X

None

Maximum SYNs per second

Page 20: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

20

Cisco PIX Results

! No significant difference over nofirewall

! Large �embrionic� value allowedflood through to server

! Small �embrionic� value blockedboth flood and normal traffic

Page 21: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

21

Firewall-1 Results

! Protected up to 500 SYNs/sec, butwith degraded response time

! Above 500 SYNs/sec, web pagerequests failed

! Web server recovered to normal3-10 minutes after attack ceased

Page 22: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

22

Netscreen 100 Results

! Protected up to 14,000 SYNs/secwith acceptable server responsetimes

! Above 14,000, web servercontinued to respond, withincreasing delays

! Response times recovered tonormal immediately after attackceased

Page 23: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

23

AppSafe Results

! Effective up to 22,000 SYNs/sec! Maximum test setup could produce! No measurable change in response

time

Page 24: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

24

How Bad Can It Get?

! Theoretical maximums forattackers using:" Analog modem: 87 SYNs/sec" ISDN, Cable, DSL: 200 SYNs/sec" T1: 2,343 SYNs/sec" 474 hacked systems 94,800 SYNs/sec

Page 25: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

25

How Much Do You Need?

! Single firewall for attacker withsingle ISDN, DSL, or T1

! Multiple parallel units for higherbandwidth

! �Transparent� mode permits rapiddeployment

Page 26: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

26

Conclusion

! SYN floods are nasty! Firewalls with SYN flood defense

can successfully counter attacks! Multiple or distributed attacks may

require multiple parallel firewalls

Page 27: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your

27

Acknowledgements

! PIX provided by Atebion, Inc.! Netscreen 100 provided by

Yipes Communications! AppSafe provided by

Top Layer Networks! Information Warehouse! Inc.