DoS Seminar 2 Spoofed Packet Attacks and Detection Methods
DoS Seminar 2
Spoofed Packet Attacks and Detection Methods
By
Prateek Arora
Introduction
• When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like e-mail and the Internet. An attack can be directed at an operating system or at the network.
Types of DoS attacks
• Ping Flood Attack (ICMP echo)
• SYN Flood Attack (DoS attack)
• DDoS Attack (Distributed SYN Flood)
• UDP Flood Attacks
• Smurf Attack
• DNS name server Attack
• Land Attack
• Ping of Death Attack
• Fragmentation / Teardrop Attack
• Connection Spoofing
• Bounce Scanning
• Stealth Communication
What is a “Spoofed Packet”?
• Packets sent by an attacker such that the true source is not authentic
  – MAC spoofing
  – IP packet spoofing
  – Email spoofing
• This is not the same as routing attacks
  – These cause packets to be redirected
  – e.g. DNS cache poisoning; router table attacks; ARP spoofing
Significance of “Spoofed Packets” in DoS attacks
• Spoofed packets are a part of many attacks
  – SYN Flood Attack
  – Smurf Attack
  – Connection Spoofing
  – Bounce Scanning
  – Stealth Communication
IP/TCP Header Review
[Figure: IP Header Format, 20 bytes without options. Fields in order: version, header length, TOS, total length; identification, flags, fragment offset; TTL, protocol, header checksum; source IP address; destination IP address; options (if any); data.]
IP/TCP Header Review
[Figure: TCP Header Format, 20 bytes without options. Fields in order: source port number, destination port number; sequence number; acknowledgement number; header length, reserved, flag bits URG ACK PSH RST SYN FIN, window size; TCP checksum, urgent pointer; options (if any); data (if any).]
Smurf Attack
• In this attack, spoofed IP packets containing ICMP Echo-Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network.
• Sending an ICMP Echo Request to a broadcast address triggers all hosts on that network to respond with an ICMP reply packet, creating a large mass of packets that are routed to the victim's spoofed address.
Smurf Attack (contd.)
[Figure (source: Cisco): the perpetrator sends ICMP echo requests with the spoofed source address of the victim to the IP broadcast address of innocent reflector sites across the Internet; each host there answers with an ICMP echo reply to the victim. ICMP = Internet Control Message Protocol. Bandwidth multiplication: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack traffic. The figure's own caption reads "1 SYN" and "Simultaneous 10,000 SYN/ACKs - VICTIM IS DEAD".]
SYN Flood Attack
• TCP Handshake Review
  – client: sends SYN packet to server; waits for SYN-ACK from server
  – server: responds with SYN-ACK packet; waits for ACK packet from client
  – client: sends ACK to server
[Figure: the three-way handshake, SYN → SYN-ACK → ACK]
SYN Flood Attack
• Attacker causes TCP buffer to be exhausted with half-open connections
• No reply from target needed, so source may be spoofed.
• Claimed source must not be an active host.
[Figure: the server's TCP buffers with clients 169.237.5.23, 168.150.241.155 and 169.237.7.114. Legend: half-open connection, waiting for ACK; completed handshake, connection open; empty buffer.]
SYN Flood Attack (contd.)
[Figure: the same TCP buffers, now filled with half-open connections from 128.120.254.1 through 128.120.254.15 and 169.237.7.114; same legend as before, with no empty buffer left.]
Summary of attack methods
Attack               Attack packets                                                       Reply packets
Smurf                ICMP echo queries to broadcast address                               ICMP echo replies
SYN flooding         TCP SYN packets                                                      TCP SYN ACK packets
RST flooding         TCP packets to closed ports                                          TCP RST packets
ICMP flooding        ICMP queries; UDP packets to closed ports; IP packets with low TTL   ICMP replies; Port unreachable; Time exceeded
DNS reply flooding   DNS queries (recursive) to DNS servers                               DNS replies
Detection Methods
• Routing-based
• Active
  – Proactive
  – Reactive
• Passive
Routing-based Method
• For a given network topology certain source IP addresses should never be seen
  – Internal addresses arriving on external interface
  – External addresses arriving on internal interface
  – IANA non-routable addresses on external interface
  – Other special addresses
[Figure: a border device with an Internal NIC and an External NIC]
Special Addresses
• 0.0.0.0/8 - Historical Broadcast
• 10.0.0.0/8 - RFC 1918 Private Network
• 127.0.0.0/8 - Loopback
• 169.254.0.0/16 - Link Local Networks
• 172.16.0.0/12 - RFC 1918 Private Network
• 192.0.2.0/24 - TEST-NET
• 192.168.0.0/16 - RFC 1918 Private Network
• 240.0.0.0/5 - Class E Reserved
• 248.0.0.0/5 - Unallocated
• 255.255.255.255/32 - Broadcast
Routing-based Methods
• Most commonly used method – firewalls, filtering routers
• Relies on knowledge of network topology and routing specs.
• Primarily used at organizational border.
• Cannot detect many examples of spoofing
  – Externally spoofed external addresses
  – Internally spoofed internal addresses
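The routing-based check above, written out as an added example (not code from the seminar): a border device classifies each source address by the interface it arrived on, using the slides' rules and the blocks from the "Special Addresses" slide. The site prefix 203.0.113.0/24, the interface names and the sample arrivals are assumptions of the example.

```python
"""Added example (not from the seminar): a routing-based spoof check.
The internal prefix 203.0.113.0/24 is a hypothetical site allocation;
the special blocks are the ones listed on the "Special Addresses" slide."""
import ipaddress

# Hypothetical site prefix(es); a real border device lists its own allocations.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Special blocks from the slide: never legitimate sources on the external interface.
SPECIAL_NETS = {
    ipaddress.ip_network(prefix): label for prefix, label in [
        ("0.0.0.0/8", "historical broadcast"),
        ("10.0.0.0/8", "RFC 1918 private network"),
        ("127.0.0.0/8", "loopback"),
        ("169.254.0.0/16", "link local"),
        ("172.16.0.0/12", "RFC 1918 private network"),
        ("192.0.2.0/24", "TEST-NET"),
        ("192.168.0.0/16", "RFC 1918 private network"),
        ("240.0.0.0/5", "class E reserved"),
        ("248.0.0.0/5", "unallocated"),
        ("255.255.255.255/32", "broadcast"),
    ]
}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def check_source(interface, src):
    """Return None when the source is plausible for the interface it arrived on,
    otherwise a short reason string (the packet is a spoofing candidate)."""
    addr = ipaddress.ip_address(src)
    if interface == "external":
        # Most specific block first, so 255.255.255.255 reports "broadcast".
        for net, label in sorted(SPECIAL_NETS.items(), key=lambda kv: -kv[0].prefixlen):
            if addr in net:
                return f"special address ({label}, {net}) on external interface"
        if is_internal(addr):
            return "internal address arriving on external interface"
    elif interface == "internal":
        if not is_internal(addr):
            return "external address arriving on internal interface"
    else:
        raise ValueError(f"unknown interface {interface!r}")
    return None


def audit(records):
    """records: iterable of (interface, src). Returns the flagged subset with reasons."""
    flagged = []
    for interface, src in records:
        reason = check_source(interface, src)
        if reason:
            flagged.append((interface, src, reason))
    return flagged


# Constructed sample of packet arrivals, not real traffic.
SAMPLE = [
    ("external", "198.51.100.7"),      # ordinary external source: allowed
    ("external", "203.0.113.5"),       # our own prefix from outside: spoofed
    ("external", "192.168.1.9"),       # RFC 1918 from outside: spoofed
    ("external", "255.255.255.255"),   # broadcast as a source: spoofed
    ("internal", "203.0.113.5"),       # our host on the inside: allowed
    ("internal", "198.51.100.7"),      # foreign address from inside: spoofed
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

Note what the check cannot see, which is the limitation the slide states: 198.51.100.7 arriving on the external interface is accepted whether or not it was really sent by that host, so an externally spoofed external address passes.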
Proactive methods
• Looks for behavior that would not occur if the claimed source had actually processed the packet sent to it.
• Method: change in IP stack behavior
• Can observe suspicious activity
• Examples
  – TCP window games
  – SYN-Cookies (block without detection)
TCP Window Games
• Modified TCP Handshake
  – client: sends SYN packet and ACK number to server; waits for SYN-ACK from server with matching ACK number
  – server: responds with SYN-ACK packet with initial "random" sequence number; sets window size to zero; waits for ACK packet from client with matching sequence number
  – client: sends ACK to server with matching sequence number, but no data; waits for ACK with window > 0; after receiving the larger window, client sends data.
• Spoofer will not see the 0-length window and will send data without waiting.
[Figure: message sequence]
  client → server: SYN (ack-number)
  server → client: SYN-ACK (seq-number, ack-number, window = 0)
  client → server: ACK (seq_number, ack-number, no data)
  server → client: ACK (seq-number, ack-number, window = 4096)
  client → server: ACK (seq_number, ack-number, with data)
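The zero-window handshake above as a toy server state machine, added here as an example and not code from the seminar or any real TCP stack: the server advertises window = 0 in its SYN-ACK, raises it to 4096 only after an empty ACK carrying the matching sequence number, and records data that arrives while the window is still 0 as the suspicious behavior the slide describes. The `WindowGameServer` and `honest_client` names and the client addresses are assumptions of the example.

```python
"""Added example (not from the seminar, not a real TCP stack): a toy server
for the zero-window handshake. Data received before the window is raised
is the behavior a sender that never saw the SYN-ACK would show."""
import secrets

WINDOW_AFTER_HANDSHAKE = 4096   # window advertised in the second ACK on the slide


class WindowGameServer:
    def __init__(self):
        self.conns = {}     # (ip, port) -> {"seq": isn, "window": 0 or 4096, "data": bytes}
        self.alerts = []    # (client, reason) for suspicious behavior

    def on_syn(self, client):
        isn = secrets.randbelow(2 ** 32)   # "random" initial sequence number
        self.conns[client] = {"seq": isn, "window": 0, "data": b""}
        return {"flags": "SYN-ACK", "seq": isn, "window": 0}

    def on_ack(self, client, ack_number, data=b""):
        conn = self.conns.get(client)
        if conn is None:
            return None
        if ack_number != (conn["seq"] + 1) & 0xFFFFFFFF:
            # A sender that never saw our SYN-ACK cannot know our sequence number.
            self.alerts.append((client, "ack number does not match our sequence number"))
            return None
        if conn["window"] == 0:
            if data:
                # Nor can it know that the advertised window was 0.
                self.alerts.append((client, "data sent while advertised window was 0"))
                return None
            conn["window"] = WINDOW_AFTER_HANDSHAKE
            return {"flags": "ACK", "window": WINDOW_AFTER_HANDSHAKE}
        conn["data"] += data
        return {"flags": "ACK", "window": WINDOW_AFTER_HANDSHAKE}


def honest_client(server, client, payload):
    """A client that really processes the SYN-ACK: it waits for window > 0 before sending."""
    synack = server.on_syn(client)
    ack_number = (synack["seq"] + 1) & 0xFFFFFFFF
    ack = server.on_ack(client, ack_number)            # matching sequence number, no data
    if ack and ack["window"] > 0:
        server.on_ack(client, ack_number, payload)     # window opened: now send data
    return server.conns[client]["data"]


if __name__ == "__main__":
    server = WindowGameServer()
    print(honest_client(server, ("198.51.100.10", 40000), b"GET / HTTP/1.0\r\n"))
    early = ("198.51.100.11", 40001)
    synack = server.on_syn(early)
    server.on_ack(early, (synack["seq"] + 1) & 0xFFFFFFFF, b"data sent too early")
    print(server.alerts)
```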
SYN-Cookies
• Modified TCP Handshake
• Example of "stateless" handshake
  – client: sends SYN packet and ACK number to server; waits for SYN-ACK from server with matching ACK number
  – server: responds with SYN-ACK packet with initial SYN-cookie sequence number; the sequence number is a cryptographically generated value based on client address, port, and time; no TCP buffers are allocated
  – client: sends ACK to server with matching sequence number
  – server: if the ACK is to an unopened socket, the server validates the returned sequence number as a SYN-cookie; if the value is reasonable, a buffer is allocated and the socket is opened.
• Spoofed packets will not consume TCP buffers
[Figure: message sequence]
  client → server: SYN (ack-number)
  server → client: SYN-ACK (seq-number as SYN-cookie, ack-number) – NO BUFFER ALLOCATED
  client → server: ACK (seq_number, ack-number + data)
  server → client: SYN-ACK (seq-number, ack-number) – TCP BUFFER ALLOCATED
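The stateless handshake above as a toy SYN-cookie server, added here as an example (not code from the seminar, and not how any operating system encodes its cookies): the SYN-ACK sequence number is an HMAC over client address, client port and a coarse time counter under a server secret, nothing is stored per SYN, and a socket is allocated only when an ACK echoes a cookie the server would have issued in the current or previous counter step. The secret, the 64-second counter period and the `half_open_load` helper are assumptions of the example.

```python
"""Added example (not from the seminar, not any OS's implementation): a toy
stateless SYN-cookie server. No state is kept between SYN and ACK."""
import hashlib
import hmac
import time

SECRET = b"example-secret-rotate-regularly"   # hypothetical server secret
COUNTER_PERIOD = 64                            # seconds per time-counter step (assumption)


def time_counter(now):
    return int(now // COUNTER_PERIOD)


def make_cookie(client_ip, client_port, counter):
    """32-bit SYN-cookie: HMAC-SHA256(secret, "ip:port:counter") truncated to 4 bytes."""
    msg = f"{client_ip}:{client_port}:{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class SynCookieServer:
    def __init__(self):
        self.open_sockets = {}   # populated only after a validated ACK

    def on_syn(self, client_ip, client_port, client_isn, now=None):
        now = time.time() if now is None else now
        cookie = make_cookie(client_ip, client_port, time_counter(now))
        # SYN-ACK with seq = cookie; nothing is remembered about this half-open connection.
        return {"flags": "SYN-ACK", "seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, client_ip, client_port, ack_number, now=None):
        """Return True (and allocate the socket) if ack_number acknowledges a cookie
        we would have issued in the current or the previous counter step."""
        now = time.time() if now is None else now
        key = (client_ip, client_port)
        if key in self.open_sockets:
            return True
        echoed = ((ack_number - 1) & 0xFFFFFFFF).to_bytes(4, "big")   # client acks cookie + 1
        current = time_counter(now)
        for counter in (current, current - 1):
            expected = make_cookie(client_ip, client_port, counter).to_bytes(4, "big")
            if hmac.compare_digest(expected, echoed):
                self.open_sockets[key] = {"issued_counter": counter}   # buffer allocated here
                return True
        return False   # stale, forged or spoofed ACK: still no buffer


def half_open_load(server, n, now):
    """Feed n SYNs from n constructed sources that never ACK and return how many
    sockets the server allocated as a result (none, since it keeps no state)."""
    for i in range(n):
        server.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, i, now=now)
    return len(server.open_sockets)


if __name__ == "__main__":
    server = SynCookieServer()
    synack = server.on_syn("198.51.100.10", 40000, 1000, now=1_000_000.0)
    print(server.on_ack("198.51.100.10", 40000, (synack["seq"] + 1) & 0xFFFFFFFF, now=1_000_000.0))
    print(half_open_load(SynCookieServer(), 5000, 1_000_000.0))
```

Accepting the previous counter step tolerates a client whose ACK crosses a step boundary; anything older is rejected, which bounds how long an issued cookie stays usable.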
Reactive methods
• When a suspicious packet is received, a probe of the source is conducted to verify whether the packet was spoofed
• May use the same techniques as proactive methods
• Example probes
  – Is TTL appropriate?
  – Is ID appropriate?
  – Is host up?
  – Change window size
Passive Methods
• Learn expected values for observed packets
• When an anomalous packet is received, treat it as suspicious
• Example values
  – Expected TTL
  – Expected client port
  – Expected client OS idiosyncrasies
Experiments
• Determine the validity of various spoofed-packet detection methods
• Predictability of TTL
• Predictability of TTL (active)
• Predictability of ID (active)
Experiment Description - Passive
• Monitor network traffic
• Record
  – Source IP address
  – TTL
  – Protocol
• Count occurrences of all unique combinations
• Statistically analyze predictability of the data
Results - Passive
• Data collected over 2 week periods at University of California, Davis
• 23,000,000 IP packets observed
  – 23461 source IP addresses
    • 110 internal
    • 23351 external
Results - Passive
• Predictability measure – Conditional Entropy (unpredictability)
• Values closer to zero indicate higher predictability

$$H(Y|X) = -\sum_{x,y} P(x,y)\,\log P(y|x)$$
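Passive TTL profiling, combining the "Passive Methods" idea (learn expected values, flag anomalies) with the conditional-entropy measure of the results slides, as an added example that is not the experiment's own analysis code: it counts TTLs per (source address, protocol), flags later packets whose TTL lies outside what was learned, and computes H(TTL | source) from the formula above together with the per-address H mean and variance reported in the tables. Base-2 logarithms, the `TtlProfile` class and the constructed packet summaries are assumptions of the example.

```python
"""Added example (not from the seminar): passive TTL profiling per source
address, with the conditional entropy H(Y|X) = -sum P(x,y) log P(y|x),
X = source address, Y = TTL. Logs are base 2 (assumption)."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed (source, protocol, TTL) summaries; not real captures.
TRAINING = (
    [("198.51.100.10", "TCP", 54)] * 8                                              # one path, regular TTL
    + [("198.51.100.20", "TCP", 118)] * 4 + [("198.51.100.20", "TCP", 117)] * 4      # two paths
    + [("198.51.100.30", "UDP", ttl) for ttl in (1, 2, 3, 4)]                       # traceroute-like UDP
)


class TtlProfile:
    def __init__(self):
        self.counts = defaultdict(Counter)   # (src, proto) -> Counter of TTL values

    def learn(self, src, proto, ttl):
        self.counts[(src, proto)][ttl] += 1

    def is_anomalous(self, src, proto, ttl, tolerance=0):
        """True if ttl is further than tolerance from every TTL seen for this source
        and protocol; None when the source has no history yet."""
        seen = self.counts.get((src, proto))
        if not seen:
            return None
        return all(abs(ttl - known) > tolerance for known in seen)

    def per_address_entropy(self, proto=None):
        """H(TTL | src = x) = -sum_y P(y|x) log P(y|x), keyed by (src, proto)."""
        result = {}
        for (src, p), ttls in self.counts.items():
            if proto is not None and p != proto:
                continue
            n = sum(ttls.values())
            result[(src, p)] = -sum((c / n) * math.log2(c / n) for c in ttls.values())
        return result

    def conditional_entropy(self, proto=None):
        """H(TTL | src) = -sum_{x,y} P(x,y) log P(y|x) over all packets of proto."""
        joint, marginal, total = Counter(), Counter(), 0
        for (src, p), ttls in self.counts.items():
            if proto is not None and p != proto:
                continue
            for ttl, c in ttls.items():
                joint[(src, ttl)] += c
                marginal[src] += c
                total += c
        if total == 0:
            return 0.0
        return -sum((c / total) * math.log2(c / marginal[src]) for (src, _), c in joint.items())

    def summary(self, proto=None):
        """Same columns as the results tables: (H mean, H variance, addresses, packets)."""
        entropies = self.per_address_entropy(proto)
        if not entropies:
            return (0.0, 0.0, 0, 0)
        packets = sum(sum(t.values()) for (_, p), t in self.counts.items()
                      if proto is None or p == proto)
        values = list(entropies.values())
        return (statistics.mean(values), statistics.pvariance(values), len(values), packets)


def build_profile(records):
    profile = TtlProfile()
    for src, proto, ttl in records:
        profile.learn(src, proto, ttl)
    return profile


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for proto in ("TCP", "UDP"):
        print(proto, profile.summary(proto), "H(TTL|src) =", profile.conditional_entropy(proto))
    print(profile.is_anomalous("198.51.100.10", "TCP", 30))   # TTL never seen from this source
```

The UDP source reproduces the slide's observation that traceroute-style traffic makes UDP the least predictable protocol: its per-address entropy is the highest in the sample, which is why the results recommend filtering traceroute before profiling.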
Results - Passive
All packets
Protocol   H mean     H variance   Addresses   Packets
All        0.055759   0.029728     23461       22999999
ICMP       0.027458   0.023726     801         223341
IGMP       0          0            23          297
TCP        0.046149   0.023114     15891       20925893
UDP        0.065164   0.040655     7397        1850468
Results - Passive
External addresses only
Protocol   H mean     H variance   Addresses   Packets
All        0.055505   0.029731     23351       9229608
ICMP       0.026159   0.023271     780         88371
IGMP       0          0            3           26
TCP        0.046324   0.023201     15825       8857983
UDP        0.065537   0.041015     7306        283228
Results - Passive
Internal addresses only
Protocol   H mean     H variance   Addresses   Packets
All        0.109633   0.026097     110         13770391
ICMP       0.075714   0.03822      21          134970
IGMP       0          0            20          271
TCP        0.004189   0.000321     66          12067910
UDP        0.035207   0.010859     91          1567240
Results - Passive
Only addresses with more than 250 packets
Protocol   H mean     H variance   Addresses   Packets
All        0.060041   0.035521     2876        22338795
ICMP       0.035778   0.020212     33          219605
IGMP       0          0            1           0
TCP        0.051132   0.027288     2713        20332940
UDP        0.165818   0.175238     148         1779896
Results - Passive
Only addresses with more than 500 packets
Protocol   H mean     H variance   Addresses   Packets
All        0.050635   0.031506     2306        22140140
ICMP       0.022401   0.014516     30          218560
IGMP       0          0            1           0
TCP        0.042716   0.022273     2190        20150197
UDP        0.164326   0.209436     104         1764716
Results - Passive
• TTL differs by protocol
• UDP most unreliable
  – traceroute is major contributor (can be filtered)
  – certain programs set TTL anomalously
  – ToS may be useful in reducing inconsistencies
• TTL on local network highly regular
  – must filter traceroute traffic
Experiment Description - Reactive
• Monitor network traffic
• Record IP address, Protocol, TTL and ID
• Send probe packet(s)
  – ICMP echo reply packet
  – TCP SYN packet
  – UDP packet
• Note the differences between the stored TTL/ID and those of the returning probes.
Results - Reactive
• Evaluate
  – initial vs. probe reply TTL
  – initial vs. probe reply ID (delta from original)
• Predictability measure – Conditional Entropy (unpredictability)
• Values closer to zero indicate higher predictability
Results - Reactive
• Preliminary only
  – Ran for 18 hours
  – 8058 probes sent
  – 218 unique addresses
    • 173 external
    • 45 internal
Results - Reactive
• TTL off by:
  TTL difference    Probes (cumulative)   Probes (this band only)      Share
  Total # probes    8058                  1591 (off by more than 2)
  +/-2 or less      6467                  371 (off by exactly 2)       80%
  +/-1 or less      6096                  986 (off by exactly 1)       75%
  0                 5110                                               63%
Results - Reactive
• ID off by (total # probes 8058):
  Offset   Count        Offset   Count
  1        601          256      73
  2        57           512      5
  4        21           768      22
  6        16           1280     10
  5        14
  7        11
  8        9
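Scoring a reactive probe the way the experiment above compares stored and returned values, as an added example (not the experiment's own code): for a suspicious packet the detector recorded (TTL, IP ID), a probe went to the claimed source, and its reply is compared; a host that really sent the packet should answer with a TTL close to the recorded one and an IP ID a short distance ahead of the recorded one (modulo 2^16). `tally_ttl()` reproduces the layout of the "TTL off by" slide on constructed data. The tolerances, function names and sample values are assumptions of the example.

```python
"""Added example (not from the seminar): comparing a probe reply with the
TTL and IP ID recorded for a suspicious packet. Tolerances are assumptions."""
from collections import Counter


def ttl_difference(recorded_ttl, reply_ttl):
    return abs(recorded_ttl - reply_ttl)


def id_offset(recorded_id, reply_id):
    """Forward distance of the 16-bit IP ID counter from the recorded value."""
    return (reply_id - recorded_id) % 65536


def classify(recorded, reply, ttl_tolerance=2, max_id_offset=2048):
    """recorded and reply are (ttl, id) pairs. Returns (verdict, reasons)."""
    reasons = []
    diff = ttl_difference(recorded[0], reply[0])
    if diff > ttl_tolerance:
        reasons.append(f"TTL differs by {diff}")
    offset = id_offset(recorded[1], reply[1])
    if offset > max_id_offset:
        # An ID far ahead, or behind (wrapped), is not the small step a live host's counter takes.
        reasons.append(f"IP ID offset {offset} is not a small forward step")
    verdict = "consistent with claimed source" if not reasons else "likely spoofed"
    return verdict, reasons


def tally_ttl(pairs):
    """pairs: iterable of (recorded_ttl, reply_ttl). Cumulative counts and integer
    percentages in the same bands as the results slide."""
    diffs = [ttl_difference(r, p) for r, p in pairs]
    total = len(diffs)

    def within(k):
        n = sum(1 for d in diffs if d <= k)
        return (n, 100 * n // total)

    return {"total": total, "within_2": within(2), "within_1": within(1), "exact": within(0)}


def id_offset_histogram(pairs):
    """pairs: iterable of (recorded_id, reply_id) -> Counter of offsets, as on the ID slide."""
    return Counter(id_offset(r, p) for r, p in pairs)


# Constructed probe results: (recorded_ttl, reply_ttl, recorded_id, reply_id). Not real data.
SAMPLE = [
    (54, 54, 1000, 1001), (54, 54, 2000, 2002), (54, 54, 3000, 3256),
    (118, 117, 400, 401), (118, 119, 500, 501),
    (64, 62, 700, 701), (64, 61, 800, 801),
    (128, 123, 900, 880),     # TTL far off and ID behind the recorded value
]

if __name__ == "__main__":
    for rt, pt, ri, pi in SAMPLE:
        print((rt, ri), "->", (pt, pi), classify((rt, ri), (pt, pi)))
    print(tally_ttl([(rt, pt) for rt, pt, _, _ in SAMPLE]))
    print(id_offset_histogram([(ri, pi) for _, _, ri, pi in SAMPLE]))
```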
Conclusion
• Spoofed-packets used in many different attacks
• Spoofed-packets can be detected by a number of methods
• High predictability of TTL and ID allows the use of passive and active methods
References
• www.google.co.in
• http://seclab.cs.ucdavis.edu/
• www.cert.org
• www.caida.com
• http://www.uspto.gov/
• www.cisco.com