Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy...
Transcript of Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy...
![Page 1: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/1.jpg)
Transport layer attacks
Slides from
• Dave Levin 414-spring2016
![Page 2: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/2.jpg)
Layer 4: Transport layer
Application
Transport
(Inter)network
Link
Physical
7
4
3
2
1
• End-to-end communication between processes
• Different types of services provided:
• UDP: unreliable datagrams
• TCP: reliable byte stream
• “Reliable” = keeps track of what data were received properly and retransmits as necessary
![Page 3: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/3.jpg)
TCP: reliability• Given best-effort deliver, the goal is to ensure
reliability • All packets are delivered to applications • … in order • … unmodified (with reasonably high probability)
• Must robustly detect and retransmit lost data
![Page 4: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/4.jpg)
TCP’s bytestream service• Process A on host 1:
• Send byte 0, byte 1, byte 2, byte 3, …
• Process B on host 2: • Receive byte 0, byte 1, byte 2, byte 3, …
• The applications do not see: • packet boundaries (looks like a stream of bytes) • lost or corrupted packets (they’re all correct) • retransmissions (they all only appear once)
![Page 5: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/5.jpg)
TCP bytestream service
byte1 byte 2 byte 3 byte 4 byte 5 byte 6 byte 7 byte 8
byte1 byte 2 byte 3 byte 4 byte 5 byte 6 byte 7 byte 8
Process A on host H1
Process B on host H2
Abstraction: Each byte reliably delivered in order
![Page 6: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/6.jpg)
TCP bytestream service
byte1 byte 2 byte 3 byte 4 byte 5 byte 6 byte 7 byte 8
Reality: Packets sometimes retransmitted, sometimes arrive out of order
Packet 1 Packet 2 Packet 3
Needs to be retransmitted Needs to be
buffered
![Page 7: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/7.jpg)
TCP bytestream service
byte1 byte 2 byte 3 byte 4 byte 5 byte 6 byte 7 byte 8
Reality: Packets sometimes retransmitted, sometimes arrive out of order
Packet 1 Packet 2 Packet 3
Needs to be retransmitted Needs to be
bufferedTCP’s first job: achieve the abstraction while
hiding the reality from the application
![Page 8: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/8.jpg)
How does TCP achieve reliability?A B
Tim
e
Waterfalldiagram
![Page 9: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/9.jpg)
How does TCP achieve reliability?A B
Expecting byte 1000
Tim
e
Waterfalldiagram
![Page 10: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/10.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500 Expecting byte 1000
Tim
e
Waterfalldiagram
![Page 11: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/11.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500 Expecting byte 1000
Expecting byte 1501
Tim
e
Waterfalldiagram
![Page 12: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/12.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500 Expecting byte 1000
Expecting byte 1501
Tim
e
Waterfalldiagram ACK 1501
![Page 13: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/13.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500 Expecting byte 1000
Expecting byte 1501
Tim
e
Waterfalldiagram ACK 1501
Reliability through acknowledgments to determine whether something was received.
![Page 14: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/14.jpg)
How does TCP achieve reliability?A B
Tim
e
Waterfalldiagram
![Page 15: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/15.jpg)
How does TCP achieve reliability?A B
Expecting byte 1000
Tim
e
Waterfalldiagram
![Page 16: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/16.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500 Expecting byte 1000
Tim
e
Waterfalldiagram
![Page 17: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/17.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000
Expecting byte 1000
Tim
e
Waterfalldiagram
![Page 18: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/18.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Tim
e
Waterfalldiagram
![Page 19: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/19.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Still expecting byte 1000
Tim
e
Waterfalldiagram
![Page 20: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/20.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Still expecting byte 1000
Tim
e
Waterfalldiagram
ACK 1000
![Page 21: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/21.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Still expecting byte 1000Still expecting byte 1000Ti
me
Waterfalldiagram
ACK 1000
![Page 22: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/22.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Still expecting byte 1000Still expecting byte 1000Ti
me
Waterfalldiagram
ACK 1000
ACK 1000
![Page 23: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/23.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Bytes 1000-1500
Still expecting byte 1000Still expecting byte 1000Ti
me
Waterfalldiagram
ACK 1000
ACK 1000
![Page 24: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/24.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Bytes 1000-1500
Still expecting byte 1000Still expecting byte 1000
Expecting packet 3001
Tim
e
Waterfalldiagram
ACK 1000
ACK 1000
![Page 25: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/25.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Bytes 1000-1500
Still expecting byte 1000Still expecting byte 1000
Expecting packet 3001
Tim
e
Waterfalldiagram
ACK 1000
ACK 1000
ACK 3001
![Page 26: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/26.jpg)
How does TCP achieve reliability?A B
Bytes 1000-1500
Bytes 1501-2000Bytes 2001-3000
Expecting byte 1000
Bytes 1000-1500
Still expecting byte 1000Still expecting byte 1000
Expecting packet 3001
Tim
e
Waterfalldiagram
ACK 1000
ACK 1000
ACK 3001
Buffer these until
![Page 27: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/27.jpg)
TCP congestion control
• Try to use as much of the network as is safe (does not adversely affect others’ performance) and efficient (makes use of network capacity)
• Dynamically adapt how quickly you send based on the network path’s capacity
• When an ACK doesn’t come back, the network may be beyond capacity: slow down.
TCP’s second job: don’t break the network!
![Page 28: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/28.jpg)
TCP header16-bit
Source port16-bit
Destination port32-bit
Sequence number32-bit
Acknowledgment4-bit
Header Length
Reserved 6-bitFlags
16-bitAdvertised window
16-bitChecksum
16-bitUrgent pointer
Options (variable) Padding
Data
![Page 29: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/29.jpg)
TCP header16-bit
Source port16-bit
Destination port32-bit
Sequence number32-bit
Acknowledgment4-bit
Header Length
Reserved 6-bitFlags
16-bitAdvertised window
16-bitChecksum
16-bitUrgent pointer
Options (variable) Padding
Data
IP Header
![Page 30: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/30.jpg)
TCP ports• Ports are associated with OS processes
• Sandwiched between IP header and the application data
• {src IP/port, dst IP/port} : this 4-tuple uniquely identifies a TCP connection
• Some port numbers are well-known • 80 = HTTP • 53 = DNS
![Page 31: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/31.jpg)
TCP header16-bit
Source port16-bit
Destination port32-bit
Sequence number32-bit
Acknowledgment4-bit
Header Length
Reserved 6-bitFlags
16-bitAdvertised window
16-bitChecksum
16-bitUrgent pointer
Options (variable) Padding
Data
IP Header
![Page 32: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/32.jpg)
TCP seqno• Each byte in the byte stream has a unique
“sequence number” • Unique for both directions
• “Sequence number” in the header = sequence number of the first byte in the packet’s data
• Next sequence number = previous seqno + previous packet’s data size
• “Acknowledgment” in the header = the next seqno you expect from the other end-host
![Page 33: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/33.jpg)
TCP header16-bit
Source port16-bit
Destination port32-bit
Sequence number32-bit
Acknowledgment4-bit
Header Length
Reserved 6-bitFlags
16-bitAdvertised window
16-bitChecksum
16-bitUrgent pointer
Options (variable) Padding
Data
IP Header
![Page 34: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/34.jpg)
TCP flags• SYN
• Used for setting up a connection
• ACK • Acknowledgments, for data and “control” packets
• FIN
• RST
![Page 35: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/35.jpg)
Setting up a connectionA B
Tim
e
Waterfalldiagram
Three-way handshake
![Page 36: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/36.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram
Three-way handshake
![Page 37: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/37.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram
Three-way handshake
Let’s SYNchronizesequence numbers
![Page 38: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/38.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram SYN + ACK
Three-way handshake
Let’s SYNchronizesequence numbers
![Page 39: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/39.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram SYN + ACK
Three-way handshake
Let’s SYNchronizesequence numbers
Got yours; here’s mine
![Page 40: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/40.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram SYN + ACK
ACK
Three-way handshake
Let’s SYNchronizesequence numbers
Got yours; here’s mine
![Page 41: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/41.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram SYN + ACK
ACK
Three-way handshake
Let’s SYNchronizesequence numbers
Got yours; here’s mine
Got yours, too
![Page 42: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/42.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram SYN + ACK
ACK
Data
Three-way handshake
Let’s SYNchronizesequence numbers
Got yours; here’s mine
Got yours, too
![Page 43: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/43.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram SYN + ACK
ACK
DataData
Three-way handshake
Let’s SYNchronizesequence numbers
Got yours; here’s mine
Got yours, too
![Page 44: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/44.jpg)
Setting up a connectionA B
SYN
Tim
e
Waterfalldiagram SYN + ACK
ACK
DataDataData
Three-way handshake
Let’s SYNchronizesequence numbers
Got yours; here’s mine
Got yours, too
![Page 45: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/45.jpg)
Setting up a connectionA B
SYN seqno=x
Tim
e
Waterfalldiagram SYN seqno=y
+ACK x+1
ACK y+1
DataDataData
Three-way handshake
Let’s SYNchronizesequence numbers
Got yours; here’s mine
Got yours, too
![Page 46: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/46.jpg)
TCP flags• SYN
• ACK
• FIN: Let’s shut this down (two-way) • FIN • FIN+ACK
• RST: I’m shutting you down • Says “delete all your local state, because I don’t know
what you’re talking about
![Page 47: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/47.jpg)
Attacks• SYN flooding
• Injection attacks
• Opt-ack attack
![Page 48: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/48.jpg)
SYN flooding
![Page 49: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/49.jpg)
SYN floodingA B
Tim
e
Waterfalldiagram
Recall the three-way handshake:
![Page 50: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/50.jpg)
SYN floodingA B
SYN
Tim
e
Waterfalldiagram
Recall the three-way handshake:
![Page 51: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/51.jpg)
SYN floodingA B
SYN
Tim
e
Waterfalldiagram
Recall the three-way handshake:
At this point, B allocates state for this newconnection (incl. IP, port,maximum segment size)
![Page 52: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/52.jpg)
SYN floodingA B
SYN
Tim
e
Waterfalldiagram
Recall the three-way handshake:
At this point, B allocates state for this newconnection (incl. IP, port,maximum segment size)
IP/port, MSS,…
![Page 53: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/53.jpg)
SYN floodingA B
SYN
Tim
e
Waterfalldiagram
SYN + ACK
Recall the three-way handshake:
At this point, B allocates state for this newconnection (incl. IP, port,maximum segment size)
IP/port, MSS,…
![Page 54: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/54.jpg)
SYN floodingA B
SYN
Tim
e
Waterfalldiagram
SYN + ACK
Recall the three-way handshake:
At this point, B allocates state for this newconnection (incl. IP, port,maximum segment size)
IP/port, MSS,…
ACK
![Page 55: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/55.jpg)
SYN floodingA B
SYN
Tim
e
Waterfalldiagram
SYN + ACK
Recall the three-way handshake:
At this point, B allocates state for this newconnection (incl. IP, port,maximum segment size)
IP/port, MSS,…
ACK
SYN + ACK
![Page 56: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/56.jpg)
SYN floodingA B
SYN
Tim
e
Waterfalldiagram
SYN + ACK
Recall the three-way handshake:
At this point, B allocates state for this newconnection (incl. IP, port,maximum segment size)
IP/port, MSS,…
ACK
B will hold onto this local state and retransmit SYN+ACK’s until it hears back or times out (up to 63 sec).
SYN + ACK
![Page 57: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/57.jpg)
SYN floodingA B
The attackC
![Page 58: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/58.jpg)
SYN floodingA B
SYN
The attackC
![Page 59: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/59.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…
C
![Page 60: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/60.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
C
![Page 61: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/61.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…
C
![Page 62: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/62.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…SYN
C
![Page 63: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/63.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…SYN
IP/port, MSS,…
C
![Page 64: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/64.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…SYN
IP/port, MSS,…
SYNSYNSYNSYNSYNSYNSYNSYN
C
![Page 65: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/65.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…SYN
IP/port, MSS,…
SYNSYNSYNSYNSYNSYNSYNSYNIP/port, MSS,…IP/port, MSS,…IP/port, MSS,…IP/port, MSS,…
C
![Page 66: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/66.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…SYN
IP/port, MSS,…
SYNSYNSYNSYNSYNSYNSYNSYNIP/port, MSS,…IP/port, MSS,…IP/port, MSS,…IP/port, MSS,…
Exhaust memory at the victim B.
C
![Page 67: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/67.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…SYN
IP/port, MSS,…
SYNSYNSYNSYNSYNSYNSYNSYNIP/port, MSS,…IP/port, MSS,…IP/port, MSS,…IP/port, MSS,…
Exhaust memory at the victim B.
C
SYN
![Page 68: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/68.jpg)
SYN floodingA B
SYN
The attack
IP/port, MSS,…SYN
IP/port, MSS,…SYN
IP/port, MSS,…
SYNSYNSYNSYNSYNSYNSYNSYNIP/port, MSS,…IP/port, MSS,…IP/port, MSS,…IP/port, MSS,…
Exhaust memory at the victim B.
C
SYN
New connectionswill fail (insufficientmemory)
![Page 69: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/69.jpg)
SYN flooding details• Easy to detect many incomplete handshakes from a
single IP address
• Spoof the source IP address • It’s just a field in a header: set it to whatever you like
• Problem: the host who really owns that spoofed IP address may respond to the SYN+ACK with a RST, deleting the local state at the victim
• Ideally, spoof an IP address of a host you know won’t respond
![Page 70: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/70.jpg)
SYN cookiesA B
The defense
![Page 71: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/71.jpg)
SYN cookiesA B
SYN
The defense
![Page 72: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/72.jpg)
SYN cookiesA B
SYN
The defense
IP/port, MSS,…
![Page 73: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/73.jpg)
SYN cookiesA B
SYN
The defense
IP/port, MSS,…
Rather than store this data, send it to the host who is initiating the connection and have him return it to you
![Page 74: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/74.jpg)
SYN cookiesA B
SYN
The defense
IP/port, MSS,…
Rather than store this data, send it to the host who is initiating the connection and have him return it to youSYN + ACK
seqno = f(data)
Store the necessary state in your seqno
![Page 75: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/75.jpg)
SYN cookiesA B
SYN
The defense
Rather than store this data, send it to the host who is initiating the connection and have him return it to youSYN + ACK
seqno = f(data)
Store the necessary state in your seqno
![Page 76: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/76.jpg)
SYN cookiesA B
SYN
The defense
Rather than store this data, send it to the host who is initiating the connection and have him return it to youSYN + ACK
seqno = f(data)
Store the necessary state in your seqno
ACK f(data)+1
![Page 77: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/77.jpg)
SYN cookiesA B
SYN
The defense
Rather than store this data, send it to the host who is initiating the connection and have him return it to youSYN + ACK
seqno = f(data)
Store the necessary state in your seqno
ACK f(data)+1Check that f(data) is valid for this connection. Only at that point do you allocate state.
![Page 78: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/78.jpg)
SYN cookiesA B
SYN
The defense
Rather than store this data, send it to the host who is initiating the connection and have him return it to youSYN + ACK
seqno = f(data)
Store the necessary state in your seqno
ACK f(data)+1Check that f(data) is valid for this connection. Only at that point do you allocate state.IP/port,
MSS,…
![Page 79: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/79.jpg)
SYN cookie format A B
SYN
SYN + ACK
seqno = f(data)
ACK f(data)+1
IP/port, MSS,…
The secure hash makes it difficult for the attacker to guess what f() will be, and therefore the attacker cannot guess a correct ACKif he spoofs.
f(.) = Slow-moving timestamp MSS Secure hash
Preventsreplayattacks
The info weneed for thisconnection
Includes:IPs/ports, MSS,
timestamp
32-bit seqno
![Page 80: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/80.jpg)
Injection attacks• Suppose you are on the path between src and dst;
what can you do? • Trivial to inject packets with the correct sequence
number
• What if you are not on the path? • Need to guess the sequence number • Is this difficult to do?
![Page 81: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/81.jpg)
Initial sequence numbers• Initial sequence numbers used to be deterministic
• What havoc can we wreak? • Send RSTs • Inject data packets into an existing connection (TCP
veto attacks) • Initiate and use an entire connection without ever
hearing the other end
![Page 82: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/82.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
![Page 83: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/83.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server
![Page 84: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/84.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server
![Page 85: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/85.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
![Page 86: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/86.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
![Page 87: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/87.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
![Page 88: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/88.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST
![Page 89: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/89.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST4. ACK with the guessed seqno
![Page 90: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/90.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST
ACK src:seqno+1
4. ACK with the guessed seqno
![Page 91: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/91.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST
ACK src:seqno+1
4. ACK with the guessed seqno“echo ++ >> ./rhosts”
![Page 92: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/92.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST
ACK src:seqno+1
4. ACK with the guessed seqno“echo ++ >> ./rhosts”
5. Grant access to all sources
![Page 93: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/93.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST
ACK src:seqno+1
4. ACK with the guessed seqno“echo ++ >> ./rhosts”
5. Grant access to all sources
ACK
![Page 94: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/94.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST
ACK src:seqno+1
4. ACK with the guessed seqno“echo ++ >> ./rhosts”
5. Grant access to all sources
ACK
6. RSTs to trusted server (cleanup)
![Page 95: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/95.jpg)
Mitnick attack
X-terminalserver
Server that X-term trusts
Attacker
Any connection initiated from this IP address isallowed access to theX-terminal server
1. SYN flood the trusted server2. Spoof trusted server’s IP addr in SYN to X-terminal
SYN src:
SYN+ACK seqno
3. Trusted server too busy to RST
ACK src:seqno+1
4. ACK with the guessed seqno“echo ++ >> ./rhosts”
5. Grant access to all sources
ACK
6. RSTs to trusted server (cleanup)
![Page 96: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/96.jpg)
Defenses• Initial sequence number must be difficult to predict!
![Page 97: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/97.jpg)
Opt-ack attackA B
TCP uses ACKs not only for reliability, but also for congestion control:
the more ACKs come back, the faster I can send
![Page 98: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/98.jpg)
Opt-ack attackA B
Expecting byte 1000
TCP uses ACKs not only for reliability, but also for congestion control:
the more ACKs come back, the faster I can send
![Page 99: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/99.jpg)
Opt-ack attackA B
Bytes 1000-1500 Expecting byte 1000
TCP uses ACKs not only for reliability, but also for congestion control:
the more ACKs come back, the faster I can send
![Page 100: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/100.jpg)
Opt-ack attackA B
Bytes 1000-1500 Expecting byte 1000
Expecting byte 1501
TCP uses ACKs not only for reliability, but also for congestion control:
the more ACKs come back, the faster I can send
![Page 101: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/101.jpg)
Opt-ack attackA B
Bytes 1000-1500 Expecting byte 1000
Expecting byte 1501ACK 1501
TCP uses ACKs not only for reliability, but also for congestion control:
the more ACKs come back, the faster I can send
![Page 102: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/102.jpg)
Opt-ack attackA B
Bytes 1000-1500 Expecting byte 1000
Expecting byte 1501ACK 1501
TCP uses ACKs not only for reliability, but also for congestion control:
the more ACKs come back, the faster I can send
Bytes 1501-2001
![Page 103: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/103.jpg)
Opt-ack attackA B
Bytes 1000-1500 Expecting byte 1000
Expecting byte 1501ACK 1501
TCP uses ACKs not only for reliability, but also for congestion control:
the more ACKs come back, the faster I can send
Bytes 1501-2001Bytes 2002-2502
![Page 104: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/104.jpg)
Opt-ack attackA B
Bytes 1000-1500
ACK 1501
Bytes 1501-2001Bytes 2002-2502
![Page 105: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/105.jpg)
Opt-ack attackA B
Bytes 1000-1500
ACK 1501
Bytes 1501-2001Bytes 2002-2502 If I could convince you to send REALLY quickly, then you would effectively DoS your own network!
![Page 106: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/106.jpg)
Opt-ack attackA B
Bytes 1000-1500
ACK 1501
Bytes 1501-2001Bytes 2002-2502 If I could convince you to send REALLY quickly, then you would effectively DoS your own network!
But to get you to send faster, I need to get data in order to ACK, so I need to receive quickly
![Page 107: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/107.jpg)
Opt-ack attackA B
Bytes 1000-1500
ACK 1501
Bytes 1501-2001Bytes 2002-2502 If I could convince you to send REALLY quickly, then you would effectively DoS your own network!
But to get you to send faster, I need to get data in order to ACK, so I need to receive quickly …or do I?
![Page 108: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/108.jpg)
Opt-ack attackA B
![Page 109: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/109.jpg)
Opt-ack attackA B
Bytes 1000-1500
![Page 110: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/110.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
![Page 111: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/111.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
![Page 112: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/112.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501 Then I could ACK early! (“optimistically”)
![Page 113: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/113.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501 Then I could ACK early! (“optimistically”)ACK 2001
![Page 114: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/114.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501 Then I could ACK early! (“optimistically”)ACK 2001ACK 2502
![Page 115: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/115.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001
Then I could ACK early! (“optimistically”)ACK 2001ACK 2502
![Page 116: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/116.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001Bytes 2002-2502
Then I could ACK early! (“optimistically”)ACK 2001ACK 2502
![Page 117: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/117.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001Bytes 2002-2502
Then I could ACK early! (“optimistically”)
A will think “what a fast, legit connection!”
ACK 2001ACK 2502
![Page 118: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/118.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001Bytes 2002-2502
Then I could ACK early! (“optimistically”)
A will think “what a fast, legit connection!”
ACK 2001ACK 2502
Eventually, A’s outgoing packets will start to get dropped.
![Page 119: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/119.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001Bytes 2002-2502
Then I could ACK early! (“optimistically”)
A will think “what a fast, legit connection!”
ACK 2001ACK 2502
Eventually, A’s outgoing packets will start to get dropped.
![Page 120: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/120.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001Bytes 2002-2502
Then I could ACK early! (“optimistically”)
A will think “what a fast, legit connection!”
ACK 2001ACK 2502
ACK Eventually, A’s outgoing packets will start to get dropped.
![Page 121: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/121.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001Bytes 2002-2502
Then I could ACK early! (“optimistically”)
A will think “what a fast, legit connection!”
ACK 2001ACK 2502
ACK Eventually, A’s outgoing packets will start to get dropped.
But so long as I keep ACKing correctly, it doesn’t matter.
![Page 122: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/122.jpg)
Opt-ack attackA B
Bytes 1000-1500If I can predict what the last seqno will be and when A will send it
ACK 1501
Bytes 1501-2001Bytes 2002-2502
Then I could ACK early! (“optimistically”)
A will think “what a fast, legit connection!”
ACK 2001ACK 2502
ACK Eventually, A’s outgoing packets will start to get dropped.
But so long as I keep ACKing correctly, it doesn’t matter.
![Page 123: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/123.jpg)
Amplification• The big deal with this attack is its Amplification
Factor • Attacker sends x bytes of data, causing the victim to
send many more bytes of data in response • Recent examples: NTP, DNSSEC
• Amplified in TCP due to cumulative ACKs • “ACK x” says “I’ve seen all bytes up to but not
including x”
![Page 124: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/124.jpg)
Opt-ack’s amplification factor• Max bytes sent by victim per ACK:
• Max ACKs attacker can send per second:
![Page 125: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/125.jpg)
Opt-ack’s amplification factor• Max bytes sent by victim per ACK:
Max window sizeMSS
x (14 + 40 + MSS)
Packets sent per ACK Bytes per packet
Etherne
t
TCP/IP
Payloa
d
• Max ACKs attacker can send per second:
![Page 126: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/126.jpg)
Opt-ack’s amplification factor• Max bytes sent by victim per ACK:
Max window sizeMSS
x (14 + 40 + MSS)
Packets sent per ACK Bytes per packet
Etherne
t
TCP/IP
Payloa
d
• Max ACKs attacker can send per second:
Attacker bandwidth (bytes/sec)(14 + 40)
Size of ACK packet
![Page 127: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/127.jpg)
Opt-ack’s amplification factor• Boils down to max window size and MSS
• Default max window size: 65,536 • Default MSS: 536
• Default amp factor: 65536 * (1/536 + 1/54) ~ 1336x
• Window scaling lets you increase this by a factor of 2^14
• Window scaling amp factor: ~1336 * 2^14 ~ 22M
• Using minimum MSS of 88: ~ 32M
![Page 128: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/128.jpg)
Opt-ack defenses• Is there a way we could defend against opt-ack in
a way that is still compatible with existing implementations of TCP?
• An important goal in networking is incremental deployment: ideally, we should be able to benefit from a system/modification when even a subset of hosts deploy it.
![Page 129: Transport layer attacks - University Of Maryland · 2017-04-09 · SYN flooding details • Easy to detect many incomplete handshakes from a single IP address • Spoof the source](https://reader034.fdocuments.in/reader034/viewer/2022042023/5e7aa2def2d22f6db70d9775/html5/thumbnails/129.jpg)
Opt-ack defenses• Nonces
• Mostly solve problem, but not incremental
• ACK alignment
• Send ~MSS or MSS-1; make hard to keep sync’d
• Breaks if routers split packet
• Random skip
• Sender randomly skips a segment
• Good receiver will ask for lost packet again (Sanity check)
• Attacker won’t be able to distinguish, will ACK
• Costs receiver 1RT of performance