Detecting SYN Flooding Attacks - PowerPoint PPT Presentation


Detecting SYN Flooding Attacks. Haining Wang, Danlu Zhang, Kang G. Shin. Presented by Hareesh Pattipati. Outline: Introduction, Related Issues, Attack Detection ...

Slides: 35
Provided by: HareeshP
Learn more at: http://web.cs.wpi.edu
Transcript and Presenter's Notes

1
Detecting SYN Flooding Attacks
  • Haining Wang, Danlu Zhang, Kang G. Shin
  • Presented by Hareesh Pattipati

2
Outline
  • Introduction
  • Related Issues
  • Attack Detection
  • Performance Evaluation
  • Future Work
  • Conclusion

3
Introduction
  • Attacks on popular sites
  • Most of them are DoS attacks using TCP
  • SYN flooding exploits the TCP 3-way handshake
  • Existing defenses: SYN cache, SYN cookies, SynDefender, SYN proxying
    and SynKill
  • These are installed on a firewall or on the victim server

4
Introduction (cont)
  • Specialized firewalls become worthless at 14,000
    packets per second
  • FDS: Flooding Detection System
  • Installed on leaf routers (first-mile or
    last-mile routers)
  • FDS exploits a key feature of TCP behaviour: SYN-FIN
    pairs

5
TCP connection timeline (client and server)
  • Client: socket, connect (blocks); active open; SYN_SENT
  • Server: socket, bind, listen; passive open; accept (blocks)
  • Server: SYN received; SYN_RCVD
  • Client: ESTABLISHED; connect returns
  • Server: ESTABLISHED; accept returns; read (blocks)
  • Client: write; read (blocks)
  • Server: read returns; write; read (blocks)
  • Client: read returns
  • Client: close (active close); FIN_WAIT_1
  • Server: CLOSE_WAIT (passive close); read returns 0
  • Client: FIN_WAIT_2
  • Server: close; LAST_ACK
  • Client: TIME_WAIT
  • Both: CLOSED
6
(No Transcript)
7
Introduction (cont)
  • TCP packet classification is done at the leaf router
  • Each TCP connection begins with a SYN and ends with a FIN
  • There is no means to distinguish an active FIN from a passive
    FIN
  • RST packets violate the SYN-FIN pairing
  • Three new variables are introduced to count SYNs, FINs
    and RSTs

8
Related Issues
  • Packet Classification
  • Placement of Detection Mechanism
  • Discrepancy between SYNs and FINs

9
Packet classification
  • Packet classification is done at the leaf router
  • The first two steps confirm that it is a TCP packet
  • The offset of the TCP code bits within the IP packet equals the
    length of the IP header plus the offset of the code bits within
    the TCP header

10
(No Transcript)
11
Placement of Detection Mechanism
  • FDS is installed at the first-mile and last-mile
    router
  • The first-mile router is more likely to catch the flooding
    sources due to its proximity to them
  • The last-mile router quickly detects the flooding but can't
    provide a hint about the flooding sources
  • FDS is not installed at the core because a) a core router is
    close to neither the flooding sources nor the victim and
    b) packets of the same flow could traverse
    different paths

12
(No Transcript)
13
Discrepancy btw SYNs and FINs
  • A single RST packet can terminate a TCP session
  • Passive RST: transmitted in response to a packet arriving at
    a closed port
  • Active RST: transmitted to abort a TCP
    connection; it is associated with a SYN
  • Normal TCP behaviour: the pairs (SYN, FIN), (SYN/ACK, FIN)
    and (SYN, RSTactive)
  • FDS cannot differentiate between active and
    passive RSTs

14
Discrepancy btw SYNs and FINs
  • Under normal conditions:
  • SYNs and RSTs have a strong correlation
  • The difference between SYNs and FINs equals the number of RSTs
  • The threshold is set at 75%, i.e., 3 out of 4 RSTs
    are active

15
Attack Detection
  • Data sampling and detection mechanism
  • SYN and FIN packets are counted over a sampling period t0
  • The sampling window for FINs (RSTs) starts td later than the
    one for SYNs
  • A recent study puts TCP connection durations at 12-19 sec
  • td is set to 10 sec and t0 is set to 20 sec
  • The CUSUM algorithm
  • Δn, n = 0, 1, ..., is the number of SYNs minus FINs in the
    nth sampling period
  • Δn is normalized by F̄, the average number of
    FINs (RSTs)

16
Attack Detection
  • Xn = Δn / F̄. Its value under normal conditions, denoted c,
    ranges between 0 and 1.
  • yn is the accumulated CUSUM statistic; a large value of yn
    indicates an attack.
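The sampling and CUSUM steps from the last two slides, as an added example (not code from the slides or from the FDS paper). It assumes each sample is the pair (SYN count, FIN+RST count) for one period t0 with the FIN/RST window already shifted by td, and the smoothing factor, the constant a and the threshold h are illustrative assumptions.

```python
# Added example, not code from the slides or from the FDS paper: a non-parametric
# CUSUM over per-period SYN and FIN(RST) counts. Each sample is (SYN count,
# FIN+RST count) for one sampling period t0; the FIN/RST window is assumed to
# already be shifted by td, as the slides describe.

def ewma(prev, value, alpha=0.8):
    """Exponentially weighted running mean, used here to track F-bar, the
    average number of FINs (RSTs) per period (smoothing factor is an assumption)."""
    return value if prev is None else alpha * prev + (1 - alpha) * value

def fds_cusum(samples, a=0.3, h=2.0, alpha=0.8):
    """Return a list of (n, X_n, y_n, alarm) for the (syn, fin) samples.

    a: constant subtracted from X_n so that its mean is negative under normal
       load; must exceed the normal SYN-FIN ratio c (value is an assumption).
    h: alarm threshold on the accumulated statistic y_n (assumption).
    """
    f_bar, y, results = None, 0.0, []
    for n, (syn, fin) in enumerate(samples):
        f_bar = ewma(f_bar, fin, alpha)          # F-bar: average FINs(RSTs)
        delta = syn - fin                        # Delta_n: SYNs minus FINs(RSTs)
        x = delta / max(f_bar, 1.0)              # X_n = Delta_n / F-bar (no div by 0)
        y = max(0.0, y + (x - a))                # y_n = (y_{n-1} + X_n - a)^+
        results.append((n, x, y, y > h))
    return results

def first_alarm(results):
    """Index of the first sampling period whose y_n exceeded h, or None."""
    return next((n for n, _, _, alarm in results if alarm), None)

# Constructed sample data: six normal periods (SYNs roughly match FINs/RSTs),
# then three periods in which SYNs far outnumber FINs, as in a SYN flood.
SAMPLES = [(100, 98), (105, 102), (98, 96), (110, 107), (102, 100), (99, 97),
           (600, 100), (650, 101), (620, 99)]

if __name__ == "__main__":
    for n, x, y, alarm in fds_cusum(SAMPLES):
        print(f"period {n:2d}  X_n={x:6.3f}  y_n={y:7.3f}  {'ALARM' if alarm else ''}")
    print("first alarm in period", first_alarm(fds_cusum(SAMPLES)))
```

Because y_n is clamped at zero, normal periods (X_n below a) leave the statistic at 0, while the first flooded period pushes it past h immediately.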

17
Performance Evaluation
18-26
(No Transcript)
27
SYN Flooding Detection
  • The UNC 2000 trace is used as normal traffic
  • UNC_in (inbound) models last-mile monitoring
  • UNC_out (outbound) models first-mile monitoring
  • Flooding traffic is mixed in and FDS is simulated at
    the leaf router

28-32
(No Transcript)
33
Future Work
  • SYN-FIN detection is paralyzed if the attacker sends
    both SYNs and FINs

34
Conclusion
  • SYN flooding detection is installed at the leaf router
  • FDS is stateless and has low computation overhead
  • Insensitive to the site
  • Does not undermine end-to-end TCP
    performance