Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Countering Syn Flood Denial-Of-Service (Dos) Attacks: Ross Oliver Tech Mavens

    Hochgeladen von

    Sherif Gamal
    52 Ansichten27 Seiten
    Countering SYN Flood Denial-of-Service (DoS) Attacks by Ross Oliver Tech Mavens What is a dos attack?! Attacker generates unusually large volume of requests, overwhelming your servers! legitimate users are denied access! can last from a few minutes to several days.

    Originalbeschreibung:

    Originaltitel

    syn flood

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    Countering SYN Flood Denial-of-Service (DoS) Attacks by Ross Oliver Tech Mavens What is a dos attack?! Attacker generates unusually large volume of requests, overwhelming your servers! legitimate users are denied access! can last from a few minutes to several days.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    52 Ansichten27 Seiten

    Countering Syn Flood Denial-Of-Service (Dos) Attacks: Ross Oliver Tech Mavens

    Hochgeladen von

    Sherif Gamal
    Countering SYN Flood Denial-of-Service (DoS) Attacks by Ross Oliver Tech Mavens What is a dos attack?! Attacker generates unusually large volume of requests, overwhelming your servers! legitimate users are denied access! can last from a few minutes to several days.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 27

    Countering SYN Flood Denial-of-Service (DoS) Attacks

    Ross Oliver Tech Mavens reo@tech-mavens.com

    What is a Denial-ofService (DoS) attack?


    ! Attacker generates unusually large
    volume of requests, overwhelming your servers

    ! Legitimate users are denied access ! Can last from a few minutes to
    several days

    What is a SYN Flood?


    ! One kind of Denial-of-Service
    attack

    ! Simulates initial handshake of


    TCP/IP connection

    ! Web servers are particularly


    vulnerable

    Example SYN Flood Attack


    ! February 5 th 11th, 2000 ! Victims included CNN, eBay, Yahoo,
    Amazon

    ! Attacks allegedly perpetrated by


    teenagers

    ! Used compromised systems at UCSB


    4

    Detailed Account of DDoS


    ! Gibson Research Corporation
    www.grc.com/dos/intro.htm

    ! May 4th-20th, 2001 ! DDoS attack from 474 machines ! Completely saturated two T1s ! 13-year-old claimed responsibility
    5

    Dont Expect Outside Help


    ! GRC discovered: ! ISPs were unresponsive ! Law enforcement unable to help ! Under-age perpetrators have
    blanket immunity

    Normal TCP/IP Connection Initiation


    SYN SYN / ACK ACK

    Web surfer Web sever

    Unfinished TCP/IP Connection Initiation


    SYN SYN / ACK ???

    Web surfer Web sever

    Web Servers Table of Normal TCP/IP Connections


    Address 192.168.3.16 192.168.15.88 192.168.3.94 192.168.54.7 192.168.27.112 192.168.4.23 0.0.0.0 0.0.0.0 0.0.0.0 Port 80 80 80 80 80 80 0 0 0 State ESTABLISHED TIME_WAIT ESTABILISHED SYN ESTABLISHED TIME_WAIT FREE FREE FREE

    Connections Table During SYN Flood


    Address 192.168.7.99 192.168.7.99 192.168.7.99 192.168.7.99 192.168.7.99 192.168.7.99 192.168.7.99 192.168.7.99 192.168.7.99 Port 80 80 80 80 80 80 80 80 80 State SYN SYN SYN SYN SYN SYN SYN SYN SYN

    10

    Why Defense is Difficult


    ! SYN packets are part of normal
    traffic

    ! Source IP addresses can be faked ! SYN packets are small ! Lengthy timeout period

    11

    Possible Defenses
    ! Increase size of connections table ! Add more servers ! Trace attack back to source ! Deploy firewalls employing SYN
    flood defense

    12

    Who Offers a Defense?


    ! PIX by Cisco ! Firewall-1 by Checkpoint ! Netscreen 100 by Netscreen ! AppSafe/AppSwitch by Top Layer

    13

    Firewall-1 SYNDefender

    SYN

    SYN SYN / ACK ACK

    Web surfer

    FW-1 Web sever

    14

    SYN Proxy

    SYN SYN / ACK ACK

    Web surfer

    Netscreen or AppSafe

    Web sever

    15

    Measuring Effectiveness
    ! Create a realistic test environment ! Generate a SYN flood ! Measure how well each firewall
    keeps legitimate traffic flowing

    16

    Test Configuration
    Attacker

    Test Firewall Hub Web Server

    Web Client
    17

    Test Configuration
    ! Web Server: Linux (RedHat 7.2)
    "

    Apache web server Script using wget to fetch web pages, measure response time SYN flood generator
    18

    ! Web Client: Windows 2000


    "

    ! Attacker: Linux (RedHat 7.2)


    "

    Benchmark Results
    None PI X Firew all-1 Netscreen AppSafe 1 10 100 1,000 10,000 100 100 500 14,000 22,000 100,000

    Maximum SYNs per second


    19

    Cisco PIX Results


    ! No significant difference over no
    firewall

    ! Large embrionic value allowed


    flood through to server

    ! Small embrionic value blocked


    both flood and normal traffic

    20

    Firewall-1 Results
    ! Protected up to 500 SYNs/sec, but
    with degraded response time

    ! Above 500 SYNs/sec, web page


    requests failed

    ! Web server recovered to normal


    3-10 minutes after attack ceased

    21

    Netscreen 100 Results


    ! Protected up to 14,000 SYNs/sec
    with acceptable server response times

    ! Above 14,000, web server

    continued to respond, with increasing delays normal immediately after attack ceased

    ! Response times recovered to


    22

    AppSafe Results
    ! Effective up to 22,000 SYNs/sec ! Maximum test setup could produce ! No measurable change in response
    time

    23

    How Bad Can It Get?


    ! Theoretical maximums for
    attackers using:
    " " " "

    Analog modem: 87 SYNs/sec ISDN, Cable, DSL: 200 SYNs/sec T1: 2,343 SYNs/sec 474 hacked systems 94,800 SYNs/sec

    24

    How Much Do You Need?


    ! Single firewall for attacker with
    single ISDN, DSL, or T1

    ! Multiple parallel units for higher


    bandwidth

    ! Transparent mode permits rapid


    deployment

    25

    Conclusion
    ! SYN floods are nasty ! Firewalls with SYN flood defense
    can successfully counter attacks

    ! Multiple or distributed attacks may


    require multiple parallel firewalls

    26

    Acknowledgements
    ! PIX provided by Atebion, Inc. ! Netscreen 100 provided by
    Yipes Communications

    ! AppSafe provided by
    Top Layer Networks

    ! Information Warehouse! Inc.


    27

    Das könnte Ihnen auch gefallen