Purdue CS 59000 - Lecture notes
Security Topics in Networking and Distributed Systems
CS 590D, Lecture 3
Department of Computer Sciences, Purdue University
Cristina Nita-Rotaru, Spring 2004

Outline
• Attacks on TCP exploiting the handshake protocol.
  "Analysis of a Denial of Service Attack on TCP", Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni, IEEE Symposium on Security and Privacy, 1997
• Attacks on TCP exploiting the congestion control mechanism.
  "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)", Aleksandar Kuzmanovic and Edward W. Knightly, SIGCOMM 2003

Transmission Control Protocol - TCP
• Connection-oriented protocol for a user process:
  – Establishes a connection (channel) between two end-points
  – Reliable, full-duplex channel: acknowledgements, retransmissions, timeouts, flow control, congestion control
  – Packets are delivered in the same order in which they were sent.

Establishing the Connection
• Hardware addresses identify network cards
• IP addresses identify hosts
• Names identify hosts in a human-friendly way
• Transport protocols (TCP and UDP) provide communication between processes
• How do computers differentiate what data is for which process?

Ports
• Once data reaches a computer, the port identifies which process the data is for.
• In general servers use well-known ports, while clients use ephemeral ports.
• Example: port 80 is assigned to the web server (HTTP)
• Port numbers:
  – Well-known ports: 0 – 1023
  – Registered ports: 1024 – 49151
  – Dynamic/private ports: 49152 – 65535

Socket
• Socket: identifies a communication end-point.
  socket = (IP address, port number)
• Socket pair: uniquely identifies a TCP connection over the Internet:
  socket pair = (local IP address, local port, remote IP address, remote port)
• Information is maintained by the OS in the socket structure; these are the RESOURCES the attack below exhausts:
  – Protocol information
  – State
  – Addressing
  – Connection queues
  – Buffers
  – Flags

TCP Handshake
  client → server: SYN, seq = x
  server → client: SYN, seq = y, ACK x+1
  client → server: ACK y+1  (connection established; this packet can also carry data)
• After sending SYN+ACK the server has allocated resources for the connection, which is now in the SYN_RECVD state. There is a maximum number of connections that can be in this state.
• The server waits for the ACK (75 seconds). If the timeout expires or an RST is received, the data is deallocated. If the ACK is received, the connection is established.

SYN Attack
• An attacker sends many SYN packets with spoofed source addresses to a target.
• If the limit on SYN_RECVD connections is reached, the target machine refuses any incoming connections until the timeout expires.
• The spoofed address is chosen to be a non-existent one: if the spoofed address belonged to a live machine, the SYN+ACK would reach that machine and trigger a RST answer that closes the half-open connection and frees its resources.
WHY IS THIS ATTACK POSSIBLE?

Basis of the Attack
• There is no authentication of the source of the packets
• Addresses can be spoofed
• The protocol requires asymmetric allocation of resources: the server commits state at the first packet, before the client has shown it is reachable

Possible Solutions
• Configuration optimizations
• Infrastructure improvements
• Connection establishment improvements
• Firewall approach
• Active monitoring

Configuration Optimizations
• System configuration
  – Reduce the timeout to 10 seconds
  – Increase the size of the queue
  – Disable non-essential services, reducing the number of ports that can be attacked
• Router configuration
  – Block incoming packets that have source addresses from the internal network
  – Block packets to the outside that have source addresses from outside the internal network

Infrastructure Improvements
• If address prefixes clearly separate the inside from the outside, then the router configuration above can be made precise.
• Example: routers that attach an organization or an ISP to a backbone network.

Connection Establishment Improvements
• The handshake protocol requires the sequence number y from the 2nd and 3rd steps to be the same. WHY?
• One way the destination can recreate y without storing it is to compute it with a hash function over the addresses, x and a secret key known only to the destination (the idea behind SYN cookies).
  client → server: SYN x
  server → client: SYN y, ACK x+1
  client → server: ACK y+1

Firewall Approach
• Main idea: each packet for the inside network is first examined by the firewall
• Additional delays
• Two approaches:
  – Firewall as a relay
  – Firewall as a gateway

Firewall as a Relay: Attack Scenario
(Diagram: client – firewall – server. The firewall answers the client's SYN x with SYN y, ACK x+1 on the server's behalf, so spoofed SYNs tie up state at the firewall rather than at the server.)

Firewall as a Semi-transparent Gateway: Attack Scenario
(Diagram: client – firewall – server, with SYN, SYN/ACK, ACK, RST and Timeout. The firewall passes the SYN through and ACKs the server's SYN/ACK itself; if the client's ACK has not arrived when the timeout fires, the firewall sends the server a RST.)

Active Monitoring
• Monitor the TCP traffic within a local area network and figure out which connections are illegitimate.
• Send RST for the illegitimate connections (this closes them and frees the resources).
• Does not require protocol stack modification.
• The monitor can be tricked into classifying bad addresses as good addresses.

Attack Against TCP Exploiting Its Congestion Control Mechanism

What's Different?
• Traditional attacks require high-rate transmission (a flood of SYN packets); the traffic is unusual, so attackers are relatively easy to detect and filter.
• TCP can be attacked with low-rate, TCP-friendly-looking traffic, which can cause maximal damage without detection.

TCP Congestion Control
• The source determines how much bandwidth is available to it: it starts slowly and increases its send window based on ACKs.
• ACKs also clock the transmission of packets.
• Uses Additive Increase Multiplicative Decrease (AIMD)
• Uses a Retransmission Timeout (RTO) to avoid congestion
• TCP fairness: if k TCP sessions share the same bottleneck link of bandwidth B, each should have an average rate of B/k

AIMD
• The congestion window (cwnd) is set based on the level of congestion.
• On a loss signalled by duplicate ACKs, TCP cuts cwnd in half (the multiplicative decrease); after a retransmission timeout it falls back to slow start with a cwnd of one segment.
• For each received
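The SYN attack and the "recreate y from a hash" defence above, as an added example that is not part of the lecture or of the Schuba et al. paper. It models a classic listener that allocates a half-open entry per SYN (backlog of 128, 75 s timeout, as in the handshake slide) beside a stateless listener whose ISN is an HMAC over the socket pair, x and a server secret. All addresses, the backlog size and the flood size are constructed sample values; real SYN cookies also fold a coarse timestamp and the MSS into y, which is omitted here.

```python
"""Stateful TCP listener vs. SYN-cookie listener under a spoofed SYN flood.

Added illustration (not from the lecture): a discrete model of the three-way
handshake.  Sequence numbers are 32-bit ints, addresses are (ip, port)
tuples, time is a float in seconds supplied by the caller.
"""
import hashlib
import hmac
import os
import secrets

SEQ_MASK = 0xFFFFFFFF
SERVER = ("198.51.100.1", 80)      # constructed server address (TEST-NET-2)


class StatefulListener:
    """Every SYN allocates a half-open (SYN_RECVD) entry that lives until the
    ACK arrives, an RST arrives, or the timeout fires (75 s per the slides)."""

    def __init__(self, backlog=128, timeout=75.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}        # (src_ip, src_port) -> (y, expiry_time)
        self.established = self.dropped_syns = 0

    def _expire(self, now):
        for src, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[src]

    def on_syn(self, src, x, now):
        """Return the ISN y sent in SYN+ACK, or None if the queue is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None            # resources exhausted: SYN dropped
        y = secrets.randbelow(SEQ_MASK + 1)
        self.half_open[src] = (y, now + self.timeout)
        return y

    def on_ack(self, src, seq, ack, now):
        """Third packet: seq = x+1, ack = y+1.  True if established."""
        self._expire(now)
        entry = self.half_open.pop(src, None)
        if entry is None or ack != (entry[0] + 1) & SEQ_MASK:
            return False
        self.established += 1
        return True


class SynCookieListener:
    """y = H(secret, addresses, x): no state is kept per half-open connection;
    the final ACK is validated by recomputing y from the packet's own fields."""

    def __init__(self):
        self.secret = os.urandom(16)   # known only to the destination
        self.established = 0

    def _cookie(self, src, x):
        msg = f"{src[0]}:{src[1]}|{SERVER[0]}:{SERVER[1]}|{x}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, x, now):
        return self._cookie(src, x)    # nothing stored, nothing to exhaust

    def on_ack(self, src, seq, ack, now):
        x = (seq - 1) & SEQ_MASK       # the client echoes x+1 as its seq
        if ack != (self._cookie(src, x) + 1) & SEQ_MASK:
            return False               # forged, replayed or mis-addressed ACK
        self.established += 1
        return True


def client_connect(listener, src, x, now):
    """Honest client: SYN x, then ACK y+1.  True if the connection is established."""
    y = listener.on_syn(src, x, now)
    if y is None:
        return False
    return listener.on_ack(src, (x + 1) & SEQ_MASK, (y + 1) & SEQ_MASK, now + 0.1)


def syn_flood(listener, count, now):
    """Attacker: SYNs from spoofed, non-existent sources that never ACK
    (a live source would answer the SYN+ACK with RST and free the entry)."""
    for i in range(count):
        src = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 1024 + i % 60000)
        listener.on_syn(src, secrets.randbelow(SEQ_MASK + 1), now)


def flood_then_connect(listener, flood_count=1000, at=0.0):
    """Flood at time `at`, then try an honest connection 1 s later and again
    after the 75 s timeout.  Returns (connects_during_flood, connects_after)."""
    syn_flood(listener, flood_count, at)
    legit = ("192.0.2.10", 40000)      # constructed client address (TEST-NET-1)
    during = client_connect(listener, legit, 1000, at + 1.0)
    after = client_connect(listener, legit, 2000, at + 76.0)
    return during, after


if __name__ == "__main__":
    print("stateful  :", flood_then_connect(StatefulListener()))   # (False, True)
    print("syn-cookie:", flood_then_connect(SynCookieListener()))  # (True, True)
```

The stateful listener refuses the honest client until its 128 half-open entries expire, which is exactly the 75-second window the attacker keeps refilling; the cookie listener never allocates on SYN, so the flood costs it only the hash computations, and a guessed or replayed ACK is rejected because y cannot be recomputed without the secret.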
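The low-rate attack on the retransmission timeout described under "What's Different?" and "TCP Congestion Control", as an added simulation that is not from the lecture or from Kuzmanovic and Knightly's paper. It steps one TCP flow over a bottleneck link one RTT at a time: the attacker sends a short burst every `period_ms` that fills the link buffer, so every segment sent during a burst is lost, the flow times out, and its retransmission is lost again whenever the burst period matches the RTO. The RTT (100 ms), minimum RTO (1 s), burst length (150 ms) and link capacity (10 segments per RTT) are assumed parameter values.

```python
"""Shrew (low-rate, RTO-targeted) DoS against one TCP flow: a coarse model.

Added illustration, not the paper's simulator.  Time is integer milliseconds
and advances one RTT per step; loss during a burst is detected only by timeout,
after which the RTO backs off exponentially (RFC 2988 style) if the
retransmission is lost as well.  All parameter values are assumptions.
"""

RTT_MS = 100
MIN_RTO_MS = 1_000          # RFC 2988 lower bound on the retransmission timer
MAX_RTO_MS = 64_000
CAPACITY = 10               # segments per RTT the bottleneck carries


def simulate(period_ms, burst_ms=150, duration_ms=30_000):
    """Run one flow for duration_ms; period_ms=None means no attacker.
    Returns delivered segments, number of timeouts and the attacker's average
    share of link time (burst_ms / period_ms)."""
    cwnd, ssthresh, rto = 1, CAPACITY, MIN_RTO_MS
    delivered = timeouts = 0
    retransmit_at = None                 # set while waiting out an RTO

    for t in range(0, duration_ms, RTT_MS):
        burst = period_ms is not None and (t % period_ms) < burst_ms

        if retransmit_at is not None:
            if t < retransmit_at:
                continue                 # timer running: nothing on the wire
            if burst:
                # retransmission lost too: double the timer and wait again
                rto = min(rto * 2, MAX_RTO_MS)
                retransmit_at = t + rto
                timeouts += 1
                continue
            retransmit_at = None         # retransmission got through
            rto = MIN_RTO_MS

        sent = min(cwnd, CAPACITY)
        if burst:
            # whole window lost in the attacker's burst: wait one RTO
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1
            retransmit_at = t + rto
            timeouts += 1
            continue

        delivered += sent
        # slow start below ssthresh, additive increase above it
        cwnd = min(cwnd * 2, CAPACITY) if cwnd < ssthresh else min(cwnd + 1, CAPACITY)

    load = 0.0 if period_ms is None else burst_ms / period_ms
    return {"delivered": delivered, "timeouts": timeouts, "attacker_load": load}


def sweep(periods=(None, 1000, 1500, 2000, 3000)):
    """Throughput of the flow for several burst periods, baseline first."""
    return {p: simulate(p) for p in periods}


if __name__ == "__main__":
    for period, r in sweep().items():
        print(f"period={period!s:>5} ms  attacker load={r['attacker_load']:.0%}"
              f"  delivered={r['delivered']:5d}  timeouts={r['timeouts']}")
```

With the burst period equal to the 1 s minimum RTO the attacker occupies only 15% of the link on average, yet the flow delivers nothing in 30 s: the retransmissions at 1, 3, 7 and 15 s each coincide with a burst, so the timer keeps doubling. Moving the period off the RTO (1.5 s) lets each retransmission through and throughput partly recovers, which is the null-frequency structure the paper exploits.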