CSCI6268L26 - Foundations of Network and Computer Security...

Foundations of Network and Computer Security
John Black
Lecture #26, Nov 4th 2009
CSCI 6268/TLEN 5550, Fall 2009
How Common are DDoS Attacks? Backscatter Analysis
http://www.caida.org/outreach/papers/2001/BackScatter/index.xml
- I'm not assigning this as reading
- Idea: almost all spoofed traffic uses a randomly generated source IP
  - All popular DDoS attack tools do this (trinoo, TFN, TFN2k, Stacheldraht, etc.)
- When the victim sends replies, they go to this (bogus) source IP
Backscatter Technique
- CAIDA (San Diego) owns a large block of IP address space: a lightly used /8 (Class A) network, i.e. 2^24 addresses
- They assumed:
  - All spoofed source addresses are chosen uniformly at random (this misses reflection attacks, and any attacker who spoofs only within a narrow range)
  - All attack packets reliably reach the victim
  - All replies reliably leave the victim
  - Any unsolicited replies seen by CAIDA were backscatter
- Under the uniformity assumption a /8 receives 2^24 / 2^32 = 1/256 of a victim's replies, so observed rates are scaled up by 256 to estimate the real attack rate
Approach
- Backscatter packets revealed:
  - Type of attack: a SYN/ACK means a SYN flood; ICMP error messages (e.g. port unreachable, from the victim or from routers in its path) indicate other kinds of attacks, such as UDP floods
  - IP of the victim: the source address of the backscatter
  - Intensity of the attack: the observed backscatter rate, scaled up to the full address space
  - Duration of the attack: the time between the first and last backscatter packet from that victim
Results
- 12,805 distinct attacks against over 5,000 hosts in 2,000 organizations in three weeks
- About 6,000 packets per second on average
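The backscatter inference described on the preceding slides, carried out on a small constructed capture. This is an added example, not CAIDA's code or data: the monitored block, the sample packets, the (simplified) reply-to-attack table and the three-slot `analyze` summary are all assumptions made here. It classifies each unsolicited reply arriving in the dark /8, attributes it to the victim (the reply's source), measures duration, and scales the observed rate by 2^32 / 2^24 = 256 under the uniform-source assumption.

```python
from collections import defaultdict

# Constructed parameters: pretend 10.0.0.0/8 is the lightly used, monitored /8.
MONITOR_PREFIX = "10."
MONITOR_BITS = 24                             # a /8 contains 2**24 addresses
ADDRESS_SPACE = 2 ** 32
SCALE = ADDRESS_SPACE / 2 ** MONITOR_BITS     # 256: a /8 sees 1/256 of uniformly spoofed backscatter

# Constructed capture: (time_s, src_ip, dst_ip, proto, detail). src_ip is the host
# that answered a spoofed packet, i.e. the presumed victim. TCP detail = flags,
# ICMP detail = "type/code". Non-monitored addresses are RFC 5737 documentation ranges.
SAMPLE = [
    (0,  "192.0.2.10",   "10.23.45.67", "tcp",  "SA"),
    (1,  "192.0.2.10",   "10.200.3.4",  "tcp",  "SA"),
    (2,  "192.0.2.10",   "10.77.1.9",   "tcp",  "SA"),
    (3,  "192.0.2.10",   "10.5.5.5",    "tcp",  "SA"),
    (4,  "192.0.2.10",   "10.99.0.1",   "tcp",  "SA"),
    (6,  "192.0.2.10",   "10.1.1.1",    "tcp",  "S"),    # a plain SYN is not a reply: ignored
    (10, "198.51.100.7", "10.9.8.7",    "icmp", "3/3"),
    (10, "198.51.100.7", "10.66.6.6",   "icmp", "3/3"),
    (12, "198.51.100.7", "10.3.2.1",    "icmp", "3/3"),
    (5,  "203.0.113.1",  "192.0.2.200", "tcp",  "SA"),   # not addressed to the monitored block
]


def classify(proto, detail):
    """Map an unsolicited reply to the attack that provoked it (simplified table, assumed here)."""
    if proto == "tcp" and detail == "SA":
        return "SYN flood"                 # SYN/ACK answers a spoofed SYN to an open port
    if proto == "tcp" and detail in ("R", "RA"):
        return "TCP flood"                 # RST answers a SYN to a closed port or a bogus ACK
    if proto == "icmp" and detail == "3/3":
        return "UDP flood"                 # port unreachable answers UDP sent to a closed port
    if proto == "icmp" and detail.startswith("11/"):
        return "other (router TTL exceeded)"
    return None                            # anything else is not backscatter


def analyze(packets, monitor_prefix=MONITOR_PREFIX, scale=SCALE):
    """Group backscatter by victim; report attack type, duration and estimated Internet-wide rate."""
    victims = defaultdict(lambda: {"type": None, "packets": 0, "start": None, "end": None})
    for ts, src, dst, proto, detail in packets:
        if not dst.startswith(monitor_prefix):
            continue                       # only traffic into the dark block counts
        kind = classify(proto, detail)
        if kind is None:
            continue
        rec = victims[src]
        rec["type"] = kind
        rec["packets"] += 1
        rec["start"] = ts if rec["start"] is None else min(rec["start"], ts)
        rec["end"] = ts if rec["end"] is None else max(rec["end"], ts)
    for rec in victims.values():
        duration = max(rec["end"] - rec["start"], 1)   # at least one second of observation
        rec["duration_s"] = duration
        # The observed rate is 1/256 of the victim's true reply rate under the uniformity assumption.
        rec["est_rate_pps"] = rec["packets"] / duration * scale
    return dict(victims)


if __name__ == "__main__":
    for victim, rec in analyze(SAMPLE).items():
        print(victim, rec)
```

With the constructed sample, five SYN/ACKs over four seconds become an estimated 320 replies/s from the first victim, and three port-unreachables over two seconds become 384/s from the second; the packet sent to an address outside the /8 and the plain SYN are discarded. The 256x scale-up is also why the later slide's caveat matters: an attacker whose spoofed sources are confined to a narrow range by ingress filtering is either missed entirely or grossly over- or under-estimated.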
DDoS: Preventative Measures
- Tracing and filtering
  - If source addresses could not be forged, filtering would be a reasonable solution
- Ingress filtering
  - Idea: if you are an ISP, don't let packets leave your IP address space if they carry source addresses outside your address space
  - Old idea, simple
  - Still a lot of ISPs don't do this
  - Even with ingress filtering, attackers can still jump around within their ISP's range of IP addresses
  - Note that this limitation (spoofed sources confined to a narrow range rather than uniform over the whole Internet) meant some backscatter numbers were probably a bit off
SYN Cookies
- A SYN flood leaves half-open connections
- The "SYN queue" is the data structure which keeps track of these half-open connections
- We track the client's IP and port, the server's IP and port, the client's seq#, and the server's seq#
- Idea: we don't really need to keep all of this
  - We just need enough to recognize the client's ACK
- Can we get away without storing anything locally?
SYN Cookies: The Idea
- Store nothing locally
- ISN: initial sequence number
- Encode all we need to remember in the ISN we send back to the client
  - t: a 32-bit counter which increments every 64 seconds
  - K: a secret key selected by the server for the uptime of the server
- Limitation: MSS limited to 8 values
- Server ISN (32 bits):

  | t mod 32 | MSS    | hash(client IP and port || server IP and port || t || K) |
  | 5 bits   | 3 bits | 24 bits                                                 |
SYN Cookies: Details
- MSS: Maximum Segment Size
  - Suggested by the client; the server then computes the best value
  - Details depend on whether they are on the same network, the MTU of the network, etc.
  - With only 3 bits, the server can encode just 8 MSS values here
- What happens when the client replies with the ACK?
  - The client's ACK carries the server's ISN+1 as its acknowledgement number
  - The server subtracts 1, reads t mod 32 and the MSS index from the top 8 bits, recomputes the 24-bit hash over the same fields with K, and accepts the connection only if the hash matches and t is recent
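A runnable model of the cookie described on the two preceding slides, added here as an example; it is not the lecture's or any kernel's implementation. The slides fix only t, K, the 5/3/24 bit layout and the 8-value MSS limit; the MSS table, the use of HMAC-SHA256 truncated to 24 bits as the keyed hash, the three-slot freshness window and the sample addresses are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed parameters; the slides specify only t, K, the 5/3/24 split and "8 MSS values".
COUNTER_PERIOD_S = 64                                       # t ticks once every 64 seconds
MSS_TABLE = [64, 256, 512, 536, 1024, 1440, 1460, 4312]     # assumed 8-entry MSS table
MAX_COOKIE_AGE_SLOTS = 2                                    # assumed: accept the last 3 slots (~3 min)
HASH_BITS = 24


def time_counter(now_s):
    """t: a counter that increments every 64 seconds."""
    return int(now_s) // COUNTER_PERIOD_S


def mss_index(client_mss):
    """3-bit index of the largest table MSS not above what the client advertised (assumed policy)."""
    best = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            best = i
    return best


def cookie_hash(key, client_ip, client_port, server_ip, server_port, t):
    """hash(client IP and port || server IP and port || t || K), truncated to 24 bits.
    HMAC-SHA256 stands in for the slide's unspecified keyed hash."""
    msg = b"".join([
        client_ip.encode(), struct.pack("!H", client_port),
        server_ip.encode(), struct.pack("!H", server_port),
        struct.pack("!I", t & 0xFFFFFFFF),
    ])
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:HASH_BITS // 8], "big")


def make_cookie(key, client_ip, client_port, server_ip, server_port, client_mss, now_s):
    """Server ISN = t mod 32 (5 bits) | MSS index (3 bits) | 24-bit keyed hash. Nothing is stored."""
    t = time_counter(now_s)
    h = cookie_hash(key, client_ip, client_port, server_ip, server_port, t)
    return ((t % 32) << 27) | (mss_index(client_mss) << 24) | h


def check_cookie(key, client_ip, client_port, server_ip, server_port, ack_number, now_s):
    """Validate the client's ACK. Returns the MSS to use, or None if the cookie is forged,
    corrupted or stale. The ACK carries our ISN + 1, so subtract 1 first."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    t_low5 = isn >> 27
    idx = (isn >> 24) & 0x7
    h = isn & ((1 << HASH_BITS) - 1)
    t_now = time_counter(now_s)
    # Only the last few 64-second slots are acceptable; this bounds replay of a captured cookie.
    for age in range(MAX_COOKIE_AGE_SLOTS + 1):
        t = t_now - age
        if t < 0:
            break
        if t % 32 != t_low5:
            continue
        expected = cookie_hash(key, client_ip, client_port, server_ip, server_port, t)
        if hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx]
        return None       # slot matched but hash did not: forged cookie or wrong 4-tuple
    return None           # no recent slot matches: stale cookie


if __name__ == "__main__":
    K = b"per-boot-server-secret"        # constructed key, regenerated at server start
    isn = make_cookie(K, "192.0.2.7", 40000, "198.51.100.1", 80, 1460, now_s=1000)
    print(hex(isn), check_cookie(K, "192.0.2.7", 40000, "198.51.100.1", 80, isn + 1, now_s=1050))
```

The server keeps no per-connection state between the SYN/ACK and the ACK: everything it needs to rebuild the connection (client and server addresses and ports, and the negotiated MSS) is either in the ACK's headers or recoverable from the 32-bit number. The 24-bit hash is what stops an attacker from simply sending ACKs with guessed numbers, and the freshness check on t is what limits how long a sniffed cookie remains usable.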