Network Denial-of


Telecommunications Networking II
Lecture 41d
Denial-of-Service Attacks

Network Denial-of-Service Attacks and Other Network-Application-Based Attacks

Network Denial-of-Service Attacks
• Attacker’s objective
To interrupt or reduce the quality of services, as experienced by legitimate users
• Many attacks have innocent counterparts (e.g., someone sends me a very large e-mail attachment, which blocks my access to other messages)

Network Denial-of-Service Attacks
• The “SYN” Flooding attack:
- In TCP, one establishes a connection by sending a synchronization (SYN) message to the host one wishes to communicate with
- The attack: send a large number of SYN messages (with phony source addresses) to a host. This overloads the buffer in the host that keeps track of TCP connections (and half-connections) in progress

[Figure: TCP SYN Flooding Attack. Message labels: SYN(500); SYN(1024), ACK(501); no acknowledgement of prior SYN segment; more new SYN segments; more SYN acknowledgements]

Network Denial-of-Service Attacks
• The “SYN” Flooding attack:
- Some protection can be gained by configuring networks so that they will not accept IP packets from external (to the network) sources whose source addresses are internal to the network, and so that they will not allow internal sources to send IP packets to external destinations if the source addresses used are not internal addresses
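
The filtering rule in the bullet above, written out as an added example (not part of the original slides): a border router's decision from the side a packet arrived on and its claimed source address. The internal block 192.0.2.0/24, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the protected network's internal block (documentation range).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(addr):
    """True if addr lies inside an internal block (ValueError if unparseable)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def border_filter(arrival_side, src):
    """Return "drop" or "forward" for a packet seen at the network border.

    arrival_side is "external" (came from outside) or "internal".
    """
    if arrival_side not in ("external", "internal"):
        return "drop"  # unknown interface: fail closed
    try:
        inside_src = is_internal(src)
    except ValueError:
        return "drop"  # unparseable source address: never forward
    if arrival_side == "external" and inside_src:
        return "drop"  # outside packet claiming an internal source
    if arrival_side == "internal" and not inside_src:
        return "drop"  # inside sender using a non-internal source
    return "forward"


# Constructed sample packets: (arrival side, claimed source, note)
SAMPLE = [
    ("external", "198.51.100.7", "ordinary outside client"),
    ("external", "192.0.2.10", "outside packet with an internal source"),
    ("external", "203.0.113.99", "outside packet, phony external source"),
    ("internal", "192.0.2.10", "ordinary inside host"),
    ("internal", "203.0.113.5", "inside host with a phony source"),
]


def run(sample=SAMPLE):
    """Apply the filter to every sample packet."""
    return [(side, src, border_filter(side, src)) for side, src, _ in sample]


if __name__ == "__main__":
    for side, src, verdict in run():
        print(f"{side:8} src={src:14} -> {verdict}")
```

The third sample packet is forwarded: a phony source address that is itself external passes both rules, which is why the slide promises only "some" protection.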

Sequence Number Attacks
• Disable a host that is trusted by the target (intended victim) machine
• Initiate a TCP connection by impersonating the disabled host (i.e., use its IP address) and sending a SYN message.
• Guess the initial sequence number that the target system will use, and respond with an acknowledgement.

[Figure: TCP Sequence Number Attack. Message labels, in order: SYN(500); SYN(800), ACK(501); ACK(801); ACK(801), data; ACK(801), FIN(1012); ACK( ); ACK(1013); ACK(1013), FIN(800); ACK(801). Ref: “Firewalls and Internet Security”]

Other Network-based Attacks
• See Cheswick and Bellovin Chapter 2
• Many network-based attacks are caused by the lack of strong authentication of sources (e.g., it is easy to impersonate another machine by using its IP address) and lack of encryption on IP network links