syn_flooding_related..
Detecting SYN-Flooding Attacks
Aaron Beach
CS 395 Network Security
Spring 2004
Related Work
SYN flood defense categories
• 1. Firewall based
• 2. Server based
• 3. Agent based
• 4. Router based
Firewall based
• Examples: SYN Defender, SYN proxying
• Filters packets and connection requests before they reach the router
• Maintains state for every connection it proxies
• Drawbacks: the firewall itself can be overloaded, and proxying adds
delay to the processing of every packet
Server Based
• Examples: SYN cache, SYN cookies
• SYN cache: the server still receives every SYN, but stores only a
small partial state entry in a hash table instead of a full connection
block, which is much more streamlined than a firewall. Only when the
SYN-ACK is acked is the full connection established with the server.
• SYN cookies: the connection state is encoded in the initial sequence
number of the SYN-ACK, so nothing is stored until the final ACK comes
back and verifies
• Removes the need to watch half-open connections
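The SYN-cookie idea above in working form, as an added example that is not part of the original slides: the server answers every SYN with an ISN that is a keyed hash of the 4-tuple plus a coarse time counter and an MSS index, keeps no half-open state, and only creates an entry when an ACK arrives whose acknowledgement number minus one passes the check. The 5-bit counter / 3-bit MSS / 24-bit hash layout and the 4-entry MSS table are simplifications chosen for this example; real stacks differ in the details.

```python
import hashlib
import hmac
import os
import time
from collections import Counter

# Hypothetical small MSS table for the example; real stacks use more entries.
MSS_TABLE = (536, 1300, 1440, 1460)


def _hash24(key, counter, saddr, daddr, sport, dport):
    """Keyed hash of the connection 4-tuple and time counter, truncated to 24 bits."""
    msg = f"{counter}|{saddr}|{daddr}|{sport}|{dport}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


class SynCookieServer:
    def __init__(self, key=None, counter_fn=None):
        self.key = key or os.urandom(32)
        # The counter advances every 64 s (as in the classic scheme); it is
        # injectable so the example can simulate the passage of time.
        self.counter_fn = counter_fn or (lambda: int(time.time()) // 64)
        self.half_open = {}    # stays empty: SYN cookies never store half-open state
        self.established = {}  # 4-tuple -> negotiated MSS, filled only after a valid ACK

    def make_cookie(self, saddr, daddr, sport, dport, mss):
        counter = self.counter_fn()
        # Largest table MSS that does not exceed the one the client offered.
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        h = _hash24(self.key, counter, saddr, daddr, sport, dport)
        # Layout: 5-bit counter | 3-bit MSS index | 24-bit hash = 32-bit ISN.
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | h

    def on_syn(self, saddr, daddr, sport, dport, mss=1460):
        """Return the ISN to send in the SYN-ACK. Deliberately stores nothing."""
        return self.make_cookie(saddr, daddr, sport, dport, mss)

    def on_ack(self, saddr, daddr, sport, dport, ack):
        """Validate the final ACK of the handshake; returns True if a connection was created."""
        cookie = (ack - 1) & 0xFFFFFFFF
        now = self.counter_fn()
        # Accept the current and the previous counter value (cookie lifetime ~2 intervals).
        for counter in (now, now - 1):
            if (cookie >> 27) != (counter & 0x1F):
                continue
            if (cookie & 0xFFFFFF) != _hash24(self.key, counter, saddr, daddr, sport, dport):
                continue
            self.established[(saddr, daddr, sport, dport)] = MSS_TABLE[(cookie >> 24) & 0x7]
            return True
        return False


def demo():
    """Flood the server with spoofed SYNs, then show that only a genuine handshake is accepted."""
    ticks = [100]
    srv = SynCookieServer(key=b"k" * 32, counter_fn=lambda: ticks[0])
    # Constructed flood: 10,000 SYNs from forged sources that will never ACK.
    for i in range(10000):
        srv.on_syn(f"10.0.{i >> 8}.{i & 255}", "192.0.2.1", 40000 + (i % 1000), 80)
    state_during_flood = len(srv.half_open) + len(srv.established)
    # A genuine client receives the SYN-ACK and echoes ISN+1 in its ACK.
    isn = srv.on_syn("198.51.100.7", "192.0.2.1", 50000, 80, mss=1460)
    legit_ok = srv.on_ack("198.51.100.7", "192.0.2.1", 50000, 80, (isn + 1) & 0xFFFFFFFF)
    # An attacker that never saw the SYN-ACK cannot guess a valid cookie.
    forged_ok = srv.on_ack("198.51.100.8", "192.0.2.1", 50001, 80, 12345)
    # A replayed ACK two counter intervals later is outside the cookie's lifetime.
    ticks[0] += 2
    stale_ok = srv.on_ack("198.51.100.7", "192.0.2.1", 50000, 80, (isn + 1) & 0xFFFFFFFF)
    return state_during_flood, legit_ok, forged_ok, stale_ok, srv.established


if __name__ == "__main__":
    print(demo())
```

The cost of the scheme is visible in the code: because nothing is stored, any TCP option that is not squeezed into the cookie (here only a coarse MSS survives) is lost, and an ACK that arrives after the counter has moved on twice is rejected, so the client must retransmit.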
SYN kill – this is kind of cool
• SYN kill monitors the network and, if it detects SYNs that are not
being acked, automatically generates RST packets to free the server's
resources; it also classifies source addresses as likely spoofed or
legitimate…
• Performance? (open question)
MULTOPS
• Monitors the rates of packets going to and from a victim and blocks
traffic from the IP ranges outside the network whose rates are
disproportionate… limiting the IP range of the attack.
Ingress Filtering
• If a packet does not carry a source IP address from within the
network it arrives from, the router will not forward it.
• This restricts attackers to spoofing only IPs within the network(s)
from which they are attacking
Route-based Distributed Packet Filtering
• Uses routing information together with the packet's source and
destination addresses to decide whether a packet arriving at a router
could legitimately have come that way, i.e. whether its source is
spoofed
• Results show that many spoofed packets can be filtered, and those
that cannot can be traced back easily
Future Work
• Any ideas on how to break the SYN-FIN pair scheme?
• Just send FINs along with the SYNs…
• This costs the attacker more traffic… but what about a DDoS whose
zombies send FINs along with the SYNs?
Alternatives to improve detection
• Monitor SYN-ACK packets as well as SYNs
• SYN-ACKs for spoofed SYNs won't go back through the same router that
the SYNs originally passed through
(Diagram: Router to Attacker, Router to Spoofed IP and Router to
Victim, all connected through the Backbone)
Can it work?
• The spoofed address must be in a different AS from the attacker
• Also, if the SYN and its SYN-ACK do not take the same path back and
forth from the server, the scheme could produce false positives
• Any other ways to beat it?
• A large enough AS lets the attacker spoof an address inside its own AS
• Requires inter-FDS (flooding detection system) communication
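The two points above, the SYN-with-FIN evasion from Future Work and the SYN-ACK monitoring alternative, side by side in one added example that is not from the original slides. Three constructed observation points (R_attacker, R_spoofed, R_victim) record which packets pass them; a simplified victim-side SYN-vs-FIN threshold stands in for the SYN-FIN pair scheme (the real scheme's statistics are not described on this page, so a plain ratio is an assumption), and a per-edge-router comparison of outbound SYNs against inbound SYN-ACKs implements the alternative. The thresholds and the traffic mix are invented for the demonstration.

```python
from collections import Counter, defaultdict

# Packet record: (router that saw it, direction relative to that router's
# network, TCP flags). "S" = SYN, "SA" = SYN-ACK, "F" = FIN.


def legit_connection(client_router):
    """One normal handshake and teardown, as seen at the client's edge router and at the victim's."""
    return [
        (client_router, "out", "S"), ("R_victim", "in", "S"),
        ("R_victim", "out", "SA"), (client_router, "in", "SA"),
        (client_router, "out", "F"), ("R_victim", "in", "F"),
    ]


def spoofed_syn(with_fin=False):
    """A SYN from the attacker behind R_attacker, forging a source inside R_spoofed's network.

    The victim's SYN-ACK is routed to the spoofed address, so it shows up at
    R_spoofed and never at R_attacker. With with_fin=True the attacker also
    sends a FIN for the same forged flow, the evasion proposed in Future Work.
    """
    pkts = [
        ("R_attacker", "out", "S"), ("R_victim", "in", "S"),
        ("R_victim", "out", "SA"), ("R_spoofed", "in", "SA"),
    ]
    if with_fin:
        pkts += [("R_attacker", "out", "F"), ("R_victim", "in", "F")]
    return pkts


def tally(packets):
    """Per-router counts keyed by (direction, flags)."""
    counts = defaultdict(Counter)
    for router, direction, flags in packets:
        counts[router][(direction, flags)] += 1
    return counts


def syn_fin_alarm(counts, ratio=3.0, min_syn=50):
    """Victim-side SYN vs FIN comparison (simplified stand-in for the SYN-FIN pair scheme)."""
    v = counts["R_victim"]
    syns, fins = v[("in", "S")], v[("in", "F")]
    return syns >= min_syn and syns > ratio * max(fins, 1)


def syn_synack_alarms(counts, ratio=3.0, min_pkts=50):
    """At each edge router, compare outbound SYNs with inbound SYN-ACKs.

    A flooding source shows many SYNs out and few SYN-ACKs in; the spoofed
    network shows the mirror image (SYN-ACK backscatter it never asked for).
    """
    alarms = {}
    for router in ("R_attacker", "R_spoofed"):
        c = counts[router]
        out_syn, in_synack = c[("out", "S")], c[("in", "SA")]
        hi, lo = max(out_syn, in_synack), min(out_syn, in_synack)
        alarms[router] = hi >= min_pkts and hi > ratio * max(lo, 1)
    return alarms


def run_scenarios():
    """Baseline, naive SYN flood, and SYN+FIN flood; returns what each detector says."""
    baseline = []
    for _ in range(200):  # constructed: 200 honest clients behind each edge router
        baseline += legit_connection("R_attacker")
        baseline += legit_connection("R_spoofed")
    scenarios = {
        "baseline": baseline,
        "naive_flood": baseline + [p for _ in range(1000) for p in spoofed_syn()],
        "syn_fin_flood": baseline + [p for _ in range(1000) for p in spoofed_syn(with_fin=True)],
    }
    results = {}
    for name, packets in scenarios.items():
        counts = tally(packets)
        results[name] = {
            "syn_fin": syn_fin_alarm(counts),
            "syn_synack": syn_synack_alarms(counts),
        }
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, verdict)
```

The SYN-FIN detector fires on the naive flood and stays silent on the SYN+FIN flood, which is exactly the evasion the slides ask about, while the SYN/SYN-ACK comparison fires on both because the attacker cannot make the victim's SYN-ACKs come back through R_attacker. The slide's caveats still apply: the scheme needs the edge routers to exchange their counts (inter-FDS communication), it produces a false alarm if a site's legitimate outbound SYNs and inbound SYN-ACKs take different paths, and it sees nothing if the attacker spoofs an address behind its own edge router, since both the SYN and the SYN-ACK then cross R_attacker.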