An Active Defense Mechanism for TCP SYN flooding attacks

Added on 2021-08-30
Saravanan K (1), Gowri Shankar A (2)
(1) ME (CSE) Student, MCET Pollachi, India
(2) Asst. Professor, MCET Pollachi, India
Email: saravanankumarasamy@gmail.com (1), ags@drmcet.ac.in (2)

Abstract
Distributed denial-of-service attacks on public servers have recently become a serious problem. To assure that network services are not interrupted, more effective defense mechanisms are needed to protect against malicious traffic, especially SYN floods. One problem in detecting SYN flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN flood attack. Another problem is that single-point defenses (e.g. firewalls) lack the scalability needed to handle an increase in attack traffic. We have designed a new defense mechanism to detect SYN flood attacks. First, we introduce a mechanism for detecting SYN flood traffic more accurately by taking into account the time variation of the arriving traffic. We investigate the statistics of the arrival rates of both normal TCP SYN packets and SYN flood attack packets, and then describe a new detection mechanism based on these statistics. Through a trace-driven approach, defense nodes that receive the alert messages can identify legitimate traffic and block malicious traffic by delegating SYN/ACK packets.
Keywords
Distributed Denial of Service (DDoS), DoS Attacks, TCP SYN flood

1. INTRODUCTION
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, causing denial of service for the users of the targeted system. The flood of incoming messages essentially forces the target to shut down, denying service to legitimate users. More generally, a denial-of-service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. Although the means, motives and targets of a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. It has been shown that more than 90% of DoS attacks use TCP [1]. TCP SYN flooding is the most commonly used attack [2]. It consists of a stream of spoofed TCP SYN packets directed at a listening TCP port of the victim. Not only Web servers but any system connected to the Internet that provides TCP-based network services, such as FTP or mail servers, is susceptible to TCP SYN flooding. A SYN attack exploits TCP's three-way handshake and the stack's limited capacity for maintaining half-open connections.

2. CLASSIFICATION OF DOS ATTACKS
There are several general categories of DoS attacks.
They are classified into three types: bandwidth
attacks, logic attacks, and protocol attacks.

2.1 Bandwidth Attacks
Bandwidth attacks are relatively straightforward attempts to consume resources such as network bandwidth or equipment throughput. High-data-volume attacks can consume all available bandwidth between an ISP and a site. The link fills up and legitimate traffic slows down; timeouts may occur, causing retransmissions that generate even more traffic. An attacker can consume bandwidth by transmitting any traffic at all over the network connection [17]. A basic flood attack might use UDP or ICMP packets simply to consume all available bandwidth.

2.2 Logic Attacks
Logic attacks exploit vulnerabilities in network software, such as a web server, or in the underlying TCP/IP stack. Some vulnerabilities can be triggered by crafting even a single malformed packet. The following are a few examples of logic attacks. A teardrop attack sends IP fragments with overlapping, over-sized payloads to the target machine. Peer-to-peer attacks exploit bugs in peer-to-peer servers to initiate DDoS attacks. Application-level floods and various DoS-causing exploits such as buffer overflows can cause server software to misbehave and fill the disk, or consume all available memory or CPU time. A nuke is an old denial-of-service attack against computer networks that sends fragmented or otherwise invalid ICMP packets to the target, typically using a modified ping utility to send this corrupt data repeatedly, slowing the affected computer until it comes to a complete stop.

2.3 Protocol Attacks
The basic flood attack can be further refined to take advantage of the inherent design of common network protocols. These attacks do not directly exploit weaknesses in TCP/IP stacks or network applications but instead turn the expected behavior of protocols such as TCP, UDP, and ICMP to the attacker's advantage. A SYN flood, for example, is an asymmetric resource-starvation attack in which the attacker floods the victim with TCP SYN packets and the victim allocates resources to accept each perceived incoming connection. Protocol attacks include the Smurf attack [3], SYN attack, UDP attack, ICMP attack, CGI request attack, authentication server attack, attacks using DNS systems, and attacks using spoofed addresses in ping.


2.3.1 Smurf Attacks
The attacker floods the victim's network with excessive messages in order to impede normal traffic. This is accomplished by sending ping requests (ICMP echo requests) to a broadcast address on the target network or an intermediate network, with the source address spoofed to the victim's address, so that every host answering the broadcast sends its echo reply to the victim.

2.3.2 UDP Attacks
Using UDP for denial-of-service attacks is not as straightforward as with TCP. A UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. For each packet that arrives on a closed port the victim answers with an ICMP port unreachable message, so for a large number of UDP packets the victimized system is forced to send many ICMP packets, eventually becoming unreachable to other clients. The attacker may also spoof the source IP address of the UDP packets.
2.3.3 SYN Flood Attack
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages. In normal operation the client requests a connection by sending a SYN (synchronize) segment to the server; the server acknowledges this request by sending a SYN-ACK back to the client; the client responds with an ACK, and the connection is established. This is the TCP three-way handshake, the foundation of every connection established using TCP. The attack works because the server allocates resources (a half-open connection entry) after receiving the SYN but before it has received the ACK. The attacker never sends the final ACK, and because the SYNs carry spoofed source addresses the SYN-ACKs go unanswered; once the half-open queue is full, SYNs from legitimate clients are dropped. The attack is well known, and defenses such as SYN cookies and SYN caches (Section 3) blunt it on modern systems, although sufficiently high-volume floods remain a threat.
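The following is an added illustration, not code from the paper: a listening socket with a bounded half-open backlog is fed a constructed packet trace in which legitimate clients complete the handshake while spoofed SYNs never do, so that legitimate SYNs start being dropped once the backlog fills. It also sketches, in simplified form, the arrival-statistics idea from the abstract: a per-window SYN-minus-ACK count compared against an adaptive baseline learned from windows that were not flagged. The backlog size, timeout, window length, smoothing factor and threshold floor are all assumed values.

```python
# Added illustration (not the paper's code): a listener with a bounded half-open
# backlog, fed a constructed trace of legitimate handshakes and spoofed,
# never-completed SYNs; plus a per-window SYN/ACK imbalance detector.
from dataclasses import dataclass, field

BACKLOG = 8              # assumed maximum number of half-open entries
SYN_RECV_TIMEOUT = 30.0  # assumed seconds before an unanswered half-open entry is reaped


@dataclass
class Listener:
    half_open: dict = field(default_factory=dict)  # (saddr, sport) -> time the SYN arrived
    established: int = 0
    dropped_syns: int = 0

    def reap(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 > SYN_RECV_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, now, key):
        self.reap(now)
        if key in self.half_open:
            return                      # retransmitted SYN: entry already exists
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1      # backlog full: the SYN is silently dropped
            return
        self.half_open[key] = now       # server sends SYN-ACK and holds state here

    def on_ack(self, now, key):
        if self.half_open.pop(key, None) is not None:
            self.established += 1       # handshake completed, entry leaves the backlog


def build_trace():
    """Constructed trace: (time, flag, source address, source port)."""
    trace = []
    for i in range(10):                 # 0-10 s: one legitimate handshake per second
        t = float(i)
        trace.append((t, "SYN", f"10.0.0.{i + 1}", 40000 + i))
        trace.append((t + 0.05, "ACK", f"10.0.0.{i + 1}", 40000 + i))
    for i in range(100):                # 10-15 s: 20 spoofed SYNs per second, never ACKed
        trace.append((10.0 + i / 20, "SYN", f"198.51.100.{i % 250 + 1}", 50000 + i))
    for i in range(5):                  # legitimate clients keep arriving during the flood
        t = 10.5 + i
        trace.append((t, "SYN", f"10.0.1.{i + 1}", 41000 + i))
        trace.append((t + 0.05, "ACK", f"10.0.1.{i + 1}", 41000 + i))
    return sorted(trace)


def run(trace):
    """Replay the trace against a fresh listener and return it."""
    srv = Listener()
    for t, flag, saddr, sport in trace:
        if flag == "SYN":
            srv.on_syn(t, (saddr, sport))
        else:
            srv.on_ack(t, (saddr, sport))
    return srv


def detect(trace, window=1.0, alpha=0.3, floor=5):
    """Return start times of windows whose SYN-minus-ACK count exceeds an
    adaptive baseline. The EWMA mean and deviation are updated only from
    windows that were not flagged, so attack traffic cannot raise the threshold."""
    counts = {}
    for t, flag, _, _ in trace:
        c = counts.setdefault(int(t // window), {"SYN": 0, "ACK": 0})
        c[flag] += 1
    mean = dev = 0.0
    flagged = []
    for w in sorted(counts):
        imbalance = counts[w]["SYN"] - counts[w]["ACK"]
        if imbalance > max(floor, mean + 3 * dev):
            flagged.append(w * window)
            continue
        dev = (1 - alpha) * dev + alpha * abs(imbalance - mean)
        mean = (1 - alpha) * mean + alpha * imbalance
    return flagged


if __name__ == "__main__":
    trace = build_trace()
    srv = run(trace)
    print(f"established={srv.established} dropped={srv.dropped_syns} "
          f"half_open={len(srv.half_open)}")
    print("flagged windows:", detect(trace))
```

With these parameters the first eight spoofed SYNs occupy the whole backlog; every later SYN, including all five legitimate ones that arrive during the flood, is dropped, and nothing frees the entries because the spoofed addresses never answer. The detector flags each of the five flood windows, while the ten normal windows, where every SYN is matched by an ACK, keep the baseline at zero.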


3. PREVENTION AND RESPONSE
3.1 SYN Cache
In the SYN cache [4] mechanism, the server node keeps the half-open states of all applications in a single global hash table, whereas in the original TCP they are stored in a separate backlog queue for each application. As a result, the node can hold a larger number of half-open states and the impact of a SYN flood attack is reduced.
3.2 SYN Cookies
SYN cookies [5] modify the server's TCP handling by delaying the allocation of resources until the client address has been verified, and appear to be the most powerful defense against SYN attacks. With SYN cookies [15] a server avoids dropping connections when the SYN queue fills up; instead, it behaves as if the SYN queue had been enlarged. The server sends back the appropriate SYN+ACK to the client but discards the SYN queue entry. If it later receives the corresponding ACK, it reconstructs the SYN queue entry from information encoded in the TCP sequence number it chose: the connection's addresses and ports are hashed with a server secret and a coarse timestamp, and the result, together with an index for the client's MSS, is packed into the 32-bit initial sequence number, so that a valid ACK proves the client saw the SYN+ACK. The price is that only what fits in those 32 bits survives: the MSS is approximated, and other negotiated options such as window scaling and selective acknowledgment are lost unless they are carried some other way, which is why implementations typically switch cookies on only while the queue is under pressure.
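As an added example, not code from the paper and not any real kernel's exact algorithm, the following implements the cookie exchange described above in Python. The layout is assumed here, patterned after the classic scheme: 5 bits of a coarse timestamp, 3 bits indexing a small MSS table, and 24 bits of keyed hash over the 4-tuple and timestamp. The secret, the MSS table, the tick granularity and the maximum cookie age are all assumptions.

```python
# Added illustration of the SYN cookie idea (not the paper's code and not any
# real kernel's exact algorithm). Assumed layout: 5 bits of coarse timestamp,
# 3 bits of MSS index, 24 bits of keyed hash over the 4-tuple and timestamp.
import hashlib
import hmac
import os
import struct

SECRET = os.urandom(32)               # assumed: server secret, drawn once per boot
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed: the only MSS values that can be recovered
MAX_AGE = 4                           # assumed: cookies older than 4 ticks are rejected


def _mac(saddr, sport, daddr, dport, tick):
    """24-bit keyed hash binding the cookie to this 4-tuple and tick."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, tick)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, tick):
    """Server side on SYN: compute the ISN for the SYN-ACK. Nothing is stored."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry not above the client's MSS
        if m <= client_mss:
            idx = i
    return ((tick & 0x1F) << 27) | (idx << 24) | _mac(saddr, sport, daddr, dport, tick)


def check_cookie(saddr, sport, daddr, dport, ack, now_tick):
    """Server side on a bare ACK with no queue entry: return the MSS to use for
    the reconstructed connection, or None if the cookie is stale or forged."""
    cookie = (ack - 1) & 0xFFFFFFFF   # the ACK number acknowledges ISN + 1
    tick_lo = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    tick = (now_tick & ~0x1F) | tick_lo          # restore the high bits from the clock
    if tick > now_tick:                           # the 5-bit field wrapped since the SYN
        tick -= 32
    if now_tick - tick > MAX_AGE:
        return None                               # too old: replay or guessed timestamp
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac(saddr, sport, daddr, dport, tick)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                               # wrong 4-tuple, wrong tick or forged ACK
    return MSS_TABLE[idx]


if __name__ == "__main__":
    client, server = b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x01"   # 10.0.0.1 -> 192.168.1.1:80
    isn = make_cookie(client, 40000, server, 80, 1460, tick=1000)
    print("ISN:", hex(isn))
    print("valid ACK:", check_cookie(client, 40000, server, 80, isn + 1, 1002))
    print("stale ACK:", check_cookie(client, 40000, server, 80, isn + 1, 1010))
    print("spoofed source:", check_cookie(b"\x0a\x00\x00\x02", 40000, server, 80, isn + 1, 1002))
```

A spoofed SYN costs the server one hash and one SYN-ACK, and no memory; only a host that actually received the SYN-ACK can return the matching ACK number. The check also shows what is given up: the client's MSS comes back rounded down to a table entry, and the 24-bit hash is short enough that an attacker willing to send millions of blind ACKs per 4-tuple can eventually hit one, which is why the timestamp field and the age limit bound the window for such guessing.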
3.3 Firewalls
Firewalls have simple rules, such as allowing or denying protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls; for example, if there is an attack on port 80 (web service), a firewall cannot prevent it because it cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls sit too deep in the network hierarchy: the router may be affected even before the firewall sees the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding-type attacks from machines behind the firewall.
3.4 Switches and Routers
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, and delayed binding (completing the TCP handshake on behalf of the server) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN link failover and balancing.