countering syn flood denial-of-service (dos) attacks · pdf file2 what is a denial-of-service...
TRANSCRIPT
![Page 2: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/2.jpg)
2
What is a Denial-of-Service (DoS) attack?
! Attacker generates unusually largevolume of requests, overwhelmingyour servers
! Legitimate users are denied access! Can last from a few minutes to
several days
![Page 3: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/3.jpg)
3
What is a SYN Flood?
! One kind of Denial-of-Serviceattack
! Simulates initial handshake ofTCP/IP connection
! Web servers are particularlyvulnerable
![Page 4: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/4.jpg)
4
Example SYN Flood Attack
! February 5th � 11th, 2000! Victims included CNN, eBay, Yahoo,
Amazon! Attacks allegedly perpetrated by
teenagers! Used compromised systems at UCSB
![Page 5: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/5.jpg)
5
Detailed Account of DDoS
! Gibson Research Corporationwww.grc.com/dos/intro.htm
! May 4th-20th, 2001! DDoS attack from 474 machines! Completely saturated two T1s! 13-year-old claimed responsibility
![Page 6: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/6.jpg)
6
Don�t Expect Outside Help
! GRC discovered:! ISPs were unresponsive! Law enforcement unable to help! Under-age perpetrators have
blanket immunity
![Page 7: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/7.jpg)
7
Normal TCP/IPConnection Initiation
Web surfer
Web sever
SYN
ACK
SYN / ACK
![Page 8: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/8.jpg)
8
Unfinished TCP/IPConnection Initiation
Web surfer
Web sever
SYN
???
SYN / ACK
![Page 9: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/9.jpg)
9
Web Server�s Table ofNormal TCP/IP Connections
FREE00.0.0.0FREE00.0.0.0FREE00.0.0.0TIME_WAIT80192.168.4.23ESTABLISHED80192.168.27.112SYN80192.168.54.7ESTABILISHED80192.168.3.94TIME_WAIT80192.168.15.88ESTABLISHED80192.168.3.16StatePortAddress
![Page 10: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/10.jpg)
10
Connections TableDuring SYN Flood
SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99SYN80192.168.7.99StatePortAddress
![Page 11: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/11.jpg)
11
Why Defense is Difficult
! SYN packets are part of normaltraffic
! Source IP addresses can be faked! SYN packets are small! Lengthy timeout period
![Page 12: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/12.jpg)
12
Possible Defenses
! Increase size of connections table! Add more servers! Trace attack back to source! Deploy firewalls employing SYN
flood defense
![Page 13: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/13.jpg)
13
Who Offers a Defense?
! PIX by Cisco! Firewall-1 by Checkpoint! Netscreen 100 by Netscreen! AppSafe/AppSwitch by Top Layer
![Page 14: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/14.jpg)
14
Firewall-1 SYNDefender
Web surfer
Web sever
SYN
ACK
SYN / ACK
FW-1
SYN
![Page 15: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/15.jpg)
15
SYN Proxy
Web surfer
Web sever
Netscreenor
AppSafe
SYN
ACK
SYN / ACK
![Page 16: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/16.jpg)
16
Measuring Effectiveness
! Create a realistic test environment! Generate a SYN flood! Measure how well each firewall
keeps legitimate traffic flowing
![Page 17: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/17.jpg)
17
Test Configuration
Attacker
Test Firewall
Web Client
Web ServerHub
![Page 18: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/18.jpg)
18
Test Configuration
! Web Server: Linux (RedHat 7.2)" Apache web server
! Web Client: Windows 2000" Script using wget to fetch web pages,
measure response time! Attacker: Linux (RedHat 7.2)
" SYN flood generator
![Page 19: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/19.jpg)
19
Benchmark Results
22,000
14,000
500
100
100
1 10 100 1,000 10,000 100,000
AppSafe
Netscreen
Firewall-1
PI X
None
Maximum SYNs per second
![Page 20: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/20.jpg)
20
Cisco PIX Results
! No significant difference over nofirewall
! Large �embrionic� value allowedflood through to server
! Small �embrionic� value blockedboth flood and normal traffic
![Page 21: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/21.jpg)
21
Firewall-1 Results
! Protected up to 500 SYNs/sec, butwith degraded response time
! Above 500 SYNs/sec, web pagerequests failed
! Web server recovered to normal3-10 minutes after attack ceased
![Page 22: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/22.jpg)
22
Netscreen 100 Results
! Protected up to 14,000 SYNs/secwith acceptable server responsetimes
! Above 14,000, web servercontinued to respond, withincreasing delays
! Response times recovered tonormal immediately after attackceased
![Page 23: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/23.jpg)
23
AppSafe Results
! Effective up to 22,000 SYNs/sec! Maximum test setup could produce! No measurable change in response
time
![Page 24: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/24.jpg)
24
How Bad Can It Get?
! Theoretical maximums forattackers using:" Analog modem: 87 SYNs/sec" ISDN, Cable, DSL: 200 SYNs/sec" T1: 2,343 SYNs/sec" 474 hacked systems 94,800 SYNs/sec
![Page 25: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/25.jpg)
25
How Much Do You Need?
! Single firewall for attacker withsingle ISDN, DSL, or T1
! Multiple parallel units for higherbandwidth
! �Transparent� mode permits rapiddeployment
![Page 26: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/26.jpg)
26
Conclusion
! SYN floods are nasty! Firewalls with SYN flood defense
can successfully counter attacks! Multiple or distributed attacks may
require multiple parallel firewalls
![Page 27: Countering SYN Flood Denial-of-Service (DoS) Attacks · PDF file2 What is a Denial-of-Service (DoS) attack?!Attacker generates unusually large volume of requests, overwhelming your](https://reader033.vdocuments.mx/reader033/viewer/2022042800/5a784e567f8b9a1b688ea2a8/html5/thumbnails/27.jpg)
27
Acknowledgements
! PIX provided by Atebion, Inc.! Netscreen 100 provided by
Yipes Communications! AppSafe provided by
Top Layer Networks! Information Warehouse! Inc.