1 / 39

DoS Seminar 2 Spoofed Packet Attacks and Detection Methods

DoS Seminar 2 Spoofed Packet Attacks and Detection Methods. By Prateek Arora. Introduction. When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like e-mail and the Internet. An attack can be directed at an operating system or at the network.

zasha
Télécharger la présentation

DoS Seminar 2 Spoofed Packet Attacks and Detection Methods

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DoS Seminar 2Spoofed Packet Attacks and Detection Methods By Prateek Arora

  2. Introduction • When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like e-mail and the Internet. An attack can be directed at an operating system or at the network.

  3. Types of DoS attacks • Ping Flood Attack (ICMP echo) • SYN Flood Attack (DoS attack) • DDoS Attack (Distributed SYN Flood) • UDP Flood Attacks • Smurf Attack • DNS name server Attack • Land Attack • Ping of Death Attack • Fragmentation / Teardrop Attack • Connection Spoofing • Bounce Scanning • Stealth Communication

  4. What is a “Spoofed Packet”? • Packets sent by an attacker such that the true source is not authentic • MAC spoofing • IP packet spoofing • Email spoofing • This is not same as routing attacks • These cause packets to be redirected • e.g. DNS cache poisoning; router table attacks; ARP spoofing

  5. Significance of “Spoofed Packets” in DoS attacks • Spoofed packets are a part of many attacks • SYN Flood Attack • Smurf Attack • Connection Spoofing • Bounce Scanning • Stealth Communication

  6. IP/TCP Header Review IP Header Format version header length TOS total length identification flags fragment offset TTL protocol header checksum 20 bytes source IP address destination IP address options (if any) data

  7. U R G A C K P S H R S T S Y N F I N IP/TCP Header Review TCP Header Format source port number destination port number sequence number acknowledgement number 20 bytes header length reserved window size TCP checksum urgent pointer options (if any) data (if any)

  8. Smurf Attack • In this attack, spoofed IP packets containing ICMP Echo-Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network. • Sending a ICMP Echo Request to a broadcast address triggers all hosts included in the network to respond with an ICMP response packet, thus creating a large mass of packets which are routed to the victim's spoofed address.

  9. 1 SYN Simultaneous10,000 SYN/ACKs - VICTIM IS DEAD Smurf Attack (contd.) ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply ICMP = Internet Control Message Protocol INTERNET PERPETRATOR VICTIM INNOCENTREFLECTOR SITES BANDWIDTH MULTIPLICATION: A T1 (1.54 Mbps) can easily yield 100 MBbps of attack SOURCE: CISCO

  10. SYN Flood Attack • TCP Handshake Review • client • sends SYN packet to server • waits for SYN-ACK from server • server • responds with SYN-ACK packet • waits for ACK packet from client • client • sends ACK to server SYN SYN-ACK ACK

  11. Half-open connection; Waiting for ACK Completed handshake; connection open empty buffer SYN Flood Attack • Attacker causes TCP buffer to be exhausted with half-open connections • No reply from target needed, so source may be spoofed. • Claimed source must not be an active host. TCP Buffers 169.237.5.23 168.150.241.155 169.237.7.114

  12. Half-open connection; Waiting for ACK Completed handshake; connection open empty buffer SYN Flood Attack • Attacker causes TCP buffer to be exhausted with half-open connections • No reply from target needed, so source may be spoofed. • Claimed source must not be an active host. TCP Buffers 128.120.254.1 128.120.254.2 128.120.254.3 128.120.254.4 128.120.254.5 128.120.254.6 128.120.254.7 128.120.254.8 128.120.254.9 128.120.254.10 128.120.254.11 128.120.254.12 128.120.254.13 128.120.254.14 169.237.7.114 128.120.254.15

  13. Summary of attack methods

  14. Detection Methods • Routing-based • Active • Proactive • Reactive • Passive

  15. Routing-based Method • For a given network topology certain source IP addresses should never be seen • Internal addresses arriving on external interface • External addresses arriving on internal interface • IANA non-routable addresses on external interface • Other special addresses External NIC Internal NIC

  16. Special Addresses • 0.0.0.0/8 - Historical Broadcast • 10.0.0.0/8 - RFC 1918 Private Network • 127.0.0.0/8 - Loopback • 169.254.0.0/16 - Link Local Networks • 172.16.0.0/12 - RFC 1918 Private Network • 192.0.2.0/24 - TEST-NET • 192.168.0.0/16 - RFC 1918 Private Network • 240.0.0.0/5 - Class E Reserved • 248.0.0.0/5 - Unallocated • 255.255.255.255/32 - Broadcast

  17. Routing-based Methods • Most commonly used method • firewalls, filtering routers • Relies on knowledge of network topology and routing specs. • Primarily used at organizational border. • Cannot detect many examples of spoofing • Externally spoofed external addresses • Internally spoofed internal addresses

  18. Proactive methods • Looks for behavior that would not occur if client actually processed packet from client. • Method: change in IP stack behavior • Can observe suspicious activity • Examples – • TCP window games • SYN-Cookies (block with out detection)

  19. TCP Window Games • Modified TCP Handshake • client • sends SYN packet and ACK number to server • waits for SYN-ACK from server w/ matching ACK number • server • responds with SYN-ACK packet w/ initial “random” sequence number • Sets window size to zero • waits for ACK packet from client with matching sequence number • client • sends ACK to server with matching sequence number, but no data • Waits for ACK with window > 0 • After receiving larger window, client sends data. Spoofer will not see 0-len window and will send data without waiting. SYN ack-number SYN-ACK seq-number, ack-number window = 0 ACK seq_number, ack-number (no data) ACK seq-number, ack-number window = 4096 ACK seq_number, ack-number w/ data

  20. SYN-Cookies • Modified TCP Handshake • Example of “stateless” handshake • client • sends SYN packet and ACK number to server • waits for SYN-ACK from server with matching ACK number • server • responds with SYN-ACK packet with initial SYN-cookie sequence number • Sequence number is cryptographically generated value based on client address, port, and time. • No TCP buffers are allocated • client • sends ACK to server with matching sequence number • server • If ACK is to an unopened socket, server validates returned sequence number as SYN-cookie • If value is reasonable, a buffer is allocated and socket is opened. . Spoofed packets will not consume TCP buffers SYN ack-number SYN-ACK seq-number as SYN-cookie, ack-number NO BUFFER ALLOCATED ACK seq_number ack-number+data SYN-ACK seq-number, ack-number TCP BUFFER ALLOCATED

  21. Reactive methods • When a suspicious packet is received, a probe of the source is conducted to verify if the packet was spoofed • May use same techniques as proactive methods • Example probes • Is TTL appropriate? • Is ID appropriate? • Is host up? • Change window size

  22. Passive Methods • Learn expected values for observed packets • When an anomalous packet is received, treat it as suspicious • Example values – • Expected TTL • Expected client port • Expected client OS idiosyncrasies

  23. Experiments • Determine the validity of various spoofed-packet detection methods • Predictability of TTL • Predictability of TTL (active) • Predictability of ID (active)

  24. Experiment Description - Passive • Monitor network traffic • Record • Source IP address • TTL • Protocol • Count occurrences of all unique combinations • Statistically analyze predictability of the data

  25. Results - Passive • Data collected over 2 week periods at University of California, Davis • 23,000,000 IP packets observed • 23461 source IP addresses • 110 internal • 23351 external

  26. Results - Passive • Predictability measure • Conditional Entropy (unpredictability) • Values closer to zero indicate higher predictability

  27. All packets Protocol H mean H variance Number Addresses Number Packets All 0.055759 0.029728 23461 22999999 ICMP 0.027458 0.023726 801 223341 IGMP 0 0 23 297 TCP 0.046149 0.023114 15891 20925893 UDP 0.065164 0.040655 7397 1850468 Results - Passive

  28. External addresses only Protocol H mean H variance Number Addresses Number Packets All 0.055505 0.029731 23351 9229608 ICMP 0.026159 0.023271 780 88371 IGMP 0 0 3 26 TCP 0.046324 0.023201 15825 8857983 UDP 0.065537 0.041015 7306 283228 Results - Passive

  29. Internal Addresses Only Protocol H mean H variance Number Addresses Number Packets All 0.109633 0.026097 110 13770391 ICMP 0.075714 0.03822 21 134970 IGMP 0 0 20 271 TCP 0.004189 0.000321 66 12067910 UDP 0.035207 0.010859 91 1567240 Results - Passive

  30. Only Addresses with more than 250 packets Protocol H mean H variance Number Addresses Number Packets All 0.060041 0.035521 2876 22338795 ICMP 0.035778 0.020212 33 219605 IGMP 0 0 1 0 TCP 0.051132 0.027288 2713 20332940 UDP 0.165818 0.175238 148 1779896 Results - Passive

  31. Only Addresses with more than 500 packets Protocol H mean H variance Number Addresses Number Packets All 0.050635 0.031506 2306 22140140 ICMP 0.022401 0.014516 30 218560 IGMP 0 0 1 0 TCP 0.042716 0.022273 2190 20150197 UDP 0.164326 0.209436 104 1764716 Results - Passive

  32. Results - Passive • TTL differs by protocol • UDP most unreliable • traceroute is major contributor (can be filtered) • certain programs set TTL anomalously • ToS may be useful in reducing inconsistencies • TTL on local network highly regular • must filter traceroute traffic

  33. Experiment Description - Reactive • Monitor network traffic • Record IP address, Protocol, TTL and ID • Send probe packet(s) • ICMP echo reply packet • TCP syn packet • UDP packet • Note the differences between the stored TTL/ID to that of the returning probes.

  34. Results - Reactive • Evaluate – • initial vs. probe reply TTL • Initial vs. probe reply ID (delta from original) • Predictability measure • Conditional Entropy (unpredictability) • Values closer to zero indicate higher predictability

  35. Results - Reactive • Preliminary only • Ran for 18 hours • 8058 probes sent • 218 unique addresses • 173 external • 45 internal

  36. Results - Reactive • TTL off by: • Total # probes 8058 1591 • +/- 2 or less 6467 371 80% • +/-1 or less 6096 986 75% • 0 5110 63%

  37. Results - Reactive • ID off by: • Total # probes 8058 • Offset Count • 1 601 • 2 57 • 4 21 • 6 16 • 5 14 • 7 11 • 8 9 • Offset Count • 256 73 • 512 5 • 768 22 • 1280 10

  38. Conclusion • Spoofed-packets used in many different attacks • Spoofed-packets can be detected by a number of methods • High predictability in TTL and ID allow use of passive and active methods

  39. References • www.google.co.in • http://seclab.cs.ucdavis.edu/ • www.cert.org • www.caida.com • http://www.uspto.gov/ • www.cisco.com

More Related