Countering SYN Flood Denial-of-Service (DoS) Attacks, Ross Oliver (PowerPoint presentation)



SLIDE 1
Countering SYN Flood Denial-of-Service (DoS) Attacks

Ross Oliver, Tech Mavens, reo@tech-mavens.com

SLIDE 2
What is a Denial-of-Service (DoS) attack?

• Attacker generates an unusually large volume of requests, overwhelming your servers
• Legitimate users are denied access
• Can last from a few minutes to several days

SLIDE 3
What is a SYN Flood?

• One kind of Denial-of-Service attack
• Simulates the initial handshake of a TCP/IP connection: the attacker sends SYNs but never completes the handshake
• Web servers are particularly vulnerable

SLIDE 4
Example SYN Flood Attack

• February 5th to 11th, 2000
• Victims included CNN, eBay, Yahoo, Amazon
• Attacks allegedly perpetrated by teenagers
• Used compromised systems at UCSB

SLIDE 5
Detailed Account of DDoS

• Gibson Research Corporation, www.grc.com/dos/intro.htm
• May 4th to 20th, 2001
• DDoS attack from 474 machines
• Completely saturated two T1s
• 13-year-old claimed responsibility

SLIDE 6
Don't Expect Outside Help

• GRC discovered:
  - ISPs were unresponsive
  - Law enforcement unable to help
  - Under-age perpetrators have blanket immunity

SLIDE 7
Normal TCP/IP Connection Initiation

(diagram) Web surfer -> Web server: SYN
          Web server -> Web surfer: SYN/ACK
          Web surfer -> Web server: ACK

SLIDE 8
Unfinished TCP/IP Connection Initiation

(diagram) Web surfer -> Web server: SYN
          Web server -> Web surfer: SYN/ACK
          Web surfer -> Web server: ??? (the final ACK never arrives, so the server keeps a half-open entry in its connection table until it times out)

SLIDE 9
Web Server's Table of Normal TCP/IP Connections

State        Port  Address
ESTABLISHED  80    192.168.3.16
TIME_WAIT    80    192.168.15.88
ESTABLISHED  80    192.168.3.94
SYN          80    192.168.54.7
ESTABLISHED  80    192.168.27.112
TIME_WAIT    80    192.168.4.23
FREE         -     0.0.0.0
FREE         -     0.0.0.0
FREE         -     0.0.0.0

SLIDE 10
Connections Table During SYN Flood

State  Port  Address
SYN    80    192.168.7.99
SYN    80    192.168.7.99
SYN    80    192.168.7.99
SYN    80    192.168.7.99
SYN    80    192.168.7.99
SYN    80    192.168.7.99
SYN    80    192.168.7.99
SYN    80    192.168.7.99
SYN    80    192.168.7.99

Every slot is held by a half-open connection from the forged source address; no FREE entries remain, so new legitimate SYNs are refused.

SLIDE 11
Why Defense is Difficult

• SYN packets are part of normal traffic
• Source IP addresses can be faked
• SYN packets are small
• Lengthy timeout period before a half-open entry is released

SLIDE 12
Possible Defenses

• Increase size of connections table
• Add more servers
• Trace attack back to source
• Deploy firewalls employing SYN flood defense

SLIDE 13
Who Offers a Defense?

• PIX by Cisco
• Firewall-1 by Check Point
• Netscreen 100 by Netscreen
• AppSafe/AppSwitch by Top Layer

SLIDE 14
Firewall-1 SYNDefender

(diagram) Web surfer <-> FW-1 <-> Web server: FW-1 answers the surfer's SYN with a SYN/ACK and accepts the surfer's ACK itself; only then does it send a SYN on to the web server.

SLIDE 15
SYN Proxy

(diagram) Web surfer <-> Netscreen or AppSafe <-> Web server: the firewall acts as a SYN proxy, completing the SYN, SYN/ACK, ACK exchange with the surfer before it involves the web server, so half-open connections accumulate on the firewall rather than on the server.

SLIDE 16
Measuring Effectiveness

• Create a realistic test environment
• Generate a SYN flood
• Measure how well each firewall keeps legitimate traffic flowing

SLIDE 17
Test Configuration

(diagram) Attacker and Web Client connected through a Hub to the Test Firewall, with the Web Server behind the firewall

SLIDE 18
Test Configuration

• Web Server: Linux (RedHat 7.2)
  - Apache web server
• Web Client: Windows 2000
  - Script using wget to fetch web pages and measure response time
• Attacker: Linux (RedHat 7.2)
  - SYN flood generator
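The client side of this setup is the part you can reproduce cheaply. The script below is an added example, not the deck's wget script: it plays the Web Client role in Python's standard library, timing each fetch and counting timeouts, refused connections and non-2xx responses as failed page requests, which is what the later "requests failed" and "degraded response time" findings need to be measured against. The target URL, request count and interval are assumptions.

```python
"""Response-time probe for the Web Client role of slide 18. Added example:
urllib replaces the slide's wget script; URL, count and interval are
assumptions."""
import statistics
import time
import urllib.request


def measure(url, timeout=10.0):
    """Fetch `url` once. Returns (ok, seconds); ok is False on a timeout,
    a refused connection or a non-2xx status, all of which count as a
    failed page request during a flood."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
            ok = 200 <= resp.status < 300
    except (OSError, ValueError):   # URLError, HTTPError and socket.timeout are OSErrors
        ok = False
    return ok, time.monotonic() - start


def summarize(samples):
    """samples: list of (ok, seconds). Returns the failure rate plus the
    latency of the successful fetches (median, nearest-rank p95, max)."""
    total = len(samples)
    good = sorted(s for ok, s in samples if ok)
    failed = total - len(good)
    result = {"requests": total, "failed": failed,
              "failure_rate": failed / total if total else 0.0,
              "median_s": None, "p95_s": None, "max_s": None}
    if good:
        result["median_s"] = statistics.median(good)
        result["p95_s"] = good[min(len(good) - 1, round(0.95 * (len(good) - 1)))]
        result["max_s"] = good[-1]
    return result


def probe(url, count=20, interval=1.0, timeout=10.0):
    """Run the client loop the slide describes and return the summary."""
    samples = []
    for _ in range(count):
        samples.append(measure(url, timeout))
        time.sleep(interval)
    return summarize(samples)


if __name__ == "__main__":
    # Assumed address of the test web server; run once before and once during the flood.
    print(probe("http://192.168.1.10/index.html", count=10))
```

Run it once before the flood to get a baseline, then again during it; a rising failure rate and p95 are the two numbers that separate "protected with degraded response" from "requests failed" in the results that follow.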

SLIDE 19
Benchmark Results

(chart, logarithmic axis from 1 to 100,000) Maximum SYNs per second each configuration withstood:

AppSafe       22,000
Netscreen     14,000
Firewall-1       500
PIX              100
None             100

SLIDE 20
Cisco PIX Results

• No significant difference over no firewall
• Large "embryonic" value (the PIX limit on half-open connections) allowed the flood through to the server
• Small "embryonic" value blocked both the flood and normal traffic
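The mechanics behind slides 9 and 10 (a finite table of half-open entries), slides 14 and 15 (a proxy that completes the handshake before the server hears about it) and the PIX finding above (a plain limit on half-open connections) can be put side by side in one small model. The following is an added simulation, not code from the deck or from any vendor: the table size, timeouts, rates and the "forward only while under the limit" semantics are assumptions chosen to make the behaviour visible, not measured values. Each simulated second delivers a burst of forged SYNs that are never acknowledged, followed by one genuine client that sends SYN and ACK; the result records how many genuine connections got through and how full the server's table became.

```python
"""Model of a web server's half-open (SYN state) connection table under a SYN
flood, behind three front-ends: none, an embryonic-connection limit, and a SYN
proxy. Added illustration; table size, timeouts and rates are assumptions."""
from dataclasses import dataclass, field

SYN_TIMEOUT = 75.0   # seconds a half-open entry is held before discard (assumed)
TABLE_SIZE = 128     # half-open entries the server can hold (assumed)


@dataclass
class HalfOpenTable:
    """The SYN-state rows of the connection table shown in slides 9 and 10."""
    size: int = TABLE_SIZE
    timeout: float = SYN_TIMEOUT
    entries: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry
    refused: int = 0
    peak: int = 0

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def on_syn(self, key, now):
        """SYN arrives: take a slot, or refuse it when the table is full."""
        self._expire(now)
        if len(self.entries) >= self.size:
            self.refused += 1
            return False
        self.entries[key] = now + self.timeout
        self.peak = max(self.peak, len(self.entries))
        return True

    def on_ack(self, key, now):
        """Third handshake packet: release the slot (connection is ESTABLISHED)."""
        self._expire(now)
        return self.entries.pop(key, None) is not None


class NoFirewall:
    """Every SYN reaches the server directly (slides 9 and 10)."""
    def __init__(self, server):
        self.server = server
    def syn(self, key, now):
        return self.server.on_syn(key, now)
    def ack(self, key, now):
        return self.server.on_ack(key, now)


class EmbryonicLimit:
    """Forward a SYN only while fewer than `limit` half-open connections are
    outstanding; a simplified model of the PIX "embryonic" setting (slide 20)."""
    def __init__(self, server, limit):
        self.server = server
        self.tracker = HalfOpenTable(size=limit, timeout=server.timeout)
    def syn(self, key, now):
        # Once the limit is reached, forged and genuine SYNs are dropped alike.
        return self.tracker.on_syn(key, now) and self.server.on_syn(key, now)
    def ack(self, key, now):
        self.tracker.on_ack(key, now)
        return self.server.on_ack(key, now)


class SynProxy:
    """Answer SYNs on the server's behalf; open the real connection only after
    the client's ACK proves it can finish the handshake (slides 14 and 15)."""
    def __init__(self, server, proxy_size=100_000, proxy_timeout=10.0):
        self.server = server
        self.pending = HalfOpenTable(size=proxy_size, timeout=proxy_timeout)
    def syn(self, key, now):
        return self.pending.on_syn(key, now)   # the proxy sends the SYN/ACK itself
    def ack(self, key, now):
        if not self.pending.on_ack(key, now):
            return False
        return self.server.on_syn(key, now) and self.server.on_ack(key, now)


def simulate(front_end, attack_rate, seconds=60):
    """Each second: `attack_rate` forged SYNs that are never acknowledged, then
    one genuine client that sends SYN and ACK. Returns how many genuine
    connections succeeded and the server table's peak fill."""
    server = HalfOpenTable()
    fw = front_end(server)
    forged = legit_ok = 0
    for now in range(seconds):
        for _ in range(attack_rate):
            forged += 1
            fw.syn(("192.168.7.99", 1024 + forged), float(now))  # forged source, slide 10
        key = ("10.0.0.5", 40000 + now)                           # the real web surfer
        if fw.syn(key, float(now)) and fw.ack(key, float(now)):
            legit_ok += 1
    return {"legit_ok": legit_ok, "server_peak_half_open": server.peak}


if __name__ == "__main__":
    for name, fe in [("none", NoFirewall),
                     ("embryonic limit 10000", lambda s: EmbryonicLimit(s, 10_000)),
                     ("embryonic limit 32", lambda s: EmbryonicLimit(s, 32)),
                     ("SYN proxy", SynProxy)]:
        print(f"{name:24s} {simulate(fe, attack_rate=50)}")
```

With 50 forged SYNs per second against a 128-entry table and a 75-second timeout, the unprotected server fills in three seconds and refuses every later client; a large embryonic limit never engages, so the result is identical; a small limit keeps the server's table nearly empty but is itself saturated by forged SYNs within the first second, so the genuine client is dropped too; and the SYN proxy carries the half-open state on its own, larger and shorter-lived table, so the server's table never holds more than the one genuine connection in progress. The proxy's own table size is what eventually bounds it, which is the ceiling the benchmark numbers measure.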

SLIDE 21
Firewall-1 Results

• Protected up to 500 SYNs/sec, but with degraded response time
• Above 500 SYNs/sec, web page requests failed
• Web server recovered to normal 3-10 minutes after the attack ceased

SLIDE 22
Netscreen 100 Results

• Protected up to 14,000 SYNs/sec with acceptable server response times
• Above 14,000, the web server continued to respond, with increasing delays
• Response times recovered to normal immediately after the attack ceased

SLIDE 23
AppSafe Results

• Effective up to 22,000 SYNs/sec, the maximum the test setup could produce
• No measurable change in response time

SLIDE 24
How Bad Can It Get?

• Theoretical maximums for attackers using:
  - Analog modem: 87 SYNs/sec
  - ISDN, Cable, DSL: 200 SYNs/sec
  - T1: 2,343 SYNs/sec
  - 474 hacked systems at 200 SYNs/sec each: 94,800 SYNs/sec

SLIDE 25
How Much Do You Need?

• Single firewall for an attacker with a single ISDN, DSL, or T1 link
• Multiple parallel units for higher bandwidth
• "Transparent" mode permits rapid deployment
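The figures on the two slides above follow from a single rule: a link can carry no more SYNs per second than its bit rate divided by the size of one SYN on the wire. The script below is an added worked example, not from the deck; the 80-byte SYN and the link speeds it uses (56 kbit/s modem, 128 kbit/s ISDN, 1.5 Mbit/s T1) are my assumptions, chosen because they reproduce the slide's 87, 200 and 2,343 SYNs/sec exactly, and the firewall ceilings are the ones measured in slide 19. It then turns that into the sizing question of slide 25: how many hosts of a given kind it takes to exceed each firewall, and how many parallel units a given flood needs.

```python
"""SYN budget arithmetic behind slides 24 and 25. Added example, not from the
deck: the 80-byte wire SYN and the link speeds are assumptions chosen because
they reproduce the slide's figures (56 kbit/s -> 87, 128 kbit/s -> 200,
1.5 Mbit/s -> 2,343 SYNs/sec)."""

SYN_WIRE_BYTES = 80   # assumed size of one SYN on the wire, all headers included

# Link speeds in bit/s (assumed values matching the slide's labels).
LINKS_BPS = {"analog modem": 56_000, "ISDN / cable / DSL": 128_000, "T1": 1_500_000}

# Measured ceilings from slide 19; AppSafe's is the test rig's maximum, not a limit.
CEILING_SYN_PER_S = {"Firewall-1": 500, "Netscreen 100": 14_000, "AppSafe": 22_000}


def max_syn_rate(link_bps, syn_bytes=SYN_WIRE_BYTES):
    """Most SYNs per second a single host can push through a `link_bps` link."""
    return link_bps // (syn_bytes * 8)


def attackers_to_exceed(link_bps, ceiling):
    """Hosts on `link_bps` links needed before a firewall's ceiling is exceeded."""
    return ceiling // max_syn_rate(link_bps) + 1


def units_needed(total_syn_rate, ceiling):
    """Parallel firewall units needed if the flood is spread evenly (slide 25)."""
    return -(-total_syn_rate // ceiling)   # ceiling division


def plan(hosts, link_bps):
    """Aggregate SYN rate of `hosts` attackers on one link type, and the number
    of units of each tested firewall that rate would require."""
    total = hosts * max_syn_rate(link_bps)
    return {"total_syn_per_s": total,
            "units": {fw: units_needed(total, c) for fw, c in CEILING_SYN_PER_S.items()}}


if __name__ == "__main__":
    for name, bps in LINKS_BPS.items():
        print(f"{name:20s} {max_syn_rate(bps):>6,} SYN/s per host")
    for fw, c in CEILING_SYN_PER_S.items():
        print(f"{fw:14s} exceeded by {attackers_to_exceed(128_000, c)} DSL hosts"
              f" or {attackers_to_exceed(1_500_000, c)} T1 hosts")
    print(plan(474, LINKS_BPS["ISDN / cable / DSL"]))  # GRC's 474 hosts, slide 5
```

The sizing answer this gives for the GRC incident (474 hosts, 94,800 SYNs/sec) is seven Netscreen-class units or five AppSafe-class units, while a single T1 attacker already exceeds Firewall-1's measured 500 SYNs/sec. Treat the per-host rates as upper bounds: a real bot shares its uplink with everything else on the machine, and the 80-byte figure is a modelling choice, not a measurement from the deck.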

SLIDE 26
Conclusion

• SYN floods are nasty
• Firewalls with SYN flood defense can successfully counter attacks
• Multiple or distributed attacks may require multiple parallel firewalls

SLIDE 27
Acknowledgements

• PIX provided by Atebion, Inc.
• Netscreen 100 provided by Yipes Communications
• AppSafe provided by Top Layer Networks
• Information Warehouse! Inc.