attacks on tcp
play

Attacks on TCP 1 Outline What is TCP protocol? How the TCP - PowerPoint PPT Presentation

Jan 25, 2024 •122 likes •598 views

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack 2 TCP Protocol Transmission Control Protocol (TCP) is a core protocol

  1. Attacks on TCP 1

  2. Outline What is TCP protocol? ● How the TCP Protocol Works ● SYN Flooding Attack ● TCP Reset Attack ● TCP Session Hijacking Attack ● 2

  3. TCP Protocol ● Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite ● transport layer, sits on the top of the IP layer; ● Provide host-to-host communication services for applications ● Two transport Layer protocols o TCP: provides a reliable and ordered communication channel between applications. e.g., Browser, SSH, telnet, email … ○ UDP: lightweight protocol with lower overhead and can be used for applications that do not require reliability or communication order. ● No built-in security mechanism o Eavesdrop on connections, inject fake data into connections, break connections, hijack connections 3

  4. Why TCP? ● Main problem with IP ○ Due to unpredictable network behavior, load balancing, and network congestions, packets can be lost, duplicated, or delivered out of order ● TCP handles these by ○ Acknowledging every packet received ○ Rearranging out-of-order data ○ Automatic retransmission of lost data ○ By TCP Congestion avoidance algorithms "TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network." https://en.wikipedia.org/wiki/Transmission_Control_Protocol 4

  5. TCP Client Program Create a socket ; specify the type of communication. TCP uses SOCK_STREAM and UDP uses SOCK_DGRAM. Initiate the TCP connection • three-way handshake • logical connection [src/dst ip/port] Send data 5

  6. TCP Server Program Step 1 : Create a socket. Same as Client Program. Step 2 : Bind to a port number. An application needs to register a port # on the host, using bind() system call When a packet arrives, OS knows the receiver application based on the port # 6

  7. TCP Server Program Step 3 : Listen for connections. ● After setting up the socket, call listen() to wait for connections i.e., ready to receive connection requests ● Once a connection request is received, go through the 3-way handshake to establish the connection ● The established connection is placed in the queue, waiting for the application to take it. The second argument is the number of connection that can be stored in the queue. 7

  8. TCP Server Program Step 4 : Accept a connection request After the connection is established, an application needs to “accept” the connection before being able to access it. The accept() system call extracts the first connection request from the queue, creates a new socket, and returns the file descriptor referring to the socket. Step 5 : Send and Receive data Once a connection is established and accepted, both sides can send and receive data using this new socket. 8

  9. TCP Server Program To accept multiple connections : ● fork() system call creates a new process by duplicating the calling process. ● On success, the process ID of the child process is returned in the parent process and 0 in the child process. Line ① and Line ② ● executes child and parent process respectively. 9

  10. Data Transmission ● Once a connection is established, OS allocates two buffers at each end, i.e., send buffer and receive buffer. ● When an application needs to send data out, it places data into the TCP send buffer. 10

  11. Data Transmission Each octet in the send buffer has a sequence number field in the ● header o indicates the sequence of the packets o at the receiver end, these sequence numbers are used to place data in the right position inside receive buffer Once data is placed in the receive buffer, they are merged into a single ● data stream. o Regardless whether they are from one packet or different packets Applications read from the receive buffer. ● o Blocked if no data is available o Unblocked when there is enough data to read The receiver informs the sender about receiving of data using ● acknowledgement packets 11

  12. TCP Header TCP Segment: TCP Header + Data. Source and Destination port (16 bits each) : Specify port numbers of the sender and the receiver. Sequence number (32 bits) : Specifies the sequence number of the first octet in the TCP segment. If Acknowledgement number (32 bits) : Contains SYN bit is set, it is the initial sequence number. the value of the next sequence number expected by the sender of this segment. Valid only if ACK bit is set. 12

  13. TCP Header Header length (4 bits): Length of TCP header is measured by the number of 32-bit words in the header, so we multiply by 4 to get number of octets in the header. Reserved (6 bits): This field is not used. Code bits (6 bits): There are six code bits, including SYN,FIN,ACK,RST,PSH and URG. Window (16 bits): Window advertisement to specify the number of octets that the sender of this TCP segment is willing to accept. The purpose of this field is for flow control. 13

  14. TCP Header Checksum (16 bits): The checksum is calculated using part of IP header, TCP header and TCP data. Urgent Pointer (16 bits): If the URG code bit is set, the first part of the data contains urgent data (do not consume sequence numbers). The urgent pointer specifies where the urgent data ends and the normal TCP data starts. Urgent data is for priority purposes as they do not wait in line in the receive buffer, and will be delivered to the applications immediately. Options (0-320 bits, divisible by 32): TCP segments can carry a variable length of options which provide a way to deal with the limitations of the original header. 14

  15. TCP 3-way Handshake Protocol SYN Packet: • The client sends a special packet called SYN packet to the server using a randomly generated number x as its sequence number. SYN-ACK Packet: • On receiving it, the server sends a reply packet using its own randomly generated number y as its sequence number. ACK Packet • Client sends out ACK packet to conclude the handshake 15

  16. TCP 3-way Handshake Protocol ● When the server receives the initial SYN packet, it uses TCB (Transmission Control Block) to store the information about the connection. ● This is called half-open connection as only client-server connection is confirmed. ● The server stores the TCB in a queue that is only for the half-open connection. ● After the server gets ACK packet, it will take this TCB out of the queue and store in a different place. ● If ACK doesn’t arrive, the server will resend SYN+ACK packet. The TCB will eventually be discarded after a certain time period. 16

  17. SYN Flooding Attack Idea : To fill the queue storing the half-open connections so that there will be no space to store TCB for any new half-open connection, basically the server cannot accept any new SYN packets. Steps to achieve this : Continuously send a lot of SYN packets to the server. This consumes the space in the queue by inserting the TCB record. ● Do not finish the 3rd step of handshake as it will dequeue the TCB record. 17

  18. SYN Flooding Attack ● When flooding the server with SYN packets, we need to use random source IP addresses. Why? ● Otherwise the attacks may be blocked by the firewalls. ● The SYN+ACK packets sent by the server may be dropped because forged IP address may not be assigned to any machine. ● What happen if it does reach an existing machine? ● a RST packet will be sent out, and the TCB will be dequeued. ● As the second option is less likely to happen, TCB records will mostly stay in the queue. This causes SYN Flooding Attack . 18

  19. Launching SYN Flooding Attack – Before Attacking Check the TCP states TCP States • LISTEN: waiting for TCP connection. • ESTABLISHED: completed 3-way handshake • SYN_RECV: half-open connections 19

  20. SYN Flooding Attack – Launch the Attack • Turn off the SYN Cookie countermeasure: $sudo sysctl -w net.ipv4.tcp_syncookies=0 Targeting telnet server • Launch the attack using netwox • Result 20

  21. SYN Flooding Attack - Results ● Using netstat command, we can see that there are a large number of half-open connections on port 23 with random source IPs. ● Using top command, we can see that CPU usage is not high on the server machine. The server is alive and can perform other functions normally, but cannot accept telnet connections only. 21

  22. SYN Flooding Attack - Launch with Spoofing Code ● We can write our own code to spoof IP SYN packets. 22

  23. Countermeasures Don't store SYN requests. Only store accepted connections (after the 3-handshake protocol is completed) No queue present, so cannot be flooded! Not working! • Since SYN requests are not stored, validity of ACK packets cannot be determined. • Send spoofed ACK packets to flood the Accept-Queue. 23

  24. Countermeasures: SYN Cookies ● D. J. Bernstein (1996). Owns a secret key K Incorporated in Linux and FreeBSD kernels. ● Spoofed SYN attacks can be blocked by the firewall. ● If we can identify an ACK packet is valid, without storing the SYN t packets, then spoofed ACK attacks will not be possible too. 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

ITS335 DoS Attacks DoS Attacks Classic DoS Flooding & DDoS Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013

409 views • 26 slides
Organizational Structure More than simply related or not. Reveals the direction of

Organizational Structure More than simply related or not. Reveals the direction of

3/30/2011 Presenter: Zhang Bo Organizational Structure More than simply related or not. Reveals the direction of supervision and influence. Examples: Advisor-advisee relationship Terrorist organization hierarchy 1 3/30/2011

312 views • 12 slides
Mobile Network Security Refik MOLVA Institut Eurcom B.P. 193 06904 Sophia Antipolis Cedex -

Mobile Network Security Refik MOLVA Institut Eurcom B.P. 193 06904 Sophia Antipolis Cedex -

Mobile Network Security Refik MOLVA Institut Eurcom B.P. 193 06904 Sophia Antipolis Cedex - France Refik.Molva@eurecom.fr Institut Eurecom 2005 Outline Wireless LAN 802.11 (WiFi) Mobile Telecommunications Security

950 views • 60 slides
Pakistan and Terrorism Before and After 9/11 October 2003 PDF created with pdfFactory trial

Pakistan and Terrorism Before and After 9/11 October 2003 PDF created with pdfFactory trial

Pakistan and Terrorism Before and After 9/11 October 2003 PDF created with pdfFactory trial version www.pdffactory.com Introduction Pakistan before 9/11 Pakistan as key US ally after 9/11 Is Pakistan really an ally?

196 views • 15 slides
Wh-movement basics A wh -question is a sentence that crucially contains somewhere in it a wh

Wh-movement basics A wh -question is a sentence that crucially contains somewhere in it a wh

Wh-movement basics A wh -question is a sentence that crucially contains somewhere in it a wh -word. Words that are informally identifiable as wh -words are found across the languages of the world but the semantics of these elements is a

1k views • 52 slides
5/18/2010 Traditional PC application Shuo Chen Rui Wang, XiaoFeng Wang and Kehuan Zhang Web

5/18/2010 Traditional PC application Shuo Chen Rui Wang, XiaoFeng Wang and Kehuan Zhang Web

5/18/2010 Traditional PC application Shuo Chen Rui Wang, XiaoFeng Wang and Kehuan Zhang Web application Web application (1) split between client and server (1) split between client and server (2) state transitions driven by network traffic

287 views • 4 slides
Section 16 Section 16 System Design a 16-1 1 Operating Modes Operating Modes a 16-2 2

Section 16 Section 16 System Design a 16-1 1 Operating Modes Operating Modes a 16-2 2

Section 16 Section 16 System Design a 16-1 1 Operating Modes Operating Modes a 16-2 2 Operating Modes User mode Causes exceptions when protected resources are accessed. May be used for algorithm/application code Supervisor mode

987 views • 64 slides
Darrell Bethea June 8, 2011 Program 4 due Friday Final exam Comprehensive Monday,

Darrell Bethea June 8, 2011 Program 4 due Friday Final exam Comprehensive Monday,

Darrell Bethea June 8, 2011 Program 4 due Friday Final exam Comprehensive Monday, 6/13, 8-11 AM SN014 2 3 Inheritance and polymorphism 4 Person has a jump method, so all subclasses have a jump method Person Athlete

632 views • 25 slides
http://lcl.uniroma1.it ERC Starting Grant MultiJEDI No. 259234 ERC StG: Multilingual Joint

http://lcl.uniroma1.it ERC Starting Grant MultiJEDI No. 259234 ERC StG: Multilingual Joint

Babelfying the Multilingual Web: state-of-the-art Disambiguation and Entity Linking of Web pages in 50 languages Roberto Navigli navigli@di.uniroma1.it http://lcl.uniroma1.it ERC Starting Grant MultiJEDI No. 259234 ERC StG: Multilingual

1.16k views • 38 slides

More recommend