Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S

advertisement 
CS 380S
0x1A Great Papers in
Computer Security
Vitaly Shmatikov
http://www.cs.utexas.edu/~shmat/courses/cs380s/
slide 1
D. Bernstein
SYN cookies
(1996)
slide 2
TCP Handshake
C
S
SYNC
SYNS, ACKC
Listening…
Spawn a new thread,
store data
(connection state, etc.)
Wait
ACKS
Connected
slide 3
SYN Flooding Attack
S
SYNC1
Listening…
SYNC2
Spawn a new thread,
store connection data
SYNC3
… and more
SYNC4
SYNC5
… and more
… and more
… and more
… and more
slide 4
SYN Flooding Explained
Attacker sends many connection requests with
spoofed source addresses
Victim allocates resources for each request
• New thread, connection state maintained until timeout
• Fixed bound on half-open connections
Once resources exhausted, requests from
legitimate clients are denied
This is a classic denial of service attack
• Common pattern: it costs nothing to TCP initiator to
send a connection request, but TCP responder must
spawn a thread for each request - asymmetry!
slide 5
Preventing Denial of Service
DoS is caused by asymmetric state allocation
• If responder opens new state for each connection
attempt, attacker can initiate thousands of connections
from bogus or forged IP addresses
Cookies ensure that the responder is stateless
until initiator produced at least two messages
• Responder’s state (IP addresses and ports of the connection) is stored in a cookie and sent to initiator
• After initiator responds, cookie is regenerated and
compared with the cookie returned by the initiator
slide 6
SYN Cookies
C
S
SYNC
Compatible with standard TCP;
simply a “weird” sequence number
SYNS, ACKC
[Bernstein and Schenk]
Listening…
Does not store state
sequence # = cookie
F=Rijndael or crypto hash
F(source addr, source port,
dest addr, dest port,
coarse time, server secret)
ACKS
sequence # = cookie+1
Cookie must be unforgeable
and tamper-proof (why?)
Recompute cookie,
compare with the received
cookie, only establish
connection if they match
More info: http://cr.yp.to/syncookies.html
slide 7
Anti-Spoofing Cookies: Basic Pattern
Client sends request (message #1) to server
Typical protocol:
• Server sets up connection, responds with message #2
• Client may complete session or not - potential DoS!
Cookie version:
• Server responds with hashed connection data instead
of message #2
• Client confirms by returning hashed data
– If source IP address is spoofed, attacker can’t confirm
• Need an extra step to send postponed message #2,
except in TCP (SYN-ACK already there)
slide 8
Related documents
Kristen's Cookie Company
Kristen's Cookie Company
MASSACHUSETTS INSTITUTE OF TECHNOLOGY Sloan School of Management
MASSACHUSETTS INSTITUTE OF TECHNOLOGY Sloan School of Management
the doorbell rang powerpoint
the doorbell rang powerpoint
Client-side security
Client-side security
Download
advertisement