A Study on SYN Flooding
Student: Tao-Wei Huang
Advisor: Prof. Wen-Nung Tsai
2001/06/13
Outline
- Motivation
- Introduction
- Denial of Service Attacks
- Related Works
- Design and Implementation
- Experimental Results
- Conclusions and Future Works
Motivation
- SYN Flooding attacks affect the network seriously
- Attackers need only few resources to launch the attack, and it is difficult to trace the attack back to its source
- TCP carries many important protocols, such as HTTP, FTP and POP3, that are used constantly for information exchange
- No existing mechanism seems to provide an optimal solution [1999, L. Ricciulli]
TCP/IP Model
(figure: source S and destination D run the Application, Transport, Network and Data Link layers; the router R in between implements only the Network and Data Link layers)
UDP -- connectionless
- Provides an unreliable, connectionless delivery service
- No flow control and no retransmission
(figure: Client sends Data, Data, Data to Server with no acknowledgement)
TCP -- connection-oriented
(figure: three-way handshake)
Client -> Server: SYN x, ACK 0            (Server in LISTEN)
Server -> Client: SYN y, ACK x+1          (Server in SYN_RCVD; the half-open entry is kept in the backlog)
Client -> Server: SYN x+1, ACK y+1        (ESTABLISHED)
Denial of Service Attacks
- Ping of Death
- Smurf
- Teardrop
- Land
- SYN Flooding
Smurf
(figure: no text recoverable)
Teardrop (1/2)
(figure: source S sends a 1500-byte IP datagram over Ethernet to router R1; R1 fragments it into 512-, 512- and 476-byte IP fragments, which travel through R2, R3 and R4 as separate Ethernet frames and are reassembled into the 1500-byte datagram at destination D)
Teardrop (2/2)
(figure: fragment headers, shown as Ident, MF flag, Offset and data length)

Normal IP Packet
  Ident= x   MF=0   Offset= 0      1500 data bytes   (the unfragmented datagram)
  Ident= x   MF=1   Offset= 0      512 data bytes
  Ident= x   MF=1   Offset= 512    512 data bytes
  Ident= x   MF=0   Offset= 1024   476 data bytes

Teardrop IP Packet
  Ident= x   MF=1   Offset= 0      512 data bytes
  Ident= x   MF=1   Offset= 500    512 data bytes    (overlaps the previous fragment)
  Ident= x   MF=0   Offset= 1000   476 data bytes
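A reassembly-side check for the fragment sets on this slide, added here as an example (it is not code from the thesis): fragments of one datagram must tile the original exactly, so the Teardrop set is rejected as overlapping before any length arithmetic is done. Offsets are in bytes as on the slide, and the fragments are assumed to be sorted by offset.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not thesis code: strict consistency check on the fragments
 * of one IP datagram (same Ident).  Offsets are in bytes as on the slide
 * (the wire format counts 8-byte units); input is assumed sorted by offset. */
struct frag { int mf; uint32_t offset; uint32_t len; };   /* MF flag, offset, data bytes */

enum frag_check { FRAG_OK, FRAG_OVERLAP, FRAG_GAP, FRAG_BAD_END };

enum frag_check check_fragments(const struct frag *f, size_t n, uint32_t total) {
    uint32_t expect = 0;                       /* where the next fragment must start */
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset < expect)              /* starts inside the previous fragment */
            return FRAG_OVERLAP;
        if (f[i].offset > expect)              /* leaves bytes unfilled */
            return FRAG_GAP;
        if (f[i].len == 0 || f[i].len > UINT32_MAX - f[i].offset)
            return FRAG_BAD_END;               /* empty fragment, or end would wrap */
        expect = f[i].offset + f[i].len;
        if (f[i].mf == 0 && i + 1 != n)        /* MF=0 is only valid on the last one */
            return FRAG_BAD_END;
    }
    if (n == 0 || f[n - 1].mf != 0 || expect != total)
        return FRAG_BAD_END;                   /* missing tail or wrong total length */
    return FRAG_OK;
}

/* The two fragment sets from the slide, both claiming a 1500-byte datagram. */
static const struct frag normal_set[]   = { {1, 0, 512}, {1, 512, 512}, {0, 1024, 476} };
static const struct frag teardrop_set[] = { {1, 0, 512}, {1, 500, 512}, {0, 1000, 476} };

enum frag_check check_normal(void)   { return check_fragments(normal_set, 3, 1500); }
enum frag_check check_teardrop(void) { return check_fragments(teardrop_set, 3, 1500); }
```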
Land Attack
- A TCP SYN packet with the same source and destination IP address and the same source and destination port
  - Ex: (140.113.215.125, 140.113.215.125, 80, 80)
- Land attacks affect some OSs on the Internet
SYN Flooding
(figure: several Attackers send SYNs to the Server; the Server's backlog fills with half-open entries, and its SYN + ACK replies are addressed to a source that never answers, marked "??")
Why SYN Flooding
- Some DoS attacks are OS dependent, and CERT proposes some suggestions for them
- The SYN Flooding attack exploits a weakness in the protocol itself
- There is no optimal solution for defending against the SYN Flooding attack
Related Works
- Firewall/Router Approach
  - Firewall Relay [1997, E. H. Spafford]
  - Cisco TCP Intercept [7xxx Router & PIX 5.2 Firewall]
- Cookie Approach
  - RST Cookie [1996, E. Shenk]
  - SYN Cookie [1996, Rex Di Bona]
- Random Drop [1999, L. Ricciulli]
Firewall Relay
(figure: the Firewall completes one handshake with the Client and a second one with the Server)
Client -> Firewall: SYN x1
Firewall -> Client: SYN y1, ACK x1+1
Client -> Firewall: ACK y1+1
Firewall -> Server: SYN x2
Server -> Firewall: SYN y2, ACK x2+1
Firewall -> Server: ACK y2+1
Data is relayed in both directions, with Sequence Number Conversion between the two connections.
Cisco TCP Intercept
(figure: the Cisco Firewall answers the Client's SYN itself and opens the Server connection only after the Client's ACK arrives)
Client -> Cisco Firewall: SYN x1
Cisco Firewall -> Client: SYN y1, ACK x1+1
Client -> Cisco Firewall: ACK y1+1
Cisco Firewall -> Server: SYN x1
Server -> Cisco Firewall: SYN y2, ACK x1+1
Cisco Firewall -> Server: ACK y2+1
Data flows in both directions with Sequence Number Conversion (y1 on the Client side, y2 on the Server side).
RST Cookie
Client -> Server: SYN x, ACK 0
Server: Check Security Association
Server -> Client: SYN y = hash + z, ACK z+1       (the ACK does not match x)
Client -> Server: RST z+1, ACK y+1
Server: (y+1)-(z+1) =? hash; Allocate Security Association
Client -> Server: SYN
Server: Check Security Association
Server -> Client: SYN+ACK
Client -> Server: ACK
Connection Established
SYN Cookie
Client -> Server: SYN x, ACK 0
Server -> Client: SYN y = hash + x, ACK x+1
Client -> Server: SYN x+1, ACK y+1
Server: (y+1)-(x+1) =? hash
Connection Established
Random Drop
(figure: the backlog filling over time with Spoofed SYN and Legitimate SYN entries)
System Architecture Overview
(figure: the Filter is placed in front of the Server, and both share the same IP address)
Design (1/2)
- The Filter and the Server have the same IP address, and the Server does not respond to ARP Requests
- The Filter responds to ARP Requests for the Server's IP address with its own MAC address
- Hiding the Server in this way protects the Server
Design (2/2)
- SYN Cache
  - Solves the packet-loss problem of SYN Cookie (a lost SYN+ACK can be retransmitted)
  - Entry: (client_ip, client_port, sequence_num, ack_num, retransmit_info), 16 bytes
  - 16 * 10000 = 160 Kbytes
- Hash Function
  - Eliminates the overhead of sequence number conversion
  - Hash(client_ip, client_port, server_ip, server_port, key), computed with xor operations
  - The key is changed periodically
Connection Establishment
(figure: handshake between Client, Filter and Server; messages are written as (seq, ack))
Client -> Filter: ARP Request
Filter -> Client: ARP Reply
Client -> Filter: (x, 0)              Filter: Allocate SYN cache entry if the cache is not full
Filter -> Client: (y, x+1)
Client -> Filter: (x+1, y+1)          Filter: Deallocate SYN cache entry if needed
Filter -> Server: (x, key)
Server -> Filter: (y, x+1)            (with the same key, the Server derives the same y)
Filter -> Server: (x+1, y+1)
Connection Established; data transmission without sequence number conversion
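A model of the Filter side of this handshake and of the SYN cache from Design (2/2), added here as an example (it is not the thesis's FreeBSD code): an xor hash of the 5-tuple and the current key picks y = hash + x, the final ACK is checked with (y+1)-(x+1) == hash, and half-open entries live in a fixed-size cache. The struct layouts, field names and the 0-means-free convention are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example modelling the Filter's handshake; not the thesis's FreeBSD
 * code.  Struct layouts and names are assumed. */
struct flow { uint32_t cip, sip; uint16_t cport, sport; };

/* Hash(client_ip, client_port, server_ip, server_port, key): xor operation */
static uint32_t isn_hash(const struct flow *f, uint32_t key) {
    return f->cip ^ f->sip ^ (((uint32_t)f->cport << 16) | f->sport) ^ key;
}

/* SYN+ACK carries y = hash + x.  A Server holding the same key derives the
 * same y, which is why no sequence number conversion is needed afterwards. */
uint32_t choose_isn(const struct flow *f, uint32_t key, uint32_t x) {
    return isn_hash(f, key) + x;
}

/* Final ACK has seq = x+1 and ack = y+1.  Unsigned subtraction keeps the
 * check (y+1)-(x+1) == hash right when either value wrapped past 2^32. */
bool ack_valid(const struct flow *f, uint32_t key, uint32_t seq, uint32_t ack) {
    return ack - seq == isn_hash(f, key);
}

/* 16-byte SYN cache entry (client_ip, client_port, sequence_num, ack_num,
 * retransmit_info); 10000 entries = 160 Kbytes.  cip == 0 marks a free slot. */
struct syn_entry { uint32_t cip; uint16_t cport; uint16_t retx; uint32_t seq, ack; };
#define SYN_CACHE_SIZE 10000
static struct syn_entry syn_cache[SYN_CACHE_SIZE];
static int syn_cache_used;

/* Allocate an entry if the cache is not full; returns the slot, or -1 (drop). */
int syn_cache_alloc(const struct flow *f, uint32_t x, uint32_t y) {
    if (syn_cache_used >= SYN_CACHE_SIZE) return -1;
    for (int i = 0; i < SYN_CACHE_SIZE; i++) {
        if (syn_cache[i].cip == 0) {
            syn_cache[i] = (struct syn_entry){ f->cip, f->cport, 0, x + 1, y + 1 };
            syn_cache_used++;
            return i;
        }
    }
    return -1;
}

/* Deallocate once the handshake completes (or the entry is no longer needed). */
void syn_cache_free(int slot) {
    if (slot < 0 || slot >= SYN_CACHE_SIZE || syn_cache[slot].cip == 0) return;
    syn_cache[slot] = (struct syn_entry){ 0 };
    syn_cache_used--;
}
```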
Modification on Filter
(figure: the network stack call chain on the Filter)
Application
tcp_input() / tcp_output()
ip_input() / ip_output()
in_arpinput()
ether_input() / ether_output()
ether_filter()    (present only in the Filter figure)
Modification on Server
(figure: the network stack call chain on the Server)
Application
tcp_input() / tcp_output()
ip_input() / ip_output()
in_arpinput()
ether_input() / ether_output()
Experimental Environment
(figure: Scenario (1) and Scenario (2); the Filter and the Server share the same IP address)
Experimental Equipment
- Hardware
  - P-III 500 with 100Mbps Ethernet Card
  - 100Mbps Hub, Router
- Software
  - Server (apache 1.3.12) on FreeBSD 4.1.1
  - Client (httperf 0.6) on FreeBSD 4.1.1
  - Attacker (synk4.c) on FreeBSD 4.1.1
- Attacker Speed
  - FreeBSD default warning threshold: 200pps
  - Attack rate from 1000pps to 10000pps
  - Test file size from 1k to 200k Bytes
Experimental Results
(figures only; the plotted data is not recoverable from the text)
Throughput (1/3)
Throughput (2/3)
Throughput (3/3)
Request per Second (1/3)
Request per Second (2/3)
Request per Second (3/3)
Execution Time (1/3)
Execution Time (2/3)
Execution Time (3/3)
Conclusions (1/2)
- Strength of Proposed Approach
  - filters packets, authenticates the client, and forwards packets
  - no other services provided
- Comparisons with Existing Approaches

                              Our Approach   Cisco TCP Intercept   Firewall/Proxy
  Connection Establishment    NO             YES                   YES
  Sequence Number Conversion  NO             YES                   YES
Conclusions (2/2)

                         Our Approach   SYN Cookie   RST Cookie   Random Drop
  Guarantee Service      YES            YES          YES          NO
  Memory Immunity        YES            YES          YES          YES
  Computing Immunity     NO             NO           NO           YES
  Packet Retransmission  YES            NO           NO           YES
  Good Performance       YES            YES          NO           YES
Future Works
- Fault Tolerance Mechanism
- Protecting Multiple Services
- Intelligent Configuration