Document

advertisement
The Computer Communication Lab (236340)
Winter 2004/2005
Denial of Service attack protection
First Report
Submitted by:
Aviram Naama
034432781
snaviram@t2
Koyfman Oleg
308827351
skoyfman@t2
Shmerlin Boris
308900075
sbshmerl@t2
1.Introduction
Denial of Service attack attempt to prevent legitimate users of a network
service from using that service. DoS techniques include variants such as the
Teardrop and TCP SYN Attack.
Teardrop attack uses overlapping offset fields in the IP fragmentation. A TCP
connection starts by a SYN packet sent from a host to a destination, a SYN
ACK that is sent back and finally an Ack of the last SYN again from the host
to the destination. This is referred to as the "TCP 3 way handshake". While
waiting for the last ACK, a connection queue of finite size on the destination
host keeps track of connections waiting to be completed. This queue typically
empties quickly since the ACK is expected to arrive very quickly after the
SYN ACK. The TCP SYN attack exploits this design by having an attacking
source host generate TCP SYN packets with random source addresses toward
a victim host. The victim destination host sends a SYN ACK back to the
random source address and adds an entry to the connection queue. Since the
SYN ACK is destined for an incorrect or nonexistent host, the last part of the
"three-way handshake" is never completed and the entry remains in the
connection queue until a timer expires, typically for about one minute. By
generating TCP SYN packets from random IP addresses at a rapid rate, the
connection queue is blocked and any TCP services cannot be served.
Figure
1.a
Ethernet
Internet
Firewall
2.Firewall Description
2.1.
SYN attack protection description:
The firewall works as proxy. When it gets the first packet (the syn
packet) in three way handshake process the firewall stores it in current
connection oriented buffer and sends client second packet ( syn + ack
packet) and waits for third packet (client ack packet). If client ack
packet arrives in defined period of time, firewall opens connection to
server using client previous packets so it stops to function as proxy.
Figure 2.a
Client
Firewall
Msg1
:SYN(C
lie
+A
SYN
nt.IP,S
erver.I
P)
lie
r.IP,C
erve
CK(S
ACK(
Server
Clien
t.IP, S
e
)
nt.IP
rver.I
P)
SYN(M
sg1)
+A
SYN
t.IP)
Clien
r.IP,
e
v
r
e
CK ( S
ACK(
TCP p
a
cket
TCP p
a
2.2.
Clien
t.IP, S
erv
er.IP)
cket
TCP packe
t
TCP packe
t
Teardrop attack protection description:
As in case of SYN attack firewall functions as proxy and gets
fragmented packets. On each fragment arrival firewall checks if arrived
packet offset field does not overlap previous fragment of the same
packet. In case it does overlap the firewall realizes that it's under attack
and closes the connection, otherwise sends the fragment to the server,
keeps needed information in order to perform next check and waits for
next fragment. If next fragment does not arrive in timeout the packet is
dropped.
3.Firewall modules
Firewall is build from three main modules: sender, receiver and inspector.
Figure 3.a
Firewall module
Sender module
Receiver module
Input buffer
Output buffer
Inspector module
Input buffer
Sender module
Data
Base
Data
Base
Data
Base
Output buffer
Receiver module
3.1. Sender module
This is a thread that samples the output buffer. When the packet is in the
buffer, the thread takes it, and sends it on the NIC (network card), on
which it is running. In our system there are two such modules: one is
running on internal NIC (for incoming messages for server) and one on
external NIC (for outgoing messages from server).
3.2. Receiver module
This is a thread that receives packets from a NIC, on which it is running.
The thread is listening on the specified TCP port, and when the packet is
sent to that port, the receiver module receives it, and enters it to the input
buffer.
3.3. Inspector module
This module is in charge of two tasks:
 Detecting SYN attack
 We define suitable granularity of measurement time period T.
Each T seconds we sample the number of pending
connections – f(T)
 Establishing a connection
 Acts as a proxy on establishing a connection. For each
incoming SYN packet, answers with SYN+ACK and waits for
ACK from a client. That’s way it protects the server against
SYN attack. When the connection with the client is
established, it is establishing the connection with a server (see
figure 2.a). The connection from firewall module to server is
performed as it was the connection establishing from client to
server, so it will be transparent for both sides (neither the
client, nor the server will know that the firewall intermediate).
 Detecting Teardrop attack
 Performs inspection of incoming fragmented packets. For
each fragmented packet, ensures that fragments are not
overlapping with each other.
4.Algorithms
Syn attack protection
There is an IP database, the "Black IP list", which holds all the ip addresses
that are suspected as SYN attackers. For each address entered the database, it
is removed from it after one minute. Each time the attack detected from the IP
from the database, the timeout is initialized. If SYN packet arrives from the IP
from this database, the packed is discarded.
Statistics:
 Formula
F (ti )   * f (ti 1 )  (1   ) * F (ti 2 )
 Definitions:
1. ti - time period between two inspections of pending
connections.
2. f (ti ) - number of pending connections in current
inspection.
3. F (ti ) - expected value of pending connections for current
inspection.
4.  - weight of last inspection in total computation.
 Explanation:
Each ti we compute f (ti ) . If f (ti ) is much bigger than
F (ti ) we understand that we are under attack and enter
“defense SYN attack” mode. In this mode, we reduce timeout
of waiting for third ACK in three way handshake, we stop
calculating the new F (ti ) until we exit this mode by reaching
number of pending connections compatible with previous
F (ti ) . When we exit the “defense SYN attack” mode we
increase the third ACK timeout, back to its original value.
 Remarks:
1.  and ti will be defined experimentally and may be
changed by user.
2. Statistic calculations and SYN protection algorithm will be
implemented by different threads.
SYN protection algorithm:
1. SYN packet arrives – receiver module enters the packet to input buffer.
2. The inspector module takes the packet from the input buffer and detects
that this is a SYN packet
3. If this is a SYN message: saves it in its database and answers with
SYN+ACK in order to establish a connection with a client. SYN+ACK
packets destination IP is client's IP, and source IP is servers IP (the firewall
is faking the response)
4. Firewall waits for ACK from client during defined time out period.
4.1. If the ACK arrives during time out period – connection established. For
5.
6.
7.
8.
9.
each incoming packet from a client, destined for the server we will
save it in the database and after a connection with a server will be
established, we will send them to server.
4.2. Else:
4.2.1. We suspect this to be a SYN attack – so we check source IP
against “suspected SYN attackers” database.
4.2.1.1. If this IP in the database: we increase a counter of received
SYN without ACK packets.
4.2.1.2. Else we enter it to the database with initialization of it’s
counter to 1
4.2.1.3. If the counter reached Z – we say that this IP is an attacker,
and enter it to the “Black IP list” and SYN packet that
belongs to this connection dropped from the buffer.
The firewall takes the original SYN that arrived form client and sends it to
the server (now the firewall faking the initiation of connection)
The server will respond with the SYN+ACK of his own.
The firewall will generate ACK for the server, with source IP of clients IP,
and destination IP of servers IP. The connection between firewall and
server is established. Now we can say that a connection between client and
server is established.
Any packet that arrives to firewall after a connection has been established,
is inspected, and then passed to the other side (for example, if the packet
from server to client is arrived, the firewall will send it to client and vice
versa)
When server or client sends FIN – the database is cleared of all data from
this connection
Teardrop denial
Database description:
For each "source IP" we will hold all the fragmented packets, so when the
packet arrives we can easily find the rest of the fragments.
1. When a fragmented packet arrives, the packet saved in a database,
according to a connection.
2. The timeout is set to be X minutes: after X minutes, if not all fragmented
packets arrived, the packets are dropped.
3. For each additional fragmented packet that comes from this connection:
a. Verify that the offsets are not overlapping
i. If the overlapping is detected:
1. The database is cleared
2. The connection is closed in both sides (client and
server)
3. The IP of the attacker is entered into the "Black IP
list"
b. Verify that you have all the fragmented packets
i. If you have all packets – assemble the packets into one TCP
packet and send it to the server
ii. Else enter the packet into the database
4. After timeout – if we still have fragmented packets and we can't
reassemble them:
a. The packets are dropped
b. The database is cleared
c. The IP of the sender is entered the database of "suspected
Teardrop attackers"
d. If counter of IP in the "suspected Teardrop attackers" is reached
value of Y attacks:
i. The IP is entered to the "Black IP list"
ii. Removed from the "suspected Teardrop attackers"
iii. Connection closed in both sides (client and server)
5. Database
In our algorithms we use several databases:
1. Suspected Teardrop attackers
2. Black IP list
3. Suspected SYN attackers
This is an example of suspected databases:
IP address
Entrance
timestamp
203.0.2.1
12:04:23 PM
This is an example of black IP list database:
IP address
Entrance
timestamp
203.0.2.1
12:04:23 PM
Counter
3
In each of the databases we have a timeout, after which we remove the entry
from the database.
6. Timetable
21.11.2004 – 1.12.2004 – Design of classes (Low level design)
2.12.2004 – 2.1.2005 – Implementation + Unit tests
3.1.2005 – 15.1.2005 – Testing
16.1.2005
– Project presentation
16.1.2005 – 30.1.2005 – Final report preparation
30.1.2005
– Final report submission
Download