DoS Seminar 2

Spoofed Packet Attacks and Detection Methods

By Prateek Arora

Introduction

• When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like e-mail and the Internet. An attack can be directed at an operating system or at the network.

Types of DoS attacks

• Ping Flood Attack (ICMP echo)
• SYN Flood Attack (DoS attack)
• DDoS Attack (Distributed SYN Flood)
• UDP Flood Attacks
• Smurf Attack
• DNS name server Attack
• Land Attack
• Ping of Death Attack
• Fragmentation / Teardrop Attack
• Connection Spoofing
• Bounce Scanning
• Stealth Communication

What is a “Spoofed Packet”?

• Packets sent by an attacker such that the true source is not authentic
  – MAC spoofing
  – IP packet spoofing
  – Email spoofing

• This is not the same as routing attacks
  – These cause packets to be redirected
  – e.g. DNS cache poisoning; router table attacks; ARP spoofing

Significance of “Spoofed Packets” in DoS attacks

• Spoofed packets are a part of many attacks
  – SYN Flood Attack
  – Smurf Attack
  – Connection Spoofing
  – Bounce Scanning
  – Stealth Communication

IP/TCP Header Review

IP Header Format (20 bytes without options):

  version | header length | TOS       | total length
  identification            | flags     | fragment offset
  TTL     | protocol       | header checksum
  source IP address
  destination IP address
  options (if any)
  data

IP/TCP Header Review

TCP Header Format (20 bytes without options):

  source port number                           | destination port number
  sequence number
  acknowledgement number
  header length | reserved | URG ACK PSH RST SYN FIN | window size
  TCP checksum                                 | urgent pointer
  options (if any)
  data (if any)

Smurf Attack

• In this attack, spoofed IP packets containing an ICMP Echo-Request, with a source address equal to that of the attacked system and a broadcast destination address, are sent to the intermediate network.

• Sending an ICMP Echo Request to a broadcast address triggers all hosts on that network to respond with an ICMP Echo Reply, thus creating a large mass of packets which are routed to the victim's spoofed address.

Smurf Attack (contd.)

Figure (source: Cisco): the perpetrator sends an ICMP echo request with the spoofed source address of the victim to the IP broadcast address of innocent reflector sites across the Internet; every host at those sites sends an ICMP echo reply to the victim. (ICMP = Internet Control Message Protocol.)

Bandwidth multiplication: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack traffic. The figure's own caption reads: "1 SYN, simultaneous 10,000 SYN/ACKs - VICTIM IS DEAD".

SYN Flood Attack

• TCP Handshake Review
  – client
    • sends SYN packet to server
    • waits for SYN-ACK from server
  – server
    • responds with SYN-ACK packet
    • waits for ACK packet from client
  – client
    • sends ACK to server

Message sequence: SYN -> SYN-ACK -> ACK

SYN Flood Attack

• Attacker causes TCP buffer to be exhausted with half-open connections

• No reply from target needed, so source may be spoofed.

• Claimed source must not be an active host.

Figure: the target's TCP buffers. Each buffer slot is either empty, a half-open connection (waiting for ACK), or a completed handshake (connection open). The first frame shows buffers holding connections from 169.237.5.23, 168.150.241.155 and 169.237.7.114; the second frame shows the buffers filled with half-open connections from the spoofed sources 128.120.254.1 through 128.120.254.15, alongside 169.237.7.114.

Summary of attack methods

  Attack              Attack packets                           Reply packets
  Smurf               ICMP echo queries to broadcast address   ICMP echo replies
  SYN flooding        TCP SYN packets                          TCP SYN ACK packets
  RST flooding        TCP packets to closed ports              TCP RST packets
  ICMP flooding       ICMP queries                             ICMP replies
                      UDP packets to closed ports              Port unreachable
                      IP packets with low TTL                  Time exceeded
  DNS reply flooding  DNS queries (recursive) to DNS servers   DNS replies

Detection Methods

• Routing-based

• Active
  – Proactive
  – Reactive

• Passive

Routing-based Method

• For a given network topology certain source IP addresses should never be seen
  – Internal addresses arriving on external interface
  – External addresses arriving on internal interface
  – IANA non-routable addresses on external interface
  – Other special addresses

Figure: a border device with an internal NIC and an external NIC.

Special Addresses

• 0.0.0.0/8 - Historical Broadcast
• 10.0.0.0/8 - RFC 1918 Private Network
• 127.0.0.0/8 - Loopback
• 169.254.0.0/16 - Link Local Networks
• 172.16.0.0/12 - RFC 1918 Private Network
• 192.0.2.0/24 - TEST-NET
• 192.168.0.0/16 - RFC 1918 Private Network
• 240.0.0.0/5 - Class E Reserved
• 248.0.0.0/5 - Unallocated
• 255.255.255.255/32 - Broadcast

Routing-based Methods

• Most commonly used method
  – firewalls, filtering routers

• Relies on knowledge of network topology and routing specs.

• Primarily used at organizational border.

• Cannot detect many examples of spoofing
  – Externally spoofed external addresses
  – Internally spoofed internal addresses
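The routing-based check described above, written out as a small filter. This is an added example, not code from the seminar: the internal prefix 198.51.100.0/24 and the sample packets (drawn from the RFC 5737 documentation ranges) are constructed, and the last sample shows the blind spot the slides name, an externally spoofed external address that this method cannot see.

```python
"""Routing-based spoof check for a border device with one internal and one
external interface. Added illustrative code, not from the seminar slides.
The site prefix and the sample packets are constructed (RFC 5737 documentation
ranges), so the addresses are assumptions, not real traffic."""
import ipaddress

# The special-address list from the slides: none of these should ever be a
# source address arriving on the external interface.
SPECIAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",           # historical broadcast
    "10.0.0.0/8",          # RFC 1918 private
    "127.0.0.0/8",         # loopback
    "169.254.0.0/16",      # link local
    "172.16.0.0/12",       # RFC 1918 private
    "192.0.2.0/24",        # TEST-NET
    "192.168.0.0/16",      # RFC 1918 private
    "240.0.0.0/5",         # class E reserved
    "248.0.0.0/5",         # unallocated
    "255.255.255.255/32",  # broadcast
)]


def check_source(src, interface, internal_prefixes):
    """Return None if `src` is plausible on `interface` ('internal' or
    'external'), otherwise a short reason why it is suspicious."""
    ip = ipaddress.ip_address(src)
    is_internal = any(ip in net for net in internal_prefixes)
    if interface == "external":
        if is_internal:
            return "internal address arriving on external interface"
        for net in SPECIAL_PREFIXES:
            if ip in net:
                return f"special address {net} arriving on external interface"
        return None
    if interface == "internal":
        if not is_internal:
            return "external address arriving on internal interface"
        return None
    raise ValueError(f"unknown interface {interface!r}")


def filter_packets(packets, internal_prefixes):
    """Split (src, interface) observations into (passed, flagged) lists;
    flagged entries carry the reason."""
    passed, flagged = [], []
    for src, interface in packets:
        reason = check_source(src, interface, internal_prefixes)
        if reason is None:
            passed.append((src, interface))
        else:
            flagged.append((src, interface, reason))
    return passed, flagged


# Constructed site: 198.51.100.0/24 is "our" internal network.
SITE_INTERNAL = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample traffic: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.7", "external"),    # ordinary external host: allowed
    ("198.51.100.9", "external"),   # our own address from outside: spoofed
    ("10.4.4.4", "external"),       # RFC 1918 source from outside: spoofed
    ("203.0.113.9", "internal"),    # external address from inside: spoofed
    ("198.51.100.20", "internal"),  # our host talking out: allowed
    ("203.0.113.8", "external"),    # externally spoofed external address: not detectable here
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS, SITE_INTERNAL)
    for src, iface, why in bad:
        print(f"DROP {src:16} on {iface:8} ({why})")
    print(f"{len(ok)} passed, {len(bad)} flagged")
```

The check is only as good as the topology knowledge it encodes: the internal prefix list must match what is actually routed behind the device, and the last sample packet passes because nothing in the header contradicts the interface it arrived on.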

Proactive methods

• Looks for behavior that would not occur if the claimed client had actually processed the packet sent back to it.

• Method: change in IP stack behavior

• Can observe suspicious activity

• Examples –
  – TCP window games
  – SYN-Cookies (block without detection)

TCP Window Games

• Modified TCP Handshake
  – client
    • sends SYN packet and ACK number to server
    • waits for SYN-ACK from server w/ matching ACK number
  – server
    • responds with SYN-ACK packet w/ initial “random” sequence number
    • Sets window size to zero
    • waits for ACK packet from client with matching sequence number
  – client
    • sends ACK to server with matching sequence number, but no data
    • Waits for ACK with window > 0
    • After receiving larger window, client sends data.

Spoofer will not see 0-len window and will send data without waiting.

Message sequence:
  client -> server: SYN (ack-number)
  server -> client: SYN-ACK (seq-number, ack-number, window = 0)
  client -> server: ACK (seq_number, ack-number, no data)
  server -> client: ACK (seq-number, ack-number, window = 4096)
  client -> server: ACK (seq_number, ack-number, w/ data)

SYN-Cookies

• Modified TCP Handshake

• Example of “stateless” handshake
  – client
    • sends SYN packet and ACK number to server
    • waits for SYN-ACK from server with matching ACK number
  – server
    • responds with SYN-ACK packet with initial SYN-cookie sequence number
    • Sequence number is cryptographically generated value based on client address, port, and time.
    • No TCP buffers are allocated
  – client
    • sends ACK to server with matching sequence number
  – server
    • If ACK is to an unopened socket, server validates returned sequence number as SYN-cookie
    • If value is reasonable, a buffer is allocated and socket is opened.

Spoofed packets will not consume TCP buffers

Message sequence:
  client -> server: SYN (ack-number)
  server -> client: SYN-ACK (seq-number as SYN-cookie, ack-number)  [NO BUFFER ALLOCATED]
  client -> server: ACK (seq_number, ack-number + data)
  server -> client: SYN-ACK (seq-number, ack-number)  [TCP BUFFER ALLOCATED]
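The stateless handshake above, as an added worked example (not code from the seminar, and not a description of any particular kernel's SYN-cookie format). The cookie layout chosen here, 5 bits of coarse time and 27 bits of keyed hash over client and server address and port, is an assumption for illustration; the server address, the client addresses and the flood size are constructed.

```python
"""SYN-cookie style stateless handshake, added to illustrate the mechanism on
the slides (not the seminar's code). The cookie layout (5 bits of coarse time,
27 bits of keyed hash over client/server address and port plus the time slot)
is a simplification chosen here, not any kernel's actual implementation."""
import hashlib
import hmac
import os

SECRET = os.urandom(32)       # per-server secret key for the cookie MAC
TIME_BITS = 5                 # top 5 bits of the ISN carry a time counter
HASH_BITS = 32 - TIME_BITS    # remaining 27 bits carry the keyed hash
TIME_GRANULARITY = 64         # seconds per time-counter tick


def _mac(client, server, t):
    """Keyed hash over (client ip, client port, server ip, server port, t),
    truncated to HASH_BITS bits."""
    msg = "|".join(map(str, (*client, *server, t))).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def _time_slot(now):
    return (int(now) // TIME_GRANULARITY) & ((1 << TIME_BITS) - 1)


def make_syn_cookie(client, server, now):
    """Server ISN for the SYN-ACK; nothing about the client is stored."""
    t = _time_slot(now)
    return ((t << HASH_BITS) | _mac(client, server, t)) & 0xFFFFFFFF


def check_syn_cookie(client, server, ack_number, now):
    """Validate the ACK of a handshake we kept no state for: the client's
    ack-number must be our cookie + 1, and the cookie must be recent."""
    seq = (ack_number - 1) & 0xFFFFFFFF
    t = seq >> HASH_BITS
    # Accept the current time slot and the previous one (cookie just rolled over).
    if (_time_slot(now) - t) % (1 << TIME_BITS) > 1:
        return False
    return (seq & ((1 << HASH_BITS) - 1)) == _mac(client, server, t)


class StatelessListener:
    """Toy server socket: SYNs allocate nothing; a buffer is allocated only
    when an ACK carries a valid cookie."""

    def __init__(self, addr):
        self.addr = addr
        self.open_connections = {}   # client -> server ISN, allocated on valid ACK

    def on_syn(self, client, now):
        # Reply with a SYN-ACK whose sequence number is the cookie; keep no state.
        return make_syn_cookie(client, self.addr, now)

    def on_ack(self, client, ack_number, now):
        if client in self.open_connections:
            return True
        if not check_syn_cookie(client, self.addr, ack_number, now):
            return False                      # stale or forged: still no buffer
        self.open_connections[client] = (ack_number - 1) & 0xFFFFFFFF
        return True


def simulate_flood(listener, n_spoofed, now):
    """Send n_spoofed SYNs from distinct constructed source addresses and
    return how many buffers the listener has allocated afterwards."""
    for i in range(n_spoofed):
        spoofed = (f"203.0.113.{i % 254 + 1}", 1024 + i)  # constructed sources
        listener.on_syn(spoofed, now)                     # the SYN-ACK is never answered
    return len(listener.open_connections)


if __name__ == "__main__":
    srv = StatelessListener(("198.51.100.1", 80))   # constructed server address
    print("buffers after 10000 spoofed SYNs:", simulate_flood(srv, 10000, now=1000))
    legit = ("203.0.113.250", 40000)
    cookie = srv.on_syn(legit, now=1000)
    print("legit ACK accepted:", srv.on_ack(legit, cookie + 1, now=1005))
    print("buffers now:", len(srv.open_connections))
```

Because the server keeps nothing per SYN, ten thousand spoofed SYNs leave the connection table empty; only an ACK whose acknowledgement number equals a cookie the server itself could have issued, for that client and within the recent time window, allocates state. This is why the slides list SYN-cookies as blocking the attack without detecting it: a forged ACK is simply discarded, not reported.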

Reactive methods

• When a suspicious packet is received, a probe of the source is conducted to verify if the packet was spoofed

• May use same techniques as proactive methods

• Example probes
  – Is TTL appropriate?
  – Is ID appropriate?
  – Is host up?
  – Change window size

Passive Methods

• Learn expected values for observed packets

• When an anomalous packet is received, treat it as suspicious

• Example values –
  – Expected TTL
  – Expected client port
  – Expected client OS idiosyncrasies

Experiments

• Determine the validity of various spoofed-packet detection methods

• Predictability of TTL

• Predictability of TTL (active)

• Predictability of ID (active)

Experiment Description - Passive

• Monitor network traffic
• Record
  – Source IP address
  – TTL
  – Protocol
• Count occurrences of all unique combinations
• Statistically analyze predictability of the data

Results - Passive

• Data collected over 2 week periods at University of California, Davis

• 23,000,000 IP packets observed
  – 23461 source IP addresses
    • 110 internal
    • 23351 external

Results - Passive

• Predictability measure
  – Conditional Entropy (unpredictability)

• Values closer to zero indicate higher predictability

$$H(Y|X) = -\sum_{x,y} P(x,y)\,\log P(y|x)$$
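The passive experiment above (record source address, protocol and TTL, count the combinations, measure predictability with conditional entropy) carried through on constructed data, together with the passive detection rule from the "Passive Methods" slide. This is an added example, not the seminar's code: the packet records are made up, the per-address entropies are averaged per protocol into the "H mean / H variance / Number Addresses / Number Packets" layout of the result tables, and the tolerance of 2 hops used to call a TTL anomalous is an assumption made here.

```python
"""Passive TTL predictability: the conditional entropy measure from the slides
and a learn-then-flag TTL model. Added illustration, not code from the seminar.
The packet records are constructed; the 2-hop tolerance is an assumption."""
import math
from collections import Counter, defaultdict
from statistics import mean, pvariance

# Constructed observations: (source IP, protocol, TTL).
OBSERVED = (
    [("203.0.113.5", "TCP", 52)] * 9 + [("203.0.113.5", "TCP", 51)]        # stable external host
    + [("198.51.100.20", "UDP", 64)] * 5 + [("198.51.100.20", "UDP", 1)] * 5  # traceroute-like UDP
    + [("198.51.100.20", "TCP", 64)] * 4
)


def conditional_entropy(pairs):
    """H(Y|X) = -sum_{x,y} P(x,y) log2 P(y|x), over an iterable of (x, y)."""
    joint = Counter(pairs)
    n = sum(joint.values())
    marginal = Counter()
    for (x, _), c in joint.items():
        marginal[x] += c
    h = 0.0
    for (x, _), c in joint.items():
        p_xy = c / n
        p_y_given_x = c / marginal[x]
        h -= p_xy * math.log2(p_y_given_x)
    return h


def per_source_ttl_entropy(records, protocol=None):
    """Entropy of each source address's TTL distribution (H(TTL | X = src)),
    optionally restricted to one protocol."""
    ttls = defaultdict(list)
    for src, proto, ttl in records:
        if protocol is None or proto == protocol:
            ttls[src].append(ttl)
    # With a constant x the formula reduces to the entropy of that source's TTLs.
    return {src: conditional_entropy((src, t) for t in vals) for src, vals in ttls.items()}


def summarize(records):
    """Per protocol (plus 'All'): (H mean, H variance, number of addresses,
    number of packets), matching the layout of the slides' result tables."""
    rows = {}
    for proto in ["All"] + sorted({p for _, p, _ in records}):
        subset = records if proto == "All" else [r for r in records if r[1] == proto]
        hs = list(per_source_ttl_entropy(subset).values())
        rows[proto] = (mean(hs), pvariance(hs), len(hs), len(subset))
    return rows


class PassiveTTLModel:
    """Learn the usual TTL per (source, protocol); later flag packets whose
    TTL strays from the learned mode by more than `tolerance` hops."""

    def __init__(self, tolerance=2):
        self.tolerance = tolerance
        self.seen = defaultdict(Counter)

    def learn(self, records):
        for src, proto, ttl in records:
            self.seen[(src, proto)][ttl] += 1

    def is_suspicious(self, src, proto, ttl):
        """True/False for a (src, proto) with a baseline; None when unknown."""
        counts = self.seen.get((src, proto))
        if not counts:
            return None
        expected = counts.most_common(1)[0][0]
        return abs(ttl - expected) > self.tolerance


if __name__ == "__main__":
    for proto, (h_mean, h_var, n_addr, n_pkts) in summarize(OBSERVED).items():
        print(f"{proto:5} H mean {h_mean:.6f}  H var {h_var:.6f}  addrs {n_addr}  pkts {n_pkts}")
    model = PassiveTTLModel()
    model.learn(OBSERVED)
    print("TTL 240 from 203.0.113.5/TCP suspicious:", model.is_suspicious("203.0.113.5", "TCP", 240))
```

The constructed UDP source reproduces the slide's finding that UDP is the least reliable protocol for this measure: its mix of normal and traceroute-style TTLs gives it an entropy of 1 bit, whereas the steady TCP sources sit near zero.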

Results - Passive

All packets

  Protocol   H mean     H variance   Number Addresses   Number Packets
  All        0.055759   0.029728     23461              22999999
  ICMP       0.027458   0.023726     801                223341
  IGMP       0          0            23                 297
  TCP        0.046149   0.023114     15891              20925893
  UDP        0.065164   0.040655     7397               1850468

Results - Passive

External addresses only

  Protocol   H mean     H variance   Number Addresses   Number Packets
  All        0.055505   0.029731     23351              9229608
  ICMP       0.026159   0.023271     780                88371
  IGMP       0          0            3                  26
  TCP        0.046324   0.023201     15825              8857983
  UDP        0.065537   0.041015     7306               283228

Results - Passive

Internal Addresses Only

  Protocol   H mean     H variance   Number Addresses   Number Packets
  All        0.109633   0.026097     110                13770391
  ICMP       0.075714   0.03822      21                 134970
  IGMP       0          0            20                 271
  TCP        0.004189   0.000321     66                 12067910
  UDP        0.035207   0.010859     91                 1567240

Results - Passive

Only Addresses with more than 250 packets

  Protocol   H mean     H variance   Number Addresses   Number Packets
  All        0.060041   0.035521     2876               22338795
  ICMP       0.035778   0.020212     33                 219605
  IGMP       0          0            1                  0
  TCP        0.051132   0.027288     2713               20332940
  UDP        0.165818   0.175238     148                1779896

Results - Passive

Only Addresses with more than 500 packets

  Protocol   H mean     H variance   Number Addresses   Number Packets
  All        0.050635   0.031506     2306               22140140
  ICMP       0.022401   0.014516     30                 218560
  IGMP       0          0            1                  0
  TCP        0.042716   0.022273     2190               20150197
  UDP        0.164326   0.209436     104                1764716

Results - Passive

• TTL differs by protocol

• UDP most unreliable
  – traceroute is major contributor (can be filtered)
  – certain programs set TTL anomalously
  – ToS may be useful in reducing inconsistencies

• TTL on local network highly regular
  – must filter traceroute traffic

Experiment Description - Reactive

• Monitor network traffic
• Record IP address, Protocol, TTL and ID
• Send probe packet(s)
  – ICMP echo reply packet
  – TCP syn packet
  – UDP packet
• Note the differences between the stored TTL/ID and those of the returning probes.

Results - Reactive

• Evaluate –
  – initial vs. probe reply TTL
  – initial vs. probe reply ID (delta from original)

• Predictability measure
  – Conditional Entropy (unpredictability)

• Values closer to zero indicate higher predictability

Results - Reactive

• Preliminary only
  – Ran for 18 hours
  – 8058 probes sent
  – 218 unique addresses
    • 173 external
    • 45 internal

Results - Reactive

• TTL off by:

  TTL offset       Probes   Difference to next row   Percent
  Total # probes   8058     1591
  +/- 2 or less    6467     371                      80%
  +/- 1 or less    6096     986                      75%
  0                5110                              63%

Results - Reactive

• ID off by:
  – Total # probes 8058

  Offset   Count          Offset   Count
  1        601            256      73
  2        57             512      5
  4        21             768      22
  6        16             1280     10
  5        14
  7        11
  8        9
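The reactive evaluation described in the experiment slides (compare the TTL and ID stored from a suspicious packet with those of the probe reply, then bin the offsets as in the two result tables above), as an added example that is not the seminar's code. The probe log is constructed, and the +/-2 TTL tolerance used for the per-probe verdict is an assumption made here, chosen to match the first bucket of the slide's TTL table.

```python
"""Evaluating reactive probe replies: TTL and IP-ID offsets between the stored
suspicious packet and the probe reply, binned as on the result slides, plus a
per-probe verdict. Added example, not from the seminar; data and the 2-hop
tolerance are constructed assumptions."""
from collections import Counter

# Constructed probe log: (source, stored TTL, stored ID, probe-reply TTL, probe-reply ID)
PROBES = [
    ("203.0.113.5",   52,  1000, 52,  1003),
    ("203.0.113.5",   52,  1010, 51,  1012),
    ("198.51.100.20", 64,   500, 62,   505),
    ("198.51.100.20", 64,   520, 64,   776),   # ID off by 256, one of the large offsets the slide tabulates
    ("192.0.2.77",   128, 40000, 58,     7),   # TTL off by 70: stored packet did not come from this host
]


def ttl_offsets(probes):
    """Probe-reply TTL minus stored TTL for each probe."""
    return [reply_ttl - stored_ttl for _, stored_ttl, _, reply_ttl, _ in probes]


def id_offsets(probes):
    """IP ID delta, modulo the 16-bit ID field."""
    return [(reply_id - stored_id) % 65536 for _, _, stored_id, _, reply_id in probes]


def ttl_summary(offsets):
    """Rows in the shape of the slides' 'TTL off by' table:
    (label, number of probes within the bucket, percent of all probes)."""
    n = len(offsets)
    rows = []
    for label, k in (("+/- 2 or less", 2), ("+/- 1 or less", 1), ("0", 0)):
        count = sum(1 for d in offsets if abs(d) <= k)
        rows.append((label, count, round(100 * count / n)))
    return rows


def id_histogram(offsets):
    """(offset, count) pairs, most frequent first, as in the slides' ID tables."""
    return Counter(offsets).most_common()


def verdict(probe, ttl_tolerance=2):
    """'consistent' if the probe reply's TTL matches the stored value within
    the tolerance, else 'inconsistent' (the stored packet was likely spoofed)."""
    _, stored_ttl, _, reply_ttl, _ = probe
    return "consistent" if abs(reply_ttl - stored_ttl) <= ttl_tolerance else "inconsistent"


if __name__ == "__main__":
    for label, count, pct in ttl_summary(ttl_offsets(PROBES)):
        print(f"TTL {label:14} {count:4} {pct:3}%")
    print("ID offsets:", id_histogram(id_offsets(PROBES)))
    for p in PROBES:
        print(p[0], verdict(p))
```

The TTL comparison is the stronger signal here: a reply TTL that is tens of hops away from the stored value cannot be explained by route flapping, whereas ID deltas depend on how busy the probed host is and, as the slide's second table suggests, can cluster at large round values.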

Conclusion

• Spoofed packets are used in many different attacks

• Spoofed packets can be detected by a number of methods

• High predictability in TTL and ID allows use of passive and active methods

References

• www.google.co.in

• http://seclab.cs.ucdavis.edu/

• www.cert.org

• www.caida.com

• http://www.uspto.gov/

• www.cisco.com