Protecting Mobile Devices From TCP Flooding Attacks



Similar documents
Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

CS 356 Lecture 16 Denial of Service. Spring 2013

Distributed Denial of Service Attacks & Defenses

Secure Software Programming and Vulnerability Analysis

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

1 Introduction. Agenda Item: Work Item:

Security vulnerabilities in the Internet and possible solutions

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Acquia Cloud Edge Protect Powered by CloudFlare

Denial of Service Attacks

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

CloudFlare advanced DDoS protection

Firewalls and Intrusion Detection

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Chapter 8 Security Pt 2

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

Distributed Denial of Service (DDoS)

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Network reconnaissance and IDS

Denial of Service Attacks

Secure SCTP against DoS Attacks in Wireless Internet

Network/Internet Forensic and Intrusion Log Analysis

FIREWALL AND NAT Lecture 7a

Using SYN Flood Protection in SonicOS Enhanced

A Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network Abstract

Ignoring the Great Firewall of China

1 Introduction. Agenda Item: Work Item:

Solution of Exercise Sheet 5

Denial of Service Attacks and Resilient Overlay Networks

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

TDC s perspective on DDoS threats

How To Protect A Dns Authority Server From A Flood Attack

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Announcements. No question session this week

Low-rate TCP-targeted Denial of Service Attack Defense

Introduction of Intrusion Detection Systems

Intrusion Detection: Game Theory, Stochastic Processes and Data Mining

DoS: Attack and Defense

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Introduction to Wireless Sensor Network Security

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

A Study of Technology in Firewall System

Security of IPv6 and DNSSEC for penetration testers

Seminar Computer Security

Guidance Regarding Skype and Other P2P VoIP Solutions

Attack Lab: Attacks on TCP/IP Protocols

Denial of Service in Sensor Networks

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Stateful Firewalls. Hank and Foo

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Safeguards Against Denial of Service Attacks for IP Phones

Firewalls. Chapter 3

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

CMS Operational Policy for Firewall Administration

Security: Attack and Defense

Networks. Connecting Computers. Measures for connection speed. Ethernet. Collision detection. Ethernet protocol

DDoS Protection Technology White Paper

A S B

How Cisco IT Protects Against Distributed Denial of Service Attacks

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

SECURING APACHE : DOS & DDOS ATTACKS - I

Peer-to-peer networking. Jupiter Research

Network Security Using Hybrid Port Knocking

How To Block A Ddos Attack On A Network With A Firewall

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

WhitePaper. Mitigation and Detection with FortiDDoS Fortinet. Introduction

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

CIT 480: Securing Computer Systems. Firewalls

Analysis of Network Packets. C DAC Bangalore Electronics City

Client Server Registration Protocol

VALIDATING DDoS THREAT PROTECTION

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

ATTACKS ON CLOUD COMPUTING. Nadra Waheed

Survey on DDoS Attack Detection and Prevention in Cloud

Denial Of Service. Types of attacks

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Security in Structured P2P Systems

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Project 4: (E)DoS Attacks

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Network support for TCP Fast Open. Christoph Paasch

Wireless VPN White Paper. WIALAN Technologies, Inc.

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Transcription:

Protecting Mobile Devices From TCP Flooding Attacks Yogesh Swami % and Hannes Tschofenig* % Nokia Research Center, Palo Alto, CA, USA. * Siemens Corporate Technology, Munich, DE. 1

Motivation Anatomy of a DoS Attack: Identify a resource constraint, then find a means to exhaust it! TCP SYN flooding attack is well understood for wire-line networks Memory is the resource constraint SYN Cookies or personal firewalls work reasonably well Wireless networks have new resource constraints Battery life -- Depends upon radio off time periods during idle periods Wireless Spectrum -- Cellular network spectrum is expensive to end user SYN Cookies and other solutions co-located on the mobile device cannot defend against these kinds of attack Waking up the device by sending random SYN packets will exhaust the battery, even if the SYN packet is ultimately dropped by personal firewall on mobile A SYN flood will take radio bandwidth someone needs to pay for it in cellular networks. 2

Problem Statement Firewalls deployed at the wireless-wired network boundary a popular choice for defense 3 Firewall blocks almost all incoming unsolicited packets Assumption is that mobile devices cannot run as servers/peer nodes in P2P networks (no longer true with Apache running on Symbian phones) Dedicated pin-holes for server ports doesn t prevent against battery exhaustion and spectrum waste Some P2P applications (e.g., Skype) have mechanism built into protocol to traverse such firewalls, but not all of them do. Our Goal: Can we design a system that Woks with any P2P application or any server application running on mobile phone Does not require changes to existing protocols (e.g., IP or TCP tweaking out of picture) Does not require massive change to the Internet routing infrastructure (e.g., no firmware/ios upgrades) Treasure end to end nature of TCP

Prior Art SYN Cookies -- of course! Mechanisms to determine the attack source (e.g., IP Traceback, IP pushback). Requires changes to internet infrastructure -- beyond our solution realm Might help in detection, but not always in prevention Intrusion and Misuse Detection Schemes (e.g., Snort, Bro, DOMINO) Work mainly in detection, not in prevention Many other proposals on architectural changes to the Internet (e.g., i3, Hi3) Possibly clean, long-term solutions, but cannot be immediately deployed Split TCP solutions where firewall splits the connection across wired and wireless networks Requires massive state in the firewall and creates performance bottlenecks Breaks the end-to-end semantics of TCP 4

Server Friendly Firewalls Goal is to exploit the TCP connection setup procedure TCP sends RST messages to packets it did not expect to receive (I.e., packets that are outside the window) Basic Idea Let the firewall send a wrong sequence number to the incoming SYN packet If the SYN packet was not spoofed, the client will respond with an RST message. Use this RST response as a return routability test. If no RST received ==> the SYN was spoofed Firewall reconstructs the SYN packet and forwards it to the mobile server application Beyond this point, connection setup proceeds normally. 5

Stateless Server Friendly Firewall Previous approach works but requires firewall to keep state about the TCP connection so that it can reconstruct the SYN packet Opens firewall itself for DoS attacks Stateless Server Friendly firewalls send two wrong packet Send SYN ACK with ack sequence as a cookie Send a Data packet with right sequence number as the packet sequence First RST returns the cookie information (verify based on HMAC computation) Second RST returns the sequence number that was sent in the data packet SYN seq= 10 1 6

Implementation Status Implemented as a standalone user-space application using netmon on Linux. Uses libpcap for packet capture Used Komodia PacketCrafter tool for attack traffic generation running in parallel with legitimate application to very usage. More details, for example about timers, in paper 7

Conclusion, Future Work, and Limitations Limitations Essentially a hack, driven by short term needs Connection Setup time increased by 1 RTT Sending wrong packet in response to SYN requests could be exploited for reflection attacks Future Work Integrate netmon in Linux iptables/netfilter code Conclusion Works well for TCP; could be extended for other connection oriented protocols which have an RST equivalent of TCP (e.g., SCTP, etc.) Doesn t break the end to end semantics of TCP Require minor changes to existing firewalls 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information