MODELING OF SYN FLOODING ATTACKS

Simona Ramanauskaitė
Šiauliai University
Tel. +370 61437184, e-mail: simram@it.su.lt

A great proportion of essential services are moving into the Internet, making the threat of DoS attacks even more pressing. Estimating the real risk of some kind of denial of service (DoS) attack in the real world is difficult, but mathematical and software models make this task easier. In this paper we overview the ways of implementing DoS attack models and offer a stochastic model of the SYN flooding attack. It allows the potential threat of SYN flooding attacks to be evaluated, taking into account both the legitimate system flow and the possible attack power. At the same time we can assess the effect of such parameters as buffer capacity or open-connection storage time in the buffer on the success of different SYN flooding attacks.

Keywords: DDoS, Denial of Service, TCP SYN, flooding, modeling.

Introduction

The Internet is used more and more for providing all kinds of services. This gives a service wider applicability and broader possibilities of mobility. However, providers of such a service must pay attention not only to the quality and safety of their service but to its accessibility problems as well. Attacks meant to make a certain service unavailable for at least some time, but not to damage the system itself, are called DoS (Denial of Service) attacks. Very often a DoS attack is developed into a DDoS attack, where one attacker can use a large number of computers (called agents or zombies) to make the attack more efficient. All these agents are spread all over the world and do not have to be the property of the attacker. It is enough to send any data to the victim from as many computers as possible to make a bandwidth depletion attack. A resource depletion attack is based on sending a smaller flow of selected data. In such a case there can be just a few agent computers or just one, but the attack can be successful anyway.
The TCP SYN attack is one of the best known and most used resource depletion attacks. A SYN flood attack occurs during the three-way handshake that marks the onset of a TCP connection. In the three-way handshake, a client requests a new connection by sending a TCP SYN packet to a server. After that, the server sends a SYN/ACK packet back to the client and places the connection request in a queue. Finally, the client acknowledges the SYN/ACK packet. If an attack occurs, however, the attacker sends an abundance of TCP SYN packets to the victim, obliging it both to open a lot of TCP connections and to respond to them. Then the attacker does not execute the third step of the three-way handshake, rendering the victim unable to accept any new incoming connections, because its queue is full of half-open TCP connections [1].

It is a difficult task to estimate the possible threat of DoS attacks of different sizes in real life. This is caused by the huge area over which agents are spread and the unpredictable path from the agent to the victim, as well as the inescapable influence on other systems during experiments, which can lead to conflicts with other system owners or even with law enforcement. Mathematical and programmable models are the only solution which allows us to model and predict attack success without any impact on others. The aim of this work is to overview possible types of DoS attack models and consequently to propose a thorough and easily applicable model designed for modeling TCP SYN attacks.

Suitable model types for DoS modeling

A model is a systematic description of an object or phenomenon that shares important characteristics with the object or phenomenon [2]. Using models we can understand the analyzed object more easily. M. Heidari [3] distinguishes four types of models: Deterministic, Stochastic, Rule-Based and Multi-Agent.
Deterministic models: The processes of this model type are often described by differential equations, with a unique input leading to a unique output for well-defined linear models and with multiple outputs possible for non-linear models; in these models, equations can be solved by different numerical methods.

Stochastic models: This type is used to model the temporal behavior of phenomena with random components. In this model type, a unique input leads to a different output for each run; due to the random component of the modeled process, a single simulation gives only one possible result. All of the major models in IS are stochastic models.

Rule-based models: In this model type, processes are governed by local rules using cellular automata. In this type of model we encounter non-linear dynamic mathematical systems based on discrete time and space.
Multi-agent models: For modeling complex systems (including multi-role, multi-platform and multi-system aspects) we can use multi-agent models. In these models we must develop a group of interacting agents. An agent is any actor in a system that can generate events that affect itself and other agents; a typical agent is modeled as a set of rules.

If we try to use these models for internet flow and similar situations, all of them have their own advantages and disadvantages, briefly listed in Table 1.

Table 1. Advantages and disadvantages of different model types for modeling internet flow

Deterministic. Advantages: the result is always unambiguous. Disadvantages: it is hard to implement for big networks, where actions are hard to predict.
Stochastic. Advantages: takes into account the variable nature of some kinds of network characteristics. Disadvantages: to get the correct result, we should know the character of the stochastic variable (how it changes).
Rule-Based. Advantages: can be used to model non-linear situations which are based on certain rules. Disadvantages: it is difficult to represent all the rules for a big network which would cover all possible network situations and their solutions.
Multi-Agent. Advantages: if we know all the information about all agents' actions, we can use such a model for very deep situation analysis. Disadvantages: all components must be described in great detail, so the model itself can be very massive and slow.

Taking into account the variability of data flow in the internet, we suggest using stochastic or hybrid models (where a stochastic model is used together with other kinds of models) for modeling computer networks and their safety. This choice is also confirmed by other authors who use stochastic models to model TCP SYN attacks. Q. Huang et al. in the paper Analysis of a New Form of Distributed Denial of Service Attack [4] apply a simplified Engset loss model G(N)/G/m(0). This model enables us to estimate the success of a SYN flooding attack when we know the average attack flow, the average storage time of open-state connections and the buffer size.
But these authors do not consider legitimate users, so there are no characteristics of legitimate users in this model, just the attack by itself. In Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial [5], R. K. C. Chang et al. use a G/D/ /N model to calculate the minimal attack flow which is necessary to make a successful TCP SYN attack. However, in this work they do not describe the model in detail; they just present the experimental results. Therefore it does not allow us to judge how detailed this model is. Y. Wang et al. use a two-dimensional embedded Markov chain in the paper A queueing analysis for the denial of service (DoS) attacks in computer networks [6]. This model takes into account the characteristics of legitimate and attack flows as well as buffer size. But this model is difficult to use because of its complex calculations. All these TCP SYN models can be used for predicting the success of a SYN flooding attack. But all of them have some kind of disadvantage, and none of them combines both a full representation of the attack's characteristics and easy application.

Our suggested TCP SYN attack model

The main reason why TCP SYN attacks are successful is the finite buffer size, which is meant to store all open-state connections. In the attacked system, information about only K connections can be stored at one moment in time. If all the space is used, then a new connection (no matter whether it is a legitimate or an attack query) cannot be served and placed in storage. That is why some connections are just blocked, so users do not get the desired service. The average time for which a legitimate user's connection is stored in the buffer is t_t; this means that after the legitimate user's query reaches the server, it needs t_t seconds to finish the connection. Meanwhile spoofed queries stay in the buffer for t_p seconds. This is the time which indicates for how long the system waits to finish the connection.
After this time the open connection is just removed from the buffer, making room for other connections. Normally the system has to serve about λ_n queries per second. But one agent can generate an additional flow of λ_a queries per second. So if the attacker uses n agents, then the overall attack flow λ_A is equal to λ_A = λ_a·n. In this case the system has to store λ = λ_a·n + λ_n open connections per second, where λ_a and λ_n are independent variables. The probability of attack success can be set by estimating how many legitimate users' queries have been dropped. Our model does not use any countermeasures which could rank legitimate and spoofed queries, so dropped queries are distributed evenly between legitimate and spoofed ones. This allows us to get the attack success probability by judging how much of the overall flow was dropped.

Figure 1. Conceptual model of TCP SYN attack

According to M. Zukerman [7], internet traffic should be modeled with the Poisson Pareto Burst Process, because it is long-range dependent and represents Internet traffic more realistically than other models (Poisson Process, Markov Modulated Poisson Process, Autoregressive Gaussian Process or Exponential Autoregressive Process). So we use the M/M/K/K system for TCP SYN attack modeling, which enables us to take into account the intensity of the incoming flow, the average service time of queries and the system's buffer size. All queries are served in parallel, so as many queries can be served in the system as the buffer can hold. According to S. K. Bose [8], the query loss probability can be obtained with a formula where ρ is the ratio of the incoming flow rate to the processing speed, or equivalently the product of the incoming flow rate and the time needed to process one query. We know the overall incoming flow rate λ. The average processing speed can be obtained from the average processing time t of one query, while the average processing time should be estimated according to the quantity proportion of legitimate and spoofed queries and their processing times:

(1)

When we have the overall incoming flow rate λ and the expression for the average processing time, we can get the expression for the ratio of the incoming flow rate to the processing speed:

(2)

Results of modeling

Using the suggested model, we created modeling software.
It allows everyone to judge the influence of different characteristics of TCP SYN attacks on the query loss probability and, at the same time, the success of the desired TCP flood attack.
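The M/M/K/K loss calculation behind the model, as an added example (it is not the paper's modeling tool): it assumes the Erlang B blocking formula for the M/M/K/K system and reads equation (1) as the traffic-weighted mean holding time, and with the paper's scenario (K = 5, legitimate connections finishing after 10 ms, 500 queries/s) it returns the ~28% loss the observations report. The attack-side values in the block (50 spoofed SYN/s per agent, a 3 s half-open timeout) are constructed.

```python
# Added example (not the paper's tool): M/M/K/K loss model of a SYN flood.
# Erlang B is the standard blocking formula for an M/M/K/K loss system; the
# traffic-weighted mean holding time is an assumed reading of equation (1),
# whose body is not reproduced in this text.

def erlang_b(k, rho):
    """Blocking probability of an M/M/K/K loss system with K=k buffer slots
    and offered load rho Erlang, via the numerically stable recursion
    B(i) = rho*B(i-1) / (i + rho*B(i-1)), B(0) = 1."""
    b = 1.0
    for i in range(1, k + 1):
        b = rho * b / (i + rho * b)
    return b

def offered_load(lambda_n, t_t, lambda_a, n_agents, t_p):
    """rho = lambda * t, with lambda = lambda_n + lambda_a*n (total SYN rate)
    and t the mean time an entry occupies the half-open buffer, weighted by the
    share of legitimate (t_t) and spoofed (t_p) queries (assumed form of (1)).
    This simplifies to lambda_n*t_t + lambda_A*t_p (equation (2))."""
    lambda_A = lambda_a * n_agents
    total = lambda_n + lambda_A
    if total == 0:
        return 0.0
    t = (lambda_n * t_t + lambda_A * t_p) / total
    return total * t

def loss_probability(K, lambda_n, t_t, lambda_a, n_agents, t_p):
    """Probability that an arriving SYN (legitimate or spoofed) is dropped.
    Without countermeasures both classes are dropped in the same proportion,
    so this is also the fraction of legitimate users denied service."""
    return erlang_b(K, offered_load(lambda_n, t_t, lambda_a, n_agents, t_p))

def agent_sweep(K, lambda_n, t_t, lambda_a, t_p, max_agents):
    """Loss probability for 0..max_agents agents, so the effect of linearly
    growing attack power on attack success can be inspected directly."""
    return [loss_probability(K, lambda_n, t_t, lambda_a, n, t_p)
            for n in range(max_agents + 1)]

if __name__ == "__main__":
    # Paper's scenario: K=5, legitimate connections finish after 10 ms,
    # normal flow 500 queries/s, no attack -> rho = 5 Erlang, ~28% loss.
    print("no attack:", round(loss_probability(5, 500, 0.010, 0, 0, 0), 4))
    # Constructed attack values: each agent adds 50 spoofed SYN/s and the
    # server keeps a half-open entry for t_p = 3 s before discarding it.
    for n, p in enumerate(agent_sweep(5, 500, 0.010, 50, 3.0, 4)):
        print(f"{n} agents: loss {p:.3f}")
```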
Figure 2. The view of the created modeling tool

If a user does not use any countermeasures for TCP SYN attack mitigation, there are two basic characteristics which can influence the success of a SYN flooding attack: the maximum allowed time for finishing the three-way handshake connection and the size of the buffer meant to store all open connection information. We used the created modeling tool and made the following observations:
- The impact on attack success of increasing the buffer size by one is equal to that of decreasing the maximum time of holding spoofed queries in the system by ~10 ms;
- If we assume that the buffer size is 5 (just 5 open connections can be in the system at one moment in time), legal connections are finished on average after 10 ms and the normal flow is about 500 queries per second, then the connection loss probability would be ~28%, not 0% as we might guess. This is related to the fact that queries do not reach the system uniformly;
- If the power of the attack increases linearly, then its success increases exponentially.

Conclusions

1. The analysis of the usage of different model types in internet flow modeling has shown that stochastic models are closer to it, because of internet flow variance. Therefore this type of model is suitable for DoS attack modeling too;
2. Existing TCP SYN attack models are not complete or are difficult to apply. Our proposed SYN flooding model eliminates these disadvantages and was successfully realized in a TCP SYN attack modeling tool;
3. Modeling results showed that TCP SYN attacks cannot be described using linear equations, because usually, by changing some attack characteristic uniformly, the attack's success changes exponentially;
4. The suggested model takes into account basic attack characteristics, but ignores the usage of additional countermeasures against SYN flooding attacks.

References

1. C. Patrikakis, M. Masikos, O. Zouraraki. Distributed Denial of Service Attacks. National Technical University of Athens, 2004. Interactive <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html> [2010-03-11];
2. Model definition, Free Online Dictionary, Thesaurus and Encyclopedia. Interactive <http://www.thefreedictionary.com/> [2010-03-11];
3. M. Heidari. The Role of Modeling and Simulation in Information Security. The Lost Ring, 2006. Interactive <http://www.megasecurity.org/papers/the_role_of_modeling_and_simulation_in_information_security.pdf> [2010-03-11];
4. Q. Huang, H. Kobayashi, B. Liu. Analysis of a New Form of Distributed Denial of Service Attack. Conference on Information Science and Systems, The Johns Hopkins University, 2003. Interactive <http://www.hisashikobayashi.com/papers/network%20security%20protocols/analysis%20of%20a%20new%20form%20of%20distributed%20denial%20of%20service%20attack.pdf> [2010-03-11];
5. R. K. C. Chang. Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial. IEEE Communications Magazine, 2002. Interactive <http://www.docstoc.com/docs/12333600/defending-against-Flooding-Based-DDOS> [2010-03-11];
6. Y. Wang, C. Lin, Q.-L. Li, Y. Fang. A queueing analysis for the denial of service (DoS) attacks in computer networks. Computer Networks, 2007. Interactive <http://www.fang.ece.ufl.edu/mypaper/comnet07wang.pdf> [2010-03-11];
7. M. Zukerman. Introduction to Queueing Theory and Stochastic Teletraffic Models, 2008;
8. S. K. Bose. M/G/m/m Loss System. Interactive <http://www3.ntu.edu.sg/home/eskbose/qbook/mgmm_queue.pdf> [2010-03-11].