Class 8
• Definition
• Point-to-point network denial of service
– Smurf
• Distributed denial of service attacks
– Trin00, TFN, Stacheldraht, TFN2K
• TCP SYN Flooding and Detection
Denial of Service Attack Definition
[Figure: two topologies. Point-to-point DoS: a Source sends attack traffic through a gateway to a Target. Distributed DoS: many Agents send attack traffic to a single Victim.]
Attack using Trin00
• In August 1999, a network of > 2,200 systems took the University of Minnesota offline for 3 days
– scan for known vulnerabilities, then attack with UDP traffic
– once a host is compromised, script the installation of the DDoS master agents
• According to the incident report
– Took about 3 seconds to get root access
– In 4 hours, set up > 2,200 agents
Can you find the source of the attack?
• Hard to find BadGuy
– Originator of the attack compromised the handlers
– Originator is not active when the DDoS attack occurs
• Can try to find the agents
– Source IP address in packets is not reliable
– Need to examine traffic at many points, modify traffic, or modify routers
Source Address Validity
• Spoofed Source Address
– random source addresses in attack packets
– Subnet Spoofed Source Address
- random address from the address space assigned to the agent machine's subnet
– En Route Spoofed Source Address
- address spoofed en route from the agent machine to the victim
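The three spoofing kinds above differ in what a source address check at the agent's own subnet boundary can catch. The following added example (not from the lecture) replays that check over constructed packets: it assumes a hypothetical agent subnet 192.0.2.0/24, an agent at 192.0.2.10 and a victim at 198.51.100.5, and applies an RFC 2827 (BCP 38) style egress filter that forwards a packet only if its source lies in the prefix assigned to the subnet.

```python
"""Source address validation at a subnet's egress router.

Added example, not from the lecture. Assumes the router knows the prefix
assigned to the agent's subnet (hypothetical 192.0.2.0/24) and applies an
RFC 2827 / BCP 38 style filter: packets leaving the subnet with a source
address outside that prefix are dropped.
"""
import ipaddress

SUBNET = ipaddress.ip_network("192.0.2.0/24")   # hypothetical agent subnet
AGENT = "192.0.2.10"                            # hypothetical agent's real address
VICTIM = "198.51.100.5"                         # hypothetical victim


def spoof_kind(src, agent=AGENT, subnet=SUBNET):
    """Analyst's view (knows the agent's true address; the router does not):
    label how the source address relates to the real sender."""
    if src == agent:
        return "genuine"
    if ipaddress.ip_address(src) in subnet:
        return "subnet-spoofed"
    return "random-spoofed"


def egress_filter(packets, subnet=SUBNET):
    """Router's view: forward only packets whose source is inside the
    subnet prefix. Returns (forwarded, dropped) as lists of (src, dst)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if ipaddress.ip_address(src) in subnet:
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


# Constructed outbound attack packets (source, destination) from the agent.
PACKETS = [
    (AGENT, VICTIM),            # real address
    ("10.77.3.9", VICTIM),      # random spoofed source
    ("203.0.113.44", VICTIM),   # random spoofed source
    ("192.0.2.200", VICTIM),    # subnet spoofed source
    ("192.0.2.77", VICTIM),     # subnet spoofed source
]


def summarize(packets=PACKETS):
    """What the filter lets through and what it stops, by spoofing kind."""
    fwd, drp = egress_filter(packets)
    return {
        "forwarded": [spoof_kind(s) for s, _ in fwd],
        "dropped": [spoof_kind(s) for s, _ in drp],
    }


if __name__ == "__main__":
    print(summarize())
```

The random spoofed sources are dropped at the subnet edge, but the subnet spoofed ones pass because they are valid addresses for that link, which is exactly why agents spoof within their own prefix. En-route spoofing is invisible to this filter altogether, since the address is rewritten after the packet has already left the subnet.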
[Figure: TCP three-way handshake between client C and server S. S is Listening. C sends SYN_C; S stores connection data, replies SYN_S, ACK_C, and waits; C replies ACK_S; both sides are Connected.]
SYN Flooding
[Figure: SYN flooding. S is Listening. C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 in succession; S stores connection data for each one and never receives the final ACK.]
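The handshake and SYN-flooding figures above show why the server is the party that suffers: it stores state for every SYN_C it answers, while the client's ACK_S never comes. The following added example (not from the lecture) turns that observation into a detector. It assumes a passive sensor that sees every TCP segment to and from a hypothetical server 198.51.100.5:80 and can read the SYN/ACK/RST flags; the trace it runs over is constructed, with two completed handshakes followed by a flood of SYNs from spoofed sources.

```python
"""SYN flood detection by tracking half-open connections.

Added example, not from the lecture. Assumes a passive sensor that sees every
TCP segment to and from a single server (hypothetical 198.51.100.5:80) and
exposes the SYN/ACK/RST flags. The trace is constructed in build_trace().
Times are integer milliseconds so the arithmetic stays exact.
"""
from dataclasses import dataclass

SERVER = ("198.51.100.5", 80)   # hypothetical victim


@dataclass
class Segment:
    t: int          # ms since start of trace
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    rst: bool = False


def handshake(t, client, port, server=SERVER):
    """Three segments of a completed handshake, labelled as in the slides."""
    return [
        Segment(t,      client, port, *server, syn=True,  ack=False),  # SYN_C
        Segment(t + 10, *server, client, port, syn=True,  ack=True),   # SYN_S, ACK_C
        Segment(t + 20, client, port, *server, syn=False, ack=True),   # ACK_S
    ]


def build_trace(n_flood):
    """Two legitimate connections, then n_flood SYNs from spoofed sources.
    The server answers each with SYN+ACK; the third segment never arrives."""
    trace = handshake(0, "192.0.2.10", 40001) + handshake(500, "192.0.2.11", 40002)
    for i in range(n_flood):
        spoof = f"203.0.113.{(i % 254) + 1}"        # constructed spoofed source
        t = 1000 + 10 * i
        trace.append(Segment(t,     spoof, 50000 + i, *SERVER, syn=True, ack=False))
        trace.append(Segment(t + 5, *SERVER, spoof, 50000 + i, syn=True, ack=True))
    trace.sort(key=lambda s: s.t)
    return trace


def detect_syn_flood(trace, server=SERVER, grace_ms=100, threshold=20):
    """Replay the trace; return (alerts, completed, leftover_half_open).

    A half-open entry is created by a SYN to the server and removed by the
    client's ACK (handshake complete) or a RST. An alert fires when at least
    `threshold` entries have stayed half-open longer than `grace_ms`, which is
    far longer than a real client needs to send its ACK_S.
    """
    half_open = {}          # (client ip, client port) -> time of SYN
    alerts, completed = [], 0
    alarm = False
    for seg in trace:
        key = (seg.src, seg.sport)
        if (seg.dst, seg.dport) == server:
            if seg.syn and not seg.ack:
                half_open.setdefault(key, seg.t)     # a retransmit keeps the first time
            elif key in half_open and (seg.rst or (seg.ack and not seg.syn)):
                del half_open[key]
                if not seg.rst:
                    completed += 1
        stale = sum(1 for t0 in half_open.values() if seg.t - t0 > grace_ms)
        if stale >= threshold and not alarm:
            alarm = True
            alerts.append((seg.t, stale))
        elif stale < threshold:
            alarm = False
    return alerts, completed, len(half_open)


if __name__ == "__main__":
    alerts, done, pending = detect_syn_flood(build_trace(50))
    print(f"completed={done} half_open_left={pending} alerts={alerts}")
```

With no flood the two handshakes complete and nothing is left half-open; with 50 spoofed SYNs the stale count crosses the threshold within a few hundred milliseconds and 50 entries remain pending at the end of the trace. Counting only entries older than the grace period keeps a burst of legitimate connections from tripping the alarm, since those clients finish the handshake well inside it.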
TCP Connection Management: Closing
Step 1: client end system sends TCP FIN control segment to server
Step 2: server receives FIN,
[Figure: client and server timelines, labelled closing, FIN, ACK, timed wait]