Detecting SYNFlooding Attacks - PowerPoint PPT Presentation

Slides: 12
Provided by: aaron101

1
Detecting SYN-Flooding Attacks
  • Aaron Beach
  • CS 395 Network Security
  • Spring 2004

2
Related Work: SYN flood defense categories
  • 1. Firewall based
  • 2. Server based
  • 3. Agent based
  • 4. Router based

3
Firewall based
  • Examples: SYN Defender, SYN proxying
  • Filters packets and requests before router
  • Maintains state for each connection
  • Drawbacks: can be overloaded; extra delay for
    processing each packet

4
Server Based
  • Examples: SYN cache, SYN cookies
  • The SYN cache receives packets first and then uses a
    hash table to partially store state; this is much more
    streamlined than a firewall. If the SYN-ACK is ACKed,
    the connection is established with the server.
  • Removes the need to watch half-open connections

5
SYN kill (this is kind of cool)
  • SYN kill monitors the network and, if it detects
    SYNs that are not being ACKed, automatically
    generates RST packets to free resources; it also
    classifies addresses as likely to be spoofed or
    legitimate
  • Performance???

6
MULTOPS
  • Monitors the packets going to and from a victim
    and then blocks IPs from outside the network,
    limiting the IP range of the attack.

7
Ingress Filtering
  • If a packet does not have a source IP address from
    within the network, the router will not forward
    it.
  • This would restrict attackers to the IPs within
    the network(s) from which they are attacking

8
Route-based Distributed Packet filtering
  • Uses packet information to determine whether a
    packet arriving at a router has a spoofed source /
    destination address
  • Results show many packets can be filtered, and
    those that can't can be traced back easily

9
Future Work
  • Any ideas on how to break the SYN-FIN pair
    scheme??
  • Just send FINs along with the SYNs
  • Will result in more traffic, but what about DDoS
    attacks that send FINs and SYNs?
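As an added example that is not part of the slides, here is a sketch of the SYN-FIN pair counting the slide refers to: per observation interval, the detector takes the difference between SYNs and connection closes (FIN or RST), normalizes it by a smoothed estimate of the FIN rate, and feeds it to a non-parametric CUSUM that raises an alarm when the accumulated excess crosses a threshold. The packet trace, the interval length, the smoothing factor, the drift `a` and the threshold are all constructed assumptions for illustration.

```python
from collections import Counter

# Constructed trace: (interval_index, tcp_flag_string). Normal intervals have SYNs
# and FIN/RST closes roughly paired; intervals 6-9 add a burst of SYNs with no
# matching closes, which is what a half-open flood looks like to a passive observer.
def make_trace():
    trace = []
    for n in range(10):
        syn = 50 + (n % 3) * 5          # mild, deterministic variation in load
        fin = syn - 2                    # two connections per interval end with RST
        if n >= 6:
            syn += 400                   # constructed flood: SYNs that never complete
        trace += [(n, "S")] * syn + [(n, "F")] * fin + [(n, "R")] * 2
    return trace

def per_interval_counts(trace):
    """Return [(interval, syn, fin, rst), ...] sorted by interval."""
    syn, fin, rst = Counter(), Counter(), Counter()
    for n, flags in trace:
        if "S" in flags and "A" not in flags:   # pure SYN, not SYN-ACK
            syn[n] += 1
        elif "F" in flags:
            fin[n] += 1
        elif "R" in flags:
            rst[n] += 1
    intervals = sorted(set(syn) | set(fin) | set(rst))
    return [(n, syn[n], fin[n], rst[n]) for n in intervals]

def synfin_cusum(counts, alpha=0.8, a=1.0, threshold=3.0):
    """Non-parametric CUSUM over the normalized SYN minus (FIN+RST) difference.

    alpha: EWMA weight for the FIN-rate estimate (assumed value)
    a:     drift subtracted so the statistic is negative under normal traffic
    threshold: alarm level on the accumulated sum (assumed value)
    Returns the list of interval indices in which the alarm is raised.
    """
    fin_avg, y, alarms = None, 0.0, []
    for n, syn, fin, rst in counts:
        fin_avg = fin if fin_avg is None else alpha * fin_avg + (1 - alpha) * fin
        delta = syn - (fin + rst)                 # SYNs that were not closed
        x = delta / max(fin_avg, 1.0) - a         # normalize and apply drift
        y = max(0.0, y + x)                       # CUSUM: never below zero
        if y > threshold:
            alarms.append(n)
    return alarms

if __name__ == "__main__":
    print(synfin_cusum(per_interval_counts(make_trace())))   # [6, 7, 8, 9]
```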

10
Alternatives to improve detection
  • Monitoring SYN-ACK packets as well
  • SYN-ACKs won't necessarily go back through the same
    router that the SYNs originally passed through


11
Can it work???
  • The spoofed address must be in a different AS
  • Also, if a packet does not take the same path back and
    forth from the server, it could result in
    false positives
  • Any other ways to beat it?
  • A large enough AS could spoof within the AS
  • Requires inter-FDS communication