hell of a handshake abusing tcp for amplification ddos...3 tcp and reflection tcp 3-way handshake...

Report

Post on 29-Aug-2020

2 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Hell of a Handshake –

Abusing TCP for Amplification DDoS

Marc Kührer1

Thomas Hupperich1

Christian Rossow2

Thorsten Holz1

1 Ruhr-University Bochum2 Saarland University

USENIX WOOT, August 2014

2

Amplification DDoS Attacks

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

VictimAttacker Amplifiers

3

TCP and Reflection

TCP 3-Way Handshake

• Reflection

• No amplification

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

4

TCP and Reflection

SYN/ACK Amplifiers

• Keep repeatingSYN/ACK until ACK

• Default, e.g., in *nix

• Against packet loss

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

5

TCP and Reflection

PSH Amplifiers

• Send data beforehandshake finishes

• e.g., FTP serverbanner info

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

6

TCP and Reflection

TCP Closed Port

• Reflection

• No amplification

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

7

TCP and Reflection

RST Amplification

• Hosts persistsending RST

• No rationale?

C S

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

8

Methodology

• IPv4 Address Range

• TCP SYN PacketsScan

• Amplification >20

• Prevalent ProtocolsFilter

• Amplifier Classification

• Evaluate CountermeasuresStats

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

9

Amplification Statistics

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

10

Attack Frequency

Response packets per X seconds

11

Amplifier Classification

Networking Equipment

Misc embedded

Unknown

DEVICE TYPE

Linux

ZyNOS

Unknown

OS

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

12

Active Defense

SYN/ACK storms: send RST segments Stops about 99.9% of the SYN/ACK streams

RST storm: send ICMP port unreachable messages Stops about 80% of the RST streams

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks

13

Conclusion

Also TCP suffers from amplification vulnerabilities RST, PSH and SYN/ACK storms

We notified vendors, but fixes will take time

Use active countermeasures to mitigate attacks

Hell of a Handshake –

Abusing TCP for Amplification DDoS

Marc Kührer1

Thomas Hupperich1

Christian Rossow2

Thorsten Holz1

1 Ruhr-University Bochum2 Saarland University

USENIX WOOT, August 2014

top related

l ing wireshark to observe the tcp 3-way handshake...tcp...
Documents
golden handshake
Documents
handshake - business etiquette
Documents
guitar and bass amplification · guitar amplification bass...
Documents
good handshake
Education
tcp - courses.physics.illinois.edu · tcp usage model n...
Documents
情報ネットワーク論i tcp 1/2 · establishing a tcp...
Documents
7.2.1.8 lab - using 77777to observe the tcp 3-way handshake...
Documents
7.2.1.8 lab - using wireshark to observe the tcp 3-way...
Documents
cup.edu.incup.edu.in/syllabi/cst/syllabi_2017_18/cst (cbs)...
Documents
handshake - cpp.edu
Documents
handshake protocols
Documents
protocol basics. outline objective osi model tcp/ip model...
Documents
l ing wireshark to observe the tcp 3-way handshake -...
Documents
handshake issues
Documents
tcp¡ 3-way handshake n data transport ¡ sender writes data...
Documents
beowulf clusters6. presentation data representation : ascii...
Documents
the tcp split handshake: practical effects on modern ... ·...
Documents
aggie handshake on-campus employer guide handshake... ·...
Documents
lab - using wireshark to observe the tcp 3-way...
Documents