Denial Of Service Attacks: Syn Flood & Smurf. Rashmi Naveen.

Posted on 09-Sep-2014


Page 1: DDoS Attacks

Syn Flood & Smurf

Denial Of Service Attacks

Syn Flood & Smurf

Rashmi Naveen


Page 2: DDoS Attacks

References

• Probabilistic drop scheme using syn flood attacks. Yu Ming, School of Electronic and Information Engineering, Dalian University of Technology, Dalian, China

• A more accurate scheme to detect SYN FLOOD attacks. Changhua Sun, Chengchen Hu, Yachao Zhou, Xin Xiao and Bin Liu, Department of Computer Science and Technology, Tsinghua University, Beijing, China

• DiDDeM: A System for Early Detection of TCP SYN Flood Attacks. J. Haggerty, T. Berry, Q. Shi and M. Merabti, School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, L3 3AF, UK

• A Detective Method for SYN Flood Attacks. Takuo Nakashima and Shunsuke Oshima, Department of Information Science, Kyushu Tokai University, 9-1-1 Toroku, Kumamoto, Japan

Syn Flood & Smurf 2

Page 3: DDoS Attacks

• A Robust Scheme to Detect SYN Flooding Attacks. Changhua Sun, Jindou Fan, Bin Liu, Department of Computer Science and Technology, Tsinghua University, China

• Identification of Effective Network Features to Detect Smurf Attacks. Gholam Reza Zargar, Peyman Kabiri, Faculty of Computer Engineering, Iran University of Science and Technology, 16846-13114, Tehran, Iran

• Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet. Sanjeev Kumar, Senior Member, IEEE, Network Research Lab, Department of Electrical/Computer Engineering, University of Texas-Edinburg, Texas 78541, USA

• A Novel Traceback Approach for Direct and Reflected ICMP Attacks. Hachem Guerid, Ahmed Serhrouchni, Mohammed Achemlal and Karel Mittig, Orange Labs, France

Page 4: DDoS Attacks

What is a SYN Flood Attack? A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

[Fig.1 Normal Connection and SYN Flood: two Client/Server ladder diagrams showing the Syn, Syn/Ack and Ack exchanges]


Page 5: DDoS Attacks

What is a SMURF Attack? The Smurf attack is a way of generating significant network traffic on a victim network. It is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.

This attack is based on the Internet Control Message Protocol (ICMP): a sequence of ICMP Echo Request PDUs is issued with a fictitious or spoofed IP source address. Each host receiving one of these PDUs is required to respond with an ICMP Echo Reply PDU, generating excessive traffic that can ultimately overload network resources and greatly impair the throughput available to legitimate network traffic.


Page 6: DDoS Attacks

Overview: This presentation covers the different methods proposed to detect and prevent SMURF and SYN-flood attacks. A probabilistic drop scheme is presented for implementation in a host server to mitigate SYN flooding attacks.

Next, a more accurate SYN flood detection scheme, which leverages the behaviour of SYN/ACK-CliACK pairs, is illustrated.

The Distributed Denial of Service Detection Mechanism (DiDDeM) addresses the early detection of denial-of-service attacks.

A detective method for SYN flood attacks is presented. In this method, the authors implemented a program to send SYN packets and collected the SYN+ACK response packets from the server. They detect slight fluctuations in the packet response rate and the average response delay.


Page 7: DDoS Attacks

A more robust scheme to detect SYN flooding attacks is then proposed. To make the detection scheme more robust, the flow information of SYN packets is recorded in a counting Bloom filter, and FIN (RST) packets are counted according to the Bloom filter.

Principal component analysis is used for feature selection and dimension reduction: 32 basic features are extracted from the TCP/IP header for the selection of effective features to detect Smurf attacks. The authors of the amplification paper investigated the factors that contribute to the amplification of Smurf attack traffic and the relation among the original attack traffic, the intermediate unprotected network and the final amplified attack traffic.

Finally, a new traceback approach based on the behaviour of the ICMP protocol is proposed. This approach locates the source of direct and reflected ICMP denial-of-service attacks using few attack packets.


Page 8: DDoS Attacks

A Probabilistic Drop Scheme for Mitigating SYN Flooding Attacks

Random drop scheme:

A host server always accepts a new connection request, and the queue of pending requests is used as a cache which adopts a random substitution policy to get space for the new request. For each discarded request, the host server sends a RST message to its source host, enabling a legitimate client to react to this action.

Probabilistic Drop Scheme:

Analytical Model: Assume the size of the backlog queue configured in a host server is q.


Page 9: DDoS Attacks

Probabilistic Drop Scheme cntd…

The probabilistic drop scheme works as follows. When the backlog queue is full and a new SYN request arrives, the host server generates a random integer I between 0 and kq (k ≥ 1). If I is greater than q, the incoming request is discarded; otherwise, an entry selected at random from the backlog queue is dropped to make room for the new request. For each dropped entry, the server may send a RST message to the related client.

According to the probabilistic drop scheme, a new request is accepted with probability 1/k, and each entry in the backlog queue is dropped with probability 1/(kq) when the backlog queue is full. Therefore, the probabilistic drop scheme can be modeled by the following expression:

P = (1 − 1/(kq))^N / k, k ≥ 1. ---------------(1)

Page 10: DDoS Attacks

Probabilistic Drop Scheme cntd…

where P is the probability that a normal connection request is fulfilled and N is the total number of SYN requests arriving at the server. In order to determine the optimal value for k, we set ∂P/∂k to zero. Solving for k, we get

k = (N + 1) / q. ---------------(2)

Equations (1) and (2) suggest that the probabilistic drop scheme is essentially a simple filtering technique, which may be used to maximize the probability that a connection request can be fulfilled when the backlog queue is full.

If we set k = 1 when N ≤ q, the probabilistic drop scheme becomes the random drop scheme.


Page 11: DDoS Attacks

Probabilistic Drop Scheme cntd…

According to (2), we get the following expression when k = 1:

P = (1 − 1/q)^N ----------------- (3)

Therefore, the random drop scheme may be considered a particular case of the probabilistic drop scheme.

The probabilistic drop scheme (k > 1) is strictly better than the random drop scheme (k = 1); even under extremely adverse conditions, the probabilistic drop scheme can still guarantee some limited amount of service.
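To make the comparison above concrete, the following Python is an added example (not code from the reviewed paper or this presentation) that evaluates equations (1) and (2) and checks them against a small Monte Carlo model of a full backlog queue. The scenario (q = 100 slots, N = 1000 attack SYNs arriving after one legitimate request) is constructed; the integer draw I in [0, kq] from the slides is modelled by its limiting admission probability 1/k, which is an assumption of this example.

```python
import random


def fulfil_probability(n_syn, q, k):
    """Equation (1): probability that a legitimate request is fulfilled when the
    backlog (size q) is full and n_syn further SYNs arrive afterwards.
    The request is admitted with probability 1/k, and every later admitted SYN
    evicts one random entry, so each entry is dropped with probability 1/(k*q)."""
    return (1.0 - 1.0 / (k * q)) ** n_syn / k


def optimal_k(n_syn, q):
    """Equation (2): the k that maximises fulfil_probability (dP/dk = 0)."""
    return (n_syn + 1) / q


def simulate_survival(n_syn, q, k, trials, seed=1):
    """Monte Carlo check of equation (1) on a constructed scenario: the backlog
    is full of attack entries, one legitimate SYN arrives, then n_syn attack
    SYNs follow. Returns the fraction of trials in which the legitimate entry
    is still queued at the end (assumption: admission is a Bernoulli(1/k) test)."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        # the legitimate SYN is itself subject to the admission test
        if rng.random() >= 1.0 / k:
            continue
        alive = True
        for _ in range(n_syn):
            if rng.random() < 1.0 / k:          # attack SYN admitted ...
                if rng.randrange(q) == 0:       # ... and it evicts our slot (prob 1/q)
                    alive = False
                    break
        survived += alive
    return survived / trials


def compare_schemes(n_syn, q):
    """Random drop (k = 1) against the probabilistic drop scheme at its optimal k."""
    k_opt = optimal_k(n_syn, q)
    return {
        "random_drop": fulfil_probability(n_syn, q, 1),
        "k_opt": k_opt,
        "probabilistic_drop": fulfil_probability(n_syn, q, k_opt),
    }


if __name__ == "__main__":
    print(compare_schemes(n_syn=1000, q=100))
    print(simulate_survival(1000, 100, optimal_k(1000, 100), trials=5000))
```

With q = 100 and N = 1000 the random drop scheme fulfils a legitimate request with probability around 4e-5, while the probabilistic scheme at k = (N + 1)/q = 10.01 still fulfils about 3.7 % of them, which is the "limited amount of service" the slide refers to.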


Page 12: DDoS Attacks

A More Accurate Scheme to Detect SYN FLOOD Attacks.

We have already seen the three-way handshake protocol. It works as follows:

1. A client sends a SYN packet to a server to perform an active open request;

2. On receiving the SYN packet, the server reserves connection resources (a backlog queue entry) to track the TCP state and replies with a SYN/ACK packet;

3. Finally, the client sends an ACK back to the server as an acknowledgement, and the connection is established when this ACK is received on the server side. We call the ACK packet in the third step the CliACK.


Page 13: DDoS Attacks

A More Accurate Scheme to Detect SYN FLOOD Attacks cntd…

[Fig. 2 Counting Bloom Filter. Labels in the figure: Outgoing SYN/ACK, Incoming ACK, Extract 6-tuples, K hash functions h1 h2 … hk, CliACK]

Page 14: DDoS Attacks

A More Accurate Scheme to Detect SYN FLOOD Attacks cntd…

As shown in Fig. 2, a counting Bloom filter (CBF) is used to recognize the CliACK packets. For each outgoing SYN/ACK packet, its source and destination IP addresses, ports, sequence number and ACK sequence number are extracted, and the 6-tuple <srcIP, dstIP, srcport, dstport, seq, ACKseq>, denoted as a, is used as the input for the k hash functions h1, h2, ..., hk, each with range {0, 1, ..., m−1}.

The value of each bucket location hi(a) is increased by one. If the value of any bucket hi(a) would overflow to zero, it is not increased and is simply kept at its maximal value. For each incoming ACK packet, its 6-tuple <dstIP, srcIP, dstport, srcport, ACKseq − 1, seq>, denoted as b, is extracted and used as the input for the k hash functions of the CBF.


Page 15: DDoS Attacks

A More Accurate Scheme to Detect SYN FLOOD Attacks cntd…

If the values of all the buckets are greater than zero, i.e., hi(b) > 0 for 1 ≤ i ≤ k, this ACK is recognized as the CliACK packet, with some probability of error referred to as the false positive rate pfp, since some of the buckets hi(b) may have been set greater than zero by other elements. For a recognized CliACK packet, the value of each bucket location hi(b) is decreased by one. pfp is approximately (1 − e^(−kn/m))^k. Optimizing the number of hash functions to minimize the false positive rate gives k = ln2 · (m/n).

Choosing k = 4 gives m = 6n and pfp = 0.0561. The memory needed (denoted as M) is M = 4m = 24n bits. If n = 700000, M is about 2 MB.
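The following Python is an added example, not the paper's implementation, of the CliACK recognition described on pages 13 to 15: a counting Bloom filter with 4-bit saturating counters, the two 6-tuple mappings (note the ACKseq − 1 on the incoming side), and the pfp and k formulas. The hash family (SHA-256 salted with the function index), the bucket count m = 6000 and the four sample segments are constructed for this example; the server and client addresses are documentation-range placeholders.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False


class CountingBloomFilter:
    """m counters of `counter_bits` bits and k hash functions. The hash family
    (SHA-256 salted with the function index) is an assumption of this example."""

    def __init__(self, m, k, counter_bits=4):
        self.m, self.k = m, k
        self.max_count = (1 << counter_bits) - 1
        self.counters = [0] * m

    def indexes(self, key):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def insert(self, key):
        for idx in self.indexes(key):
            if self.counters[idx] < self.max_count:   # saturate, never wrap to zero
                self.counters[idx] += 1

    def contains(self, key):
        return all(self.counters[idx] > 0 for idx in self.indexes(key))

    def remove(self, key):
        idxs = list(self.indexes(key))
        if not all(self.counters[i] > 0 for i in idxs):
            return False
        for i in idxs:
            self.counters[i] -= 1
        return True


def synack_tuple(p):
    """a = <srcIP, dstIP, srcport, dstport, seq, ACKseq> of an outgoing SYN/ACK."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.seq, p.ack)


def cliack_tuple(p):
    """b = <dstIP, srcIP, dstport, srcport, ACKseq-1, seq> of an incoming ACK;
    for a genuine CliACK this equals the tuple of the SYN/ACK it answers."""
    return (p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.ack - 1, p.seq)


def false_positive_rate(k, n, m):
    """pfp ~ (1 - e^(-kn/m))^k."""
    return (1.0 - math.exp(-k * n / m)) ** k


def optimal_hash_count(m, n):
    """k = ln2 * (m/n)."""
    return math.log(2) * m / n


def memory_bits(m, counter_bits=4):
    """M = 4m bits for 4-bit counters."""
    return counter_bits * m


def classify(segments, server_ip, m=6000, k=4):
    """Insert every outgoing SYN/ACK; match every incoming pure ACK against the CBF."""
    cbf = CountingBloomFilter(m, k)
    stats = {"synack_sent": 0, "cliack": 0, "unmatched_ack": 0}
    for p in segments:
        if p.src_ip == server_ip and p.syn and p.ack_flag:
            cbf.insert(synack_tuple(p))
            stats["synack_sent"] += 1
        elif p.dst_ip == server_ip and p.ack_flag and not p.syn:
            if cbf.remove(cliack_tuple(p)):
                stats["cliack"] += 1
            else:
                stats["unmatched_ack"] += 1
    stats["half_open"] = stats["synack_sent"] - stats["cliack"]
    return stats


# Constructed sample: one completed handshake, one SYN/ACK that is never
# acknowledged (spoofed source), and one stray ACK that matches nothing.
SERVER = "192.0.2.10"
SAMPLE = [
    TcpSegment(SERVER, "198.51.100.5", 443, 51000, seq=1000, ack=501, syn=True, ack_flag=True),
    TcpSegment("198.51.100.5", SERVER, 51000, 443, seq=501, ack=1001, ack_flag=True),
    TcpSegment(SERVER, "203.0.113.7", 443, 40000, seq=2000, ack=901, syn=True, ack_flag=True),
    TcpSegment("203.0.113.9", SERVER, 40001, 443, seq=77, ack=88, ack_flag=True),
]
```

The half_open count (SYN/ACKs sent minus CliACKs recognized) is the quantity a SYN-flood detector watches; the saturating increment is what keeps a hot bucket from wrapping to zero and making every later lookup on it fail.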

Page 16: DDoS Attacks

DiDDeM: A System for Early Detection of TCP SYN Flood Attacks

The Distributed Denial of Service Detection Mechanism (DiDDeM) utilizes two types of signature to meet the requirements for early detection of TCP SYN flood attacks. The three key elements of DiDDeM are: the DiDDeM domain, the pre-filter (PF) detection node, and the command and control (C2) server.

A PF is responsible for attack detection through stateful and stateless signatures and is located within the routing infrastructure.

The objective of a PF is to identify the stateful signatures of denial-of-service attacks in a stateless way, which indicates the possibility that an attack is under way against a particular host, domain, or network.


Page 17: DDoS Attacks

DiDDeM: A System for Early Detection of TCP SYN Flood Attacks cntd…

If an attack is detected, the alert is then confirmed or discarded by applying stateless signatures to the packets in question.

Within the stateful signature detection module, congestion algorithms are adapted for use in the detection of denial-of-service attacks. During these attacks, large volumes of traffic are observed. Rather than simply dropping packets when the router threshold is met, packets that are to be dropped from the queue are inspected by the PF.

If two (or more) sampled dropped packets are heading to one destination, they are passed for stateless signature inspection, as this indicates the possibility of a large flow of traffic in one direction.

To illustrate this, a First In First Out (FIFO) queue is used.


Page 18: DDoS Attacks

DiDDeM: A System for Early Detection of TCP SYN Flood Attacks cntd…

Packets are dropped from the queue. Before dropping, each packet is checked against the previously dropped packet. If the IP address matches, that address is stored for future use and the packet is passed to the stateless signature analysis.

In the stateless signature detection module, string-matching techniques are used to match the attack signatures.

The signature detection jumps from one element of interest to the next within the stream, to ensure that only the relevant parts of a packet header are read and compared.

For TCP SYN flood detection, the stateless signature detection module searches for instances of SYN flags within the TCP header, which are indicative of an attack. If a flag is found, it is compared with other packets in the stream to ascertain whether its neighbouring packets also have the same flag set.

This approach is efficient enough to meet the demands of high-volume detection.
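The PF logic of pages 17 and 18 (inspect tail-dropped packets, compare each with the previously dropped one, and only then run the stateless SYN-flag check on neighbouring packets) as an added Python example; this is not DiDDeM's code. The FIFO size, the "one forwarded packet per two arrivals" service model, the three-packet neighbour window and the traffic mix are all constructed for the example, and the addresses are documentation-range placeholders.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # TCP flag letters: "S" = SYN, "A" = ACK, "SA" = SYN/ACK


def is_syn_only(p):
    return "S" in p.flags and "A" not in p.flags


class PreFilter:
    """Toy PF node: a FIFO of fixed size. Packets that would be tail-dropped go
    through the stateful check, and only on a stateful hit through the stateless one."""

    def __init__(self, queue_size, window=3):
        self.queue = deque()
        self.queue_size = queue_size
        self.window = window                  # neighbouring packets to compare
        self.recent = deque(maxlen=256)       # the packet stream as seen by the PF
        self.last_dropped_dst = None
        self.suspect_dsts = set()             # stateful hits, stored for future use
        self.alerts = []                      # destinations confirmed by the stateless check

    def enqueue(self, pkt):
        self.recent.append(pkt)
        if len(self.queue) >= self.queue_size:
            self.stateful_inspect(pkt)        # inspect instead of silently dropping
            return False
        self.queue.append(pkt)
        return True

    def dequeue(self):
        return self.queue.popleft() if self.queue else None

    def stateful_inspect(self, dropped):
        # two consecutively dropped packets to one destination: possible large flow
        if dropped.dst == self.last_dropped_dst:
            self.suspect_dsts.add(dropped.dst)
            self.stateless_inspect(dropped)
        self.last_dropped_dst = dropped.dst

    def stateless_inspect(self, pkt):
        # jump straight to the flag field: only SYN-flagged packets are of interest
        if not is_syn_only(pkt):
            return
        neighbours = list(self.recent)[-(self.window + 1):-1]
        same_dst = [p for p in neighbours if p.dst == pkt.dst]
        if same_dst and all(is_syn_only(p) for p in same_dst):
            self.alerts.append(pkt.dst)


def run(packets, queue_size=4, service_rate=2):
    """Feed packets through a PF that forwards one queued packet for every
    `service_rate` arrivals, so the queue congests when arrivals outpace it."""
    pf = PreFilter(queue_size)
    for i, p in enumerate(packets, start=1):
        pf.enqueue(p)
        if i % service_rate == 0:
            pf.dequeue()
    return pf


# Constructed traffic: a little normal traffic, then a SYN flood from many
# spoofed sources against 192.0.2.10.
NORMAL = [Packet(f"198.51.100.{i}", "203.0.113.5", "A") for i in range(1, 5)]
FLOOD = [Packet(f"10.0.{i}.{i}", "192.0.2.10", "S") for i in range(1, 21)]
```

Congestion alone does not raise an alert here: a burst of ACKs to one destination is dropped and recorded as a stateful hit but fails the SYN-flag check, which is the confirm-or-discard step the slide describes.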


Page 19: DDoS Attacks

[Fig.3 Co-operative process of domains during attack. Legend: C2, PF, router, other node, attack traffic. DiDDeM domains D1, D2, D3, D4; nodes A, B, C, D, E, F, G, H]

Page 20: DDoS Attacks


DiDDeM: A System for Early Detection of TCP SYN Flood Attacks cntd…

Figure 3 demonstrates the co-operative process among domains during a denial-of-service attack.

1. Nodes A and B in DiDDeM domain 1 launch a TCP SYN flood as part of a distributed denial-of-service attack against node C in DiDDeM domain 4. Due to the network topology, traffic passes through DiDDeM domain 2 undetected, as congestion does not occur there.

2. As traffic passes into DiDDeM domain 3, a PF, D, detects the upsurge in network traffic against one destination.

3. The PF issues an alert to the domain C2, E. E determines the attack and issues a message alerting the adjacent DiDDeM domains 2 and 4. A response is also passed to the reporting PF, D.

Page 21: DDoS Attacks


DiDDeM: A System for Early Detection of TCP SYN Flood Attacks cntd…

4. The message is received by the C2 in DiDDeM domain 2, F. F compares this information with that received from its own PFs. If an attack is detected within the domain, F issues a response to its PFs, G and H, and alerts its adjacent domains. If an attack is not detected, the alert times out after a set time period. Thus, the attack is traced back to its originating domain, DiDDeM domain 1, and the attack is contained. It should be noted that traceback is not the aim of DiDDeM; however, it remains a benefit of the inter-domain cooperation.

Page 22: DDoS Attacks

A Detective Method for SYN Flood Attacks

[Fig. 4 Packet Sequence of Responses: the client sends one SYN (t1r at the server); the server answers SYN/ACK at t1s and sends further SYN/ACKs at t2s and t3s]


Page 23: DDoS Attacks

A Detective Method for SYN Flood Attacks cntd…

Figure 4 illustrates the sequence of response packets for one SYN packet from a client. First the measuring host (the client) sends one SYN packet; the measured host (the server) receives the packet at time t1r. The server first responds to this SYN packet with a SYN+ACK packet at time t1s.

If the measuring host is a normal client, the client replies to the server with an ACK packet.

If the measuring host is an attacking host, a spoofed source IP address is set on the first SYN packet, and the SYN+ACK packet cannot reach the client. Thus, the server remains in the half-open state and repeatedly sends three SYN+ACK packets at different time intervals.


Page 24: DDoS Attacks

A Detective Method for SYN Flood Attacks cntd…

They implemented a packet generating program and set it up on the client. The client sends packets sequentially to a specific TCP port on the server.

They prepared another measuring host to observe the timing data on the server side, to reduce the processing time. This measuring host captures all SYN+ACK packets and records their sending times.

Detective Method: They defined two thresholds, i.e. the packet response rate and the average response delay. The proposed detective method works as follows.

1. They set the detective system in front of the observed server. This system can be a packet forwarding machine or a packet observing machine.


Page 25: DDoS Attacks

A Detective Method for SYN Flood Attacks cntd…

2. They captured packet flows in the TCP establishing phase, and then kept the flows causing the half-open state on the server.

3. They observed whether a packet flow decays below the threshold of the packet response rate and/or exceeds the threshold of the average response delay.

4. If the packet flows cross these thresholds, the detective system sends a RST packet to the server. As a result, the server can escape the TCP half-open state quickly.


Page 26: DDoS Attacks

A Robust Scheme to detect SYN Flood Attacks

This scheme uses a counting Bloom filter to store the 4-tuples (source and destination IP, source and destination port) of counted SYN packets. A FIN or RST packet is then counted only if its 4-tuple is in the Bloom filter.

To make the detection scheme generally applicable, a change-point detection method based on the non-parametric Cumulative Sum (CUSUM) algorithm is applied.

Detection Scheme: They mainly used a counting Bloom filter to record the TCP connection information of valid SYN packets. They then classified whether a FIN or RST packet is a valid FIN packet according to the Bloom filter.


Page 27: DDoS Attacks

A Robust Scheme to detect SYN Flood Attacks cntd…

Bloom Filter:

A Bloom filter for representing a set S = {x1, x2, …, xn} of n elements is composed of an array of m bits, initially all set to 0. It uses k independent hash functions h1, h2, …, hk, each with range {0, 1, …, m−1}. For each element x ∈ S, the bits hi(x) are set to 1 for 1 ≤ i ≤ k.

To test an element y, they check whether all hi(y) are set to 1. If all hi(y) are set to 1, they assume that y is in S, although this is wrong with some probability (the false positive rate: the filter suggests that an element is in S even though it is not). Pf denotes the false positive rate, which is approximately (1 − e^(−kn/m))^k when m > kn. If the number of hash functions is optimized to minimize the false positive rate, then:

Pf = (1/2)^k = (1/2)^(ln2 · (m/n)) ---------------(1)

Page 28: DDoS Attacks

A Robust Scheme to detect SYN Flood Attacks cntd…

When a SYN or SYN/ACK packet is received, the counter of valid SYN packets is increased. The 4-tuple (source and destination IP, source and destination port) of this packet is extracted as an item and inserted into a counting Bloom filter. When a FIN or RST packet is received, the item of its 4-tuple is extracted and queried from the counting Bloom filter. If this item is in the Bloom filter, the counter of valid FIN packets is increased and the item is deleted from the counting Bloom filter. If not, the packet is not a valid FIN packet, and nothing needs to be done.

Change-Point Detection Method: td is chosen so that a significant portion of the connections requested during the SYN sampling period end in the corresponding FIN sampling period.


Page 29: DDoS Attacks

A Robust Scheme to detect SYN Flood Attacks cntd…

In the experiments, they chose td as 10 seconds and tp as 20 seconds. They let {Δn, n = 0, 1, …} be the number of valid SYN packets minus the number of valid FIN packets within one sampling period. The average of {Fn} (the per-period count of valid FIN packets), denoted F̄, can be estimated in real time and updated periodically:

F̄(n) = α F̄(n−1) + (1 − α) F(n) -------------(2)

where n is the time index and α is a constant, 0 < α < 1, representing the memory in the estimation of the average. They chose F̄(0) = F0 and α = 0.5 in the experiments. Let Xn = Δn / F̄; {Xn, n = 0, 1, …} is independent of the network size or the time of day.

The nonparametric version of the CUSUM statistic can be expressed as:

Y0 = 0, Yk = (Yk−1 + Xk)^+ ------------(3)


Page 30: DDoS Attacks

A Robust Scheme to detect SYN Flood Attacks cntd…

where x^+ equals x if x > 0, and 0 otherwise. The corresponding decision rule is

dN(·) = d(yk) = I(yk > N) -------------(4)

where I(·) is the indicator function and N is the threshold. The function dN represents the decision at time k, which gives the value 1 to indicate a change point and 0 to indicate a normal condition. When an attack takes place, xn suddenly becomes a large positive value. Under normal conditions yn is 0; under SYN flooding attacks yn becomes positive. If yn > N, they report an attack.
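Equations (2) to (4) of pages 29 and 30, carried through on a constructed series of per-period counts, as an added Python example (not the paper's code). The counts stand in for what the counting Bloom filter of page 28 produces: valid SYN and valid FIN/RST packets per 20-second sampling period; the series, F0 = 100, α = 0.5 and the threshold N = 1 are all constructed for the example.

```python
def cusum_detect(syn_counts, fin_counts, alpha=0.5, threshold=1.0, f0=None):
    """Non-parametric CUSUM over per-period counts of valid SYN and valid FIN
    packets. For each period n:
      delta_n = SYN_n - FIN_n
      Fbar(n) = alpha*Fbar(n-1) + (1-alpha)*FIN_n        (2)
      X_n     = delta_n / Fbar(n)
      Y_0 = 0, Y_n = (Y_{n-1} + X_n)^+                   (3)
      d_N(Y_n) = I(Y_n > N)                              (4)
    Returns one record per period."""
    fbar = float(fin_counts[0] if f0 is None else f0)   # Fbar(0) = F0
    y = 0.0                                              # Y_0 = 0
    records = []
    for n, (syn, fin) in enumerate(zip(syn_counts, fin_counts)):
        delta = syn - fin
        fbar = alpha * fbar + (1.0 - alpha) * fin        # equation (2)
        x = delta / fbar if fbar > 0 else 0.0            # X_n = delta_n / Fbar
        y = max(0.0, y + x)                              # the (.)^+ operator, (3)
        records.append({"n": n, "delta": delta, "fbar": fbar, "x": x, "y": y,
                        "alarm": y > threshold})         # decision rule (4)
    return records


def first_alarm(records):
    """Index of the first period flagged as a change point, or None."""
    for r in records:
        if r["alarm"]:
            return r["n"]
    return None


# Constructed 20-second sampling periods (td = 10 s, tp = 20 s as on page 29):
# normal load in periods 0-3, a SYN flood in periods 4-6, normal load afterwards.
SYN_COUNTS = [100, 102, 98, 101, 400, 420, 410, 100, 100]
FIN_COUNTS = [100, 100, 100, 100, 100, 100, 100, 100, 100]

if __name__ == "__main__":
    for r in cusum_detect(SYN_COUNTS, FIN_COUNTS, f0=100):
        print(r)
```

Under normal load X stays near zero so Y hovers at zero; in period 4 X jumps to 3.0 and Y crosses the threshold immediately. Note that, as written on the slides, X has zero mean under normal load, so Y does not drift back to zero once the flood stops; the original CUSUM formulation subtracts a small constant from X to give the statistic negative drift in the normal state.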


Page 31: DDoS Attacks


Identification of Effective Network Features To Detect Smurf Attacks.

• In this paper, 32 basic features are extracted from the TCP, IP, UDP and ICMP protocols.

• These features include Type of Protocol, Length of Frame, Type of Ethernet Protocol, IP Version, IP Header Length, IP Total Length, IP Identification, Source Port, Destination Port, Sequence Number, Acknowledgment Number, TCP and IP flags and so on, all extracted from TCP/IP.

• In the reported work, the TCP dump from the DARPA'98 dataset is used as the input dataset.

Page 32: DDoS Attacks


Identification of Effective Network Features To Detect Smurf Attacks cntd…

• Training data from the DARPA dataset includes "list files" that identify the timestamp, source host and port, destination host and port, and the name of each attack.

• This information is used to select intrusion data for the purpose of pattern mining and feature construction, and to label each connection record with a "normal" or "attack" label.

• The final labeled training data is used for training the classifiers. Due to the large volume of audit data, connection records are stored in several data files.

Page 33: DDoS Attacks


Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet

Packets Used In SMURF Attack:

Fig. 5 shows the packet format used by the ICMP echo request and reply messages. The ICMP echo request and reply messages are identified by the value of the type field.

[Fig.5 ICMP Echo Req/Reply Packet Format]

The OPTIONAL DATA field holds data that are returned to the sender by the receiver of the ping messages.

Page 34: DDoS Attacks


Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet cntd…

Architecture Of SMURF Attack Infrastructure:

The network configuration used in an actual Smurf attack is shown in Fig. 6. In a Smurf-based DDoS attack, a large number of ICMP echo messages, i.e. ping messages, carrying the spoofed source address of the victim computer are sent to broadcast addresses.

[Fig.6 Architecture of SMURF Attack: Attacking Computer, Echo Request, Router, Broadcast Domain, Echo Replies]

Page 35: DDoS Attacks


Smurf-based Distributed Denial of Service (DDoS)Attack Amplification in Internet cntd…

The broadcast domain helps amplify the DDoS attack traffic moving towards the victim computer.

Attack Amplification: If the bandwidth used by the perpetrator is Bp in bits per second, then the maximum number of ICMP echo request messages sent towards the intermediary broadcast domain

= Bp / (M1 + M2)

where M1 is the size of an ICMP echo request message in bits and M2 is the associated overhead, in bits, for transmission of the ICMP echo request message over the physical layer. Since in this attack multiple computers in the broadcast domain generate an ICMP echo reply for each echo request, the number of echo reply messages

Page 36: DDoS Attacks

Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet cntd…

= Min [ Bi / (M1 + M2), N × Bp / (M1 + M2) ]

where Bi is the outgoing bandwidth of the intermediary broadcast domain towards the victim computer, and "Min" indicates the minimum of the two entities enclosed inside the parentheses. If Q broadcast domains, each with N hosts, are used for amplification in the Smurf attack against a computer, then the number of ICMP echo reply messages received by the victim computer

= Σ_{j=1}^{Q} Min [ Bj / (M1 + M2), Nj × Bp / (M1 + M2) ]


Page 37: DDoS Attacks

Smurf-based Distributed Denial of Service (DDoS)Attack Amplification in Internet cntd…

In the equation above, Bj is the outgoing bandwidth of the jth intermediate broadcast domain and Bp is the bandwidth used by the perpetrator of the Smurf attack.

Nj is the number of hosts in the jth broadcast domain, and Q is the total number of broadcast domains used by the perpetrator to amplify the Smurf attack.

Here, they define a new term, the Attack Amplification Factor (AAF), which is the ratio of the amount of bandwidth generated by the intermediary systems to the amount of bandwidth used by the perpetrator to send ping messages to the unprotected intermediary networks.

For the simpler case of Q intermediary broadcast domains with N hosts each, the amplified attack bandwidth generated by the intermediary systems is

Ta = (M1 + M2) × Σ_{j=1}^{Q} (N × Bp / (M1 + M2)) = Q × N × Bp.


Page 38: DDoS Attacks

Smurf-based Distributed Denial of Service (DDoS)Attack Amplification in Internet cntd…

Hence, the Attack Amplification Factor (AAF) = Amplified Attack Traffic / Original Attack Traffic = Ta / Bp = Q × N, where Q is the number of broadcast domains being used for attack amplification and N is the number of hosts per broadcast domain.
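The amplification formulas of pages 35 to 38 evaluated in Python, as an added example rather than the paper's code. It goes one step beyond the uniform Q × N result by keeping the Min term, so a broadcast domain with a small outgoing link Bj caps its own contribution. The message sizes (an 84-byte echo request plus 26 bytes of framing overhead), the 1 Mbit/s perpetrator bandwidth and the two domain lists are constructed values for the example; a network operator can plug in their own Bj and Nj to estimate how much reply traffic their broadcast domains could be made to emit.

```python
def echo_requests_per_second(bp, m1, m2):
    """Maximum echo request rate the perpetrator can source: Bp / (M1 + M2)."""
    return bp / (m1 + m2)


def replies_from_domain(bj, nj, bp, m1, m2):
    """Reply rate one broadcast domain can deliver to the victim:
    Min[ Bj/(M1+M2), Nj*Bp/(M1+M2) ]; the domain's outgoing bandwidth Bj caps it."""
    return min(bj / (m1 + m2), nj * bp / (m1 + m2))


def victim_reply_rate(domains, bp, m1, m2):
    """Sum over j = 1..Q of replies_from_domain; `domains` is a list of (Bj, Nj)."""
    return sum(replies_from_domain(bj, nj, bp, m1, m2) for bj, nj in domains)


def amplification_factor(domains, bp, m1, m2):
    """AAF = amplified traffic / original traffic = Ta / Bp, where
    Ta = (M1 + M2) * reply rate. Equals Q*N only when no Bj is the bottleneck."""
    ta = (m1 + m2) * victim_reply_rate(domains, bp, m1, m2)
    return ta / bp


def ideal_amplification_factor(q, n):
    """Page 38's uncapped result for Q domains of N hosts each: AAF = Q x N."""
    return q * n


# Constructed sizes: M1 = 84-byte echo request (IP + ICMP header + payload),
# M2 = 26 bytes of Ethernet framing overhead, Bp = 1 Mbit/s for the perpetrator.
M1_BITS, M2_BITS, BP = 84 * 8, 26 * 8, 1_000_000
UNCAPPED_DOMAINS = [(1_000_000_000, 50)] * 3              # 3 domains, 1 Gbit/s out, 50 hosts each
CAPPED_DOMAINS = [(100_000_000, 50), (10_000_000, 200)]   # second domain has only 10 Mbit/s out

if __name__ == "__main__":
    print("requests/s:", echo_requests_per_second(BP, M1_BITS, M2_BITS))
    print("AAF uncapped:", amplification_factor(UNCAPPED_DOMAINS, BP, M1_BITS, M2_BITS))
    print("AAF capped:", amplification_factor(CAPPED_DOMAINS, BP, M1_BITS, M2_BITS))
```

For the three 1 Gbit/s domains the result is exactly Q × N = 150; for the second list the 200-host domain behind a 10 Mbit/s link contributes only Bj / Bp = 10 instead of 200, so the AAF is 60 rather than 250.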

Prevention of SMURF Attacks: A Smurf attack can be prevented by a firewall or a router which filters ICMP attack packets. In the above-mentioned case, the attacker's network should not allow the attackers to spoof their IP addresses.

The other option is that the intermediary systems/networks must not allow their networks to be exploited by an attacker for amplifying the attack traffic. One way to reduce the risk of this is to disable IP-directed broadcast,


Page 39: DDoS Attacks

A Novel Traceback Approach for Direct and Reflected ICMP Attacks

A. Packet Logging:

• In this approach, the routers save information about the packets they have handled. This information allows a router to check afterwards whether a packet went through it. Once an attack is detected, the victim sends traceback requests to its upstream routers to reconstruct the attack path.

• The advantage of this approach is the ability to reconstruct the attack path with only one attack packet.

B. Packet Marking:

• Packet marking is the most studied approach. The routers insert information in the packets in order to locate the source of a flow.

• The victim processes the received markings and reconstructs the attack path, which consists of the addresses of the routers between the attacker and the victim.


Page 40: DDoS Attacks

A Novel Traceback Approach for Direct and Reflected ICMP Attacks cntd…

C. ICMP Traceback:

• In this approach, routers send out-of-band traceback information to the destination of the flow to reconstruct the attack path.

• Routers send ICMP packets along the attack path to the same destination. These ICMP packets contain information about the marking router.

• The victim collects the ICMP packets during the attack and extracts the traceback information, so that it is able to reconstruct the attack path.


Page 41: DDoS Attacks

A Novel Traceback Approach for Direct and Reflected ICMP Attacks cntd…

D. Traceback of ICMP Attacks:

• The data structure (the optional data field) used is presented in figure 8. The first marking router initializes the flag field; the next routers then know that the packet has already been marked. The marking routers increment the distance field at each marking, so the routers and the victim know how many routers have marked the packet.

[Marking data structure in the optional data field: Flag | Distance | then repeated entries of Router's IP Adr | Echo bit | TTL]

Page 42: DDoS Attacks

A Novel Traceback Approach for Direct and Reflected ICMP Attacks cntd…

• Virtual Platform: They implemented the traceback system in a private network, using virtual machines. In this scenario there is one attacker, five routers, three reflectors and a victim (see figure 8). A packet from the attacker to the reflectors must traverse all the routers.

[Fig. 7 Implementation Scenario: Attacker, Echo Request, Intermediate network, Echo Replies, Victim]


Page 43: DDoS Attacks

A Novel Traceback Approach for Direct and Reflected ICMP Attacks cntd…

The attack packets pass through the reflectors before arriving at the victim. All the routers mark the forwarded ICMP echo packets with their IP addresses and the current TTL of the packet.

The victim receives all the markings, whether performed before or after the reflection. The victim analyses the received markings to reconstruct the attack path, using the TTL to order the routers.

The algorithm is performed by every router while forwarding an ICMP echo packet. When an ICMP packet P is forwarded, the router decides whether or not it should mark the packet.

If the packet has not been marked before, the router initializes the flag field and the distance field.


Page 44: DDoS Attacks

A Novel Traceback Approach for Direct and Reflected ICMP Attacks cntd…

The router copies its IP address and the TTL of the packet into the marking, and sets the echo bit.

If the packet has already been marked, the router calculates the location for its marking. The router marks the packet and increments the distance.

If there is not enough space to mark, the router overwrites an old marking chosen randomly.
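The router-side marking algorithm of pages 41 to 44 and the victim-side reconstruction, as an added Python example (not the paper's implementation). The marking layout follows the flag / distance / (router IP, echo bit, TTL) structure shown above; the slot capacity of three, the TTL of 64, the five router addresses and the attacker-to-reflector-to-victim scenario are constructed for the example. Ordering the markings by TTL within each echo-bit group (request markings first, reply markings second) is this example's reading of "the victim uses the TTL to order the routers", not a rule the slides spell out.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Marking:
    router_ip: str
    echo_bit: int     # 0 = marked on the echo request, 1 = marked on the echo reply
    ttl: int


@dataclass
class TraceField:
    """Layout of the optional-data field: flag, distance, then up to `capacity`
    (router IP, echo bit, TTL) markings."""
    flag: int = 0
    distance: int = 0
    slots: list = field(default_factory=list)


@dataclass
class IcmpEcho:
    is_reply: bool
    ttl: int
    data: TraceField


def forward_and_mark(router_ip, pkt, capacity=3, rng=random):
    """Marking algorithm run by each router while forwarding an ICMP echo packet."""
    pkt.ttl -= 1                                   # normal forwarding decrement
    m = Marking(router_ip, 1 if pkt.is_reply else 0, pkt.ttl)
    if pkt.data.flag == 0:
        # first marking router: initialise the flag and distance fields
        pkt.data.flag = 1
        pkt.data.distance = 1
        pkt.data.slots = [m]
    else:
        pkt.data.distance += 1                     # every marking router counts itself
        if len(pkt.data.slots) < capacity:
            pkt.data.slots.append(m)
        else:
            # no free slot: overwrite an old marking chosen at random
            pkt.data.slots[rng.randrange(capacity)] = m
    return pkt


def reflect(request, reply_ttl=64):
    """The reflector answers an echo request with an echo reply that carries the
    optional-data field, and therefore the markings, back unchanged."""
    return IcmpEcho(is_reply=True, ttl=reply_ttl, data=request.data)


def reconstruct_path(data):
    """Victim side: higher TTL means closer to the sender, so sort each group by
    TTL descending, pre-reflection markings (echo bit 0) before post-reflection ones."""
    before = sorted((m for m in data.slots if m.echo_bit == 0), key=lambda m: -m.ttl)
    after = sorted((m for m in data.slots if m.echo_bit == 1), key=lambda m: -m.ttl)
    return [m.router_ip for m in before + after]


def run_scenario(capacity, seed=7):
    """Constructed scenario: attacker -> R1, R2, R3 -> reflector -> R4, R5 -> victim."""
    rng = random.Random(seed)
    pkt = IcmpEcho(is_reply=False, ttl=64, data=TraceField())
    for ip in ("10.0.1.1", "10.0.2.1", "10.0.3.1"):
        forward_and_mark(ip, pkt, capacity, rng)
    reply = reflect(pkt)
    for ip in ("10.0.4.1", "10.0.5.1"):
        forward_and_mark(ip, reply, capacity, rng)
    return reply.data


if __name__ == "__main__":
    data = run_scenario(capacity=8)
    print(data.distance, reconstruct_path(data))
```

With enough slots the victim recovers the full ordered path across the reflection; with only two slots the distance field still reports five marking routers, while the random overwrite keeps a sample of them, which is the trade-off the slide describes.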


Page 45: DDoS Attacks

Contributions:

For the probabilistic drop scheme, an inspection method can be implemented. As soon as a packet arrives at the router, it can be inspected. Before the enqueue step, we can perform early detection of a SYN flood attack, so that only legitimate packets survive in the queue.

In the more accurate scheme to detect SYN flood attacks, 6-tuples are used for the Bloom filter. With those 6-tuples we can use a trace-back scheme to trace the attacker's path.

In the Distributed Denial of Service Detection Mechanism, stateful and stateless signature analysis is used to detect SYN flood attacks. We can apply this method to Smurf attacks: before broadcasting the request, stateful and stateless signature analysis can be done.


Page 46: DDoS Attacks

Contributions cntd…

In the Smurf attack amplification paper, the authors investigated the factors that contribute to the amplification of Smurf attack traffic and the relation among the original attack traffic, the intermediate unprotected network and the final amplified attack traffic. Here we can extend the capability of the router. The router can extract the header and, before broadcasting the request to the intermediate network, implement the trace-back mechanism. The router can also implement the distributed denial of service detection mechanism by using stateful and stateless signature analysis. We can implement early detection of the attack at the source end, and observe the intensity of traffic from a specific source to a specific destination.


Page 47: DDoS Attacks

Contributions cntd…

In the robust scheme, SYN flood attacks are detected by recording flow information in a counting Bloom filter. After detection of a SYN flood, we can implement a proactive technique called logging to prevent further SYN floods. The router can maintain a log file in which the attack pattern is stored. When a packet arrives, it can be inspected against the log file. If a match is found, the packet can be dropped as a confirmed attack packet. We can also implement the trace-back method here.
