TCP-level attacks
• SYN-Floods
  Implementations create state at servers before connection is fully established
• Session hijack
  Pretend to be a trusted host
  Sequence number guessing
• Session resets
  Close a legitimate connection
15-411: F08 security

Session Hijack
[Diagram: Trusted (T), Malicious (M), Server]
First send a legitimate SYN to server

Session Hijack
[Diagram: Trusted (T), Malicious (M), Server]
Using ISN_S1 from earlier connection, guess ISN_S2!

TCP Layer Attacks
• TCP SYN Flooding
  Exploit state allocated at server after initial SYN packet
  Send a SYN and don’t reply with ACK
  Server will wait for 511 seconds for ACK
  Finite queue size for incomplete connections (1024)
  Once the queue is full it doesn’t accept requests

TCP Layer Attacks
• TCP Session Poisoning
  Send RST packet
    ▪ Will tear down connection
  Do you have to guess the exact sequence number?
    ▪ Anywhere in window is fine
    ▪ For 64k window it takes 64k packets to reset
    ▪ About 15 seconds for a T1
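
The receiver-side RST check behind the "anywhere in window is fine" point, next to the stricter check from RFC 5961, as an added example that is not part of the original slides. The function names, the 40-byte segment size and the 1.544 Mbit/s T1 rate are assumptions chosen to reproduce the slide's 64k-packet, roughly 15-second estimate; a non-zero receive window is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Receiver-side outcomes for an incoming RST segment. */
enum rst_action { RST_DROP, RST_RESET, RST_CHALLENGE_ACK };

/* True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32 (rcv_wnd > 0). */
static int in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Classic check described on the slide: any in-window RST tears down. */
enum rst_action rst_classic(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return in_window(seq, rcv_nxt, rcv_wnd) ? RST_RESET : RST_DROP;
}

/* RFC 5961 check: only an exact match resets; any other in-window RST
 * gets a challenge ACK, so the genuine peer must confirm the reset. */
enum rst_action rst_rfc5961(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (!in_window(seq, rcv_nxt, rcv_wnd))
        return RST_DROP;
    return seq == rcv_nxt ? RST_RESET : RST_CHALLENGE_ACK;
}

/* Number of window-sized strides needed to cover the 32-bit sequence space. */
uint64_t windows_in_seq_space(uint32_t rcv_wnd)
{
    return ((1ULL << 32) + rcv_wnd - 1) / rcv_wnd;
}

/* Seconds to transmit n segments of seg_bytes each at link_bps. */
double seconds_to_send(uint64_t n, unsigned seg_bytes, double link_bps)
{
    return (double)n * seg_bytes * 8.0 / link_bps;
}

int main(void)
{
    /* Constructed values: 64 KiB window, 40-byte segment, 1.544 Mbit/s T1. */
    uint64_t n = windows_in_seq_space(65536);
    printf("%llu segments, %.1f s on a T1\n",
           (unsigned long long)n, seconds_to_send(n, 40, 1.544e6));
    return 0;
}
```

With the exact-match rule, one stride per window no longer suffices: the sender of a forged RST has to hit RCV.NXT itself, which restores the full 2^32 search space.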