• Types of attacks
• Solutions
• Conclusion
What is Denial of Service Attack?
• Main aim: to stop the victim's machine from doing its required job
Three-way Handshake (figure: client S on the left, server D on the right)
1. S -> D: SYN (seq = x). The client requests a connection. D is in LISTEN; on receiving the SYN it allocates resources and moves to SYN_RCVD.
2. D -> S: SYN (seq = y) + ACK (x+1). The server agrees to the connection request.
3. S -> D: ACK (y+1). The client finishes the handshake; the connection is CONNECTED.
How SYN Flooding Attack Works? (figure: attacker on the left, victim on the right)
• The attacker sends SYNs using spoofed source addresses.
• The victim answers every SYN with SYN+ACK and allocates resources for every half-open connection.
• The final ACK never arrives. Victim: "I have ACKed these connections but I have not received an ACK back!"
• There is a limit on the number of half-open connections the victim can hold.
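The handshake and the flooding figure above describe the same server-side table: one entry is allocated in SYN_RCVD per SYN and freed only by the final ACK or by a timeout. The following added example (not code from the slides) models that table in Python; the limit, timeout and addresses are constructed values. It shows that entries from sources that never ACK occupy the table until they expire, and that a genuine client is refused while the table is full and accepted once the entries time out.

```python
"""Server-side model of the three-way handshake with a bounded SYN_RCVD
(half-open) table.  Added example, not code from the slides: the limit,
timeout and addresses are constructed values."""
from dataclasses import dataclass, field

HALF_OPEN_LIMIT = 4        # assumed maximum number of half-open connections
HALF_OPEN_TIMEOUT = 30.0   # assumed seconds a SYN_RCVD entry is kept without an ACK


@dataclass
class Listener:
    """Listening server D: allocates an entry per SYN, frees it on ACK or timeout."""
    half_open: dict = field(default_factory=dict)   # src -> expiry time of the entry
    established: set = field(default_factory=set)
    refused: int = 0

    def _expire(self, now):
        """Reclaim SYN_RCVD entries whose timer has run out."""
        for src in [s for s, exp in self.half_open.items() if exp <= now]:
            del self.half_open[src]

    def on_syn(self, src, now):
        """SYN received (LISTEN -> SYN_RCVD): allocate resources if there is room."""
        self._expire(now)
        if len(self.half_open) >= HALF_OPEN_LIMIT:
            self.refused += 1
            return "DROP"
        self.half_open[src] = now + HALF_OPEN_TIMEOUT
        return "SYN+ACK"

    def on_ack(self, src, now):
        """Final ACK received (SYN_RCVD -> CONNECTED) for a matching half-open entry."""
        self._expire(now)
        if src not in self.half_open:
            return "RST"        # no handshake in progress for this source
        del self.half_open[src]
        self.established.add(src)
        return "CONNECTED"


def legitimate_client(listener, src, now):
    """A genuine client answers the SYN+ACK at once, so its entry is freed immediately."""
    if listener.on_syn(src, now) != "SYN+ACK":
        return "REFUSED"
    return listener.on_ack(src, now)


def flood_scenario():
    """SYNs whose SYN+ACK is never answered hold the table until they time out."""
    srv = Listener()
    for i in range(HALF_OPEN_LIMIT):            # constructed sources that never ACK back
        srv.on_syn(f"10.0.0.{i}", now=0.0)
    while_full = legitimate_client(srv, "192.0.2.10", now=1.0)      # table is full
    after_timeout = legitimate_client(srv, "192.0.2.10", now=31.0)  # entries reclaimed
    return while_full, after_timeout, srv.refused


if __name__ == "__main__":
    print(flood_scenario())   # ('REFUSED', 'CONNECTED', 1)
```

The timeout is the only thing that frees an entry whose ACK never comes, which is why the solutions on the following slides either bound the per-entry cost (SYN cache) or keep half-open connections away from the server altogether (relay firewall).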
Attack Modes
• Different parameters by which a SYN flood attack can vary:
1. Batch-size: number of packets sent from a source address in a batch
2. Delay: time interval between two batches of packets sent
3. Source address allocation
– Single Address: a single forged address
• Using firewall
• SYN cache
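A SYN cache addresses the resource allocation seen in the flooding figure: instead of a full connection block per SYN, the server keeps only a small, bounded record until a valid final ACK arrives. The added example below (not code from the slides) models one in Python; the bucket count, bucket depth, the secret and the way the server's initial sequence number is derived are all constructed for illustration. It shows that the number of half-open entries stays bounded no matter how many SYNs arrive, that a genuine client still completes its handshake, and that an ACK which does not match the cached server ISN + 1 is rejected.

```python
"""SYN cache model: the server keeps only a small, bounded record per half-open
connection and allocates the full connection block only when a valid
handshake-completing ACK arrives.  Added example, not code from the slides;
the bucket sizes, the secret and the server ISN derivation are constructed."""
import hashlib
from collections import OrderedDict

BUCKETS = 8          # assumed number of hash buckets
BUCKET_DEPTH = 2     # assumed entries per bucket; the oldest is evicted when full
SECRET = b"constructed-secret-not-for-real-use"


def _digest(src, port, key=b""):
    return hashlib.sha256(key + f"{src}:{port}".encode()).digest()


def server_isn(src, port):
    """Per-client server initial sequence number (ISN) derived from a secret."""
    return int.from_bytes(_digest(src, port, SECRET)[:4], "big")


def bucket_of(src, port):
    return int.from_bytes(_digest(src, port)[:2], "big") % BUCKETS


class SynCache:
    def __init__(self):
        self.buckets = [OrderedDict() for _ in range(BUCKETS)]
        self.connections = {}      # full connection state, created only on valid ACK
        self.evicted = 0

    def on_syn(self, src, port, client_isn):
        """SYN received: store a compact entry instead of a full connection block."""
        bucket = self.buckets[bucket_of(src, port)]
        if len(bucket) >= BUCKET_DEPTH:
            bucket.popitem(last=False)     # evict the oldest half-open entry here
            self.evicted += 1
        isn = server_isn(src, port)
        bucket[(src, port)] = (client_isn, isn)
        return isn                         # sent back as the SYN+ACK sequence number

    def on_ack(self, src, port, ack_num):
        """Final ACK: accepted only if it acknowledges our ISN + 1 for a cached entry."""
        bucket = self.buckets[bucket_of(src, port)]
        entry = bucket.get((src, port))
        if entry is None or ack_num != entry[1] + 1:
            return False
        del bucket[(src, port)]
        self.connections[(src, port)] = {"client_isn": entry[0], "server_isn": entry[1]}
        return True

    def half_open_count(self):
        return sum(len(b) for b in self.buckets)


def demo():
    cache = SynCache()
    for i in range(200):                       # constructed SYNs that never get an ACK
        cache.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, client_isn=i)
    bounded = cache.half_open_count() <= BUCKETS * BUCKET_DEPTH
    isn = cache.on_syn("192.0.2.10", 51000, client_isn=7)   # a genuine client
    accepted = cache.on_ack("192.0.2.10", 51000, isn + 1)
    replayed = cache.on_ack("192.0.2.10", 51000, isn + 1)   # entry already consumed
    return bounded, accepted, replayed, len(cache.connections)


if __name__ == "__main__":
    print(demo())   # (True, True, False, 1)
```

The memory ceiling is BUCKETS * BUCKET_DEPTH entries regardless of load; under heavy load a genuine client's entry can be evicted before its ACK arrives, which is the trade-off a SYN cache makes in exchange for never exhausting the server.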
Using Firewalls (figure: host A, FIREWALL, host D; SYN and SYN+ACK are exchanged through the firewall)
Firewall as a Relay (cont'd) (figure: client S, Firewall, server D)
Legitimate connection with relay firewall:
• S and the Firewall exchange SYN, SYN+ACK and ACK; the firewall completes the client's handshake itself.
• The Firewall and D then exchange SYN, SYN+ACK and ACK.
• Data is relayed between S and D in both directions.
Connection that does not complete:
• SYN and SYN+ACK are exchanged, but the handshake is not completed.
• After a Timeout the Firewall sends RST.
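The "Using firewall" solution and the relay figure above describe one mechanism: the firewall completes the three-way handshake with the client on its own, and only afterwards opens its own connection to D, so D never holds a half-open connection. The added example below (not code from the slides) models both sides' messages in Python and records the exchange as a trace; the timeout and the client names are constructed. A client that never sends its ACK is reset by the firewall after the timeout, and D only ever sees the handshakes the firewall completes.

```python
"""Relay firewall model with both sides' messages: the firewall completes the
three-way handshake with the client itself and only then opens its own
connection to the protected server D.  Added example, not code from the
slides; the timeout and client names are constructed values."""
RELAY_TIMEOUT = 10.0   # assumed seconds the firewall waits for the client's ACK


class Server:
    """Protected server D: it only ever sees handshakes the firewall completes."""
    def __init__(self):
        self.half_open = set()
        self.connected = set()
        self.received = []

    def on_syn(self, client):
        self.half_open.add(client)
        return "SYN+ACK"

    def on_ack(self, client):
        self.half_open.discard(client)
        self.connected.add(client)

    def on_data(self, client, payload):
        if client in self.connected:
            self.received.append((client, payload))


class RelayFirewall:
    def __init__(self, server):
        self.server = server
        self.pending = {}     # client -> expiry of the firewall-side half-open entry
        self.relayed = set()  # clients whose relay to D is established
        self.log = []         # (from->to, message) exchange trace

    def _expire(self, now):
        """Clients that never ACKed are reset (RST) once the timeout passes."""
        for client, expiry in list(self.pending.items()):
            if expiry <= now:
                del self.pending[client]
                self.log.append((f"FW->{client}", "RST"))

    def on_syn(self, client, now):
        self._expire(now)
        self.pending[client] = now + RELAY_TIMEOUT
        self.log.append((f"{client}->FW", "SYN"))
        self.log.append((f"FW->{client}", "SYN+ACK"))   # answered by the firewall, not D

    def on_ack(self, client, now):
        self._expire(now)
        if client not in self.pending:
            return
        del self.pending[client]
        self.log.append((f"{client}->FW", "ACK"))
        # The client's handshake is complete, so the firewall now handshakes with D.
        self.log.append(("FW->D", "SYN"))
        self.log.append(("D->FW", self.server.on_syn(client)))
        self.server.on_ack(client)
        self.log.append(("FW->D", "ACK"))
        self.relayed.add(client)

    def on_data(self, client, payload, now):
        self._expire(now)
        if client in self.relayed:
            self.log.append((f"{client}->FW->D", "Data"))
            self.server.on_data(client, payload)


def scenario():
    d = Server()
    fw = RelayFirewall(d)
    fw.on_syn("S", now=0.0)          # genuine client
    fw.on_syn("X", now=0.0)          # constructed client that never answers SYN+ACK
    fw.on_ack("S", now=0.1)
    fw.on_data("S", b"hello", now=0.2)
    fw.on_data("S", b"world", now=11.0)   # by now X's entry has timed out
    rst_sent = ("FW->X", "RST") in fw.log
    return len(d.half_open), len(d.received), rst_sent, "X" in d.connected


if __name__ == "__main__":
    print(scenario())   # (0, 2, True, False)
```

The half-open state for X lives only in the firewall's pending table and is cleared with an RST; D's half_open set is empty throughout, which is the property the relay design is meant to provide.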
System Configuration Improvements
Topics
– Logical Address
– Physical Address
– Mapping
– ARP
– ARP Cache Table
– ARP Poisoning
– Prevent ARP Poisoning
Logical address
• Internetwork address
• Unique universally
• In TCP/IP it's called the IP Address
• 32 bits long
Physical Address
• Local address
• Unique locally
Mapping
ARP request
– Computer A asks the network, "Who has this IP address?"
ARP reply
– Computer B tells Computer A, "I have that IP. My Physical Address is [whatever it is]."
Cache Table
State  Queue  Attempt  Time-out  Protocol Addr.  Hardware Addr.
P      14     5                  201.11.56.7
R      9               60        19.1.7.82       4573E3242ACA
P      18     3                  188.11.8.71
(State P = pending: request sent, reply awaited, attempts counted; R = resolved: hardware address known, time-out running)
ARP Poisoning
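The cache table above is built from ARP replies, and ARP poisoning works by feeding the cache replies that change the IP-to-physical-address mapping. The added example below (not code from the slides) parses a constructed capture of ARP replies, maintains the IP -> MAC cache, and raises the alerts that poisoning produces: an IP whose MAC changes, one MAC claiming several IPs, and a reply contradicting a pinned entry. The pinned "static" entry for the gateway models the usual prevention step of making critical mappings immune to replies; all addresses and the capture format are constructed.

```python
"""ARP cache monitor: builds the IP -> physical (MAC) mapping from observed ARP
replies and flags the inconsistencies ARP poisoning produces.  Added example,
not code from the slides; the reply lines and addresses are constructed, and the
'static' entries model pinning critical mappings such as the gateway."""
import re

REPLY_RE = re.compile(
    r"^(?P<seq>\d+)\s+ARP reply\s+(?P<ip>[\d.]+)\s+is-at\s+(?P<mac>[0-9a-f:]{17})$")

# Constructed capture of ARP replies in the order they were observed.
CAPTURE = """\
1 ARP reply 192.168.1.1 is-at 00:11:22:33:44:01
2 ARP reply 192.168.1.20 is-at 00:11:22:33:44:20
3 ARP reply 192.168.1.21 is-at 00:11:22:33:44:21
4 ARP reply 192.168.1.20 is-at 00:11:22:33:44:99
5 ARP reply 192.168.1.1 is-at 00:11:22:33:44:99
6 ARP reply 192.168.1.21 is-at 00:11:22:33:44:99
"""


def parse_replies(text):
    """Yield (seq, ip, mac) for every well-formed reply line."""
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            yield int(m["seq"]), m["ip"], m["mac"]


class ArpMonitor:
    def __init__(self, static=None):
        self.static = dict(static or {})   # pinned IP -> MAC, never updated by replies
        self.cache = dict(self.static)
        self.alerts = []

    def on_reply(self, seq, ip, mac):
        """Apply one '<ip> is-at <mac>' reply to the cache and record alerts."""
        if ip in self.static:
            if mac != self.static[ip]:
                self.alerts.append((seq, "reply contradicts static entry", ip, mac))
            return                           # static entry wins; cache untouched
        old = self.cache.get(ip)
        if old == mac:
            return                           # nothing new
        if old is not None:
            self.alerts.append((seq, "MAC changed for IP", ip, f"{old}->{mac}"))
        self.cache[ip] = mac
        owners = sorted(i for i, m in self.cache.items() if m == mac)
        if len(owners) > 1:
            self.alerts.append((seq, "one MAC claims several IPs", mac, tuple(owners)))


def run(text=CAPTURE, static=None):
    """Replay a capture through the monitor; pins the gateway unless told otherwise."""
    pinned = static if static is not None else {"192.168.1.1": "00:11:22:33:44:01"}
    mon = ArpMonitor(pinned)
    for seq, ip, mac in parse_replies(text):
        mon.on_reply(seq, ip, mac)
    return mon


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```

With the gateway pinned, reply 5 cannot change the gateway's entry and is reported instead; without the pin (run(static={})) the same reply silently rewrites the gateway mapping, which is exactly the outcome prevention aims to avoid.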
www.watchguard.com/infocenter/editorial/135324.asp
www.l0t3k.org/security/docs/arp/