Velo

Defending against a Denial-of-Service Attack on TCP
Pars Mutaf Izmir Institute of Technology pars@likya.iyte.edu.tr Abstract In this paper we propose a method for detecting TCP SYN-flooding attacks. This is an anomaly detection method based on intensities of SYN segments which are measured on a network monitoring machine in real-time. We note that current solutions suffer from several importantflaws such as the possibility of denying access to legitimate clients and/or causing service degradation at protected machines, therefore we aim to minimize such unwanted effects by acting only when it is necessary: during an attack. In order to force the attackers to fall in a detectable region (hence, avoid false negatives) and determine the actual level of threat we are facing, we also profitfrom a series of host based measures such as tuning TCP backlog queue lengths of our servers. Experience showed that complete avoidance from false positives is not possible with this method, however a significant decrease can be reasonably expected. Nevertheless, this requires an acceptable model for the legitimate use of services. We first explain why the Poisson model would fail in modelingTCP connection arrivals in our case and show that analyzing daily maximum arrival rates can be suitable for minimizing false positive probabilities. This method can allow ISPs to determine their correct requirements to cope with this particular attack and provide more secure services to their clients. 1 Introduction The Internet has undergone a phenomenal growth in the recent past. However, duringthis period the vulnerabilities found in the TCP/IP protocol suite have been subjected to significant revelation as well. Particularly, the details of a simple denial-of-service attack popularly known as “SYN-flooding” were published in two underground magazines and this attack still continues to pose a serious threat against the availability of TCP services[11]. The SYN-flooding attack exploitsa common TCP implementation issue and a well-known authentication weakness found in IP, which do not seem correctable in the near future since they require the modification of the standards. Preventive approaches such access control are not applicable to SYN-flooding attacks since the general target is public services. Therefore, we propose a method for detecting these attacks in real-time andrecovering from the damage as soon as possible and in a convenient way. Network monitors are known to be able to detect such low-level network based attacks, therefore we implement this method on a network monitoring machine. The method that we propose falls in the anomaly detection category of intrusion detection systems. However, we also profit from a series of host based measures in order toforce an attacker to fall in a detectable region. The rest of this paper is organized as follows: Section 2 describes background material such as the IP and TCP protocols as well as the vulnerabilities found in these protocols which are exploited by the SYN-flooding attack, Section 3 overviews its current solutions, Section 4 explains our objectives, Sections 5-10 give the details of our approach,Section 11 proposes future work and Section 12 presents several conclusions.
1

2 Background The Internet is a worldwide network that uses the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite for communications. IP[6] is the standard internet layer protocol of TCP/IP, which provides for transmitting blocks of data called datagrams from sources to destinations, wheresources and destinations are hosts identified by fixed length addresses. IP is a connectionless protocol. Therefore, IP datagrams may get delivered out of order and there is no guarantee that a datagram successfully gets its destination. IP does not either provide address authentication. Actually, any host can send datagrams with any source IP address[2]. Therein lies most of the threat against the...