
TCP 3-Way Handshake Review

So as a quick quiz, what are some of the advantages of TCP SYN cookies? Is it that they can be applied to filter traffic in the network core? Is it that they can prevent the server from exhausting state by setting up socket buffers after receiving a TCP SYN? Or is it that they can defend against UDP flooding attacks?

TCP SYN cookies can prevent a server from exhausting state after receiving the initial TCP SYN packet.

Inferring Denial of Service using Backscatter

Let's talk about how to infer denial of service activity using a technique called backscatter. The idea behind backscatter is that when an attacker spoofs a source IP address, say in a TCP SYN flood attack, the replies to that initial TCP SYN from the victim will go to the location of the spoofed source IP address. These replies to forged attack messages are called "backscatter". Now the interesting thing about backscatter is that if we can assume that the source IP addresses are selected by the attacker at random, and we can set up a portion of the network where we can monitor this backscatter traffic, coming back as SYN-ACK replies to forged source IP addresses, then we can infer the size of the attack. If we assume that these source IP addresses are picked uniformly at random, then the amount of traffic that we see as backscatter represents exactly a fraction that's proportional to the size of the overall attack. So for example, if we monitor N IP addresses and we see M attack packets, then we expect to see N/2^32 of the total backscatter packets, and hence of the total attack rate. If we want to compute the total attack rate, we simply invert this fraction. So for example, in this case, if our telescope were a /8, or 2^24 IP addresses, we would simply multiply our observed attack rate x by 2^32 divided by 2^24, or 255.

Backscatter Quiz

As a quick quiz, let's suppose that our telescope is monitoring two to the 16th IP addresses. And let's suppose that in that telescope, we see a

Since we're monitoring 1/2^16 of the entire Internet, or 1 over 65,535 of the total Internet, we simply need to take the rate that we've observed and invert that. In this case, that rate would be roughly 6.5 billion packets per second.
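The backscatter inference from the lecture and the quiz above, as an added example that is not part of the original course material: it scales a rate observed in a telescope of N addresses by 2^32/N (for a /8 that factor is 2^32/2^24 = 256), and it runs a constructed SYN flood with uniformly random forged sources to show that the estimate recovers the true attack size. The telescope prefixes used are constructed sample values.

```python
import ipaddress
import random

IPV4_SPACE = 2 ** 32


def scale_factor(telescope_cidr: str) -> float:
    """Inverse of the fraction of IPv4 space the telescope covers: 2^32 / N."""
    telescope = ipaddress.ip_network(telescope_cidr)
    return IPV4_SPACE / telescope.num_addresses


def estimate_attack_rate(observed_rate: float, telescope_cidr: str) -> float:
    """Scale the backscatter rate seen inside the telescope up to the whole attack.

    This is only valid under the lecture's assumption that forged sources are
    chosen uniformly at random; an attacker who spoofs from a narrow range (or
    avoids the telescope) biases the estimate up or down accordingly.
    """
    return observed_rate * scale_factor(telescope_cidr)


def simulate_backscatter(total_packets: int, telescope_cidr: str, seed: int = 1) -> int:
    """Constructed SYN flood: every forged source is uniform over IPv4.

    Returns how many SYN-ACK replies (one per flood packet) would land inside
    the telescope, i.e. the backscatter count the telescope would observe.
    """
    telescope = ipaddress.ip_network(telescope_cidr)
    net = int(telescope.network_address)
    mask = int(telescope.netmask)
    rng = random.Random(seed)
    return sum(1 for _ in range(total_packets) if rng.getrandbits(32) & mask == net)


if __name__ == "__main__":
    slash8 = "10.0.0.0/8"  # constructed telescope prefix, 2^24 addresses
    flood = 1_000_000      # true size of the constructed attack, in packets
    seen = simulate_backscatter(flood, slash8, seed=7)
    print(f"telescope saw {seen} backscatter packets, scale factor {scale_factor(slash8):.0f}")
    print(f"estimated attack size: {estimate_attack_rate(seen, slash8):.0f} (true: {flood})")
```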

Automated Denial of Service Attack Mitigation

In the assignment you will use a Pyretic controller to mitigate a DoS attack. We will use an extension of Pyretic called PyResonance, which allows for composition of finite state machines that run various programs depending on the state of the network. Your network will start in a normal state, but will use an sFlow-based denial of service detector to indicate that the network has come under attack. Your sFlow event will cause the controller to change states, and hence it will install specific flow-table entries that mitigate the effects of the denial of service attack. The assignment that is spelled out on the home page has links to some more in-depth descriptions of this particular assignment and your task in writing a PyResonance application to mitigate the DoS attack.