TCP DoS Attacks Overview
Questions and Answers

    What is the first action a client takes during Phase 3 of the SSL process?

      • The client issues a change cipher spec message.
      • The client sends its certificate upon server request. (correct)
      • The client sends a mandatory client key exchange message.
      • The client verifies its certificate with the server.

    What must be included in the change cipher spec message according to the protocol?

      • Both a client and server verification message.
      • A single byte with a value of 1. (correct)
      • A complex string describing the cipher.
      • A single byte with a value of 0.

    How does the Heartbeat Extension Protocol help in distinguishing between a temporary lull and termination of a secure connection?

      • By requiring secure key exchanges.
      • By sending periodic HeartbeatResponse messages.
      • By closing the connection if no data is transmitted.
      • By utilizing a retransmit timer after a HeartbeatRequest. (correct)

    What happens to an SSL/TLS session in the absence of a HeartbeatResponse?

        It is considered terminated.

    What role does the Alert Protocol play in SSL?

        It conveys SSL-related alerts to the peer entity.

    What is included in a HeartbeatRequest packet to prevent replay attacks?

        The original payload to be returned.

    During which phase does the client send a finished message to the server?

        Phase 4: Finish.

    Which message marks the end of Phase 3 in the SSL handshake process?

        The client sends a certificate verify message.

    What mechanism does a Shrew DoS attack exploit to reduce TCP throughput?

        Abuse of the retransmission timeout (RTO) process

    In a TCP SYN flooding attack, what happens to the connections that are left half-open?

        They consume server resources and can lead to service denial

    How does IP source address spoofing aid in a SYN flooding attack?

        By disguising the location of the attacker

    What is the primary purpose of the handshake protocol in SSL/TLS?

        To establish a secure connection and negotiate parameters

    What is a characteristic of the Slowloris attack?

        It maintains many simultaneous connections by keeping them alive

    What is the main effect of a TCP SYN flood attack on a server?

        It results in temporary denial of service as resources are consumed

    Which protocol is primarily responsible for the secure transmission of application data in SSL/TLS?

        Record protocol

    What is the risk associated with the heartbeat protocol in SSL/TLS?

        It may allow data leakage through memory exposure

    What is the primary purpose of rate limiting incoming SYN packets on a server?

        To protect server resources from flooding attacks

    What could happen if legitimate IP addresses are blocked during an IP spoofing attack?

        The network may face a Denial of Service for legitimate users

    What is a key characteristic of the vulnerability associated with a poor quality PRNG in TCP?

        It allows attackers to construct a spoofing set of ISNs

    Which of the following practices makes it more difficult to perform IP spoofing attacks?

        Ingress filtering at ISP edge routers

    What outcome results from an attacker mounting a SYN flood attack on a server?

        The server's resources may become overwhelmed

    What role do Certificate Authorities (CAs) play in SSL/TLS?

        They issue certificates which ensure authenticity

    During IP spoofing, why does an attacker need to guess the sequence number used by the victim host?

        To successfully receive responses from the victim host

    What security measure can be employed to overwrite suspect IP source addresses before they leave a private network?

        Network Address Translation (NAT)

    What happens when X impersonates A and sends SYN packets to B in an IP spoofing scenario?

        B will send SYN/ACK packets to A

    What was the original name of TLS when it was developed by Netscape?

        Secure Socket Layer

    Which attack is facilitated by the ability to construct a small-sized spoofing set of initial sequence numbers?

        IP spoofing attack

    What is the main aim of SYN flooding attacks?

        To exhaust server resources

    What is meant by 'server-only authentication' in the context of SSL/TLS?

        Only the server authenticates itself to the client

    How can an attacker simulate a SYN flood attack without directly targeting the server?

        By operating on the same LAN and misusing a source address

    What is the primary purpose of the SSL Handshake Protocol?

        To authenticate the server and client and establish encryption keys.

    Which of the following best describes an SSL session?

        An enduring association that can consist of multiple connections.

    Which parameter is NOT part of the SSL connection state?

        Master Secret

    What role does the Heartbeat Extension serve in SSL?

        To keep a session open for anticipated data exchanges.

    Which of the following is NOT a step in the operation of the SSL Record Protocol?

        Key Negotiation

    In the Cipher Suite of the server hello message, what does the key exchange method refer to?

        The method for negotiating encryption keys.

    Which encryption algorithm is considered the most secure among the key exchange methods?

        Ephemeral Diffie–Hellman

    What is a common feature of SSL Record Protocol blocks?

        They do not exceed 2^14 bytes in length.

    Which component is NOT a characteristic of an SSL session state?

        Client Write MAC Secret

    Which algorithm is utilized for message authentication in the SSL Record Protocol?

        MD5

    What does the IsResumable flag in an SSL session state indicate?

        The session can be resumed after a brief disconnection.

    Which of the following best describes the Phase 1 of the SSL Handshake Protocol?

        Establishment of security capabilities through hello messages.

    Which of the following parameters in the SSL session state relates to cryptographic attributes?

        Cipher Spec

    Study Notes

    Shrew DoS Attack

    • A TCP denial-of-service (DoS) attack described in a 2003 publication.
    • Exploits TCP's retransmission timeout mechanism.
    • Operates at two timescales: RTT (round-trip time) for low congestion, and RTO (retransmission timeout) for high congestion.
    • An attacker sends high-rate, short-duration bursts at RTT timescale, repeated periodically at RTO timescale.
    • This throttles the victim's throughput to near zero, while the attacker's average rate is low, making detection difficult.

    SYN Flooding

    • A TCP DoS attack in which a hostile client repeatedly sends SYN requests to the server's ports (in the manner of a SYN scan) using forged source IP addresses.
    • The server responds with SYN/ACK for open ports and RST for closed ports.
    • The hostile client never sends the expected ACK packet.
    • This creates "half-open" connections, consuming server resources.
    • The server waits for the ACK packet for 75 seconds.
    • The server can mitigate this by dropping SYN packets from malicious sources, or rate limiting incoming SYN packets.

    IP Address Spoofing

    • An intruder uses forged source IP addresses to launch attacks (e.g., a SYN flood).
    • Admins block spoofed IP addresses.
    • Spoofing legitimate addresses can cause DoS to legitimate users/systems.
    • The attacker can also SYN/ACK flood the victim.
    • A 1994 case involved Kevin Mitnick attacking Tsutomu Shimomura's computers.
    • Spoofing allows a one-way connection with a remote host, potentially executing malicious code.
    • Success depends on guessing initial sequence numbers (ISNs).
    • Poorly designed pseudo-random number generators (PRNGs) and the birthday paradox make spoofing easier.
    • Spoofing often requires constructing a spoofing set of a few thousand entries.

    BCP (Best Current Practices)

    • Internet Service Providers (ISPs) often employ ingress filtering, making IP spoofing harder.
    • ISP edge routers check source IP addresses against their network addresses.
    • Spoofed packets are dropped or logged.
    • NAT (Network Address Translation) setup can further hinder attackers, as ISP routers might overwrite spoofed source IP addresses.

    Demonstrating DoS Attacks

    • Attacks are easier when attacker and victim are on the same local area network (LAN).
    • Tools like port_scan.py (port scanner) and DoS5.py (attack script) have been used.
    • Scapy is a Python tool useful for creating and manipulating network packets across different TCP/IP layers.

    SSL/TLS Session/Connection

    • SSL/TLS (Secure Socket Layer/Transport Layer Security) provides secure and authenticated connections.
    • SSL was developed by Netscape; TLS is the IETF open-standard successor, derived from SSL version 3.
    • Implements security for browsers/servers, email, remote login, and VPNs.
    • Commonly implemented with the OpenSSL library.
    • Supports server-only or server-client authentication.
    • Certificates from Certificate Authorities (CAs) are fundamental.

    SSL Record Protocol

    • A protocol above TCP, providing confidentiality and integrity.
    • Fragments application data into blocks of at most 16384 (2^14) bytes.
    • Optional compression (lossless).
    • Encryption (e.g., 3DES, RC4-128).
    • Adds authentication code (MAC).
    • Appends SSL record header: Content type (8 bits); major version (8 bits); minor version (8 bits); length (16 bits).

    SSL Handshake Protocol

    • Establishes security parameters for client-server communication.
    • Authenticates server (and optionally client).
    • Generates crypto keys.
    • Four phases: (1) establish security capabilities via client hello and server hello; (2) server authentication and key exchange; (3) client authentication and key exchange; (4) finish.

    Key Exchange Methods

    • RSA: Secret key encrypted with server's public key.
    • Diffie-Hellman: secure key agreement, but the variant used (fixed, ephemeral, or anonymous) determines the security obtained.

    CipherSpecs

    • CipherAlgorithm
    • MACAlgorithm
    • CipherType
    • IsExportable
    • HashSize
    • Key Material
    • IV Size

    Heartbeat Protocol

    • Used to detect potential data exchange termination.
    • Provides a mechanism to avoid closing the connection when there's a brief pause.
    • The protocol uses HeartbeatRequest and HeartbeatResponse messages.
    • Can be abused in attacks (e.g., memory exposure leading to data leakage) if appropriate security measures are not in place.

    Description

    This quiz covers TCP denial-of-service (DoS) attacks, including the Shrew DoS attack and SYN Flooding techniques. You'll explore how these attacks exploit TCP mechanisms and impact network resources. Test your knowledge of these concepts and how to mitigate such vulnerabilities.
