Week06_Transport%20Layer%20Attacks.pdf
Transcript
9/24/2024 TCP Protocols and Attacks – Syn flooding attack DDoS attack – TCP RST attack – TCP Session Hijacking attack Hijacking attack 41 SYN FLOODING ATTACK 42...
9/24/2024 TCP Protocols and Attacks – Syn flooding attack DDoS attack – TCP RST attack – TCP Session Hijacking attack Hijacking attack 41 SYN FLOODING ATTACK 42 1 9/24/2024 *SYN queue is different from the window size, and is used only during the TCP handshake Establishing Connections *When the Application runs the accept() function, it goes to the Application *When ACK arrives, the connection info in SYN queue moves to the Accept queue 43 SYN Flooding Attack Countermeasure: SYN Cookie Attack target *Server retransmits SYN/ACK if the ACK is not arriving. If the SYN is not coming, it finally expires the connection info in SYN queue 44 2 9/24/2024 TCP connection parameters /proc/sys/net/ipv4 How many times the server sends the SYN/ACK before dropping the half-open How many half-open connection * To change the values: can be stored in SYN queue sudo sysctl –w net.ipv4.tcp_synack_retries = 10 45 Before the Attack Netstat - t: tcp connection - n: don’t resolve - a: all connections There is no SYN_RECV 47 3 9/24/2024 Attack In Progress Bunch of SYN_RECVs 48 Launching SYN Flooding Attacks Using Scapy 49 4 9/24/2024 What Makes SYN Flooding Attack Fail (1) *In our environment, it’ll “usually” work well. VirtualBox (if we use VMs, instead of containers) VM NAT is dropping by responding with RST because SYN/ACK has no SYN record 50 What Makes SYN Flooding Attack Fail (2) TCP retransmission (On Server) If # of transmission reaches ‘5’, # sysctl net.ipv4.tcp_synack_retries the half-open connection is expired net.ipv4.tcp_synack_retries = 5 => Multiple python program needs to be sending SYN flooding to outspeed this speed The size of the SYN queue # sysctl net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_max_syn_backlog = 512 Reducing this number helps your attack 51 5 9/24/2024 What Makes SYN Flooding Attack Fail (3) TCP cache Round trop time : # ip tcp_metrics show 79micro second 10.0.2.68 age 140.552sec cwnd 10 rtt 79us... source 10.0.2.69 Destination IP address Age of the connection Congestion window Source IP address : how many segments can be # ip tcp_metrics flush sent (throughout the connection) *When SYN Cookie is disabled, TCP reserves ¼ of its queue as a “proven destination” and caches proven connection (TCP Cache): once connected, always connected 52 The SYN Cookie Countermeasure *You’ll use this in the lab *It is triggered when the OS sees a certain number of half-open connections 1) SYN packet is not stored in SYN queue (no resource is reserved) 2) It could cause bigger DDoS attack because when ACK comes back, it needs to reserve a resource for that. (OS will try to match seq#) 3) Therefore, a hash is computed by IP address, port #, etc. , and sent as a seq# y (ISN) in SYN/ACK. Only when the Seq# y+1 arrives, resource is reserved 53 6 9/24/2024 Terminating Active Legitimate TCP connections, DDoS attack TCP RESET ATTACK 54 How to Close TCP Connections? How Do We Finish a Phone Call? I want to finish this connection Bye, Bye!! I got it! I’m ready to finish this connection ?! Yes, let’s terminate the connection! Gracefully Suddenly 56 7 9/24/2024 TCP Reset Packet From previous Ack # Ack # is not treated as important part in Calculated by RST packet Scapy : RST pkt is not a normal data flow : if Seq # is right, this is not checked 57 Spoofing Reset Packet Target connection (ex. Telnet) A ---------------- B IF Ack# is moving fast (video streaming), it needs to guess that fits into the receiver window 59 8 9/24/2024 Constructing Reset Packet 60 TCP Rest Attack: Sample Code 1) Sniffing a TCP packet coming from the telnet server 2) Spoofing RST packet to the src machine using ack # (seq# should be exactly matching) [Q] Does this work for encrypted TCP connection, SSH connection? 61 9 9/24/2024 TCP SESSION HIJACKING ATTACK 63 1) Sniffing TCP Session Hijacking 2) 3) Guessing seq # Packet injection 4) Session takeover Session Hijacking – An attacker takes over an active TCP session between two parties, typically a client and a server. The attacker could insert malicious data into the session or gain unauthorized access – Once a TCP session is established, the only thing protecting it is the Seq# in the packets Packet injection 64 10 9/24/2024 Constructing Spoofed Packets Target connection (ex. Telnet) A ---------------- B server client 23 In the pkt We need to find out or guess the Seq # 65 Finding Sequence Number When we can get the next seq # This can be used for attack When we cannot get the next seq # This can be used for atta (segment length = 0) 66 11 9/24/2024 About Sequence Number Seq # used in the pkt *For TCP RST attack, we need to provide x+1 as a Seq # - For the Session Hijacking attack, we may provide Seq # within the buffer boundary : If δ is too big, it will be dropped 67 Session Hijacking: Manual Spoofing “ACK bit = 1” is needed to include Ack# : It’s safe to use “\r” not to make wrong command, like “lscat” 68 12 9/24/2024 Session Hijacking: Automatic Spoofing No need to necessarily provide this information. If you’re providing accurate seq#, you’ll need it From old values 69 What Happens to The Session? Both sides keep sending pkts, client freezes 70 13 9/24/2024 Reverse Shell If the attacker is sitting outside of the local network, firewall will not let the attacker connect to the victim though usual connection If the Session Hijacking attacks works, we can have the bash shell in attacker’s machine (Don’t try this against unallowed target) 71 Reverse Shell Unix - Std input dev: ‘0’ /dev/tcp// 0&1 Redirects standard input (stdin) from the same place as standard output (stdout), allowing the remote machine to send input to the bash shell Redirects standard error (stderr) to the same place as standard output (stdout), meaning error messages are also sent to the remote machine 72 14
