2004 SYN/ACK SYN Flood G01P014-6

Size: px

Start display at page:

Download "2004 SYN/ACK SYN Flood G01P014-6"

ひでかにかどり
6 years ago
Views:

1 2004 SYN/ACK SYN Flood G01P014-6

2 HIDS ( IDS) NIDS ( IDS) MID AID DoS TCP SYN/ACK DoS DoS SYN Flood SYN Flood SYN Flood

4 2.1 JPCERT/CC TCP SYN Flood synk4 SYN Flood A SYN SYN/ACK B SYN SYN/ACK C SYN SYN/ACK SYNs/sec SYN SYN/ACK SYNs/sec SYN SYN/ACK SYNs/sec SYN SYN/ACK 25 3

6 (DDoS) TCP SYN Flood DoS SYN Flood 5

7 1 SYN SYN/ACK SYN Flood DoS DoS SYN Flood 4 5 6

8 2 2.1 JPCERT/CC ( ) 2.2 JPCERT/CC JPCERT/CC Web JPCERT/CC 7

9 2 2.1: JPCERT/CC DoS (Denial of Service) DDoS (Distributed Denial of Service) sendmail sendmail : : : 8

10 2 2.1: 445 microsoft-ds epmap http netbios-ssn ssh ms-sql-s monkeycom telnet sgi-esphttp ftp swat 15 9

11 2 ID IP Spoofing IP IP IP IP DoS ( ) root Administrator 2.4 OS IP 10

12 2 2.5 IDS NIDS HIDS IDS NIDS MID AID HIDS ( IDS) IDS NIDS ( IDS) IDS DoS (Denial of Service) CPU MID MID (Missue Intrusion Detection) MID AID AID (Anomaly Intrusion Detection) 11

13 2 AID 12

14 3 DoS 3.1 TCP TCP 3.1 TCP UDP TCP TCP TCP ( 3.1 ) URG (Urgent Flag) ACK (Acknowledgement Flag) PSH (Push Flag) RST (Reset Flag) SYN (Synchronize Flag) FIN (Fin Flag) SYN/ACK SYN/ACK SYN, ACK SYN/ACK SYN SYN SYN/ACK TCP SYN SYN SYN/ACK SYN ACK TCP SYN/ACK 13

15 3 DOS 0 Data Offset Source Port Destination Port Sequence Number Acknowledgement Number U A P R S F Reserved R C S S Y I Window G K H T N N Check Sum Options Data Urgent Pointer 3.1: TCP TCP SYN/ACK DoS SYN Flood 3.2 DoS DoS (Denial Of Service) 2 DDoS (Distributed Denial of Services) DoS ( ) DoS mail bomb CPU Octopus SYN Flood TCP SYN Flood 14

16 3 DOS Land/Latierra SYN SYN/ACK ping flood ping ICMP Echo Request ICMP Echo Request smurf Attacker IP IP ICMP ICMP Ping smurf IP 2 IP DoS 3.3 SYN Flood SYN Flood SYN Flood TCP 1. SYN 2. SYN +1 ACK 3. SYN +1 ACK 15

17 3 DOS 2 3 Half-Open Half-Open Half-Open SYN SYN Flood 3.2 SYN/ACK RST (SYN ) Client Server Attacker Target Spoofed Host SYN SYN SYN/ACK SYN/ACK ACK 3-way handshake Syn Flood Attack 3.2: SYN Flood SYN Flood 3.3 SYN Flood synk4 (Target) 80 TCPdump 0 synk4 SRC 16

18 3 DOS Host1 Target 80 (Target) OS FreeBSD 5.3-RELEASE (Target) SYN SYN/ACK SYN/ACK 17

19 3 DOS >synk4 0 Target :46: IP Host > Target.80: S : (0) win :46: IP Target.80 > Host1.1840: S : (0) ack win <mss 1460> 03:46: IP Host > Target.80: S : (0) win :46: IP Target.80 > Host2.1873: S : (0) ack win <mss 1460> 03:46: IP Host > Target.80: S : (0) win :46: IP Target.80 > Host3.1841: S : (0) ack win <mss 1460>.. 03:46: IP Target.80 > Host1.1840: S : (0) ack win <mss 1460> 03:46: IP Target.80 > Host2.1873: S : (0) ack win <mss 1460> 03:46: IP Target.80 > Host3.1841: S : (0) ack win <mss 1460>.. 03:46: IP Target.80 > Host1.1840: S : (0) ack win <mss 1460> 03:46: IP Target.80 > Host2.1873: S : (0) ack win <mss 1460> 03:46: IP Target.80 > Host3.1841: S : (0) ack win <mss 1460>.. 03:46: IP Target.80 > Host1.1840: S : (0) ack win <mss 1460> 03:46: IP Target.80 > Host2.1873: S : (0) ack win <mss 1460> 03:46: IP Target.80 > Host3.1841: S : (0) ack win <mss 1460> 3.3: synk4 SYN Flood 18

20 4 4.1 SINET 4Gbps PC TCPdump Internet SINET 4Gbps Waseda University Waseda Network Router Router PC Capturing Machine 4.1: 19

21 4 4.2 SYN Flood SYN SYN Flood TCP TCP SYN SYN/ACK ACK SYN TCP TCP (SYN) (FIN RST) TCP SYN N FIN RST Rs SYN RST 20

22 4 Ra SYN/ACK RST SYN/ACK Ta SYN/ACK ACK SYN/ACK SYN Ts SYN/ACK SYN/ACK SYN 4.1 SYN 6,541,426 SYN/ACK 5,291, : N 4,891,033 Rs 472,710 Ra 94,561 Ta 73,284 Ts 578,819 6,110, N SYN SYN SYN/ACK SYN SYN SYN/ACK SYN/ACK SYNs/sec 7SYNs/sec 20SYNs/sec 50SYNs/sec SYN Flood SYN SYN/ACK 21

23 4 4.2: A SYN SYN/ACK SYN/ACK 7SYNs/sec SYN Flood 1 20 SYN/ACK SYN/ACK SYN TCP 22

24 4 4.3: B SYN SYN/ACK 4.4: C SYN SYN/ACK 23

25 4 4.5: 7 SYNs/sec SYN SYN/ACK 4.6: 20 SYNs/sec SYN SYN/ACK 24

26 4 4.7: 50 SYNs/sec SYN SYN/ACK SYN Flood 1. SYN/ACK 2. SYN/ACK SYN/ACK SYN Flood 3 SYN/ACK SYN/ACK 3 SYN/ACK

27 OS 4.2 Linux 180 1,024 Half-Open 3 OS 4.2: (sec) Windows 2000 server Linux 1, Solaris 1, = = Linux SYNs/sec SYN Flood 700 Syn Flood SYN 26

28 4 Flood SYN/ACK SYN SYN/ACK Half-Open SYN SYN/ACK SYN Flood 27

29 5 SYN/ACK Syn Flood SYN/ACK 28

30 29

31 [1] Security Akademeia [2] W.Richard Stevens,, TCP/IP Vol.1, [3] W.Richard Stevens,, TCP/IP Vol.2, [4] IPUSIRON,,,

2 1: OSI OSI,,,,,,,,, 4 TCP/IP TCP/IP, TCP, IP 2,, IP, IP. IP, ICMP, TCP, UDP, TELNET, FTP, HTTP TCP IP

1.,.. 2 OSI,,,,,,,,, TCP/IP,, IP, ICMP, ARP, TCP, UDP, FTP, TELNET, ssh,,,,,,,, IP,,, 3 OSI OSI(Open Systems Interconnection: ). 1 OSI 7. ( 1) 4 ( 4),,,,.,.,..,,... 1 2 1: OSI OSI,,,,,,,,, 4 TCP/IP TCP/IP,