2004 SYN/ACK SYN Flood G01P014-6


2004 SYN/ACK SYN Flood 2005 2 2 1G01P014-6

Contents
1 ... 5
1.1 ... 5
1.2 ... 5
1.3 ... 6
2 ... 7
2.1 ... 7
2.2 ... 7
2.3 ... 8
2.4 ... 10
2.5 ... 11
2.5.1 HIDS ( IDS) ... 11
2.5.2 NIDS ( IDS) ... 11
2.5.3 MID ... 11
2.5.4 AID ... 11
3 DoS ... 13
3.1 TCP ... 13
3.1.1 SYN/ACK ... 13
3.2 DoS ... 14
3.2.1 DoS ... 14
3.3 SYN Flood ... 15
3.3.1 SYN Flood ... 15
3.3.2 SYN Flood ... 16
4 ... 19
4.1 ... 19
1

4.2 ... 20
4.3 ... 20
4.3.1 ... 20
4.3.2 ... 21
4.4 ... 22
4.5 ... 26
4.5.1 ... 26
4.5.2 ... 26
4.5.3 ... 26
5 ... 28
2

Figures
2.1 JPCERT/CC ... 8
3.1 TCP ... 14
3.2 SYN Flood ... 16
3.3 synk4 SYN Flood ... 18
4.1 ... 19
4.2 A SYN SYN/ACK ... 22
4.3 B SYN SYN/ACK ... 23
4.4 C SYN SYN/ACK ... 23
4.5 7 SYNs/sec SYN SYN/ACK ... 24
4.6 20 SYNs/sec SYN SYN/ACK ... 24
4.7 50 SYNs/sec SYN SYN/ACK ... 25
3

Tables
2.1 ... 9
4.1 ... 21
4.2 ... 26
4

1 1.1 1.2 (DDoS) TCP SYN Flood DoS SYN Flood 5

1 SYN SYN/ACK SYN Flood 1.3 1 2 3 DoS DoS SYN Flood 4 5 6

2 2.1 JPCERT/CC ( ) 2.2 JPCERT/CC JPCERT/CC 2005 1 25 2004 10 1 2004 12 31 1904 Web 2.1 1996 JPCERT/CC 7

2 2.1: JPCERT/CC 2004 10 1 2004 12 31 2.1 2.3 DoS (Denial of Service) DDoS (Distributed Denial of Service) sendmail sendmail : : : 8

Table 2.1:
Port   Service        Count
445    microsoft-ds   1156
135    epmap           664
80     http            382
1023                   215
139    netbios-ssn     150
22     ssh              99
1433   ms-sql-s         95
1434                    89
4899                    79
6129                    68
9898   monkeycom        42
23     telnet           37
5554   sgi-esphttp      31
21     ftp              28
901    swat             15
9

2 ID IP Spoofing IP IP IP IP DoS ( ) root Administrator 2.4 OS IP 10

2 2.5 IDS NIDS HIDS IDS NIDS MID AID 2.5.1 HIDS ( IDS) IDS 2.5.2 NIDS ( IDS) IDS DoS (Denial of Service) CPU 2.5.3 MID MID (Misuse Intrusion Detection) MID 2.5.4 AID AID (Anomaly Intrusion Detection) 11

2 AID 12

3 DoS 3.1 TCP TCP 3.1 TCP UDP TCP TCP TCP ( 3.1 ) URG (Urgent Flag) ACK (Acknowledgement Flag) PSH (Push Flag) RST (Reset Flag) SYN (Synchronize Flag) FIN (Fin Flag) 3.1.1 SYN/ACK SYN/ACK SYN, ACK SYN/ACK SYN SYN SYN/ACK TCP SYN SYN SYN/ACK SYN ACK TCP SYN/ACK 13

3 DOS
[Figure 3.1: TCP header. Bit positions 0, 15, 16, 31; fields Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Reserved, flags URG ACK PSH RST SYN FIN, Window, Check Sum, Urgent Pointer, Options, Data]
TCP SYN/ACK DoS SYN Flood 3.2 DoS DoS (Denial Of Service) 2 DDoS (Distributed Denial of Services) DoS ( ) 3.2.1 DoS mail bomb CPU Octopus SYN Flood TCP SYN Flood 14

Land/Latierra SYN SYN/ACK ping flood ping ICMP Echo Request ICMP Echo Request smurf Attacker IP IP ICMP ICMP Ping smurf IP 2 IP DoS
3.3 SYN Flood
3.3.1 SYN Flood
SYN Flood TCP
1. SYN
2. SYN +1 ACK
3. SYN +1 ACK
15

2 3 Half-Open Half-Open Half-Open SYN SYN Flood 3.2 SYN/ACK RST (SYN )
[Figure 3.2: SYN Flood. Panels: 3-way handshake (Client, Server: SYN, SYN/ACK, ACK) and Syn Flood Attack (Attacker, Target, Spoofed Host: SYN, SYN/ACK)]
3.3.2 SYN Flood 3.3 SYN Flood synk4 (Target) 80 TCPdump 0 synk4 SRC 16

3 DOS Host1 Target 80 (Target) OS FreeBSD 5.3-RELEASE (Target) SYN SYN/ACK SYN/ACK 17

>synk4 0 Target 80 80
03:46:17.093598 IP Host1.1840 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.093608 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:17.113587 IP Host2.1873 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.113599 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:17.133575 IP Host3.1841 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.133585 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
..
03:46:20.088908 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:20.108914 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:20.128908 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
..
03:46:26.088999 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:26.109006 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:26.129000 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
..
03:46:38.089184 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:38.109195 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:38.129185 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
Figure 3.3: synk4 SYN Flood
18

4 4.1 SINET 4Gbps PC TCPdump 2005 1 16 17 4.1
[Figure 4.1: Internet, SINET 4Gbps, Waseda University, Waseda Network, Router, Router, PC (Capturing Machine)]
19

4 4.2 SYN Flood SYN SYN Flood TCP TCP SYN SYN/ACK ACK SYN TCP TCP (SYN) (FIN RST) TCP 4.3 4.3.1 SYN N FIN RST Rs SYN RST 20

Ra SYN/ACK RST SYN/ACK Ta SYN/ACK ACK SYN/ACK SYN Ts SYN/ACK SYN/ACK SYN 4.1 SYN 6,541,426 SYN/ACK 5,291,034
Table 4.1:
N       4,891,033
Rs        472,710
Ra         94,561
Ta         73,284
Ts        578,819
Total   6,110,407
4.3.2 4.2 4.3 4.3 N SYN SYN SYN/ACK SYN SYN SYN/ACK SYN/ACK 4.5 4.6 4.7 50SYNs/sec 7SYNs/sec 20SYNs/sec 50SYNs/sec SYN Flood SYN SYN/ACK 21
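The synk4 capture in Figure 3.3 and the per-outcome counts N, Rs, Ra, Ta and Ts in Table 4.1 rest on the same observation: a server whose SYN/ACK is never acknowledged retransmits it and keeps the connection half-open, so counting SYN/ACK retransmissions and unfinished handshakes separates a flood from ordinary load. The Python below is an added example, not code from the thesis. It parses lines in the older tcpdump text format shown on the page (newer tcpdump prints `Flags [S]` instead of a bare `S`, so the regex would need adapting), groups them into handshake attempts, classifies each attempt (completed; SYN refused with RST; SYN/ACK answered with RST; SYN/ACK never acknowledged, i.e. half-open; SYN never answered) and totals SYN/ACK retransmissions. The sample trace is constructed, modelled on the capture with a normal handshake and an RST reply added for contrast; the function and category names are mine, and which of these categories correspond to the thesis's N, Rs, Ra, Ta and Ts is an assumption, since their definitions do not survive in this transcription.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the text format of the tcpdump version used in the
# thesis. The Host1..Host3 lines are modelled on the synk4 capture (the server's
# SYN/ACK is retransmitted and never acknowledged); the Client lines, one
# completed handshake and one SYN refused with RST, are added for contrast.
SAMPLE_TRACE = """\
03:46:17.093598 IP Host1.1840 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.093608 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:17.113587 IP Host2.1873 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.113599 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:17.133575 IP Host3.1841 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.133585 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
03:46:17.500000 IP Client.4000 > Target.80: S 100:100(0) win 65535
03:46:17.500010 IP Target.80 > Client.4000: S 200:200(0) ack 101 win 65535 <mss 1460>
03:46:17.500500 IP Client.4000 > Target.80: . ack 201 win 65535
03:46:18.000000 IP Client.4001 > Target.22: S 300:300(0) win 65535
03:46:18.000010 IP Target.22 > Client.4001: R 0:0(0) ack 301 win 0
03:46:20.088908 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:20.108914 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:20.128908 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
03:46:26.088999 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:26.109006 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:26.129000 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
"""

# One tcpdump summary line: timestamp, IP, src.port > dst.port: flags rest
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?P<rest>.*)$"
)


@dataclass
class Flow:
    """Handshake state for one client->server 4-tuple, keyed by its first SYN."""
    synack_count: int = 0        # SYN/ACKs from the server, retransmissions included
    ack_seen: bool = False       # client's final ACK of the 3-way handshake
    rst_from_server: bool = False
    rst_from_client: bool = False

    def classify(self) -> str:
        if self.synack_count == 0:
            return "syn_rst" if self.rst_from_server else "syn_unanswered"
        if self.ack_seen:
            return "completed"
        if self.rst_from_client:
            return "synack_rst"
        return "synack_unanswered"   # half-open: SYN/ACK retransmitted, never acknowledged

    @property
    def synack_retransmits(self) -> int:
        return max(self.synack_count - 1, 0)


def parse_trace(text: str) -> dict:
    """Group tcpdump lines into flows; returns {(client, cport, server, sport): Flow}."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                    # not a TCP summary line
        flags, has_ack = m["flags"], re.search(r"\back \d+", m["rest"]) is not None
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        if "S" in flags and not has_ack:                # client SYN opens (or retries) a flow
            flows.setdefault(fwd, Flow())
        elif rev in flows:                              # server -> client direction
            if "S" in flags and has_ack:
                flows[rev].synack_count += 1
            elif "R" in flags:
                flows[rev].rst_from_server = True
        elif fwd in flows:                              # client -> server after its SYN
            if "R" in flags:
                flows[fwd].rst_from_client = True
            elif has_ack:
                flows[fwd].ack_seen = True
    return flows


def summarize(flows: dict) -> dict:
    """Per-outcome flow counts plus the total number of SYN/ACK retransmissions."""
    counts = Counter(f.classify() for f in flows.values())
    counts["synack_retransmits"] = sum(f.synack_retransmits for f in flows.values())
    return dict(counts)


def half_open_ratio(flows: dict, server_port: int) -> float:
    """Share of handshakes to server_port that stalled after the SYN/ACK."""
    port_flows = [f for key, f in flows.items() if key[3] == server_port]
    if not port_flows:
        return 0.0
    return sum(f.classify() == "synack_unanswered" for f in port_flows) / len(port_flows)


if __name__ == "__main__":
    print(summarize(parse_trace(SAMPLE_TRACE)))
```

On the sample the three spoofed hosts come out as `synack_unanswered` with six SYN/ACK retransmissions between them, the normal client as `completed`, and the refused SYN to port 22 as `syn_rst`; the half-open share on port 80 is 0.75. That ratio per port, rather than the raw SYN count, is what separates the pattern in Figure 3.3 (every SYN/ACK retransmitted, none acknowledged) from a busy but healthy service, and it is the quantity a threshold such as the one sketched in Section 4.4 would be applied to.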

Figure 4.2: A SYN SYN/ACK
SYN/ACK 7SYNs/sec SYN Flood 1 20 SYN/ACK 20 4.4 SYN/ACK SYN TCP 22

Figure 4.3: B SYN SYN/ACK
Figure 4.4: C SYN SYN/ACK
23

Figure 4.5: 7 SYNs/sec SYN SYN/ACK
Figure 4.6: 20 SYNs/sec SYN SYN/ACK
24

Figure 4.7: 50 SYNs/sec SYN SYN/ACK
SYN Flood
1. SYN/ACK
2. SYN/ACK +1
3. 10
4. SYN/ACK -1
5. SYN Flood
3 SYN/ACK SYN/ACK 3 SYN/ACK 6 9 1 10 25

4.5 4.5.1 OS 4.2 Linux 180 1,024 Half-Open 3 OS
Table 4.2:
OS                    Half-Open   (sec)
Windows 2000 server         200      40
Linux                     1,024     180
Solaris                   1,024     240
4.5.2 = = Linux 180 100SYNs/sec SYN Flood 700 Syn Flood 4.5.3 3 SYN 26

4 Flood SYN/ACK SYN SYN/ACK Half-Open SYN SYN/ACK SYN Flood 27

5 SYN/ACK Syn Flood SYN/ACK 28

