2004 SYN/ACK SYN Flood 2005 2 2 1G01P014-6
Contents
1 (p. 5): 1.1 (5), 1.2 (5), 1.3 (6)
2 (p. 7): 2.1 (7), 2.2 (7), 2.3 (8), 2.4 (10), 2.5 (11): 2.5.1 HIDS (host-based IDS) (11), 2.5.2 NIDS (network-based IDS) (11), 2.5.3 MID (11), 2.5.4 AID (11)
3 DoS (p. 13): 3.1 TCP (13): 3.1.1 SYN/ACK (13); 3.2 DoS (14): 3.2.1 DoS (14); 3.3 SYN Flood (15): 3.3.1 SYN Flood (15), 3.3.2 SYN Flood (16)
4 (p. 19): 4.1 (19), 4.2 (20), 4.3 (20): 4.3.1 (20), 4.3.2 (21); 4.4 (22), 4.5 (26): 4.5.1 (26), 4.5.2 (26), 4.5.3 (26)
5 (p. 28)

List of figures
2.1 JPCERT/CC (8), 3.1 TCP (14), 3.2 SYN Flood (16), 3.3 synk4 SYN Flood (18), 4.1 (19), 4.2 A SYN SYN/ACK (22), 4.3 B SYN SYN/ACK (23), 4.4 C SYN SYN/ACK (23), 4.5 7 SYNs/sec SYN SYN/ACK (24), 4.6 20 SYNs/sec SYN SYN/ACK (24), 4.7 50 SYNs/sec SYN SYN/ACK (25)

List of tables
2.1 (9), 4.1 (21), 4.2 (26)
1 1.1 1.2 (DDoS) TCP SYN Flood DoS SYN Flood 5
1 SYN SYN/ACK SYN Flood 1.3 1 2 3 DoS DoS SYN Flood 4 5 6
2 2.1 JPCERT/CC ( ) 2.2 JPCERT/CC JPCERT/CC 2005 1 25 2004 10 1 2004 12 31 1904 Web 2.1 1996 JPCERT/CC 7
Figure 2.1: JPCERT/CC, 2004-10-01 to 2004-12-31 (2.1)
2.3 DoS (Denial of Service) DDoS (Distributed Denial of Service) sendmail sendmail
Table 2.1:
Port   Service        Count
445    microsoft-ds   1156
135    epmap           664
80     http            382
1023                   215
139    netbios-ssn     150
22     ssh              99
1433   ms-sql-s         95
1434                    89
4899                    79
6129                    68
9898   monkeycom        42
23     telnet           37
5554   sgi-esphttp      31
21     ftp              28
901    swat             15
2 ID IP Spoofing IP IP IP IP DoS ( ) root Administrator 2.4 OS IP 10
2.5 IDS NIDS HIDS IDS NIDS MID AID
2.5.1 HIDS (host-based IDS) IDS
2.5.2 NIDS (network-based IDS) IDS DoS (Denial of Service) CPU
2.5.3 MID MID (Misuse Intrusion Detection) MID
2.5.4 AID AID (Anomaly Intrusion Detection)
2 AID 12
3 DoS
3.1 TCP TCP (3.1) TCP UDP TCP TCP TCP (see Figure 3.1). Flags: URG (Urgent Flag), ACK (Acknowledgement Flag), PSH (Push Flag), RST (Reset Flag), SYN (Synchronize Flag), FIN (Fin Flag)
3.1.1 SYN/ACK SYN/ACK SYN, ACK SYN/ACK SYN SYN SYN/ACK TCP SYN SYN SYN/ACK SYN ACK TCP SYN/ACK
Figure 3.1: TCP header (bit positions 0, 15|16, 31): Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Reserved, flags URG ACK PSH RST SYN FIN, Window, Check Sum, Urgent Pointer, Options, Data
TCP SYN/ACK DoS SYN Flood
3.2 DoS DoS (Denial of Service) 2 DDoS (Distributed Denial of Service) DoS ( )
3.2.1 DoS mail bomb CPU Octopus SYN Flood TCP SYN Flood
Land/Latierra SYN SYN/ACK
ping flood ping ICMP Echo Request ICMP Echo Request
smurf Attacker IP IP ICMP ICMP Ping smurf IP 2 IP DoS
3.3 SYN Flood
3.3.1 SYN Flood SYN Flood TCP
1. SYN
2. SYN +1 ACK
3. SYN +1 ACK
2 3 Half-Open Half-Open Half-Open SYN SYN Flood (Figure 3.2) SYN/ACK RST (SYN )
Figure 3.2: SYN Flood. Left: 3-way handshake between Client and Server (SYN, SYN/ACK, ACK). Right: Syn Flood Attack with Attacker, Target and Spoofed Host (SYN from Attacker, SYN/ACK to Spoofed Host).
3.3.2 SYN Flood (Figure 3.3) SYN Flood synk4 (Target) 80 TCPdump 0 synk4 SRC
3 DOS Host1 Target 80 (Target) OS FreeBSD 5.3-RELEASE (Target) SYN SYN/ACK SYN/ACK 17
> synk4 0 Target 80 80
03:46:17.093598 IP Host1.1840 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.093608 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:17.113587 IP Host2.1873 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.113599 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:17.133575 IP Host3.1841 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.133585 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
..
03:46:20.088908 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:20.108914 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:20.128908 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
..
03:46:26.088999 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:26.109006 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:26.129000 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
..
03:46:38.089184 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:38.109195 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:38.129185 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
Figure 3.3: synk4 SYN Flood
4
4.1 SINET 4Gbps PC TCPdump 2005-01-16 to 2005-01-17 (Figure 4.1)
Figure 4.1: Internet - SINET 4Gbps - Waseda University (Waseda Network) - Router - Router - PC (Capturing Machine)
4.2 SYN Flood SYN SYN Flood TCP TCP SYN SYN/ACK ACK SYN TCP TCP (SYN) (FIN RST) TCP
4.3
4.3.1
N: SYN FIN RST
Rs: SYN RST
Ra: SYN/ACK RST SYN/ACK
Ta: SYN/ACK ACK SYN/ACK SYN
Ts: SYN/ACK SYN/ACK SYN
(Table 4.1) SYN 6,541,426, SYN/ACK 5,291,034
Table 4.1:
N       4,891,033
Rs        472,710
Ra         94,561
Ta         73,284
Ts        578,819
Total   6,110,407
4.3.2 (Figures 4.2, 4.3) 4.3 N SYN SYN SYN/ACK SYN SYN SYN/ACK SYN/ACK (Figures 4.5, 4.6, 4.7: 50SYNs/sec 7SYNs/sec 20SYNs/sec 50SYNs/sec) SYN Flood SYN SYN/ACK
Figure 4.2: A, SYN and SYN/ACK
SYN/ACK 7SYNs/sec SYN Flood 1 20 SYN/ACK 20
4.4 SYN/ACK SYN TCP
Figure 4.3: B, SYN and SYN/ACK
Figure 4.4: C, SYN and SYN/ACK
Figure 4.5: 7 SYNs/sec, SYN and SYN/ACK
Figure 4.6: 20 SYNs/sec, SYN and SYN/ACK
Figure 4.7: 50 SYNs/sec, SYN and SYN/ACK
SYN Flood
1. SYN/ACK
2. SYN/ACK +1
3. 10
4. SYN/ACK -1
5. SYN Flood
3 SYN/ACK SYN/ACK 3 SYN/ACK 6 9 1 10
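The detection steps above count SYN/ACKs that a server has to retransmit because nobody answers them. The following is an added example written for this page, not code from the thesis: it reads 2004-era tcpdump lines of the form shown in Figure 3.3, adds 1 to a per-server counter for every repeated SYN/ACK (same server, client, ports and sequence number), subtracts that connection's retransmissions again when the client finally sends the handshake ACK or a RST, and raises an alarm when the counter reaches a threshold. The threshold of 10 is taken from the steps on the page but treated as a tunable assumption; the reading of steps 2 and 4 as +1/-1 on one counter is my interpretation. The trace constant embeds the Figure 3.3 packets (wrapped numbers rejoined) followed by four constructed lines: a RST from Host1 (the "Ra" case in Table 4.1, a live spoofed host rejecting a SYN/ACK it never asked for) and one ordinary handshake from a hypothetical Client. The function and variable names are mine.

```python
"""Counting retransmitted SYN/ACKs to spot a SYN flood (added example, not the thesis's code)."""
import re
from collections import defaultdict

# Alarm threshold. The figure 10 appears in the detection steps on the page;
# here it is a tunable assumption, not a recommended value.
THRESHOLD = 10

# 2004-era tcpdump line: "TS IP src.port > dst.port: FLAGS [seq:seq(len)] [ack N] ..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): '
    r'(?P<flags>[SRPF.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?'
)


def parse(line):
    """Return the fields of one tcpdump TCP line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ('sport', 'dport', 'seq', 'ack'):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def syn_ack_retransmissions(lines, threshold=THRESHOLD):
    """
    Single pass over a trace. Returns (counter, alarms):
      counter[server] = retransmitted SYN/ACKs whose peer has still not replied
      alarms          = [(timestamp, server)] for each time a counter reaches threshold
    """
    seen = set()                 # (server, sport, client, cport, seq) SYN/ACKs sent once
    retx = defaultdict(int)      # retransmissions per half-open connection
    counter = defaultdict(int)
    alarms = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if 'S' in p['flags'] and p['ack'] is not None:
            # SYN/ACK: the sender is the server being measured
            conn = (p['src'], p['sport'], p['dst'], p['dport'])
            key = conn + (p['seq'],)
            if key in seen:                      # same SYN/ACK again: a retransmission
                retx[conn] += 1
                counter[p['src']] += 1
                if counter[p['src']] == threshold:
                    alarms.append((p['ts'], p['src']))
            else:
                seen.add(key)
        elif p['flags'] == '.' or p['flags'].startswith('R'):
            # handshake ACK or RST from the client side: the connection is no longer
            # a silent half-open, so its retransmissions leave the counter
            conn = (p['dst'], p['dport'], p['src'], p['sport'])
            counter[p['dst']] -= retx.pop(conn, 0)
    return dict(counter), alarms


# Packets of Figure 3.3 (synk4 against Target port 80); the last four lines are
# constructed additions: a RST from Host1 and one ordinary handshake from Client.
TRACE = """\
03:46:17.093598 IP Host1.1840 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.093608 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:17.113587 IP Host2.1873 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.113599 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:17.133575 IP Host3.1841 > Target.80: S 674719801:674719801(0) win 65535
03:46:17.133585 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
03:46:20.088908 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:20.108914 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:20.128908 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
03:46:26.088999 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:26.109006 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:26.129000 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
03:46:38.089184 IP Target.80 > Host1.1840: S 972692213:972692213(0) ack 674719802 win 65535 <mss 1460>
03:46:38.109195 IP Target.80 > Host2.1873: S 2228831093:2228831093(0) ack 674719802 win 65535 <mss 1460>
03:46:38.129185 IP Target.80 > Host3.1841: S 792186101:792186101(0) ack 674719802 win 65535 <mss 1460>
03:46:39.000000 IP Host1.1840 > Target.80: R 674719802:674719802(0) win 0
03:46:40.000000 IP Client.5000 > Target.80: S 100:100(0) win 65535
03:46:40.000100 IP Target.80 > Client.5000: S 200:200(0) ack 101 win 65535 <mss 1460>
03:46:40.001000 IP Client.5000 > Target.80: . ack 201 win 65535
""".splitlines()

if __name__ == '__main__':
    for thr in (THRESHOLD, 9):
        counter, alarms = syn_ack_retransmissions(TRACE, thr)
        print(f'threshold {thr}: outstanding {counter}, alarms {alarms}')
```

On this trace the nine retransmissions (three per spoofed host, at roughly 3, 9 and 21 seconds after the SYN, the FreeBSD backoff visible in Figure 3.3) never reach the default threshold of 10, so no alarm fires; with the threshold lowered to 9 the alarm is raised at the ninth retransmission, and the constructed RST from Host1 then brings Target's outstanding count back down to 6. Counting retransmissions rather than SYNs is what lets the same counter stay low for a legitimate burst of connections, since those are acknowledged before the server has to retransmit.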
4.5
4.5.1 OS (Table 4.2) Linux 180 1,024 Half-Open 3 OS
Table 4.2:
OS                    Queue (Half-Open)   Timeout (sec)
Windows 2000 server           200               40
Linux                       1,024              180
Solaris                     1,024              240
4.5.2 = = Linux 180 100SYNs/sec SYN Flood 700 Syn Flood
4.5.3 3 SYN Flood SYN/ACK SYN SYN/ACK Half-Open SYN SYN/ACK SYN Flood
5 SYN/ACK Syn Flood SYN/ACK 28