DENIAL OF SERVICE (DoS) MEETING
January 20, 1999
3085 ENG II
9:00-10:00 a.m.
In attendance:
Matt Bishop (MB), David O'Brien (DOB), Steven Templeton (ST), and Tuomas
Aura (TA)
TOPICS:
Discuss Tuomas Aura's Paper "Stateless Connections" (handout)
Questions and Comments
NEXT WEEK:
Discuss the relationship between covert channels and DoS
-
Tuomas Aura's Paper "Stateless Connections"
-
In the past, TCP attacks have been in the news. To avoid these attacks,
make all protocols stateless.
-
Practical and Impractical: can do a lot of things, but it's expensive
-
Theory: Figure 1
-
A state server can serve a number of clients. Performance goes down with
more clients. There is a sudden drop with a maximum number of clients.
-
With a stateless server/protocol, there is no drop with a maximum number
of clients. Performance gradually goes down. Estimate traffic needed to
decrease performance to a certain level. Run out of memory for storage of
connection data: fixed limit
-
Make a protocol so that the process is started when there is a message
from the client (Ex. SSL creates a state in a stateless protocol)
-
You can establish a connection without storing state
-
Section 3.1: Continue sending state to client
-
Section 3.2: Don't always want to send state data. Protect integrity, encrypt
state data. MAC added: not expensive
-
Box #2: MAC faster than encryption
-
MAC_K(X) = SHA(K, X, K)
-
SHA (K, SHA (K, X))
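
An added sketch (not code from the paper or the meeting) of the Section 3.1/3.2 idea: the server hands its connection state to the client protected by one of the two MAC forms above, keeps nothing, and checks the MAC when the state comes back. Assumptions: "SHA" is instantiated with SHA-256, parts are length-prefixed before hashing, state is serialized as JSON, the time-stamp and its 2-day limit are taken from the "Security Problems" notes below, and all function names and the key are hypothetical.

```python
import hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed sample key, not from the notes
MAX_AGE = 2 * 24 * 3600  # assumption: upper end of the notes' 1-2 day validity

def _sha(*parts):
    # Assumption: SHA-256, each part length-prefixed so concatenation is unambiguous.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def mac_envelope(key, x):
    """First form in the notes: SHA(K, X, K)."""
    return _sha(key, x, key)

def mac_nested(key, x):
    """Second form in the notes: SHA(K, SHA(K, X))."""
    return _sha(key, _sha(key, x))

def pack_state(state, key=KEY, now=None):
    """Server: serialize state plus time-stamp, append MAC, then forget it."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"ts": ts, "state": state}, sort_keys=True).encode()
    return body + mac_nested(key, body)

def unpack_state(token, key=KEY, now=None):
    """Server: return the state if MAC and time-stamp check out, else None."""
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, mac_nested(key, body)):
        return None  # forged, modified, or MACed under another key
    msg = json.loads(body)
    age = (time.time() if now is None else now) - msg["ts"]
    return msg["state"] if 0 <= age <= MAX_AGE else None

if __name__ == "__main__":
    tok = pack_state({"peer": "192.0.2.7", "seq": 1}, now=1000)  # constructed state
    print(unpack_state(tok, now=2000))                 # fresh token accepted
    print(unpack_state(tok, now=2000))                 # resent token accepted too
    print(unpack_state(tok, now=1000 + MAX_AGE + 1))   # expired time-stamp
    print(unpack_state(tok, key=b"rotated-key", now=2000))  # server key changed
```

The second call shows that a resent token is still accepted while its time-stamp is valid; the last call shows that changing the server key invalidates every outstanding token at once.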
-
Possible to make both server and client stateless, but not sure why you'd
want to make client stateless
-
Section 3.3: Encrypt messages; encryption key becomes part of state
-
Section 4.0-4.1: Practice; Handshake
-
In TCP protocol, make the first message exchange stateless
-
Authentication of protocol stateless
-
Ex. X.509 Authorization Protocol: principle applied between Message
1 and 3
-
Section 4.2: Idle periods in connection: timeout too short. Instead of
breaking the connection, it would pack the state, send a message to the
client, who can restore the session later.
-
Section 4.4: Implement; want buffer for caching of state data
-
Security Problems
-
DoS attack, state data could still be valid.
-
Time-stamp valid for 1-2 days, client can resend an old message to the
server
-
DOB: What if you assume the packets come in order? The client sends the
message the first time. Change the server key so that if client resends
packet.
-
TA: Alternative to time stamping is to change server keys periodically.
-
DOB: Use one key, then can't reuse it. TA: Server would have to remember
old keys with respect to a particular client.
-
Pekka (co-author) implemented stateless TCP without caching; didn't test
how to handle attacks, didn't measure performance
-
Calculate difference in performance
-
Flooding server: stop connection or some packets get through. After attack,
timestamp duration longer than the attack, client again sends latest message.
-
Questions and Comments
-
DOB: Were the stateless protocols simulated? TA: No, it's all theory.
-
DOB: Space? TA: No details. MB: NTP (Network Time Protocol)
-
Stateless down to layer 4 (transport)
-
DOB: overcome argument about space, size of state
-
ST: In Section 3.1 you mention another application that sounds more interesting.
-
ST: Bandwidth consideration: flooding channels
-
DOB: Telnet, what does kernel keep in reference to the EMAC session in
stateless protocols? TA: Application receives message from the client
if every process has an identifier
-
DOB: Nothing stops from starting 100 EMACs
-
ST: What are types of problems at different levels? Maybe using authentication
code as part of handshake. MB: SYN cookies: state as 32 bit number
-
ST: TCP connection of SYN ACK
-
TA: Stateless protocol appears to make sniffing impossible, because you
need to know state
-
ST: SYN Floods at bottom, then Broken Packet problems, Bandwidth saturation,
Audit Bomb: fill up disk, overload system, Ping of Death
-
ST: Response system: human or machine; turn server off
3 layers that will relate:
-
Overloading a resource
-
Exploiting a vulnerability, an error code, protocol or policy
-
Response: locking out accounts
-
Too many false alarms, turn off IDS