Chapter 2 -- Self-made Flashcards

1
Q

TCP header format: what does it look like?

A

Six rows of 32 bits each, followed by the data:
1st row: Source Port | Destination Port
2nd row: Sequence Number
3rd row: Acknowledgement Number
4th row: Data Offset | Reserved | Flags (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN) | Window
5th row: Checksum | Urgent Pointer
6th row: Options | Padding (only present when Data Offset > 5, i.e. the header is longer than 20 bytes)
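As an added example (not part of the original flashcards), a small builder and parser for exactly these header rows, written with Python's standard struct module. The segment values, port numbers and the MSS option are constructed for illustration; the parser also rejects a Data Offset that points outside the segment, which is the classic way a hand-written TCP parser gets crashed.

```python
import struct

# Bit positions of the flags inside the 16-bit "Data Offset | Reserved | Flags" word (row 4)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
HDR = "!HHIIHHHH"   # ports, SEQ, ACK, offset/flags, window, checksum, urgent pointer: 20 bytes


def build_segment(sport, dport, seq, ack, flags, window=65535, options=b"", payload=b""):
    """Assemble a TCP segment; options are padded to a 32-bit boundary, checksum is left 0."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4                    # header length in 32-bit words
    off_flags = (data_offset << 12) | sum(FLAGS[f] for f in flags)
    return struct.pack(HDR, sport, dport, seq, ack, off_flags, window, 0, 0) + options + payload


def parse_options(raw):
    """Decode the kind/length/value option list into {kind: value}; kinds 0 and 1 have no length byte."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                      # End of Option List
            break
        if kind == 1:                                      # No-Operation, used for alignment
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_segment(segment):
    """Split a segment into the header rows from the card plus decoded flags, options and payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(HDR, segment[:20])
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):             # Data Offset must stay inside the segment
        raise ValueError("bad data offset %d" % (hdr_len // 4))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": hdr_len // 4, "reserved": (off_flags >> 8) & 0xF,
        "flags": [name for name, bit in FLAGS.items() if off_flags & bit],
        "window": window, "checksum": csum, "urgent": urg,
        "options": parse_options(segment[20:hdr_len]),
        "payload": segment[hdr_len:],
    }


def mss_option(mss):
    """Kind 2, length 4: Maximum Segment Size, the option a SYN normally carries."""
    return struct.pack("!BBH", 2, 4, mss)


# Constructed sample: the first handshake packet, SYN with MSS 1460 and no payload
SYN = build_segment(40000, 443, 0x1000, 0, ["SYN"], options=mss_option(1460))
```

Feeding `SYN` to `parse_segment` yields Data Offset 6 (20 bytes of fixed header plus the 4-byte MSS option), the single flag SYN, and `{2: b"\x05\xb4"}` as the option map.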

2
Q

What does the TCP 3-way handshake look like?

A

Alice sends to Bob -> SEQ=x, ACK=0, SYN
Bob replies to Alice -> SEQ=y, ACK=x+1, SYN, ACK
Alice replies to Bob -> SEQ=x+1, ACK=y+1, ACK
Alice sends to Bob -> SEQ=x+1, ACK=y+1, ACK, DATA

x and y are the initial sequence numbers each side picks; a SYN consumes one sequence number, hence x+1 and y+1.

3
Q
  • Can an attacker successfully complete a TCP 3-way handshake?
  • Can an attacker with a spoofed source address successfully complete a TCP 3-way handshake?
  • Can an attacker with a spoofed source address, limited by her position such that she does not receive the answers to her spoofed packets, successfully complete a TCP 3-way handshake?
A
  • Yes.
  • Yes. Recall our default attacker model: she still sees Bob's SYN-ACK, and with it y, even though it is addressed to the spoofed source.
  • No. Without the SYN-ACK she does not learn y, so she cannot send the final ACK=y+1; a blind guess has to hit one 32-bit value.

-> The price: Bob must remember y for every half-open connection until the ACK arrives (memory), which is exactly what a SYN flood exploits.

4
Q

What is a SYN flood attack? What issues arise from it?

A

SYN flood attack: the attacker sends a large number of TCP SYN packets with forged source addresses to the victim. Bob answers each with a SYN-ACK and allocates a half-open connection entry that waits for an ACK which never comes, since the forged sources never sent a SYN.
Bob's connection table fills up with half-open connections.
Legitimate users cannot establish new TCP connections.

5
Q

TCP SYN cookies: how can we protect ourselves against SYN floods?

A

SYN cookies: a particular choice of Bob's initial sequence number that lets him drop the half-open state altogether.

Bob answers the SYN with SEQ = α = h(K, Ssyn) and stores nothing.
Ssyn = source address of the SYN packet (in practice the whole address/port 4-tuple)
K = secret key known only to Bob

When the final ACK arrives, Bob recomputes α from the packet's source and K. If the ACK number equals α+1, the sender really received the SYN-ACK, i.e. the client has sent a SYN recently, and normal behaviour is assumed: the connection state is created only now.

6
Q

Advantages of SYN Cookies
* Server …
* Client …
* SYN cookies don’t …

A

* Server does not need to allocate resources after the first SYN packet.

* Client does not need to be aware that the server is using SYN cookies.

* SYN cookies don't require changes in the specification of the TCP protocol.

7
Q

Disadvantages of SYN cookies:

  • Calculating α may be …; moved the vulnerability from …
  • TCP options cannot be …, in all implementations: use only when an attack is assumed.
  • Efficient implementation (fast but insecure crypto) may be vulnerable to …. The secret needs to be …
A

  • Calculating α may be CPU consuming; the vulnerability moved from memory overhead to CPU overhead.

  • TCP options cannot be regularly negotiated (e.g. the large window option) using cookies, in all implementations: the ACK/SEQ number is only 32 bits long, so the cookie has no room for the options and Bob stores nothing else. Hence use cookies only when an attack is assumed.

  • An efficient implementation (fast but insecure crypto) may be vulnerable to cryptanalysis after the attacker has received a sufficient number of cookies. The secret needs to be changed regularly, e.g. by including a timestamp.

8
Q

TCP SYN cookies in the Linux kernel: calculating the cookie (helper)

A
9
Q

TCP SYN cookies in the Linux kernel: calculating the cookie (hacking additional information into it)

A
10
Q

TCP SYN cookies in the Linux kernel: verifying a received cookie

A
11
Q

TCP SYN cookies in the Linux kernel: disadvantages revisited

  • Calculating α may be CPU consuming?
  • TCP options cannot be negotiated?
  • Efficient implementation vulnerable to cryptanalysis?
A
  • Highly efficient: the hash is computed CPU-locally with barely any cache misses.
  • The client's MSS (not the full window size) is encoded into the cookie, as an index into a small table of MSS values up to a certain maximum, so at least that option survives. SYN cookies are only enabled dynamically once the SYN backlog (net.ipv4.tcp_max_syn_backlog) is exceeded; while the backlog has room, options are negotiated normally.
  • SipHash is a keyed pseudorandom function built for short inputs: fast, yet an attacker who does not know the key cannot forge cookies. In addition a counter that is incremented every minute goes into the hash, so old cookies expire.
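To tie the cards on the basic scheme (card 5), its disadvantages (card 7) and the Linux refinements above together, here is an added example, not the kernel's code and not part of the original flashcards: a stateless cookie server in Python that keeps a tiny SYN backlog and falls back to cookies once a flood fills it. The cookie layout (8-bit minute counter in the top byte, hash plus MSS index in the low 24 bits), the four-entry MSS table, the two-minute validity window and the keyed BLAKE2b standing in for SipHash are assumptions modelled on the description, not the kernel's exact constants. All addresses, ports, keys and sequence numbers are constructed.

```python
import hashlib
import struct

M32 = 0xFFFFFFFF
COOKIE_BITS = 24                      # low 24 bits: hash + MSS index; top 8 bits: minute counter
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MSSTAB = [536, 1300, 1440, 1460]      # MSS values a cookie can encode (2-bit index); illustrative table
MAX_AGE = 2                           # reject cookies older than this many minutes (example policy)


def keyed_hash(key, *words):
    """32-bit keyed hash over 32-bit words; keyed BLAKE2b stands in for the kernel's SipHash."""
    msg = b"".join(struct.pack("!I", w & M32) for w in words)
    return int.from_bytes(hashlib.blake2b(msg, key=key, digest_size=4).digest(), "big")


def ip_to_int(ip):
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def mss_to_index(mss):
    """Index of the largest table entry not above the client's MSS (0 if the client is below the table)."""
    return max((i for i, v in enumerate(MSSTAB) if v <= mss), default=0)


def make_cookie(keys, saddr, daddr, sport, dport, client_seq, count, mss_index):
    """Server ISN for the SYN-ACK: h1 + client_seq + (count << 24) + ((h2 + mss_index) & mask)."""
    h1 = keyed_hash(keys[0], saddr, daddr, sport, dport)
    h2 = keyed_hash(keys[1], saddr, daddr, sport, dport, count)
    return (h1 + client_seq + (count << COOKIE_BITS) + ((h2 + mss_index) & COOKIE_MASK)) & M32


def check_cookie(keys, saddr, daddr, sport, dport, client_seq, cookie, now_count):
    """Return the MSS encoded in a valid, fresh cookie, else None. No per-connection state needed."""
    h1 = keyed_hash(keys[0], saddr, daddr, sport, dport)
    diff = (cookie - h1 - client_seq) & M32
    age = (now_count - (diff >> COOKIE_BITS)) & 0xFF  # counter was stored in 8 bits: compare mod 256
    if age > MAX_AGE:
        return None                                   # stale cookie, or a guess with the wrong top byte
    count = now_count - age                           # counter value at the time the SYN-ACK was sent
    h2 = keyed_hash(keys[1], saddr, daddr, sport, dport, count)
    mss_index = (diff - h2) & COOKIE_MASK
    if mss_index >= len(MSSTAB):
        return None                                   # wrong key, wrong 4-tuple or a guessed ACK number
    return MSSTAB[mss_index]


class SynCookieServer:
    """Toy listener: a small SYN backlog that falls back to stateless cookies once it is full."""

    def __init__(self, keys, addr, port, backlog_limit=2):
        self.keys, self.addr, self.port = keys, ip_to_int(addr), port
        self.backlog_limit = backlog_limit
        self.half_open = {}        # (saddr, sport) -> (server ISN, client MSS); the SYN-flood target
        self.established = []      # (saddr, sport, negotiated MSS)
        self.cookies_sent = 0

    def on_syn(self, saddr, sport, client_seq, mss, now_minutes):
        """Handle a SYN; returns (SEQ, ACK) of the SYN-ACK Bob sends back."""
        s, ack = ip_to_int(saddr), (client_seq + 1) & M32
        if len(self.half_open) < self.backlog_limit:
            isn = keyed_hash(self.keys[0], s, self.addr, sport, self.port, now_minutes)  # ordinary ISN
            self.half_open[(saddr, sport)] = (isn, mss)
            return isn, ack
        self.cookies_sent += 1     # backlog exhausted: answer with a cookie and remember nothing
        return make_cookie(self.keys, s, self.addr, sport, self.port, client_seq,
                           now_minutes, mss_to_index(mss)), ack

    def on_ack(self, saddr, sport, seq, ack, now_minutes):
        """Handle the third packet (SEQ = x+1, ACK = y+1); returns the connection's MSS or None."""
        entry = self.half_open.get((saddr, sport))
        if entry is not None:
            isn, mss = entry
            if ack != (isn + 1) & M32:
                return None
            del self.half_open[(saddr, sport)]
        else:                      # no state: y+1 must be a valid cookie for this 4-tuple and x
            mss = check_cookie(self.keys, ip_to_int(saddr), self.addr, sport, self.port,
                               (seq - 1) & M32, (ack - 1) & M32, now_minutes)
            if mss is None:
                return None
        self.established.append((saddr, sport, mss))
        return mss


def demo():
    """Flood fills the backlog; a real client still connects via cookie; blind and stale ACKs fail."""
    keys = (b"k1" * 8, b"k2" * 8)   # constructed secrets; rotate them in a real deployment
    srv = SynCookieServer(keys, "10.0.0.1", 443, backlog_limit=2)
    for i in range(50):             # SYN flood from forged sources that never send the final ACK
        srv.on_syn("198.51.100.%d" % i, 40000 + i, 1000 + i, 1460, now_minutes=7)
    backlog_full = len(srv.half_open) == 2 and srv.cookies_sent == 48
    x = 123456                      # legitimate client: echoes y+1 from the SYN-ACK it really received
    y, _ = srv.on_syn("203.0.113.9", 51515, x, 1460, now_minutes=7)
    ok = srv.on_ack("203.0.113.9", 51515, x + 1, (y + 1) & M32, now_minutes=8)
    blind = srv.on_ack("203.0.113.9", 51516, 1, 0xDEADBEEF, now_minutes=8)  # never saw y: a guess
    stale = srv.on_ack("203.0.113.9", 51515, x + 1, (y + 1) & M32, now_minutes=10)  # 3 minutes later
    return backlog_full, ok, blind, stale
```

`demo()` returns `(True, 1460, None, None)`: the two backlog slots are held by forged half-open entries, the 48 further flood SYNs cost Bob nothing but a hash each, the honest client gets its MSS back out of the cookie without Bob ever having stored it, the blind spoofer's guessed ACK fails the index check, and the replayed ACK fails the age check once the minute counter has moved on.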