06a - Transport Layer Security - TCP and UDP attacks Flashcards

1
Q

Why do amplification DoS attacks prefer UDP services?

A

Because UDP is “connectionless”, there is no authentication of the peer. This allows packets to be sent to and from hosts very rapidly.
Without authentication, packets can be spoofed easily, so reflection attacks are very easy to perform.

2
Q

What are the five components needed to spoof an RST packet?

A
  1. Source IP address
  2. Source Port
  3. Destination IP Address
  4. Destination Port
  5. Sequence Number (within the receiver’s window)
3
Q

Which is the most important part of mounting TCP reset and TCP session hijacking attacks?

A

Getting the sequence number correct.

4
Q

Enumerate some general mitigations against TCP attacks.

A
  • Avoid exposing endpoint identifiers such as the source IP and source port.
  • Use NAT via a firewall or router.
  • Prevent unauthorized Internet access via routers and ACLs.
5
Q

Explain what a SYN cookie is and how it protects against SYN flooding attacks.

A

After the server receives the initial SYN packet, a keyed hash H is calculated from the information in the packet using a secret key known only to the server.
H is sent to the client as the server's initial sequence number.
H is called the SYN cookie.
The server does not store half-open connections.
The server only stores a connection once the client returns H+1.

6
Q

Define TCP

A
Transmission Control Protocol.
- Connection oriented.
- Considered reliable.
- Uses a three-way handshake to establish a communication connection:
  Client --SYN--> Server
  Client <--SYN-ACK-- Server
  Client --ACK--> Server
- Three-way handshake to close (FIN / FIN-ACK / ACK).
- Runs on top of IP.
7
Q

Define UDP

A

User Datagram Protocol

  • “Connectionless” protocol, meaning that no connection needs to be established in order for communication to occur.
  • Considered unreliable.
  • Low overhead means faster transmission / low latency.
  • Runs on top of IP.
8
Q

List four TCP attacks.

A
  1. SYN Flooding Attack
  2. Shrew TCP Attack
  3. TCP Session Hijacking Attack
  4. TCP Reset Attack
9
Q

List and describe some UDP attacks.

A
  1. UDP Flood
    Targets UDP ports using a spoofed source IP. Sends packets to random ports; if a port is open the packet gets processed, and if it is closed a reply is sent.
  2. UDP Amplification Attack
    A spoofed UDP packet is sent to a “reflective” host, which then sends a large packet to the victim.
    The amplification rate is the ratio of [answer sent to victim] to [request sent by attacker].
10
Q

List the mitigations involving NAT.

A
  • Use a firewall or router to filter out malicious packets.
11
Q

List the mitigations involving ACLs.

A
  • ACL stands for Access Control List.
  • With routers and ACLs you can mitigate the attacks.
  • Prevents unauthorized Internet access.
12
Q

What is SYN Flooding?

A
  • TCP attack.
  • Continuously send SYN packets to the server without finishing the last ACK, which fills the TCP connection queue with half-open connections. TCP services get DoS’d.
13
Q

What is Shrew Attack?

A
  • TCP attack.
  • Low-rate DoS attack: send a burst of TCP packets equal to the link capacity at short intervals (every second or so). This creates congestion and reduces TCP flow. The average rate of the attack flow is small, so it is hard to detect.
14
Q

What is TCP Session Hijacking?

A
  • Inject data into an established connection so that the connection gets redirected to your machine.
  • Uses a spoofed TCP packet.
  • Requires:
    • Source IP, source port
    • Destination IP, destination port
    • Sequence number (hard to get; it’s the previous sequence number + 1)
15
Q

What is a TCP Reset Attack?

A

Break up a TCP connection between A and B.

- Accomplished using a spoofed TCP RST packet.
