Software Requirements Specification

for
TCP SYN FLOODING ATTACK DETECTION AND PREVENTION

Prepared by D.Deepthi Rani

QIS COLLEGE OF ENGINEERING & TECHNOLOGY

Software Requirements Specification for TCP SYN FLOODING ATTACKS Page ii

Table of Contents
1. Introduction................................................................................................................................1 2. How..............................................................................................................................................3 3. Overall Description....................................................................................................................3 4. External Interface Requirements ........................................................................................ 7 5. System Features .................................................................................................................... 10 6. Other Nonfunctional Requirements....................................................................................... 12

Revision History
Name Date Reason For Changes Version

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 1

1.

Introduction
The rapid growth and increasing utility of the Internet have made Internet security issues

increasingly important. Denial-of-service (DoS) attacks are one of the most serious problems and a means of preventing such attacks must be devised as soon as possible. There are many kinds of DDoS attacks such as Smurf attacks, UDP floods, and SYN flood attacks. These attacks prevent user from communicating with service providers and have damaged many major web sites all over the world. TCP SYN FLOODING ATTACK is easy to execute. Online resources can be doenloaded to launch DoS attacks all it takes is a readily available available software program and a target network. SYN flood attacks exploit the transmission control protocol (TCP) specification. In the TCP, a client node communicates with a remote node (i.e., a server) by way of a virtual connection established through a process called a 3-way handshake. Attackers send SYN packets whose source address fields are spoofed. The server receiving these SYN packets sends the SYN/ACK packets to the spoofed addresses. If a node having one of the spoofed addresses actually exists, it sends a RST packet for the SYN/ACK packet because it did not send the SYN packet. If there is no host having the spoofed address, however, the SYN/ACK packet is discarded by the network and the server waits in vain for an ACK packet acknowledging it. For losses of SYN/ACK packets, the server has a timer in the backlog queue, and half-open states exceeding the timer are removed. When the backlog queue is filled with spoofed SYN packets, however, the server cannot accept SYN packets from users trying to connect to the server.

1.1

Purpose
The SYN flood attacks do not differ from normal TCP SYN packets except in the spoofing

of the source addresses, it is difficult to distinguish them from normal TCP SYN packets at the victim server. This is why SYN flood attacks are hard to block. Many methods to defend servers from these attacks, however, have been proposed. SYN cache [5] and SYN cookie [6] are mechanisms applied in server nodes. In the SYN cache mechanism, the server node has a global hash table to keep half-open states of all applications, while in the original TCP these are stored in the backlog queue provided for each application. As a result, the node can have a larger number of halfopen states and the impact of a SYN flood attack can be reduced. On the other hand, the SYN

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 2

cookie mechanism can remove the backlog queue by using a cookie approach. In the original TCP the server node first allocates the servers resources and sends a SYN/ACK packet. This is done because there is no way to validate whether the ACK packet received after sending the SYN/ACK packet is really the acknowledgment of the SYN/ACK packet (i.e., the final packet of the 3-way handshake). The SYN cookie embeds a magic number encrypted by the header of the SYN packet (e.g., IP addresses, port numbers) into the sequence number of the SYN/ACK packet. The server node then verifies the ACK packet of the SYN/ACK packet by decrypting the sequence number of the ACK packet. The server node then allocates the server resources only when the ACK packet is valid. This mechanism can remove the backlog queue. However, these single-point defense mechanisms have a fundamental problem with respect to scalability. In DDoS attacks, attack nodes are widely distributed all over the world. Attack traffic from attack nodes is aggregated into a very high rate attack at the server. At this point, a DDoS attack is highly scalabile because the amount of attack traffic can increase in proportion to the number of attacker nodes. On the other hand, single-point defense mechanisms lack scalability commensurate with the attack traffic increase. That is, high-rate attacks from widely distributed nodes can overwhelm the firewalls or the servers regardless of the implemented server-side defense mechanism (e.g. SYN Cache or SYN Cookie) is implemented. For this reason, a distributed defense mechanism is needed to defend servers from distributed attacks.

1.2

Intended Audience and Reading Suggestions

The intended audience of this document includes project managers, designers, developers and end users (system/network administrators) of DDOS attacks and DETER lab.

1.3

Product Scope
The product scope is a well-known denial-of-service attack, called TCP SYN flood. And here we

will able to create a real attack using DETER tools, and to observe its effect on legitimate traffic. Afterwards, to apply a known defense against SYN flood known cookies, repeat the attack and observe the protection.

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 3

The proposed solution,SYN cookies promises to provide:

2.
2.1

How
References

More information about the project,improvement information and Deter lab working process and SEER information is available at User Manual: http://www.isi.deterlab.net/ Snort, Apache, PHP, MySQL, ACID on Redhat 9.0 Installation Guide:

1. 2.

http://www.snort.org/docs/snort_acid_rh9.pdf 3. Intrusion Detection Using Snort: http://www.linuxsecurity.com/feature_stories/feature_story-49.html

3.
3.1

Overall Description
Product Perspective

The objectives of this project are broken down into smaller categories to make it effective and achievable. The first goal would be to understand the subject in detail by taking into consideration the previous incidents and attacks that happened in the past. IEEE papers and related white papers were carefully chosen to understand this subject matter in depth. The second objective would be set up a test bed environment and choose tools that are required to carry out live implementation. Since carrying out an attack in a real time environment needs extra care when compared to simulation, a dedicated LAN environment was chosen.

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 4

3.2

Product Functions
The proposed solution will include prevention mechanisms to network based known

attacks. This task poses several challenges to be met so that the objectives are achieved successfully. The different types of DOS attacks are listed below. 1)SYN Floods: A SYN flood works by establishing half-open connections to a node. When the target receives a SYN packet to an open port, the target will respond with a SYN-ACK and try to establish a connection.However, during a SYN flood, the three-way handshake never completes because the client never responds to the servers SYN-ACK. As a result, these connections remain in the half-open state until they time out. 2)ICMP Floods: While several types of Internet Control Message Protocol (ICMP) floods exist, each exploits the openness of the ICMP protocol itself, and the fact that most systems with IP stacks will respond to most ICMP messages. Large ICMP floods can affect available network bandwidth and impose extra load on the firewall, which must examine and inspect each ICMP packet. These risks can be mitigated by implementing a Juniper Networks firewall with ICMP flood protection, in combination with adjacent routers to rate-limit ICMP traffic and prevent the attack from impacting bandwidth and firewall performance.

3)UDP Floods: A User Datagram Protocol (UDP) flood can cause significant impact on network bandwidth.Additionally, if a UDP flood is directed to an unopened port, the target server will respond to each packet with an ICMP unreachable message, creating an ICMP flood in the opposite direction. To mitigate the impact of UDP floods, a stateful firewall with both UDP and ICMP flood protection should be implemented. To survive a larger UDP flood, rate limits on UDP traffic may need to be implemented on adjacent routers to protect available bandwidth. 4)Illegal TCP Flag Flood: Certain combinations of TCP flags, such as a SYN packet with the FIN bit set, are illegal and shouldnt be seen on any network. While a firewall will clearly detect and drop these anomalies, it will only handle these illegal packets up to a certain rate. Above this rate, these packets

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 5

should be rate-limited by adjacent routers to a rate that the stateful firewall can handle. 5)Distributed DOS Floods: Further compounding the flood problem is the proliferation of zombies, which are actually hosts that are infected with malware. A crafty attacker can infect thousands of machines and direct them all to attack a specific system at once. In this scenario, the attacks originate from several hundred to many thousands of source IPs, making detection and prevention more difficult. While this will mitigate any traffic passing the firewall, the incoming link can still be saturated. If the network under attack is part of a network that is routed with BGP, mitigation can be achieved upstream of the link via BGP Slow Specification commands. This is best accomplished at the service provider level, as it requires a modification to the peering agreement and the provider being willing to accept flow specification information from routers they dont directly control. 6)Spoofed Address Floods: Some DoS attacks use spoofed or illegal IP addresses, which will never be properly routed back to the source. To mitigate these spoofed attacks, one should implement reverse path validation on ingress routers in combination with dropping non-local subnets at egress routers. This combination of ingress and egress filtering will drop these illegal packets before they reach the firewall.

3.3

User Classes and Characteristics

The solution is intended to be used primarily by network managers and system administrators. And this solution shall also work as a useful tool for top level management such that they can have a broader picture of network in terms of security. System administrators will have most direct contact with the solution. System administrators will install, configure and constantly monitor the solution. They will also view and analyze the reports generated from the solution. Fine tuning of the solution of network based attacks is the duty of system administrators. The interest of top level management is restricted to the overall network conditions which can be facilitated by generating detailed report. Therefore, the most privileged user class consists of system administrators.

3.4

Operating Environment

The target operating system of is Linux based Ubuntu and Security Experiment Environment for Deter

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 6

(SEER) provides a GUI interface to control agents like attacks and defends and view data and logs from the experiment. Free to connect to the SEER messaging network with your own GUI; however, may be able to extend the GUI to provide the features also want

3.5

Design and Implementation Constraints

Processing Power: DoS requires data capturing, analysis, and prevention with in negligible. With these features, speed processing machine is required to fulfill all the tasks. Deployment Point: DoS be deployed at the network based router of a network one is trusted network and other one is untrusted network. In any other case, IPS does not work properly. Tcpdump: Tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display. TCP/IP and other packets being transmitted or received over a network to which the computer is attached. [ tcpdump is free software tcpdump is most frequently used for debugging networks and network applications because it gives a simple but comprehensive look into the traffic on an interface and requires no GUI.

Operating Platform: Operating platform is Linux based Ubuntu. Ubuntu a computer operating system based on the Debian Linux distribution and distributed as free and open source software, using its own desktop environment. The solution should be developed such that it can smoothly run on several different distributions of Linux. And Ubuntu is composed of many software packages

3.6

User Documentation
User manual and guide to creating snort preprocessors will be made available for

troubleshooting and help. The user manual will contain detailed information about the usage of the product from snort manual perspective to an expert network/system administrator. The snort manual and summary of snort on Wikipedia shall also be made available online.

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 7

3.7

Assumptions and Dependencies

The proposed solution will be designed to work in an enterprise environment.

The target environment may consist of wired and wireless links inside the network. All outbound and incoming traffic is supposed to go through edge routers. The solution has to be self sufficient and free from any unfamiliar dependencies. Well known and widely available libraries, such as tcpdump are however permitted and consider the client, server, nodes, snort, and firewall routers.

4.
4.1

External Interface Requirements

User Interfaces

A graphical user interface is available providing following functionalities: 1. Swap the experiment in using the DETER web interface. 2. Start up the SEER GUI and select Emulab as the testbed interface type 3. Associate your experiment with the SEER GUI by using Emulab Interface->Attach To Experiment 4. The GUI will prompt you for a project and experiment string. Both of these values are case sensitive. If enter the correct values but with incorrect case, the GUI will not be able to connect and will notify so 5. As you now require a connection to DETER, the GUI will prompt you for a username and host. 6. It will now prompt for ssh passphrase or interactive password, based on type of authentication technique supported by the local machine. We recommend setting up ssh keys on DETER for more robust connections. If the key file supplied isnt valid, it will default back to keyboard interactive passwords.

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 8

7. The topology will now be displayed under the Topology Tab. 8. Various types of cross traffic can be generated using the Control Tab 9. Traffic on the topology can be observed by right clicking on a node and selecting Open Graph. The graph will will be found in the Graphs Tab.

4.2

Hardware Interfaces

The solution makes extensive use of several hardware devices. These devices include;

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 9

i. Network Interface Cards ii. Ubuntu and Linux(any distribution) client computers iii. Preprocessors iv. Detection Plugins v. Output Plugins

4.3

Software Interfaces

DDOS ATTACKS will allow users to select one of the software interfaces available for capturing incoming traffic. These interfaces will store packet and log the data in their own defined structured format. The interface can have: 1. own defined format 2. Protocols format (ip, tcp, icmp) 3. Base and PHP alerts format 4. SEER MySQL database is used for storing the data. This whole product runs on different distributions of Linux. As an underlying communication mechanism between modules on different systems, TCP is used because of its reliable services.

4.4

Communications Interfaces

Denial-of-service attacks is a large scale project and is needed to deploy on different systems. For storing and retrieving packets and other data, a database of audit data and reported events is stored on another system. Retrieval of data for monitoring and reports is entirely an independent process than detection and prevention. Database server is central and needs to be communicated in a reliable and efficient way, so that real-time results can be generated. For this purpose TCP protocol is used for underlying communication needs.

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 10

5.

System Features

The proposed solution shall provide several services to its users. Major services provided by the IPS system are briefly discussed below.

4.1 Active mode

4.1.1 Description and Priority The detection will be done by the active component of the product. As soon as a devisation from the baseline o r any malware is observed, this component raises an alert. The anomaly detector will evaluate existing and new traffic features of incoming and outgoing traffic for real-time attack characterization. These features will be used for attack detection in novel information-theoretic, statistical, and machine learning frameworks. 4.1.2 Stimulus/Response Sequences Stimulus: Real-time traffic reaches detector Response: Compare real-time traffic with baseline profile Stimulus: No considerable deviation from the normal profile is observed. Response: Ignore and continue detection . Stimulus: Considerable deviation from normal profile is observed. Response: Drop and Reject. 4.1.3 Functional Requirements REQ-1: User is asked for username and password REQ-2: User is given three chances to enter his login name and password failing which the screen is locked and alert is generated in the form of a popup box and beep at the backend (main server) of a security breach. REQ-3: After verifying the login, the user is granted access to the front end of the Inline Prevention system REQ-4: The interface has pushbutton for starting/stopping the detector, pushbutton for logging out and grid for viewing session /packet details. The interface also displays the number of packets/sessions, graphically, arriving in the adopted

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 11

timeframe and locked text box to show current statistics of normal and incoming profile. REQ-5: If an malicious attacks occurs the pop-up box appears along with a alert to the administrators of a network. REQ-6: If the user presses the start button the detector starts executing and looking for misdirected traffic. REQ-7: If the user presses stop, the detector stops working. REQ-8: Once a user logs out he is asked to provide the login information again to access the application.

4.2 Capturing Data

4.2.1 Description and Priority: Collection of audit data is the basic prerequisite of anomaly detection. Captured data shall consist of information at network initially, complete packets shall be captured. Session level information will be filtered from this data for detection purposes. This is a high priority feature of the solution. 4.2.2 Stimulus/Response Sequences Stimulus: Real-time traffic reaches detector Response: traffic is captured as it is and stored in the database. 4.2.3 Functional Requirements

REQ-1: All the data reaching any of the hardware interfaces of the solution is captured. REQ-2: Captured data is initially stored completely. REQ-3: Incase of extra-ordinary incoming traffic, it is permissible to miss few packets.

4.3 Alert Reporting

4.3.1 Description and Priority

The output of anomaly detection process is the generation of alerts in case of any event. These alerts are reported to relevant people using different methods and also stored for further investigation. The alerts are reported using pop ups and e-mail. Pop ups are displayed on the screen of network administrator whenever a critical event is detected.

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 12

4.3.2 Stimulus/Response Sequences Stimulus: Enough data is captured so that the SEER can operate. Response: SEER is operated over collected data. Stimulus: An malicious attack is detected by base. Response(s): i. An alert is generated and pop up appears on network administrators screen. ii. The Intrusion detection results are stored in a database for further Investigation

4.3.3

Functional Requirements REQ-1: Alerts should be concise and brief; however they must not miss any critical information. REQ-2: log data list must contain the addresses of relevant people only. REQ-3: Alert report for management must not be very technical.

6.
6.1

Other Nonfunctional Requirements

Performance Requirements

The solution has to exhibit very stringent performance requirements. The system has very high detection rate (i.e., no less than 99%) in any circumstances. Similarly the system has very low false alert rate (i.e., no more than 1%) in any circumstances. These requirements shall be achieved by using snort org. Another performance requirement is the prevention of malicious attacks in real time. The active prevention module is proposed for the same purpose

6.2

Safety Requirements

There are no specific safety requirements associated with the proposed system.It composed of well known and commonly used hardware which does not cause any safety hazards.

Software Requirements Specification for TCP SYN FLOODING ATTACKS

Page 13

6.3

Security Requirements

Only authorized personnel are allowed to use the product and go through selection procedures. In case of forgotten passwords contact the developers. Similarly, changing the features of the solutions at runtime also requires password based authentication.

6.4

Software Quality Attributes

Reliability DoS should provide reliability to the user that the product will run stably with all the features mentioned above available and executing perfectly. It should be tested and debugged completely. All exceptions should be well handled. Accuracy DoS should be able to reach the desired prevention level. It should generate minimum alerts with maximum prevention rate. And also providing security without modifying the existing network Resources DoS should use minimal resources in terms of memory, time and CPU. User Friendliness DoS should have a graphical user interface with user friendly menu with SEER.

6.5

Business Rules

DDOS attacks is most suitable for network administrators of large enterprises. The product should be used with precaution to avoid loss of data. Major advantage is without modify the old data or network providing security.