tcp analysis based on flags
TRANSCRIPT
-
8/8/2019 Tcp Analysis Based on Flags
1/29
TCP Analysis Based on FlagsCheng Guang
College of Computer Science & Engineering
Southeast University, Nanjing, P.R.China
-
8/8/2019 Tcp Analysis Based on Flags
2/29
Introduction
We have known that, some TCP segments carrydata while others are simple acknowledgements forpreviously received data. Such as, the popular 3-way handshake utilises the SYNs and ACKs
available in the TCP to help complete theconnection before data is transferred.
So we can get a conclusion that each TCP segmenthas a purpose, and this is determined with the help
of the TCP flag options, allowing the sender orreceiver to specify which flags should be used sothe segment is handled correctly by the other end.
-
8/8/2019 Tcp Analysis Based on Flags
3/29
Flags
Six Flags Urgent Pointer
ACKnowledgement
PUSH
Reset (RST) Flag
SYNchronisation Flag
FIN Flag
All flags, a value of '1' means that a particular flag is
'set. Each flag is one bit long, and since there are 6 flags,
this makes the Flags section 6 bits in total.
-
8/8/2019 Tcp Analysis Based on Flags
4/29
1st Flag - Urgent Pointer
This flag is used to identify incoming data as 'urgent
incoming segments are sent directly and processedimmediately.
An Urgent Pointer could be used during a stream ofdata transfer where a host is sending data to anapplication running on a remote machine.
By setting the abort signal's segment Urgent Pointer
flag to '1', the remote machine will give that specificsegment priority, processing it immediately andstopping all further data processing.
-
8/8/2019 Tcp Analysis Based on Flags
5/29
The Urgent Pointer
The urgent pointer flag allows us to mark a segment of data as'urgent', while this urgent pointer field specifies where exactly theurgent data ends.
Urgent Pointer can also be used when attacking remote hosts.
-
8/8/2019 Tcp Analysis Based on Flags
6/29
2nd Flag - ACKnowledgement
The ACKnowledgement flag is used toacknowledge the successful receipt ofpackets.
-
8/8/2019 Tcp Analysis Based on Flags
7/29
3rd Flag - PUSH
The Push flag ensures that the data is giventhe priority and is processed at the sending orreceiving end.
This particular flag is used quite frequently atthe beginning and end of a data transfer,affecting the way the data is handled at both
ends. Push flag is usually set on the last segment
of a file to prevent buffer deadlocks.
-
8/8/2019 Tcp Analysis Based on Flags
8/29
4th Flag - Reset (RST) Flag
The reset flag is used when a segmentarrives that is not intended for the currentconnection.
This 'feature' is used by most hackers inorder to scan hosts for 'open' ports.
All modern port scanners are able to detect
'open' or 'listening' ports thanks to the 'reset'function.
-
8/8/2019 Tcp Analysis Based on Flags
9/29
5th Flag - SYNchronisation Flag
The SYN flag is initialy sent whenestablishing the classical 3-way handshakebetween two hosts
During the 3-way handshake we are able tocount a total of 2 SYN flags transmitted, oneby each host.
As files are exchanged and new connectionscreated, we will see more SYN flags beingsent and received.
-
8/8/2019 Tcp Analysis Based on Flags
10/29
6th Flag - FIN Flag
This flag is used to tear down the virtualconnections created using the previous flag(SYN).
FIN flag always appears when the lastpackets are exchanged between aconnection.
-
8/8/2019 Tcp Analysis Based on Flags
11/29
Analysis worm's SYN scan
If a worm was designed to spread via TCP, during itspropagation there will be a lot of corresponding TCP SYNpackets sent out as it seeks vulnerable services in other hosts.
the destination host is alive,
the destination host it attempts to connect to is not living
the destination is alive but connection attempts from the wormare not functional
when worm tries to propagate, the destination addresses aretypically generated at random, and normally there will be a largenumber of destination hosts that are not living or functional.
Therefore we should expect to see a large number of SYN bitsset in the flow records associated with the worm-infected host.
-
8/8/2019 Tcp Analysis Based on Flags
12/29
Analysis RST/ACK
a closed port will send back a RST/ACK to aTCP request,
If a worm is scanning a large block of living
hosts, those hosts with closed ports wouldsend back a RST/ACK.
if a destination host receives too many
RST/ACK responses, this destination IP isvery likely infected with a worm.
-
8/8/2019 Tcp Analysis Based on Flags
13/29
SYN flood attack
attacker creates a random source address
SYN flag set in each packet is a request toopen a new connection
victim responds to spoofed IP address, thenwaits for confirmation that never arrives
victim's connection table fills up waiting forreplies
after table fills up, all new connections areignored
-
8/8/2019 Tcp Analysis Based on Flags
14/29
SYN
SYN+ACK Packet SA_SYN
RST+ACK packet RA_SYN
Non Response Non_SYN
SYN#=SA_SYN#+RA_SYN#+Non_SYN#
-
8/8/2019 Tcp Analysis Based on Flags
15/29
SYN+ACK
FIN+ACK FA_SA
RESET+ACK FIN+ACK RA_SA
RESET RT
Non Response Non_SA
SYN_ACK# =FA_SA#+FA_RA_SA#+RT#+Non_SA#
-
8/8/2019 Tcp Analysis Based on Flags
16/29
Related Model
SYN#=SA_SYN#+RA_SYN#+Non_SYN# SYN_ACK# = FA_SA# / 2+RA_SA#+RT#+Non_SA#
SA_SYN# = SYN_ACK#
RESET_ACK# = RA_SYN#+RA_SA# RESET# = RT#
FIN+ACK # = FA_SA#
Have 7 variables, but only 6 equations ? Non_SYN#, RA_SYN#, RA_SA#, Non_sa#
-
8/8/2019 Tcp Analysis Based on Flags
17/29
Hypothesis
We only consider the SYN attacks.
Let Non_sa# = 0;
SYN#=SA_SYN#+RA_SYN#+Non_SYN#
SYN_ACK# = FA_SA# / 2+RA_SA#+RT#
SA_SYN# = SYN_ACK#
RESET_ACK# = RA_SYN#+RA_SA#
RESET# = RT#
FIN+ACK # = FA_SA#
Have 6 variables, but only 6 equations
? Non_SYN#, RA_SYN#, RA_SA#
-
8/8/2019 Tcp Analysis Based on Flags
18/29
EXAMPLES
SYN SYN+ACK FIN RST (1) 27390 6739 1837 17983
(2) 30387 7736 1998 14607
(3) 29644 5411 2336 17129
So we can compute the SYN # which donthave any response. (1) Non_SYN# = 8488
(2) Non_SYN# = 14780
(3) Non_SYN# = 11347
-
8/8/2019 Tcp Analysis Based on Flags
19/29
Problems
In this example, we only consider the SYNflood and scan security, and our aim is tocompute the number of SYN which is
abnormal SYN packets. In the future, we will consider more conditions,
so that, we can estimate more variables.
-
8/8/2019 Tcp Analysis Based on Flags
20/29
Timestamps = 10s SYN/SYN+ACK
0
5
10
15
20
25
30
35
40
45
50
1 9 17 25 33 41 49 57 65 73 81 89 97 105 113
-
8/8/2019 Tcp Analysis Based on Flags
21/29
Timestamps = 600s SYN/SYN+ACK
2005
0
10
20
30
40
50
60
70
1 5 9 13 1 7 2 1 25 2 9 3 3 37 41 4 5 49 53 5 7 61 65 69 7 3 77 81
-
8/8/2019 Tcp Analysis Based on Flags
22/29
Timestamps = 600s SYN/SYN+ACK
2004.4.17
0
20
40
60
80
100
120
140
1 3 5 7 9 11 13 15 17 19 21 23
-
8/8/2019 Tcp Analysis Based on Flags
23/29
Timestamps = 10s ACK/PUSH
0
1
2
3
4
5
6
1 9 17 25 33 41 49 57 65 73 81 89 97 105 113
-
8/8/2019 Tcp Analysis Based on Flags
24/29
Timestamps = 600s ACK/PUSH
2005
0
1
2
3
4
5
6
1 5 9 13 17 21 2 5 29 3 3 37 41 4 5 49 53 5 7 61 65 69 7 3 77 81
-
8/8/2019 Tcp Analysis Based on Flags
25/29
Timestamps = 600s ACK/PUSH
2004.4.17
0
1
2
3
4
5
6
7
8
1 3 5 7 9 11 1 3 1 5 1 7 19 2 1 23
-
8/8/2019 Tcp Analysis Based on Flags
26/29
ACK+SYN+PUSH/SUM
2005
0.90.91
0.92
0.93
0.94
0.95
0.96
0.97
0.98
0.99
1 6 11 16 21 26 31 36 41 46 51 56 61 66 71 76 81
-
8/8/2019 Tcp Analysis Based on Flags
27/29
ACK+SYN+PUSH/SUM
2004.4.17
0.968
0.97
0.972
0.974
0.976
0.978
0.98
0.982
0.984
0.986
0.988
1 3 5 7 9 11 13 15 17 19 21 23
-
8/8/2019 Tcp Analysis Based on Flags
28/29
Time Series
0
200000
400000
600000
800000
1000000
1200000
1400000
1 6 11 16 21 26 31 36 41 46 51 56 61 66 71 76 81 86 91
SYN+ACK
FIN+ACK
RST
-
8/8/2019 Tcp Analysis Based on Flags
29/29