QUISHING
A cybersecurity threat in which attackers use QR codes to redirect victims to
malicious websites or prompt them to download harmful content. The goal of
this attack is to steal sensitive information, such as passwords, financial data,
or personally identifiable information (PII), and use that information for other
purposes, such as identity theft, financial fraud, or ransomware.
• Why do you have to precede a ./ to a program in a
current working directory when you want to execute it?
– PATH env variable
– absolute/relative path
– Demo: create an executable in the current working directory
with the same name as a system command, say pwd
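The demo above, worked through in Python as an added example (not code from the slides): a scratch executable named pwd is created, and the bare name is resolved through two constructed PATH values, once without and once with "." in it, versus the explicit ./pwd form. The marker string, the scratch directory and the PATH strings are all constructed for this example.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Added example, not from the slides: makes the PATH lookup visible by creating
# a scratch executable named "pwd" and running "pwd" three ways. The marker
# string, the scratch directory and the PATH values are constructed here.

FAKE_MARKER = "FAKE-PWD-RAN"


def make_fake_pwd():
    """Create a scratch directory holding an executable shell script named pwd."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "pwd")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho " + FAKE_MARKER + "\n")
    # mark it executable for everyone, as a dropped binary would be
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return directory


def run_by_name(directory, search_path):
    """Run the bare name "pwd" from inside directory. The child resolves it
    through search_path only; the current directory is not searched unless
    "." appears in that PATH."""
    result = subprocess.run(["pwd"], cwd=directory, env={"PATH": search_path},
                            capture_output=True, text=True)
    return result.stdout.strip()


def run_explicit(directory):
    """Run ./pwd: the slash makes it a path, so PATH is never consulted."""
    result = subprocess.run(["./pwd"], cwd=directory, capture_output=True, text=True)
    return result.stdout.strip()


def demo():
    """Compare the three lookups, clean up, and report what each one ran."""
    directory = make_fake_pwd()
    try:
        return {
            "real_dir": os.path.realpath(directory),
            "bare_safe_path": run_by_name(directory, "/bin:/usr/bin"),
            "bare_dot_in_path": run_by_name(directory, ".:/bin:/usr/bin"),
            "dot_slash": run_explicit(directory),
        }
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value}")
```

With a sane PATH the bare name runs the system pwd and prints the directory; only the explicit ./pwd, or a PATH that contains ".", runs the file dropped in the working directory. That is the reason "." is kept out of PATH: otherwise any directory you cd into can shadow a system command.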
Readings
Stallings: Chapter 7
Pfleeger: Chapter 6.4-6.5
Outline
• Denial of Service Attacks
– Definition
• Point-to-point network denial of service
– Smurf
• Distributed denial of service attacks
– Trin00, TFN, Stacheldraht, TFN2K
– World record 3.8 Tbps DDoS
https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/
– DDoS on Internet Archive (web.archive.org) + data breach
OCTOBER 9-10, 2024
• TCP SYN Flooding and Detection
Denial of Service Attack Definition
• An explicit attempt by attackers to prevent legitimate
users of a service from using that service
• Threat model – taxonomy from CERT
– Consumption of network connectivity or bandwidth
– Consumption of other resources, e.g. queue, CPU
– Destruction or alteration of configuration information
• Malformed packets confusing an application, causing it to freeze
– Physical destruction or alteration of network components
Slashdot Effect
occurs when a popular website links to a smaller website,
causing a massive increase in traffic. This overloads the
smaller site, causing it to slow down or even temporarily
become unavailable.
Status
• DoS attacks increasing in frequency, severity and
sophistication
– 32% of respondents detected DoS attacks (1999 CSI/FBI survey)
– Yahoo, Amazon, eBay and Microsoft DDoS attacked
– About 4,000 attacks per week in 2000
– Internet's root DNS servers (9 out of 13) attacked in Oct 2002
Current Status
https://www.f5.com/labs/articles/threat-intelligence/2024-ddos-attack-trends
• Attacks more than doubled in 2023 compared with 2022, growing almost 112%.
• The biggest attack of 2023 was in March and peaked at 1Tbps, targeting an
organization in the Support Services sector.
• That same organization also suffered the most attacks across the year, 187 in
total.
• The mean number of attacks withstood was 11, meaning each organization
dealt with a denial-of-service incident almost once a month.
• Overall, DNS QUERY attacks were responsible for the vast majority of overall
DDoS attacks being seen in 26% of events through 2023.
• Individual industries saw some differences, with banking, financial services, and
insurance (BFSI) in particular seeing more TCP SYN floods than anything else.
Current Status
https://www.f5.com/labs/articles/threat-intelligence/2024-ddos-attack-trends
• Software and Computer Services was the most attacked industry in
2023, comprising 36% of all attacks. Telecommunications took
second place, followed by Support Services, BFSI, and Media.
• Telecoms saw the biggest jump in the number of attacks it faced.
• Attack sizes remained high throughout the year with attacks
consistently above 100Gbps, and many over 500Gbps. February
was the outlier with the biggest attack of that month reaching less
than 10Gbps.
• Recent activity seen in the first half of 2024 points to continued
growth with threat actors increasing their efforts to compromise
IoT devices and subsume them into their botnets.
Two General Classes of Attacks
• Flooding Attacks
– Point-to-point attacks
• TCP/UDP/ICMP flooding
• Smurf attacks
– Distributed attacks: hierarchical structures
• Corruption Attacks
– Application/service specific
Smurf DoS Attack
• Analogy: Somebody ordered food deliveries worth thousands
using your name and address
• Happens at the Network layer of the OSI model
• The attacker spoofs the victim's IP address as the source, which also
hides the attacker's actual source address
• Spoofs a valid host and sends an echo request to several
(thousands of) hosts
• The hosts all send their replies to that valid host, overwhelming
its resources
Smurf DoS Attack
[Figure: the DoS Source sends (1) an ICMP Echo Req with Src: DoS Target, Dest: brdcst addr through the gateway; every host behind it then sends (3) an ICMP Echo Reply with Dest: DoS Target]
• Send ping request to brdcst addr (ICMP Echo Req)
• Lots of responses:
– Every host on target network generates a ping reply (ICMP Echo
Reply) to victim
– Ping reply stream can overload victim
Prevention: reject external packets to brdcst address.
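A toy model of the amplification and of the prevention rule just stated, added here as an example that is not from the slides. It models the LAN behind a gateway as a list of hosts: one spoofed echo request to the broadcast address produces one reply per host, all aimed at the spoofed source, and a gateway that rejects externally sourced packets to the broadcast address produces none. The network 192.0.2.0/24, the 50 answering hosts and the victim address 198.51.100.9 are constructed values.

```python
import ipaddress
from collections import namedtuple

# Added example, not from the slides: a toy model of the LAN behind a gateway,
# showing the amplification from one spoofed echo request to the broadcast
# address and the stated prevention (reject external packets to the broadcast
# address). Network, host count and victim address are constructed values.

Packet = namedtuple("Packet", "src dst icmp_type")
ECHO_REQUEST, ECHO_REPLY = 8, 0

LAN = ipaddress.ip_network("192.0.2.0/24")          # the amplifier network
HOSTS = [str(ip) for ip in list(LAN.hosts())[:50]]  # 50 hosts that answer pings
VICTIM = "198.51.100.9"                             # DoS target outside the LAN


def is_external_broadcast(pkt, lan):
    """The prevention rule: a packet from outside the LAN aimed at its broadcast address."""
    return (ipaddress.ip_address(pkt.dst) == lan.broadcast_address
            and ipaddress.ip_address(pkt.src) not in lan)


def deliver(pkt, lan, hosts, reject_external_broadcast):
    """Hosts that receive pkt after the gateway applies (or skips) the rule."""
    if reject_external_broadcast and is_external_broadcast(pkt, lan):
        return []
    if ipaddress.ip_address(pkt.dst) == lan.broadcast_address:
        return list(hosts)                 # a broadcast reaches every host
    return [pkt.dst] if pkt.dst in hosts else []


def echo_replies(pkt, receivers):
    """Each host that gets an echo request answers whatever source address it carries."""
    if pkt.icmp_type != ECHO_REQUEST:
        return []
    return [Packet(src=h, dst=pkt.src, icmp_type=ECHO_REPLY) for h in receivers]


def replies_reaching_victim(reject_external_broadcast):
    """One spoofed echo request (Src: victim, Dest: broadcast): replies that hit the victim."""
    spoofed = Packet(src=VICTIM, dst=str(LAN.broadcast_address), icmp_type=ECHO_REQUEST)
    receivers = deliver(spoofed, LAN, HOSTS, reject_external_broadcast)
    return sum(1 for r in echo_replies(spoofed, receivers) if r.dst == VICTIM)


def internal_broadcast_still_works():
    """A host inside the LAN pinging the broadcast address is unaffected by the rule."""
    local = Packet(src=HOSTS[0], dst=str(LAN.broadcast_address), icmp_type=ECHO_REQUEST)
    return len(deliver(local, LAN, HOSTS, reject_external_broadcast=True))


if __name__ == "__main__":
    print("replies to victim, no filter:", replies_reaching_victim(False))
    print("replies to victim, filter on:", replies_reaching_victim(True))
    print("internal broadcast receivers:", internal_broadcast_still_works())
```

The amplification factor is simply the number of hosts that answer, which is why the filter belongs on the gateway rather than on the victim: the victim cannot tell the replies from legitimate ones, while the gateway can see that a broadcast-addressed packet came from outside. Real routers have shipped with directed-broadcast forwarding disabled by default since RFC 2644.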
DDoS
[Figure: BadGuy → Handlers (unidirectional commands); Handlers ↔ Agents (coordinating communication); many Agents → Victim (attack traffic)]
Attack using Trin00
• In August 1999, network of > 2,200 systems took
University of Minnesota offline for 3 days
– scan for known vulnerabilities, then attack with UDP traffic
– once host compromised, script the installation of the DDoS
master agents
• According to the incident report
– Took about 3 seconds to get root access
– In 4 hours, set up > 2,200 agents
Can you find source of attack?
• Hard to find BadGuy
– Originator of attack compromised the handlers
– Originator not active when DDOS attack occurs
• Can try to find agents
– Source IP address in packets is not reliable
– Need to examine traffic at many points, modify traffic, or
modify routers
Source Address Validity
• Spoofed Source Address
– random source addresses in attack packets
– Subnet Spoofed Source Address
- random address from address space assigned to the agent machine’s
subnet
– En Route Spoofed Source Address
- address spoofed en route from agent machine to victim
• Valid Source Address
- used when attack strategy requires several request/reply
exchanges between an agent and the victim machine
- target specific applications or protocol features
Attack Rate Dynamics
Agent machine sends a stream of packets to the victim
• Constant Rate
- Attack packets generated at constant rate, usually as
many as resources allow
• Variable Rate
– Delay or avoid detection and response
– Increasing Rate
- gradually increasing rate causes a slow exhaustion of the victim’s
resources
– Fluctuating Rate
- occasionally relieving the effect
- victim can experience periodic service disruptions
SYN Flooding Attack
• 90% of DoS attacks use TCP SYN floods
• Streaming spoofed TCP SYNs
• Takes advantage of three way handshake
• Server starts "half-open" connections
• These build up… until the queue is full and all additional
requests are blocked
TCP: Overview RFCs: 793, 1122, 1323, 2018, 2581
• point-to-point:
– one sender, one receiver
• reliable, in-order byte stream:
– no "message boundaries"
• pipelined:
– TCP congestion and flow control set window size
• send & receive buffers
• full duplex data:
– bi-directional data flow in same connection
– MSS: maximum segment size
• connection-oriented:
– handshaking (exchange of control msgs) init's sender, receiver state before data exchange
• flow controlled:
– sender will not overwhelm receiver
[Figure: the application writes data through its socket "door" into the sending TCP's send buffer; TCP carries it as segments; the receiving TCP's receive buffer delivers it through the socket to the application, which reads the data]
TCP segment structure
[Figure: TCP header layout, 32 bits wide]
• source port # | dest port #
• sequence number
• acknowledgement number
• head len | not used | U A P R S F | Receive window
• checksum | Urg data pnter
• Options (variable length)
• application data (variable length)
Annotations:
• URG: urgent data (generally not used)
• ACK: ACK # valid
• PSH: push data now (generally not used)
• RST, SYN, FIN: connection estab (setup, teardown commands)
• checksum: Internet checksum (as in UDP)
• sequence / acknowledgement number: counting by bytes of data (not segments!)
• Receive window: # bytes rcvr willing to accept
TCP Connection Management
Recall: TCP sender, receiver establish "connection" before exchanging data segments
• initialize TCP variables:
– seq. #s
– buffers, flow control info (e.g. RcvWindow)
• client: connection initiator
• server: contacted by client
Three way handshake:
Step 1: client host sends TCP SYN segment to server
– specifies initial seq #
– no data
Step 2: server host receives SYN, replies with SYNACK segment
– server allocates buffers
– specifies server initial seq. #
Step 3: client receives SYNACK, replies with ACK segment, which may contain data
TCP Handshake
[Figure: client C, server S (Listening)]
C → S: SYN_C           (S: store data)
S → C: SYN_S, ACK_C    (C: wait)
C → S: ACK_S           (Connected)
SYN Flooding
[Figure: client C, server S (Listening)]
C → S: SYN_C1          (S: store data)
C → S: SYN_C2          (S: store data)
C → S: SYN_C3          (S: store data)
C → S: SYN_C4          (S: store data)
C → S: SYN_C5          (S: store data; no ACK ever follows)
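The two diagrams above, as a toy simulation added here (not code from the slides): a listening socket keeps one half-open entry per SYN it has answered, the honest client's ACK turns its entry into a connection, and spoofed SYNs whose SYN/ACK is never answered sit in the queue until they time out, so a later honest SYN is dropped while the queue is full. The addresses, the backlog of 5 and the 60-second timeout are constructed values.

```python
# Added example, not from the slides: a toy model of a listening socket's
# half-open connection queue. Addresses, backlog and timeout are constructed.


class Listener:
    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog            # max half-open (SYN_RECEIVED) entries
        self.syn_timeout = syn_timeout    # seconds a half-open entry is kept
        self.half_open = {}               # (client ip, client port) -> expiry time
        self.established = set()
        self.dropped = 0

    def _expire(self, now):
        """Reap half-open entries whose SYN/ACK was never answered."""
        for client, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[client]

    def on_syn(self, client, now):
        """Steps 1-2: store state and answer SYN/ACK, unless the queue is full."""
        self._expire(now)
        if client in self.half_open:
            return "SYN/ACK"              # duplicate SYN: resend, no new state
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return "dropped"              # this is the denial of service
        self.half_open[client] = now + self.syn_timeout
        return "SYN/ACK"

    def on_ack(self, client, now):
        """Step 3: the client's ACK turns the half-open entry into a connection."""
        self._expire(now)
        if client not in self.half_open:
            return "no matching state"
        del self.half_open[client]
        self.established.add(client)
        return "established"


def simulate(backlog=5, syn_timeout=60.0):
    srv = Listener(backlog, syn_timeout)
    honest = ("10.0.0.7", 40000)
    first = (srv.on_syn(honest, now=0.0), srv.on_ack(honest, now=0.05))
    # spoofed SYNs from sources that will never answer the SYN/ACK
    for i in range(backlog):
        srv.on_syn(("203.0.113.%d" % (i + 1), 1024 + i), now=1.0)
    late = ("10.0.0.8", 40001)
    during_flood = srv.on_syn(late, now=2.0)                  # queue is full
    after_timeout = srv.on_syn(late, now=1.0 + syn_timeout)   # entries reaped
    return {"first": first, "during_flood": during_flood,
            "after_timeout": after_timeout, "dropped": srv.dropped,
            "established": len(srv.established)}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:14} -> {value}")
```

Service resumes only once the spoofed entries time out, so the queue stays full as long as fresh spoofed SYNs arrive faster than old entries expire. That per-connection state is exactly what a leaf router cannot afford to keep for every flow, which motivates the stateless SYN-counting detectors on the following slides.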
TCP Connection Management: Closing
Step 1: client end system sends TCP FIN control segment to server
Step 2: server receives FIN, replies with ACK. Closes connection, sends FIN.
Step 3: client receives FIN, replies with ACK.
– Enters "timed wait" - will respond with ACK to received FINs
Step 4: server receives ACK. Connection closed.
[Figure: client (closing) → FIN → server; server → ACK → client; server (closing) → FIN → client; client (timed wait) → ACK → server; then both sides closed]
Flood Detection System on
Router/Gateway
• Can we maintain states for each connection flow?
• Stateless, simple detection system on edge (leaf) routers desired
• Placement: First/last mile leaf routers
– First mile – detect large DoS attacker
– Last mile – detect DDoS attacks that first mile would miss
Detection Methods (I)
• Utilize SYN-FIN pair behavior
• Or SYNACK – FIN
• Can be applied on either the client or the server side
• However, RST violates SYN-FIN behavior
– Passive RST: transmitted upon arrival of a packet at a closed
port (usually by servers)
– Active RST: initiated by the client to abort a TCP connection
(e.g., Ctrl-D during a telnet session)
• Often queued data are thrown away
– So a SYN-RST(active) pair is also normal
SYN – FIN Behavior
• Generally every SYN has a FIN
• We can’t tell if RST is active or passive
• Consider 75% active
Vulnerability of SYN-FIN Detection
• The attacker sends an extra FIN or RST with a different IP/port from the
SYN
• This wastes half of the attacker's bandwidth
Detection Method II
• SYN – SYN/ACK pair behavior
• Hard to evade for the attacking source
• Problems
– Need to sniff both incoming and outgoing traffic
– Only becomes obvious when really swamped
False Positive Possibilities
• Many new online users with long-lived TCP sessions
– More SYNs coming in than FINs
• An overloaded server would result in 3 SYNs to a FIN
or SYN-ACK
– Because clients would retransmit the SYN
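Both detection methods, together with the TCP segment structure from the earlier slide, worked through in one added example (not code from the slides): a parser for the fixed 20-byte TCP header feeds stateless per-direction counters, from which the SYN-to-FIN ratio (method I, crediting the slides' 75% estimate of active RSTs as closes) and the SYN-to-SYN/ACK ratio (method II) are computed. The threshold is set at 3.0 so that the 3-SYNs-per-FIN pattern of honest retransmissions to an overloaded server, the false positive just described, does not alert. All traffic is constructed in memory; the monitored port 80 and the client ports are assumptions.

```python
import struct
from collections import Counter

# Added example, not from the slides: a minimal TCP header parser plus the two
# stateless flood indicators the lecture describes (SYN vs FIN, SYN vs SYN/ACK).
# All traffic below is constructed in memory; nothing touches a real socket.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SERVER_PORT = 80        # assumption: the monitored service
FLOOD_THRESHOLD = 3.0   # above the 3:1 ratio honest SYN retransmissions can cause


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header (RFC 793 layout) from raw bytes."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4              # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window,
            "options": segment[20:header_len], "payload": segment[header_len:]}


def build_segment(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed sample segment: no options, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def classify(flags):
    """Map a flag byte to the control-segment classes the detector counts."""
    if flags & RST:
        return "RST"
    if flags & SYN:
        return "SYNACK" if flags & ACK else "SYN"
    if flags & FIN:
        return "FIN"
    return "OTHER"


def count_control(segments):
    """Stateless per-direction counters, as a leaf router could keep them."""
    to_srv, from_srv = Counter(), Counter()
    for s in segments:
        h = parse_tcp_header(s)
        side = to_srv if h["dport"] == SERVER_PORT else from_srv
        side[classify(h["flags"])] += 1
    return to_srv, from_srv


def ratio(numer, denom):
    if numer == 0:
        return 0.0
    return numer / denom if denom else float("inf")


def syn_fin_score(to_srv, active_rst_fraction=0.75):
    """Method I: client SYNs should be matched by client FINs or active RSTs."""
    closes = to_srv["FIN"] + active_rst_fraction * to_srv["RST"]
    return ratio(to_srv["SYN"], closes)


def syn_synack_score(to_srv, from_srv):
    """Method II: a server that is coping answers every SYN with a SYN/ACK."""
    return ratio(to_srv["SYN"], from_srv["SYNACK"])


def detect(segments):
    to_srv, from_srv = count_control(segments)
    s1, s2 = syn_fin_score(to_srv), syn_synack_score(to_srv, from_srv)
    return {"syn_fin": s1, "syn_synack": s2,
            "flood": s1 > FLOOD_THRESHOLD or s2 > FLOOD_THRESHOLD}


def normal_connection(cport, retransmits=1):
    """One complete exchange: handshake, then a data-less close from both ends."""
    segs = [build_segment(cport, SERVER_PORT, SYN)] * retransmits
    segs += [build_segment(SERVER_PORT, cport, SYN | ACK),
             build_segment(cport, SERVER_PORT, ACK),
             build_segment(cport, SERVER_PORT, FIN | ACK),
             build_segment(SERVER_PORT, cport, ACK),
             build_segment(SERVER_PORT, cport, FIN | ACK),
             build_segment(cport, SERVER_PORT, ACK)]
    return segs


def sample_normal():
    return [s for c in range(40000, 40004) for s in normal_connection(c)]


def sample_overloaded():
    # honest clients retransmit the SYN three times; each connection still closes
    return [s for c in range(40000, 40004) for s in normal_connection(c, retransmits=3)]


def sample_flood(n_spoofed=40, backlog=4):
    # spoofed SYNs never complete; the swamped server answers only the first
    # `backlog` of them before its half-open queue is full
    segs = sample_normal()
    for i in range(n_spoofed):
        sport = 50000 + i
        segs.append(build_segment(sport, SERVER_PORT, SYN))
        if i < backlog:
            segs.append(build_segment(SERVER_PORT, sport, SYN | ACK))
    return segs


if __name__ == "__main__":
    for name, fn in (("normal", sample_normal), ("overloaded", sample_overloaded),
                     ("flood", sample_flood)):
        print(name, detect(fn()))
```

Method I needs only one direction of traffic, which is why it suits a first-mile router, but it is the one an attacker can defeat by pairing each SYN with a throwaway FIN; method II is harder to evade but needs both directions and only separates clearly once the server stops answering SYNs.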
Survey
• Who is taking ML currently?
• Already took?
Some books:
• Bruce Schneier. A Hacker's Mind: How the Powerful Bend Society's Rules,
and How to Bend Them Back
• Kevin Mitnick. Ghost in the Wires