Fig. 4. Illustration of TCP ISN sample acquisition process
where $G_{isn}(t)$ is the function responsible for generating the initial sequence number at time $t$, $M(t)$ is a composite function formed by its previous value plus the value of the function $R(t)$, and $F(\cdot)$ is applied to the identifier of the connection, comprising the source and destination addresses and ports and an optional secret key. To estimate the function $R(t)$ using only samples of $G_{isn}(t)$, it is important to note that $F(\cdot)$, which consists in applying a function $f(\cdot)$, can be assumed constant for the same link identifier (connection id). Thus, one can obtain from Equations 1, 2 and 3 an estimate, $\hat{R}(t)$, of the function $R(t)$:
$$\hat{R}(t) = G_{isn}(t) - G_{isn}(t-1). \qquad (4)$$
The process of sample acquisition is illustrated in Fig. 4.
One feature to consider is that sufficiently short intervals between SYN packets can characterize a SYN flooding attack, mainly because RST messages are not sent in response to the SYN+ACK message from the target machine [6].
The process of acquisition of TCP ISN samples is performed according to Fig. 4, that is: (1) the scanner sends a synchronization message (SYN); (2) the target receives the message and replies with SYN+ACK, confirming the synchronization and providing the TCP ISN; (3) the scanner sends a RST message to cancel the synchronization, so as to prevent SYN flooding (and thus avoid being detected as such).
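From the defender's side, the three-segment exchange of Fig. 4 leaves a recognizable trace: a SYN from the client, a SYN+ACK from the server and then a RST from the client, with no ACK ever completing the handshake. The Python below is an added example (not code from the paper or from Zion) that parses constructed connection records in an assumed "time src:port > dst:port flags" format, rebuilds each flow, and counts per client how many flows follow that probe pattern versus how many are half-open SYNs left unanswered (the SYN-flood-like case of the paragraph above). The threshold `min_probes` is an assumption.

```python
"""Spot the three-segment probe of Fig. 4 (SYN, SYN+ACK, RST) in connection
records and separate it from half-open SYNs that never receive a RST.

Added example, not code from the paper or from Zion. The record format
(time src:port > dst:port flags) and the sample lines are constructed."""
from collections import defaultdict

# Constructed records. Flags use tcpdump-style letters:
# S = SYN, SA = SYN+ACK, A = ACK, R = RST.
SAMPLE_LOG = """\
0.000 10.0.0.5:40001 > 10.0.0.9:80 S
0.001 10.0.0.9:80 > 10.0.0.5:40001 SA
0.002 10.0.0.5:40001 > 10.0.0.9:80 R
0.100 10.0.0.5:40002 > 10.0.0.9:80 S
0.101 10.0.0.9:80 > 10.0.0.5:40002 SA
0.102 10.0.0.5:40002 > 10.0.0.9:80 R
0.200 10.0.0.5:40003 > 10.0.0.9:80 S
0.201 10.0.0.9:80 > 10.0.0.5:40003 SA
0.202 10.0.0.5:40003 > 10.0.0.9:80 R
0.300 10.0.0.7:50001 > 10.0.0.9:80 S
0.301 10.0.0.9:80 > 10.0.0.7:50001 SA
0.300 10.0.0.7:50002 > 10.0.0.9:80 S
0.301 10.0.0.9:80 > 10.0.0.7:50002 SA
0.400 10.0.0.8:60001 > 10.0.0.9:80 S
0.401 10.0.0.9:80 > 10.0.0.8:60001 SA
0.402 10.0.0.8:60001 > 10.0.0.9:80 A
"""

PROBE = ("c:S", "s:SA", "c:R")   # the scanner exchange of Fig. 4
HALF_OPEN = ("c:S", "s:SA")      # SYN+ACK left unanswered (SYN-flood-like)


def parse(log_text):
    """Yield (time, src_ip, src_port, dst_ip, dst_port, flags) per record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, _, dst, flags = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield float(t), sip, int(sport), dip, int(dport), flags


def flow_patterns(records):
    """Group segments into flows keyed by the unordered endpoint pair and
    describe each flow as a tuple of 'c:<flags>' / 's:<flags>' steps, where
    the client is the sender of the flow's first segment."""
    flows = defaultdict(list)
    for t, sip, sport, dip, dport, flags in sorted(records, key=lambda r: r[0]):
        key = tuple(sorted([(sip, sport), (dip, dport)]))
        flows[key].append((sip, flags))
    result = {}
    for key, segs in flows.items():
        client = segs[0][0]
        steps = tuple(("c" if sip == client else "s") + ":" + flags
                      for sip, flags in segs)
        result[key] = (client, steps)
    return result


def count_per_client(log_text):
    """Count probe, half-open and other flows per client address."""
    counts = defaultdict(lambda: {"isn_probe": 0, "half_open": 0, "other": 0})
    for client, pattern in flow_patterns(parse(log_text)).values():
        if pattern == PROBE:
            counts[client]["isn_probe"] += 1
        elif pattern == HALF_OPEN:
            counts[client]["half_open"] += 1
        else:
            counts[client]["other"] += 1
    return dict(counts)


def flag_probers(log_text, min_probes=3):
    """Clients whose number of Fig. 4 style probes reaches min_probes (assumed threshold)."""
    return sorted(c for c, n in count_per_client(log_text).items()
                  if n["isn_probe"] >= min_probes)


if __name__ == "__main__":
    for client, n in sorted(count_per_client(SAMPLE_LOG).items()):
        print(client, n)
    print("ISN probers:", flag_probers(SAMPLE_LOG))
```

A single SYN, SYN+ACK, RST flow is not evidence by itself, since any stack resets a SYN+ACK it did not expect; it is the repetition of that exact pattern from one client towards the same target, at short intervals, that separates ISN sampling from ordinary traffic and from the half-open SYN pattern of a flood.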
In our experiments we found that the analyzed versions of the operating systems Debian, NetBSD, OpenSolaris, Windows 2000 and Windows XP adopt the recommendation proposed by RFC 1948. In cases where the recommendation proposed by RFC 1948 is not adopted, the samples of $G_{isn}(t)$ themselves are used in place of the estimate $\hat{R}(t)$. Fig. 5 presents sketches of the first 100 samples of $\hat{R}(t)$ for each operating system and for Honeyd. This graphical representation of each of these series shows how each one differs from the others.
A SYN proxy tends to send the same TCP ISN for a quite long period of time (see the FreeBSD sketch). Also, the TCP ISN generator of Honeyd produces a deterministic signal. These facts imply that both SYN proxies and Honeyd can be detected easily. Zion uses intelligent methods to create a signature for each operating system and to classify them using $\hat{R}(t)$ samples. The theoretical foundation to accomplish this task is already presented in the literature [11,12,15].
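To make the two observations above concrete, the following Python is an added example (not the paper's code and not Zion's signature method, which rests on [11,12,15]) that applies Eq. 4 to three constructed ISN series: one that reuses the same ISN for every connection as a SYN proxy does, one with a short repeating increment pattern standing in for a deterministic generator, and one with a random component per sample in the spirit of RFC 1948. The difference is reduced modulo $2^{32}$ because TCP sequence numbers are 32-bit and consecutive ISNs can wrap. The generator models, the 90% zero-delta threshold and the maximum period searched are assumptions chosen for the example.

```python
"""Estimate R(t) from a series of TCP ISN samples with Eq. 4 and give the
series a coarse label (constant / deterministic / irregular).

Added example, not code from the paper or from Zion; the generator models
below are constructed stand-ins and the labelling rules are assumptions."""
import random

MOD = 1 << 32  # TCP sequence numbers are 32-bit, so consecutive ISNs can wrap


def estimate_r(isn_samples):
    """Eq. 4: R_hat(t) = G_isn(t) - G_isn(t-1), reduced modulo 2^32."""
    return [(cur - prev) % MOD for prev, cur in zip(isn_samples, isn_samples[1:])]


def has_period(seq, max_period=16):
    """True if seq repeats exactly with some period p <= max_period, where the
    sequence must be long enough to contain at least two full repetitions."""
    longest = min(max_period, len(seq) // 2)
    return any(all(seq[i] == seq[i - p] for i in range(p, len(seq)))
               for p in range(1, longest + 1))


def classify(r_hat, min_samples=20):
    """Coarse label for an estimated increment series (assumed thresholds)."""
    if len(r_hat) < min_samples:
        return "insufficient"
    if r_hat.count(0) / len(r_hat) > 0.9:
        return "constant"       # same ISN reused: SYN-proxy-like behaviour
    if has_period(r_hat):
        return "deterministic"  # increments repeat exactly: Honeyd-like signal
    return "irregular"          # a random component per sample, RFC 1948 style


def constructed_series(kind, n=100, seed=7):
    """Constructed ISN generators, stand-ins for the sketches of Fig. 5."""
    rng = random.Random(seed)
    isn = rng.randrange(MOD)
    steps = (64000, 128000, 192000)  # assumed short repeating increment pattern
    out = []
    for t in range(n):
        out.append(isn)
        if kind == "syn_proxy":
            continue                                   # identical ISN every time
        if kind == "honeyd_like":
            isn = (isn + steps[t % len(steps)]) % MOD  # deterministic increments
        else:  # "rfc1948_like": timer-like step plus a random component
            isn = (isn + 250000 + rng.randrange(1 << 24)) % MOD
    return out


if __name__ == "__main__":
    for kind in ("syn_proxy", "honeyd_like", "rfc1948_like"):
        r_hat = estimate_r(constructed_series(kind))
        print(f"{kind:13s} first R_hat values {r_hat[:4]} -> {classify(r_hat)}")
```

Run against a honeypot or proxy one operates, the same estimator shows whether its ISN series stands out from the operating system it imitates before an outside scanner finds out; the exact-period test is deliberately strict, so a generator with a deterministic but non-repeating pattern would need the richer signature methods the paper refers to.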