The detailed procedure of a SYN-Flooding attack is described as follows:
The intruder forges a non-existent host C (or several such hosts) and sends a large number of connection requests to server B. Because the forged host does not in fact exist, server B receives no response for any of these connection requests and has to wait a long time for each of them. So a large number of half-open connections are created in a short time, and the relevant resources of server B are used up quickly. In this case some normal connection requests will not be satisfied. This means that server B refuses to serve any other normal request, and a DoS attack has happened.
By means of a deterministic finite automaton the SYN-Flooding attack is described as follows:
M = (Q, Σ, F, s, Z)
Where q ∈ Q, q = (Intruder-status, Server-status, System-status). Intruder-status is the state of the intruder, Intruder-status ∈ {listen, faked, SYN.SENT, ACK.SENT, failed, established}. Server-status is the state of the server, Server-status ∈ {listen, SYN.RCVD, SYN-ACK.SENT, ACK.RCVD, blocked, established}. System-status represents whether the intrusion has happened or not, System-status ∈ {false, true}; when System-status is true it represents that an intrusion has happened. Σ is the set of transition functions and it consists of attack functions, communication functions, testing functions and other functions. Σ is defined as follows:
{E0: fake( )
E1: Communication(s-host, d-host, SYN-ISN, 0)
E2: Communication(s-host, d-host, SYN-ISN, ACK-ISN)
E3: Tcp_resource_used_out( )
}
Where E0 is used to forge a non-existent host randomly. E1 is used to send a SYN request packet from the source host s-host to the destination host d-host; SYN-ISN is the sending serial number of the source host. E2 is used to send a SYN-ACK packet from the source host s-host to the destination host d-host; SYN-ISN is the sending serial number and ACK-ISN is the ACK serial number. E3 is used to judge whether the resources of the server for TCP connections are used up: if they are used up E3 returns true, otherwise it returns false.
The state transition diagram which describes the attacking procedure of SYN-Flooding is shown in Fig. 2.
Figure 2. The state transition diagram of SYN-Flooding attacks
All states in Fig. 2 are described individually as follows:
S0 = (listen, listen, false)
S1 = (faked, listen, false)
S2 = (SYN.SENT, SYN.RCVD, false)
S3 = (failed, SYN-ACK.SENT, false)
S4 = (listen, blocked, true)
Where S0 is the start state of the system. After the intruder forges a non-existent host the system enters S1 and the intruder is in the state "faked". Then the intruder tries to set up a connection with server B and the system enters S2. The server gives its response as soon as it receives the connection request, and the system enters S3.
But the intruder is in the state "failed", because it forged a non-existent host and therefore cannot receive the SYN-ACK packet. At last the system judges whether the resources for TCP connections are used up. If they are not used up the system returns to the start state; otherwise the system enters the final state S4, and a SYN-Flooding attack has happened.
B. IP-spoofing Attack
If an intruder wants to hide its true identity, or tries to use the privilege of a trusted host in order to attack other hosts, it often fakes the IP address of another host. Suppose that host A is a trusted host of server B. If the intruder wants to impersonate host A in communicating with server B, it must steal the IP address of host A to spoof server B. This is called an IP-Spoofing attack [6-7].
The IP-Spoofing attack is described in detail as follows:
1. The intruder blocks host A by a DoS attack, so that host A cannot disturb the attack which will follow.
2. The intruder first sends a connection request to server B and guesses the TCP serial number according to the response packet from server B.
3. The intruder uses the IP address of host A as its source address, then sends a SYN request packet to server B and tries to set up a connection with server B.
4. Server B sends a SYN-ACK packet to host A. But at this moment host A has been blocked and cannot receive the SYN-ACK packet from server B.
5. The intruder forges host A again to send an ACK packet to server B, so that it completes the three-way handshake and the connection with server B is set up.
The model M which is used to describe the procedure above is shown as follows:
M = (Q, Σ, F, s, Z)
Where q ∈ Q, q = (A-status, B-status, Intruder-status, System-status). A-status is the state of host A, A-status ∈ {listen, blocked, SYN.SENT, SYN-ACK.RCVD, ACK.SENT, failed, established}. B-status is the state of server B, B-status ∈ {listen, SYN.RCVD, SYN-ACK.SENT, ACK.RCVD, failed, established}. Intruder-status is the state of the intruder, Intruder-status ∈ {listen, faked-A, ACK.SENT, SYN-ACK.RCVD, KNOWN-TCP-NO, failed, established}. System-status represents whether the intrusion has happened, System-status ∈ {false, true}; when System-status is true it represents that the intrusion has happened. Σ is the set of transition functions. It consists of attack functions, communication functions, a serial number guessing function, and so on.
The set of attack functions is defined as:
{A1: Land( )
A2: SYN_Flooding( )
A3: DoS( )
}
Where A1, A2 and A3 represent the Land attack, the SYN-Flooding attack and the DoS attack respectively. The communication function is defined as follows:
Communication(s-host, d-host, Syn-no, Ack-no)
Where s-host and d-host are the source IP address and the destination IP address respectively. Syn-no and Ack-no are the SYN serial number and the ACK serial number respectively.
The set of other functions is defined as follows:
{E1: Communication(faked-A, B, Syn-no, 0)
E2: Communication(B, A, Syn-no, Ack-no)
E3: Communication(faked-A, B, Syn-no, Ack-no)
E4: Guess_tcp_packet_isn(B)}
Where "faked-A" in E1 and E3 represents that the intruder has succeeded in forging host A. E4 is used to guess the initial serial number of the TCP packets of server B. If E4 is successful it returns "true", otherwise it returns "false".
The state transition diagram of the automaton model which recognizes the IP-Spoofing attack is shown in Fig. 3.
Figure 3. The state transition diagram of IP-Spoofing attack
Some states shown in Fig. 3 are defined as follows:
S0 = (listen, listen, listen, false)
S1 = (blocked, listen, listen, false)
S2 = (blocked, listen, KNOWN-TCP-NO, false)
S3 = (blocked, SYN.RCVD, SYN.SENT, false)
S4 = (blocked, SYN-ACK.SENT, listen, false)
S5 = (blocked, ACK.RCVD, ACK.SENT, true)
Where S0 is the start state. The system enters S1 after the intruder blocks host A by A1, A2 or A3. The intruder repeatedly sends connection requests to server B; after it has guessed the serial number of the TCP packets the system enters S2. Then the intruder forges host A to send SYN packets to server B in order to set up a connection, and the system enters S3. Server B sends the response packet with SYN and ACK to host A. But host A has been blocked and cannot give any response to server B, so the system enters S4. The intruder forges host A to send an ACK packet to server B. After the three-way handshake has been completed the system enters S5. At this moment the intruder has set up a connection with server B and communicates with server B in the guise of host A.
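The two automata above (the SYN-Flooding model of Fig. 2 and the IP-Spoofing model of Fig. 3) can be encoded directly as table-driven DFAs and driven by event traces, which is how a monitor would use them to recognize the attack sequences the text describes. The following is an added example, not code from the paper: it keeps the paper's state tuples and function names E0..E4 and A1..A3, treats the testing functions E3 (Tcp_resource_used_out) and E4 (Guess_tcp_packet_isn) as two input symbols each (one per return value), and adds a half-open connection count so that the SYN-Flooding E3 test is actually evaluated. The backlog capacity, the forged host names C1, C2, ... and the IP-Spoofing trace are constructed assumptions.

```python
"""SYN-Flooding (Fig. 2) and IP-Spoofing (Fig. 3) automata as table-driven DFAs.
Added example, not code from the paper; traces and backlog capacity are constructed."""
from dataclasses import dataclass, field

# ---- SYN-Flooding model: q = (Intruder-status, Server-status, System-status) ----
SF_S0 = ("listen", "listen", False)
SF_S1 = ("faked", "listen", False)
SF_S2 = ("SYN.SENT", "SYN.RCVD", False)
SF_S3 = ("failed", "SYN-ACK.SENT", False)
SF_S4 = ("listen", "blocked", True)

# E3 is a testing function, so each of its return values is a separate input symbol.
SYN_FLOOD = {
    (SF_S0, "E0"): SF_S1,        # intruder forges a non-existent host
    (SF_S1, "E1"): SF_S2,        # SYN from the forged host to the server
    (SF_S2, "E2"): SF_S3,        # server answers SYN-ACK; the forged host never sees it
    (SF_S3, "E3=false"): SF_S0,  # resources remain: back to the start state
    (SF_S3, "E3=true"): SF_S4,   # resources used up: SYN-Flooding recognised
}

# ---- IP-Spoofing model: q = (A-status, B-status, Intruder-status, System-status) ----
IS_S0 = ("listen", "listen", "listen", False)
IS_S1 = ("blocked", "listen", "listen", False)
IS_S2 = ("blocked", "listen", "KNOWN-TCP-NO", False)
IS_S3 = ("blocked", "SYN.RCVD", "SYN.SENT", False)
IS_S4 = ("blocked", "SYN-ACK.SENT", "listen", False)
IS_S5 = ("blocked", "ACK.RCVD", "ACK.SENT", True)

IP_SPOOF = {
    (IS_S0, "A1"): IS_S1, (IS_S0, "A2"): IS_S1, (IS_S0, "A3"): IS_S1,  # host A blocked
    (IS_S1, "E4=false"): IS_S1,  # ISN guess failed: intruder keeps probing B (assumed self-loop)
    (IS_S1, "E4=true"): IS_S2,   # ISN of B's TCP packets is known
    (IS_S2, "E1"): IS_S3,        # SYN from faked-A to B
    (IS_S3, "E2"): IS_S4,        # B sends SYN-ACK to A, which is blocked
    (IS_S4, "E3"): IS_S5,        # ACK from faked-A completes the handshake
}


class AutomatonError(ValueError):
    """Raised when a trace contains a symbol with no transition from the current state."""


def run(table, start, symbols):
    """Drive a DFA over a symbol sequence and return the final state."""
    state = start
    for sym in symbols:
        if (state, sym) not in table:
            raise AutomatonError(f"no transition from {state} on {sym}")
        state = table[(state, sym)]
    return state


def recognises(table, start, symbols, accepting):
    """True when the trace is a valid path from start ending in the accepting state."""
    try:
        return run(table, start, symbols) == accepting
    except AutomatonError:
        return False


@dataclass
class SynFloodSimulator:
    """Runs the SYN-Flooding automaton while counting the server's half-open
    connections, so that E3 is evaluated instead of assumed.
    backlog_capacity is a constructed value, not a figure from the paper."""
    backlog_capacity: int
    state: tuple = SF_S0
    half_open: list = field(default_factory=list)   # forged sources still awaiting ACK

    def attempt(self, forged_host):
        """One attack round E0, E1, E2 followed by the E3 test; returns the new state."""
        self.state = run(SYN_FLOOD, self.state, ["E0", "E1", "E2"])
        self.half_open.append(forged_host)   # SYN-ACK sent and never acknowledged
        used_out = len(self.half_open) >= self.backlog_capacity
        self.state = run(SYN_FLOOD, self.state, ["E3=true" if used_out else "E3=false"])
        return self.state


def syn_flood_rounds_until_detected(capacity):
    """Number of forged-host rounds needed before System-status becomes true."""
    sim = SynFloodSimulator(backlog_capacity=capacity)
    rounds = 0
    while not sim.state[2]:
        rounds += 1
        sim.attempt(f"C{rounds}")   # constructed forged host names C1, C2, ...
    return rounds


def ip_spoof_final_state(trace):
    """Final state of the IP-Spoofing automaton after a trace starting at S0."""
    return run(IP_SPOOF, IS_S0, trace)


if __name__ == "__main__":
    print(syn_flood_rounds_until_detected(capacity=4))
    # Constructed trace: two failed ISN guesses, then the spoofed handshake.
    print(ip_spoof_final_state(["A2", "E4=false", "E4=false", "E4=true", "E1", "E2", "E3"]))
```

The S1 self-loop on a failed E4 guess is an assumption that encodes the sentence "the intruder repeats to send the connection request to server B"; the paper's figure does not show the failed branch explicitly. A trace that reaches S5 (or S4 in the SYN-Flooding model) is exactly one the monitor should flag, since System-status is true only in those states.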
C. IP fragment Attacks
Different physical networks have different maximum transfer unit (MTU) lengths. When a packet transfers from one network to another and