DOS, Firewall, IDS
1. Suppose a system uses a buffer of 964 bytes to store TCP connections. Assume that each incomplete TCP connection request needs 2 bytes of buffer. Also, an incomplete connection request is timed out after 5 milliseconds. If TCP connection requests are sent at a constant rate, how many incomplete TCP connection requests, at minimum, must be sent per millisecond to the system to launch a DoS attack?
2. Suppose the above system is connected to a firewall that can detect the number of incomplete TCP connections in the system at any point in time. Briefly discuss (in one paragraph) a firewall rule that can mitigate the above DoS attack.
3. Can intrusion detection mitigate DDoS attacks? Justify your answer.
Let us first understand some of the basic terms.
DoS or DDoS attacks stand for Denial of Service attacks, where an attacker overwhelms a server with illegitimate and incomplete connection requests. This overloads the server's resources and results in a server breakdown.
TCP is a stateful transmission control protocol that ensures a reliable connection between two remote hosts with the help of a three-way handshake (SYN, SYN-ACK, ACK).
The disadvantage of TCP connections is that the request needs to be stored in the buffer before any authentication and validation procedures are applied to the data packet. This exposes the host to networking attacks like DoS.
(1)
Size of buffer = 964 bytes.
Buffer size for each incomplete TCP connection request = 2 bytes.
TCP connection timeout = 5 milliseconds.
To launch a DoS attack successfully, the attacker needs to refill the buffer with connection requests before the timeout occurs. For this,
Number of requests that can be stored in the buffer at any time = 964 / 2 = 482 requests.
This means that 482 requests need to be sent within 5 milliseconds to overwhelm the system.
Number of requests to send in 1 millisecond = 482 / 5 = 96.4 requests.
(2)
A firewall is software that monitors network traffic and enforces policies and rules to protect a host from malicious activity over the network.
If a firewall is configured to detect the number of incomplete TCP connections in a system, it can apply rules like connection limiting and TCP normalization to prevent SYN attacks on the system. Connection limiting works by placing an upper threshold on the number of incomplete TCP connections: if the number of incomplete connections reaches the maximum value, the firewall stops further requests from consuming system resources by not passing the SYN packet on to the server.
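A worked check of the arithmetic in (1) and of the connection-limiting rule in (2), added here as an example that is not part of the original answer. It models the half-open connection table in one-millisecond steps; the step size, the 20 ms run length and the firewall threshold of 400 are assumptions chosen for illustration.

```python
from collections import deque
from fractions import Fraction

def min_rate_per_ms(buffer_bytes, bytes_per_conn, timeout_ms):
    """Lowest constant request rate that keeps every buffer slot occupied:
    all slots must be refilled within one timeout window."""
    slots = buffer_bytes // bytes_per_conn          # 964 // 2 = 482
    return Fraction(slots, timeout_ms)              # 482 / 5 = 96.4 per ms

def simulate(buffer_bytes, bytes_per_conn, timeout_ms, rate_per_ms,
             duration_ms, firewall_limit=None):
    """Millisecond-step model of the half-open connection table.

    rate_per_ms   : constant SYN rate (a Fraction keeps 96.4 exact)
    firewall_limit: assumed connection-limiting threshold on the number of
                    half-open entries; SYNs arriving above it are not
                    forwarded to the server (None = no firewall)
    Returns (peak occupancy, requests refused by a full buffer,
             SYNs dropped by the firewall).
    """
    slots = buffer_bytes // bytes_per_conn
    table = deque()          # expiry time of each stored half-open request
    pending = Fraction(0)    # fractional requests carried to the next step
    peak = refused = dropped = 0
    for now in range(duration_ms):
        while table and table[0] <= now:   # timed-out entries free a slot
            table.popleft()
        pending += Fraction(rate_per_ms)
        while pending >= 1:
            pending -= 1
            if firewall_limit is not None and len(table) >= firewall_limit:
                dropped += 1               # firewall holds the SYN back
            elif len(table) < slots:
                table.append(now + timeout_ms)
            else:
                refused += 1               # buffer full: the DoS condition
        peak = max(peak, len(table))
    return peak, refused, dropped

if __name__ == "__main__":
    rate = min_rate_per_ms(964, 2, 5)
    print("minimum rate:", float(rate), "requests/ms")
    print("no firewall:", simulate(964, 2, 5, rate, 20))
    print("limit 400:  ", simulate(964, 2, 5, 100, 20, firewall_limit=400))
```

At exactly 96.4 requests/ms the table sits at all 482 slots, so any legitimate SYN is refused; with the threshold in place the server never holds more than 400 half-open entries.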
(3)
An Intrusion Detection System (IDS) is also network monitoring software that keeps track of the data packets passing through the network and tracks down any suspicious activity.
But how is an IDS different from a firewall? An IDS is a special type of software that not only detects the attack but also responds appropriately. An IDS has an alarm system or a triggering mechanism governed by concrete rules to keep attacks like DoS at bay. The IDS also has a system administrator who maintains these rules. Many types of IDS are available, such as the Network Intrusion Detection System (NIDS), Host-based IDS, Protocol-based IDS, etc.
For the above-given scenario, the NIDS is the best choice because it monitors traffic over the network and can also identify potential SYN attacks. A NIDS implements methods like signature-based and anomaly-based detection.