Packet Flooding

Loading...

From the course by New York University Tandon School of Engineering

Real-Time Cyber Threat Detection and Mitigation

200 ratings

New York University Tandon School of Engineering

Real-Time Cyber Threat Detection and Mitigation

200 ratings

Course 3 of 4 in the Specialization Introduction to Cyber Security

This course introduces real-time cyber security techniques and methods in the context of the TCP/IP protocol suites. Explanation of some basic TCP/IP security hacks is used to introduce the need for network security solutions such as stateless and stateful firewalls. Learners will be introduced to the techniques used to design and configure firewall solutions such as packet filters and proxies to protect enterprise assets. Perimeter solutions such as firewalls and intrusion prevention systems are shown to have significant drawbacks in common enterprise environments. The result of such weakness is shown to often exist as advanced persistent threats (APTs) from nation-state actors. Such attacks, as well as DDOS and third-party attacks, are shown to have potential solutions for modern enterprise.

From the lesson

Basic Network Security

This module introduces the basics of TCP/IP for security, including firewall design and use.

Introduction: What You Will Learn from This Course on Cyber Security1:51

Assignments and Reading2:23

Security Through Obscurity4:54

TCP/IP Evolution and Security6:06

TCP/IP Overview8:17

IP Spoofing5:57

TCP Sequence Number Attack5:36

Packet Flooding5:04

Packet Sniffing5:54

SYN Packets for Access Control5:13

Definition of a Firewall5:51

Firewall: Stateful versus Stateless5:28

Interview: John Viega8:36

Meet the Instructors

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC
Computer Science

Hi everybody.

Ed Emaroso.

And I want to talk to you today about something called a SYN flood.

SYN, S-Y-N being the first packet in the TCP three step sequence.

Now, in the context of distributed denial of service attacks, there is so

much misconception, particularly in the popular media and

even amongst technologists about where Denial-of-Service attacks come from.

And we all know for the most part there's bot nets involved, we get that.

But there's really two cases for any type of entity trying to flood another,

and in the context of TCP/IP, let me tell you what those two cases are.

The first case is where you're not willing to give up who you are.

You're not going to say it's really coming from me.

You're going to lie about your source IP address, and

in the second case, you're going to be perfectly comfortable saying yep,

it's me, this is where I'm going to set up a session.

Now let's think about the pros and cons of those two.

Now if I'm only willing to just send a packet as somebody else,

then that's as far as I'm going to get.

I'll put a diagram here up of a bunch of SYNs.

A's source IP address is 10.1.2.3 but

uses the source IP address and some other thing 192.1.2.3.4.

So what happens is I send a SYN, I send another SYN,

I send another SYN that's the essence of a flood or Denial-of-Service attack.

I keep sending them.

Think of it as like a gun boom, boom, boom, boom.

I'm sending the SYN packets where the response is going.

They've not coming to you, they're going to somebody else.

Now the irony is sometimes that is the ultimate victim.

Sometimes you think, I'm going to hit you, you're going to respond to him, and

that's what I'm trying to DDAS like if you're a DNS Server.

And I want the DNS response to come back that's sometimes the purpose.

Other times you're the one I'm trying to attack with a SYN Flood and

maybe I'm changing up my source IP so

you're spraying out all the responses all over the place.

You the Internet attacker, I hope you're not an Internet attacker, but

you get the idea.

Whoever's designing these things has to think through what do you want to do?

So the first case is you're lying, we call that a SYN Flood.

The second case is much more powerful.

Because, if I send a SYN, you send SYN ACK, I send ACK, we have a session set up.

I can now do application level things.

I can login to you, I can send commands, I can ask

to download stuff, whatever depending on what it is your on to your web server.

I get on now.

I start downloading things to try to create a very busy condition for

your website or whatever but I'm doing it, I'm exposing the source site IP.

So generally, when that's the case, it's always preceded by

first breaking in to someone else's machine and that's how Botnets are set up.

But as we've discussed and as I'm sure many of you are already familiar with,

a whole botnet that's designed and

created and recruited and I can have all my box do that.

I really don't care that they expose who they are.

It's not my computer.

Scattered the world probably.

So you know that it's somebody's mom's PC connected to broadband.

It's attacking you.

What are you going to do?

Again in popular media there is this misconception that when you see these

attacks coming that are exposing source IPs, we'll just hack them back.

But in a bot net who are you hacking?

You're hacking somebody who's already been hacked and is probably innocent,

probably unaware that it happened, and in many cases you're just making it worse.

Suppose it's a children's hospital that's been infected with bot software and

is not attacking you, what are you going to do?

Attack them back?

It's a symptom of great ignorance that I hope as you study cyber security,

as we go through these lectures we can help to rectify, so keep that in mind.

Now got a little quiz that'll test our understanding of this.

So think about those three.

I think you'll come to the conclusion that it's the middle answer, it's B, right?

So the response in SYN packets for flood are going to go somewhere else.

So it gives you a nice a comfortable if you lie about your source IP,

you're now getting all these pesky SYN ACKs coming back.

You can [INAUDIBLE] the result of maybe making your own connection a little busy.

Better to make somebody else's connections busy as part of the attack.

So I hope you don't do these things, but it's important for us as we learn cyber

security to know the difference between the different elements of these attacks.

I'll see you in the next video.

Explore our Catalog

Join for free and get personalized recommendations, updates and offers.

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online.

© 2019 Coursera Inc. All rights reserved.

Download on the App Store

Get it on Google Play