TBD
Kunio Miyamoto a.k.a wakatono
@wakatono
Copyright by wakatono 1
TBD
→ To Block connection from suspicious IP addresses by using “DICE”
Content.
• What is DICE?
• DICE for TCP deepdive
• Conclusion
What is DICE?
What is DICE?
• Abbreviation of: Deception of InterCommunication to Enemies
Gartner Security & Risk Management Summit 2016
Important!
The DICE concept is described in detail in:
• http://hitcon.org/2016/CMT/slide/day1-r2-d-1.pdf
DICE presentation in 2016:
• Details of DNS response deception
• Overview of TCP deception (no detail)
Today’s topic: TCP deception in detail, and its effect
DICE for TCP deepdive
How to block outbound TCP access from a suspicious (internal) IP address?
• Configure a firewall rule or an ACL on the L3 switch
– Sometimes too heavy a process
• Tell the owner of the suspicious IP address
– Sometimes too heavy a process
• Place and operate DICE for TCP
– A one-time heavy process (placing DICE for TCP)
TCP 3-way handshake response: an easily deceptable protocol response
• The normal TCP response to connection initiation can be deceived easily
– A signed and/or encrypted packet (e.g. IPsec) is hard to deceive.
• Applicable to various kinds of deception
– Once deceived, the connection is “hijacked” ☺
– Once the connection is deceived, we can deceive the interaction with enemies by using the hijacked connection ☺
I want to terminate malicious connections to specific “client(s)”
• An RST packet may be filtered (and the connection may still be alive)
– Many IPS have a function for sending RST packets (which may be filtered).
• ACK and SYN+ACK packets of the connection-initiation state to the proper port must not be filtered ☺
– If every packet were filtered, that computer would turn into a useless object ☺
Blocking a TCP Connection
• Very easy
– Only send a deceptive SYN+ACK packet related to the initial SYN packet
• To send the deceptive SYN+ACK packet
– DICE for TCP needs to know only the pair of IP addresses, the pair of port numbers, the sequence number, and the ack number
TCP Connection Interaction: an easily deceptable protocol response
Reference: RFC 793, TRANSMISSION CONTROL PROTOCOL
Block a TCP connection by using a deceptive SYN+ACK packet
• The ACK packet related to ④ is useless for the External IP
• The SYN+ACK packet ⑤ is useless for the Suspicious IP
→ A connection cannot be established between the Suspicious IP and the External IP
DICE for TCP is placed at an appropriate place in the network
Diagram (Suspicious IP, DICE for TCP, External IP):
① Suspicious IP sends a SYN packet
② DICE for TCP captures packet ①
③ Check whether the IP address is suspicious or not
④ DICE for TCP sends a deceptive SYN+ACK packet related to ①
⑤ External IP sends the real SYN+ACK packet
⑥ Suspicious IP sends an ACK packet related to ④
To check whether an IP address is suspicious or not
• Use a function pointer table ☺
・Read the IP and TCP header
・Get the IP address from the IP header
・Execute func[IP address]
func[IP address] contains a pointer to either the “deceptive SYN+ACK respond function” or a “do nothing function”.
typedef void (*handler_t)(void);
void donothing(void) {}
void decepted_response(void)
{
    /* build and send the deceptive SYN+ACK response */
}
handler_t func[1ULL << 32];        /* one entry per IPv4 address (2^32 entries) */
func[0] = donothing;
…
func[suspip] = decepted_response;
…
func[(1ULL << 32) - 1] = donothing;
Ex: pseudo code (C-like) of the function table
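As an added example (not the author's code) tying the previous three slides together: a C sketch of steps ② to ④ that parses a captured IPv4/TCP SYN, dispatches on the source address through the two handlers of the function table, and fills in the deceptive SYN+ACK from nothing more than the IP pair, port pair and sequence number. The suspicious addresses, the ISN and the sample SYN are constructed; checksums and the actual send are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_SYN 0x02
#define TCP_ACK 0x10
/* All DICE for TCP needs from the captured SYN: IP pair, port pair, seq. */
struct syn_info { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t seq; };
/* Fields of the deceptive SYN+ACK. Checksums and the send itself are out of
 * scope; the point is that nothing beyond syn_info is needed to fill it. */
struct synack_info {
    uint32_t saddr, daddr; uint16_t sport, dport; uint32_t seq, ack; uint8_t flags;
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* "Read IP and TCP header" / "get IP address from IP header": accept only an IPv4/TCP
 * segment with SYN set and ACK clear. Returns 0 on success, -1 for anything else. */
int parse_syn(const uint8_t *pkt, size_t len, struct syn_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return -1;      /* 6 = TCP */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return -1;                  /* truncated */
    if ((tcp[13] & (TCP_SYN | TCP_ACK)) != TCP_SYN) return -1;     /* not a bare SYN */
    out->saddr = rd32(pkt + 12);
    out->daddr = rd32(pkt + 16);
    out->sport = rd16(tcp);
    out->dport = rd16(tcp + 2);
    out->seq   = rd32(tcp + 4);
    return 0;
}

/* The two handlers the slide's function table points to. Each returns 1 if a
 * deceptive reply was built into *r, 0 if the SYN is left alone. */
typedef int (*handler_t)(const struct syn_info *s, struct synack_info *r);
static int donothing(const struct syn_info *s, struct synack_info *r)
{ (void)s; (void)r; return 0; }
static int decepted_response(const struct syn_info *s, struct synack_info *r)
{
    r->saddr = s->daddr;            /* answer as if we were the External IP */
    r->daddr = s->saddr;
    r->sport = s->dport;
    r->dport = s->sport;
    r->seq   = 0x44494345u;         /* constructed ISN; DICE may choose any value */
    r->ack   = s->seq + 1;          /* acknowledges the client's SYN (RFC 793) */
    r->flags = TCP_SYN | TCP_ACK;
    return 1;
}
/* Constructed suspicious-address list. The slide indexes a 2^32-entry function
 * pointer table directly by address; this small lookup stands in for that. */
static const uint32_t suspicious[] = { 0x0a000107u /* 10.0.1.7 */, 0xc0a80164u /* 192.168.1.100 */ };

static handler_t lookup(uint32_t saddr)
{
    for (size_t i = 0; i < sizeof suspicious / sizeof suspicious[0]; i++)
        if (suspicious[i] == saddr) return decepted_response;
    return donothing;
}

/* Steps ② to ④ for one captured packet: 1 = deceptive SYN+ACK built into
 * *reply, 0 = SYN from a non-suspicious address, -1 = not a plain IPv4 SYN. */
int dice_handle(const uint8_t *pkt, size_t len, struct synack_info *reply)
{
    struct syn_info s;
    if (parse_syn(pkt, len, &s) != 0) return -1;
    return lookup(s.saddr)(&s, reply);
}

/* Constructed 40-byte IPv4+TCP SYN with no options (checksums left zero). */
size_t make_syn(uint8_t *buf, uint32_t saddr, uint32_t daddr,
                uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;   /* v4, IHL 5, TTL 64, TCP */
    wr32(buf + 12, saddr); wr32(buf + 16, daddr);
    uint8_t *t = buf + 20;
    wr16(t, sport); wr16(t + 2, dport); wr32(t + 4, seq);
    t[12] = 0x50; t[13] = TCP_SYN; wr16(t + 14, 65535);    /* data offset 5, SYN, window */
    return 40;
}

int main(void)
{
    uint8_t pkt[40];
    struct synack_info r;
    size_t n = make_syn(pkt, 0x0a000107u, 0xcb007101u, 51000, 443, 1000);
    if (dice_handle(pkt, n, &r) == 1)   /* prints: deceptive SYN+ACK to port 51000, ack=1001 */
        printf("deceptive SYN+ACK to port %u, ack=%u\n", (unsigned)r.dport, (unsigned)r.ack);
    return 0;
}
```

A SYN from a listed address gets a reply whose addresses and ports are swapped and whose ack is the client's seq plus one; a SYN from any other address, a SYN+ACK, or a truncated packet is left alone.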
TCP Connection Step Summary, as deceived by DICE for TCP
• 1. SYN packet is sent
• 2. Deceptive SYN+ACK packet is sent by DICE for TCP
• 3. Real SYN+ACK packet is sent
(Remaining steps omitted)
One SYN for two SYN+ACKs!
Is the real TCP response too slow?
• Slow (in most overseas cases)
– e.g. Tokyo – San Francisco
• Round trip: 18,000 km
– Speed of light: 300,000 km/s
– At least about 60 msec is required for the IP packet round trip: traffic initiated from Tokyo to San Francisco, and the response sent from San Francisco back to Tokyo, reaching the traffic initiator (in Tokyo)
Conclusion
Conclusion
• DICE for TCP is easier than DICE (for DNS)
• The IP address check can be made faster
• DICE for TCP is placed at the proper point
• DICE for DNS and DICE for TCP now work at a certain company ☺
• The speed of light is slow
Thank you!
wakatono@gmail.com
@wakatono (Twitter)
https://www.facebook.com/wakatono
If possible, any questions are welcome via email or Twitter.
Of course, also at the banquet or any networking time ☺
Special thanks to:
My friends (they are illustrators in Japan)
