Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Similar documents
Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Security With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar, and others

Network Security. Thierry Sans

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Chapter 10: Denial-of-Services

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Configuring attack detection and prevention 1

Computer Security and Privacy

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018

CSC Network Security

Internet Security: Firewall

20-CS Cyber Defense Overview Fall, Network Basics

EE 122: Network Security

CSC 574 Computer and Network Security. TCP/IP Security

CTS2134 Introduction to Networking. Module 08: Network Security

Configuring attack detection and prevention 1

Denial of Service (DoS)

The Protocols that run the Internet

Network Security. Tadayoshi Kohno

Distributed Denial of Service (DDoS)

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Denial of Service (DoS) attacks and countermeasures

Unit 4: Firewalls (I)

Configuring Access Rules

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

NETWORK SECURITY. Ch. 3: Network Attacks

Internet Protocol and Transmission Control Protocol

COSC 301 Network Management

DDoS Testing with XM-2G. Step by Step Guide

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

CSE 565 Computer Security Fall 2018

Network Control, Con t

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

ELEC5616 COMPUTER & NETWORK SECURITY

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Chapter 7. Denial of Service Attacks

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Computer and Network Security

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Attack Prevention Technology White Paper

Basic Concepts in Intrusion Detection

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Routing and router security in an operator environment

Network Security. Chapter 0. Attacks and Attack Detection

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

CSc 466/566. Computer Security. 18 : Network Security Introduction

HP High-End Firewalls

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

HP High-End Firewalls

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Networking Security SPRING 2018: GANG WANG

Security in inter-domain routing

COMPUTER NETWORK SECURITY

CSCI 680: Computer & Network Security

ECE 435 Network Engineering Lecture 23

Chapter 8 roadmap. Network Security

CS244a: An Introduction to Computer Networks

Implementing Firewall Technologies

History Page. Barracuda NextGen Firewall F

Chapter 9. Firewalls

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Computer Network Vulnerabilities

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

Firewalls, Tunnels, and Network Intrusion Detection

2. INTRUDER DETECTION SYSTEMS

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

COMPUTER NETWORK SECURITY

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Network Protocols. Security. TDC375 Autuman 03/04 John Kristoff - DePaul University 1

Configuring Firewall Access Rules

Lecture 12. Application Layer. Application Layer 1

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Three interface Router without NAT Cisco IOS Firewall Configuration

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

network security s642 computer security adam everspaugh

Application Firewalls

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Detecting Specific Threats

Denial of Service. EJ Jung 11/08/10

Transcription:

Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience 3. Multiple types of service 4. Variety of networks 5. Management of resources 6. Cost-effective 7. Low entry-cost 8. Accountability for resources Where is security? 15-411: F08 security 2 Why did they leave it out? Designed for connectivity Network designed with implicit trust No bad guys Can t security be provided at the edge? Encryption, Authentication ti ti etc End-to-end arguments in system design 15-411: F08 security 3 Security Vulnerabilities At every layer in the protocol stack! Network-layer attacks IP-level vulnerabilities Routing attacks Transport-layer attacks TCP vulnerabilities Application-layer attacks 15-411: F08 security 4

IP-level vulnerabilities IP addresses are provided by the source Spoofing attacks Using IP address for authentication e.g., login with.rhosts Some features that have been exploited Fragmentation Broadcast for traffic amplification 15-411: F08 security 5 Security Flaws in IP The IP addresses are filled in by the originating host Address spoofing Using source address for authentication r-utilities (rlogin, rsh, rhosts etc..) Internet A 2.1.1.1 C Can A claim it is B to the server S? 1.1.1.3 S 1.1.1.1 1.1.1.2 B ARP Spoofing Can C claim it is B to the server S? Source Routing 15-411: F08 security 6 Smurf Attack ICMP Attacks Attacking System Internet Broadcast Enabled Network No authentication ICMP redirect message Can cause the host to switch gateways Benefit of doing this? Man in the middle attack, sniffing ICMP destination unreachable Can cause the host to drop connection ICMP echo request/reply Many more http://www.sans.org/rr/whitepapers/threats/477.php Victim System 15-411: F08 security 7 15-411: F08 security 8

Routing attacks Divert traffic to malicious nodes Black-hole Eavesdropping How to implement routing attacks? Distance-Vector: Link-state: BGP vulnerabilities Routing attacks Divert traffic to malicious nodes Black-hole Eavesdropping How to implement routing attacks? Distance-Vector: Announce low-cost routes Link-state: Dropping links from topology BGP vulnerabilities Prefix-hijacking Path alteration 15-411: F08 security 9 15-411: F08 security 10 TCP-level attacks SYN-Floods Implementations ti create state t at servers before connection is fully established Session hijack Pretend to be a trusted host Sequence number guessing Session Hijack Server Trusted (T) Session resets Close a legitimate t connection Malicious (M) First send a legitimate SYN to server 15-411: F08 security 11 15-411: F08 security 12

Session Hijack TCP Layer Attacks Malicious (M) Server Using ISN_S1 from earlier connection guess ISN_S2! S2! Trusted (T) TCP SYN Flooding Exploit state allocated at server after initial SYN packet Send a SYN and don t reply with ACK Server will wait for 511 seconds for ACK Finite queue size for incomplete connections (1024) Once the queue is full it doesn t accept requests 15-411: F08 security 13 15-411: F08 security 14 TCP Layer Attacks An Example TCP Session Poisoning Send RST packet Will tear down connection Do you have to guess the exact sequence number? where in window is fine For 64k window it takes 64k packets to reset About 15 seconds for a T1 Shimomura (S) Finger @S showmount e Send 20 SYN packets to S Finger Showmount -e SYN Trusted (T) Attack when no one is around What other systems it trusts? Determine ISN behavior Mitnick 15-411: F08 security 15 15-411: F08 security 16

An Example An Example Shimomura (S) Finger @S showmount e Send 20 SYN packets to S SYN flood T X Trusted (T) Syn flood Attack when no one is around What other systems it trusts? Determine ISN behavior Mitnick T won t respond to packets Shimomura (S) Finger @S showmount e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number SYN ACK Mitnick SYN ACK X Trusted (T) Attack when no one is around What other systems it trusts? Determine ISN behavior T won t respond to packets S assumes that it has a session with T 15-411: F08 security 17 15-411: F08 security 18 An Example Where do the problems come from? Shimomura (S) ++ > rhosts Finger @S showmount e Send 20 SYN packets to S Mitnick SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Send echo + + > ~/.rhosts X Trusted (T) Attack when no one is around What other systems it trusts? Determine ISN behavior T won t respond to packets S assumes that it has a session with T Give permission to anyone from anywhere Protocol-level vulnerabilities Implicit trust assumptions in design Implementation vulnerabilities Both on routers and end-hosts Incomplete specifications Often left to the imagination of programmers 15-411: F08 security 19 15-411: F08 security 20

Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS 15-411: F08 security 21 Denial of Service Make a service unusable/unavailable Disrupt service by taking down hosts E.g., ping-of-death Consume host-level resources E.g., SYN-floods Consume network resources E.g., UDP/ICMP floods 15-411: F08 security 22 Simple DoS Attacker usually spoofs source address to hide origin Aside: Backscatter Analysis When attack traffic results in replies from the victim E.g. TCP SYN, ICMP ECHO Backscatter Analysis Attacker sends spoofed TCP SYN packets to www.haplessvictim.com com With spoofed addresses chosen at random My network sees TCP SYN-ACKs from www.haplessvictim.com com at rate R Attacker Lots of traffic Victim What is the rate of the attack? Assuming addresses chosen are uniform (2^32/ Network Address space) * R 15-411: F08 security 23 15-411: F08 security 24

Reflector Attack Distributed DoS Attacker Attacker Agent Agent Src = Victim Destination = Reflector Handler Handler Reflector Reflector Reflector Reflector Reflector Agent Agent Agent Agent Agent Victim Src = Reflector Destination = Victim Victim Unsolicited it traffic at victim from legitimate t hosts 15-411: F08 security 25 15-411: F08 security 26 Distributed DoS Outline Handlers are usually high volume servers Easy to hide the attack packets Agents are usually home users with DSL/Cable Already infected and the agent installed Very difficult to track down the attacker Multiple levels of indirection! Aside: How to distinguish DDos from flash crowd? 15-411: F08 security 27 Security, Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS 15-411: F08 security 28

Worm Overview Scanning Techniques Self-propagate through network Typical Steps in worm propagation Probe host for vulnerable software Exploit the vulnerability (e.g., buffer overflow) Attacker gains privileges of the vulnerable program Launch copy on compromised host Spread at exponential rate 10M hosts in < 5 minutes Hard to deal with manual intervention 15-411: F08 security 29 Random Local subnet Routing Worm Hitlist Topological 15-411: F08 security 30 Random Scanning 32-bit randomly generated IP address E.g., Slammer and Code Red I What about IPv6? Hits black-holed IP space frequently Only 28.6% of IP space is allocated Detect worms by monitoring unused addresses Honeypots/Honeynet Subnet Scanning Generate last 1, 2, or 3 bytes of IP address randomly Code Red II and Blaster Some scans must be completely random to infect whole internet 15-411: F08 security 31 15-411: F08 security 32

Routing Worm BGP information can tell which IP address blocks are allocated This information is publicly available http://www.routeviews.org/ http://www.ripe.net/ris/ Hit List List of vulnerable hosts sent with payload Determined before worm launch by scanning Boosts worm growth in the slow start phase Can evade common detection ti techniques 15-411: F08 security 33 15-411: F08 security 34 Topological Uses info on the infected host to find the next ttargett Morris Worm used /etc/hosts,.rhosts Email address books P2P software usually store info about peers that each host connects to Some proposals for countermeasures Better software safeguards Static analysis and array bounds checking (lint/e-fence) Safe versions of library calls gets(buf) -> fgets(buf, size,...) sprintf(buf, f...) -> snprintf(buf, f size,...) Host-diversity Avoid same exploit on multiple machines Network-level: IP address space randomization Host-level solutions E.g., Memory randomization, Stack guard Rate-limiting: Contain the rate of spread Content-based filtering: signatures in packet payloads 15-411: F08 security 35 15-411: F08 security 36

Outline Security, Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS Countermeasure Overview High level basic approaches Prevention Detection Resilience Requirements Security: soundness / completeness (false positive / negative Overhead Usability 15-411: F08 security 37 15-411: F08 security 38 Design questions.. Why is it so easy to send unwanted traffic? Worm, DDoS, virus, spam, phishing etc Where to place functionality for stopping unwanted traffic? Edge vs. Core Routers vs. Middleboxes Redesign Internet architecture to detect and prevent unwanted traffic? Firewalls Block/filter/modify traffic at network-level Limit it access to the network Installed at perimeter of the network Why network-level? Vulnerabilities on many hosts in network Users don t keep systems up to date Lots of patches to keep track of Zero-day exploits 15-411: F08 security 39 15-411: F08 security 40

Firewalls (contd ) Packet Filters Firewall inspects traffic through it Allows traffic specified in the policy Drops everything else Two Types Packet Filters, Proxies Internet Firewall Internal Network Selectively passes packets from one network interface to another Usually done within a router between external and internal network What/How to filter? Packet Header Fields IP source and destination addresses Application port numbers ICMP message types/ Protocol options etc. Packet contents t (payloads) 15-411: F08 security 41 15-411: F08 security 42 Packet Filters: Possible Actions Some examples Allow the packet to go through Drop the packet (Notify Sender/Drop Silently) Alter the packet (NAT?) Log information about the packet Block all packets from outside except for SMTP servers Block all traffic to/from a list of domains Ingress filtering i Drop pkt from outside with addresses inside the network Egress filtering Drop pkt from inside with addresses outside the network 15-411: F08 security 43 15-411: F08 security 44

Typical Firewall Configuration Firewall implementation Internal hosts can access DMZ and Internet Internet Stateless packet filtering firewall External hosts can access DMZ only, not Intranet Rule (Condition, Action) DMZ hosts can access Internet only Advantages? If a service gets compromised in DMZ it cannot affect internal hosts X X DMZ Rules are processed in top-down order If a condition satisfied action is taken Intranet 15-411: F08 security 45 15-411: F08 security 46 Sample Firewall Rule Default Firewall Rules Allow SSH from external hosts to internal hosts Two rules Inbound and outbound Client Server How to know a packet is for SSH? Inbound: src-port>1023, dst-port=22 SYN Outbound: src-port=22, dst-port>1023 Protocol=TCP SYN/ACK Ack Set? Problems? ACK Egress Filtering Outbound traffic from external address Drop Benefits? Ingress Filtering Inbound Traffic from internal address Drop Benefits? Default Deny Why? Rule SSH-1 Dir In Src Addr Ext Src Port > 1023 Dst Addr Int Dst Port Proto Ack Set? Action Allow SSH-2 Out Int 22 Ext > 1023 TCP Yes Alow 15-411: F08 security 47 22 TCP Rule Egress Ingress Dir Out In Src Addr Ext Int Src Port Dst Addr Ext Int Dst Port Proto Ack Set? Action Deny Deny Default Deny 15-411: F08 security 48

Packet Filters Alternatives Advantages Transparent to application/user Simple packet filters can be efficient Disadvantages Usually fail open Very hard to configure the rules May only have coarse-grained information? Does port 22 always mean SSH? Who is the user accessing the SSH? Stateful packet filters Keep the connection states t Easier to specify rules Problems? State explosion State for UDP/ICMP? Proxy Firewalls Two connections instead of one Either at transport level SOCKS proxy Or at application level HTTP proxy 15-411: F08 security 49 15-411: F08 security 50 Proxy Firewall Data Available Application level information User information Advantages? Better policy enforcement Better logging Fail closed Disadvantages? Doesn t perform as well One proxy for each application Client modification Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate t hosts/services can have attacks Solution? Intrusion Detection Systems Monitor data and behavior Report when identify attacks 15-411: F08 security 51 15-411: F08 security 52

Classes of IDS What type of analysis? Signature-based Anomaly-based Where is it operating? Network-based Host-based Characteristics Uses known pattern matching to signify attack Advantages? Widely available Fairly fast Easy to implement Easy to update Signature-based IDS Disadvantages? Cannot detect attacks for which it has no signature 15-411: F08 security 53 15-411: F08 security 54 Anomaly-based IDS Network-based IDS Characteristics Uses statistical model or machine learning engine to characterize normal usage behaviors Recognizes departures from normal as potential intrusions Advantages? Can detect attempts to exploit new and unforeseen vulnerabilities Can recognize authorized usage that falls outside the normal pattern Disadvantages? Generally slower, more resource intensive compared to signature-based IDS Greater complexity, difficult to configure Higher percentages of false alerts Characteristics NIDS examine raw packets in the network passively and triggers alerts Advantages? Easy deployment Unobtrusive Difficult to evade if done at low level of network operation Disadvantages? Fail Open Different hosts process packets differently NIDS needs to create traffic seen at the end host Need to have the complete network topology and complete host behavior 15-411: F08 security 55 15-411: F08 security 56

Host-based IDS Characteristics Runs on single host Can analyze audit-trails, logs, integrity of files and directories, etc. Advantages More accurate than NIDS Less volume of traffic so less overhead Disadvantages Deployment is expensive What happens when host get compromised? Summary Security vulnerabilities are real! Protocol or implementation or bad specs Poor programming practices At all layers in protocol stack DoS/DDoS Resource utilization attacks Worm/Malware Exploit vulnerable services Exponential spread Countermeasures: Firewall/IDS 15-411: F08 security 57 15-411: F08 security 58

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback