Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Detecting Network Flooding Attacks
- SYN-cookies
- Proxy based
- CAPTCHA
- Ingress/Egress filtering
- Some examples

SYN-cookies: Background
In a TCP 3-way handshake:
- a client sends a TCP SYN packet with its own random sequence number: SEQ-C
- a server sends back a TCP SYN/ACK packet with its own random sequence number: SEQ-S
- when the server receives a TCP ACK packet, it should check whether its acknowledgement number is SEQ-S + 1
Key point: a server should remember SEQ-S for each client
- 123435354 for a client A
- 209502807 for a client B
- this state should be maintained for every half-open connection
This is the reason why a TCP SYN flooding attack is feasible: state explosion

SYN-cookies: Idea
Stateless management of TCP connection trials
Scenario:
- when a server receives a TCP SYN packet, the server should answer with a TCP SYN/ACK packet
- at this time, how should the server choose the sequence number for the TCP SYN/ACK packet? Use a number based on client information:
  SEQ-S = hash(SRC IP, SRC PORT, DST IP, DST PORT, SEQ-C)
- when the server receives a TCP ACK packet with acknowledgement number AN, NO state is needed:
  if (AN - 1) == hash(SRC IP, SRC PORT, DST IP, DST PORT, SEQ-C), it is a valid packet: make a TCP session

SYN-cookies: message flow
Client -> Server: SYN, seq = SEQ-C
Server -> Client: SYN/ACK, seq = Cookie, ack = SEQ-C + 1
Client -> Server: ACK, ack = Cookie + 1
Server: no state maintained; the cookie is an unforgeable token
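The handshake above as an added worked example (not code from the slides): the server answers every SYN with a cookie computed from the 4-tuple and SEQ-C, keeps nothing, and validates the final ACK by recomputing the hash. Two details are additions to the slide's formula and are labelled as such in the code: the hash is keyed with a server secret (without a key anyone could compute it, so the token would not be unforgeable), and a coarse time slot is mixed in so that an old cookie stops being accepted. Addresses, ports and sequence numbers are constructed.

```python
"""Stateless SYN-cookie handshake. Added example, not code from the slides.
Cookie = hash(src IP, src port, dst IP, dst port, SEQ-C) as on the slide, with
two labelled additions: a server secret (key) and a time slot for expiry.
All addresses and numbers below are constructed."""
import hashlib
import hmac
import ipaddress
import struct

SERVER_SECRET = b"constructed-per-server-secret"   # assumption: key known only to the server
MASK32 = 0xFFFFFFFF                                # TCP sequence numbers are 32-bit


def syn_cookie(src_ip, src_port, dst_ip, dst_port, seq_c, slot, secret=SERVER_SECRET):
    """SEQ-S = keyed hash(src IP, src port, dst IP, dst port, SEQ-C), truncated to 32 bits.
    `slot` is a coarse time counter (e.g. the minute number) so that cookies expire."""
    msg = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
           + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
           + struct.pack("!II", seq_c & MASK32, slot & MASK32))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def on_syn(src_ip, src_port, dst_ip, dst_port, seq_c, slot):
    """Server's reply to a SYN: a SYN/ACK whose sequence number is the cookie.
    Nothing is stored, so a flood of SYNs costs one hash each and no memory."""
    cookie = syn_cookie(src_ip, src_port, dst_ip, dst_port, seq_c, slot)
    return {"seq": cookie, "ack": (seq_c + 1) & MASK32}


def on_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now_slot, window=1):
    """Validate the final ACK with no stored state.
    The ACK's own sequence number is SEQ-C + 1 (the SYN consumed one number), so the
    server recovers SEQ-C = seq - 1, recomputes the cookie for the current slot and
    the previous `window` slots, and accepts iff ack - 1 equals one of them."""
    seq_c = (seq - 1) & MASK32
    presented = struct.pack("!I", (ack - 1) & MASK32)
    for slot in range(now_slot, now_slot - window - 1, -1):
        expected = struct.pack("!I", syn_cookie(src_ip, src_port, dst_ip, dst_port, seq_c, slot))
        if hmac.compare_digest(presented, expected):
            return True
    return False


def demo():
    """One legitimate handshake and three bad ACKs; returns the four verdicts."""
    client = ("198.51.100.7", 40000)     # constructed client
    server = ("203.0.113.10", 80)        # constructed server
    seq_c, slot = 1000, 100
    synack = on_syn(*client, *server, seq_c, slot)
    good_ack = (synack["seq"] + 1) & MASK32
    return {
        "legit": on_ack(*client, *server, seq_c + 1, good_ack, slot),
        "wrong_ack": on_ack(*client, *server, seq_c + 1, good_ack + 1, slot),
        "spoofed_src": on_ack("198.51.100.8", client[1], *server, seq_c + 1, good_ack, slot),
        "expired": on_ack(*client, *server, seq_c + 1, good_ack, slot + 2),
    }


if __name__ == "__main__":
    print(demo())
```

A real implementation also has to fit the negotiated MSS into the cookie, because the server has forgotten the SYN's options by the time the ACK arrives; that encoding is left out here to keep the check itself visible.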

Prolexic
Idea: use a proxy; only forward successfully established TCP sessions
Figure: lots of SYNs reach the Prolexic proxy, lots of SYN/ACKs go back, few ACKs arrive; only the completed sessions are forwarded to the web site

CAPTCHAs
Idea: are connection trials from humans or from bots? Mitigate application-level DDoS attacks
Case study: the Kill-Bots paper, "Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds" (MIT), NSDI 2005
- during an attack, generate a CAPTCHA to differentiate humans from bots
- present one CAPTCHA per source IP address

Ingress/Egress Filtering
Idea: attackers commonly use spoofed IP addresses; they can generate a huge number of fake source IP addresses
How to filter spoofed IP addresses? The ISP checks whether a packet has a valid source IP address before passing it to the Internet (figure: ISP between its customers and the Internet)

Ingress Filtering: Feasibility?
- ingress filtering is based on global trust: can you trust ISP A?
- egress filtering: routers should check all outgoing packets; can you implement this function at low cost?
Figure: routers R1, R2, R3, R4 along the path from the Source AS through the Transit AS to the Dest AS and the destination
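An added example of what "checking whether a packet has a valid source IP address" means at an ISP edge router (not code from the slides): ingress filtering accepts a packet from a customer-facing interface only if its source lies in the prefixes assigned to that customer, and egress filtering lets a packet leave towards the upstream only if its source belongs to the ISP's own address space. The interface-to-prefix table, the bogon list and the sample packets are constructed; all addresses come from the documentation ranges.

```python
"""Ingress and egress source-address filtering at an ISP edge router.
Added example, not code from the slides. The interface-to-prefix table,
the bogon list and the sample packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as text
    dst: str        # destination IP as text
    in_iface: str   # interface the packet arrived on


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Ingress: a customer-facing interface may only originate packets whose source lies in
# the prefixes assigned to that customer (assumption: static assignments).
CUSTOMER_PREFIXES = {
    "cust-a": nets("198.51.100.0/24"),
    "cust-b": nets("203.0.113.0/25"),
}
# Egress: everything this ISP sends upstream must carry one of its own sources.
OUR_PREFIXES = nets("198.51.100.0/24", "203.0.113.0/24")
# Sources that must never appear on the public Internet.
BOGONS = nets("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")


def in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def ingress_check(pkt):
    """(accept, reason) for a packet arriving on a customer interface."""
    allowed = CUSTOMER_PREFIXES.get(pkt.in_iface)
    if allowed is None:
        return False, "unknown interface"
    if in_any(pkt.src, BOGONS):
        return False, "bogon source"
    if not in_any(pkt.src, allowed):
        return False, "source not assigned to interface"
    return True, "ok"


def egress_check(pkt):
    """(accept, reason) for a packet about to leave towards the upstream."""
    if in_any(pkt.src, BOGONS):
        return False, "bogon source"
    if not in_any(pkt.src, OUR_PREFIXES):
        return False, "source not ours (spoofed)"
    return True, "ok"


def filter_batch(packets, check):
    """Apply `check` to a batch; returns (accepted packets, [(packet, reason)] rejected)."""
    accepted, rejected = [], []
    for p in packets:
        ok, why = check(p)
        if ok:
            accepted.append(p)
        else:
            rejected.append((p, why))
    return accepted, rejected


SAMPLE = [   # constructed traffic seen on the customer interfaces
    Packet("198.51.100.7", "192.0.2.10", "cust-a"),    # legitimate
    Packet("203.0.113.9", "192.0.2.10", "cust-a"),     # cust-a using cust-b's space
    Packet("10.1.2.3", "192.0.2.10", "cust-b"),        # private source
    Packet("203.0.113.200", "192.0.2.10", "cust-b"),   # outside cust-b's /25
    Packet("203.0.113.5", "192.0.2.10", "cust-b"),     # legitimate
]

if __name__ == "__main__":
    accepted, rejected = filter_batch(SAMPLE, ingress_check)
    print("accepted:", [p.src for p in accepted])
    print("rejected:", [(p.src, why) for p, why in rejected])
```

Note that the egress check is coarser than the per-interface ingress check: 203.0.113.200 passes egress filtering (it is inside the ISP's /24) but fails ingress filtering on cust-b, which only owns the lower /25. On the cost question from the slide: production routers implement the ingress check as strict unicast reverse path forwarding (uRPF), which reuses the forwarding table lookup the router already performs, so the check costs little more than ordinary forwarding.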

Jump to SDN (Software-Defined Networking)

Intro
First, we need to talk about traditional network devices. They consist of two main components:
- control path (plane): decision module (e.g., routing)
- data path (plane): packet forwarding module
Figure: a network switch with the control path above the data path

Ossified Network
Figure: many features stacked on an operating system, on top of specialized packet forwarding hardware
- millions of lines of code, 5400 RFCs, billions of gates
- many complex functions baked into the infrastructure: OSPF, BGP, multicast, differentiated services, traffic engineering, NAT, firewalls, MPLS, redundant layers, ...
- an industry with a mainframe mentality, reluctant to change

Problem of Legacy Network
- too complicated: the control plane is implemented with complicated S/W and ASICs
- closed platform: vendor specific
- hard to modify (nearly impossible), hard to add new functionalities
New proposal: Software Defined Networking, i.e. separate the control plane from the data plane

Software-Defined Networking: three layers (figure from the Open Networking Foundation)
- Application layer: the application part of the control layer; business applications that implement the logic for flow control, talking to the controller through an API
- Control layer (controller): the kernel part of the control layer; SDN control software and network services that run applications to control network flows
- Infrastructure layer: the network devices (switches or routers), i.e. the data plane; connected to the control layer through the control-data plane interface (e.g., OpenFlow)

SDN - Operation: L2 forwarding
Figure: Host A wants to connect to B and delivers a packet to the switch; the controller installs the flow rule "A -> B: Forward" in the switch; the switch delivers the packet to Host B

SDN - Action (OpenFlow case)
- FORWARD
- DROP
- SET: modify a packet header, e.g., SRC IP 10.0.0.1 -> SRC IP 20.0.0.1

SDN - Operation with SET: load balancing
Figure: Host A and Host B both want to connect to C; the controller installs in the switch:
- A -> C: Forward
- B -> C: DST IP = D (rewrite the destination)
- B -> D: Forward
so B's connection is served by Host D instead of C

Network Security Function Virtualization: problem domain
Inside attackers: figure with tenants 1 to 4 sharing one cloud network, and an attacker among them

Network Security Function Virtualization: possible solution
Distributed F/W: expensive, hard to install (figure: firewall boxes placed between tenants 1 to 4 and the attacker)

Network Security Function Virtualization: enable security in a network device
The cloud is quite complicated: it is hard to install security devices on all possible network links
Figure: a Firewall application on the Controller installs DROP rules in the switches for the attacker's traffic towards tenants 1 to 4

NIDS with SDN (figure)
Components: an NIDS App (Sniffer, Rules = attack signatures) on top of the Controller; Hosts A, B, C attached to an OpenFlow switch
Steps (1) to (9) in the figure cover flow forwarding, packet inspection and the Alert
Flow Table: add "A -> C: Forward To (C, NIDS)", so the switch delivers A's traffic to C and also to the NIDS for inspection
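The three SDN operations on the last slides (load balancing with SET, the controller-installed DROP for the attacker, and the "Forward To (C, NIDS)" mirror rule) in one added example that is not code from the slides or from any OpenFlow controller: a toy switch with a priority-ordered flow table, a table-miss that goes to a reactive L2 forwarding controller, and action lists with FORWARD, DROP and SET. A SET entry with no output re-matches the rewritten packet, which is how "B -> C: DST IP = D" followed by "B -> D: Forward" chains. Host addresses, port numbers and the attacker's address are constructed.

```python
"""Toy OpenFlow-style switch: flow table with FORWARD / DROP / SET actions, table-miss
to a controller, and the load-balancing, firewall and NIDS-mirror rules from the slides.
Added example, not code from the slides; addresses and port numbers are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str   # source IP
    dst: str   # destination IP


@dataclass
class FlowEntry:
    match: dict        # header field -> exact value; an absent field is a wildcard
    actions: list      # ordered: ("forward", port) | ("drop",) | ("set", field, value)
    priority: int = 0  # higher wins, as in OpenFlow
    packets: int = 0   # per-flow counter (the basis of OpenFlow flow statistics)


# Constructed topology: which switch port each host hangs off.
HOST_PORT = {"10.0.0.1": 1, "10.0.0.2": 2, "10.0.0.3": 3, "10.0.0.4": 4, "10.0.0.5": 5}
NIDS_PORT = 9           # port where the NIDS sniffer is attached (constructed)
ATTACKER = "10.0.0.5"   # the attacking tenant's address (constructed)


class Switch:
    def __init__(self, controller):
        self.table = []
        self.controller = controller   # called on table miss (packet-in)
        self.packet_ins = 0

    def install(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)   # highest priority first, stable
        return entry

    def lookup(self, pkt):
        for e in self.table:
            if all(getattr(pkt, f) == v for f, v in e.match.items()):
                return e
        return None

    def process(self, pkt, max_lookups=4):
        """Return the set of output ports for pkt; an empty set means dropped."""
        for _ in range(max_lookups):   # bound re-lookups after SET so a rule loop cannot hang
            entry = self.lookup(pkt)
            if entry is None:
                self.packet_ins += 1
                entry = self.controller(self, pkt)
                if entry is None:
                    return set()
            entry.packets += 1
            outputs, modified = set(), False
            for act in entry.actions:
                if act[0] == "drop":
                    return set()
                if act[0] == "forward":
                    outputs.add(act[1])
                if act[0] == "set":
                    pkt = replace(pkt, **{act[1]: act[2]})
                    modified = True
            if outputs or not modified:
                return outputs          # empty action list behaves like DROP
            # SET with no output: re-match the rewritten packet (B->C has become B->D)
        return set()


def l2_controller(switch, pkt):
    """Reactive L2 forwarding app: on packet-in, install src/dst -> port and return the entry."""
    port = HOST_PORT.get(pkt.dst)
    if port is None:
        return None    # unknown destination: no rule, packet dropped
    return switch.install(FlowEntry({"src": pkt.src, "dst": pkt.dst}, [("forward", port)]))


def build_switch():
    sw = Switch(l2_controller)
    # Load balancing: B -> C is rewritten to B -> D, then forwarded by the learned B -> D rule.
    sw.install(FlowEntry({"src": "10.0.0.2", "dst": "10.0.0.3"},
                         [("set", "dst", "10.0.0.4")], priority=10))
    # Firewall app: DROP everything from the attacking tenant, at the highest priority.
    sw.install(FlowEntry({"src": ATTACKER}, [("drop",)], priority=100))
    # NIDS: A -> C is delivered to C and also to the sniffer port.
    sw.install(FlowEntry({"src": "10.0.0.1", "dst": "10.0.0.3"},
                         [("forward", 3), ("forward", NIDS_PORT)], priority=20))
    return sw


if __name__ == "__main__":
    sw = build_switch()
    for p in [Packet("10.0.0.1", "10.0.0.3"), Packet("10.0.0.2", "10.0.0.3"),
              Packet(ATTACKER, "10.0.0.3"), Packet("10.0.0.3", "10.0.0.1")]:
        print(p, "->", sorted(sw.process(p)), "packet-ins so far:", sw.packet_ins)
```

The first B -> C packet triggers one packet-in (for the rewritten B -> D flow); later B -> C packets match the learned rule and never reach the controller, which is the point of installing flows rather than handling every packet centrally.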

DDoS detection with SDN (figure)
An Anomaly Detector App (port scanner / DDoS detector) on the Controller, made of a Flow statistics collector, a Detection Analyzer and Configurations, raising an Alert; steps (1) to (7) in the figure
- Scan detector: anomaly score
- DDoS detector: threshold
Flow Table on the OpenFlow switch: A -> C: Forward to (C); B -> C: Forward to (C); C -> A: Forward to (A); C -> B: Forward to (B)
Hosts A, B, C attached to the switch
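An added example of the detector part of this slide (not code from the slides): the analyzer takes the records a flow statistics collector would poll from the switch (match fields plus packet counters), computes a scan anomaly score per source and a per-destination packet rate against a DDoS threshold, and emits alerts together with the DROP rules the controller would then install. The thresholds in the configuration and the sample flow records are constructed.

```python
"""Flow-statistics based scan and DDoS detection, as an SDN anomaly-detector app would
run it over the counters polled from the switch. Added example, not code from the slides.
Thresholds and the sample flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowStat:
    """One record from the flow statistics collector: match fields plus packet counter."""
    src: str
    dst: str
    dport: int
    packets: int   # packets matched during the last collection interval


# The "Configurations" box of the detector (constructed values).
CONFIG = {
    "interval_s": 10,      # seconds between two polls of the flow table
    "scan_score": 10,      # distinct (dst, port) targets probed with one packet each
    "ddos_pps": 1000,      # aggregate packets/s towards a single destination
    "per_source_pps": 20,  # per-source rate above which a sender to a flooded host is dropped
}


def scan_scores(stats):
    """Anomaly score per source: number of distinct (dst, dport) pairs it touched with
    one-packet flows, i.e. probes that never became real connections."""
    targets = defaultdict(set)
    for f in stats:
        if f.packets <= 1:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items()}


def flooded_destinations(stats, cfg=CONFIG):
    """Destinations whose aggregate inbound rate exceeds the DDoS threshold."""
    packets = defaultdict(int)
    for f in stats:
        packets[f.dst] += f.packets
    rates = {dst: n / cfg["interval_s"] for dst, n in packets.items()}
    return {dst: r for dst, r in rates.items() if r > cfg["ddos_pps"]}


def analyze(stats, cfg=CONFIG):
    """Return (alerts, rules): alerts for the operator and DROP rules for the controller."""
    alerts, rules = [], []
    for src, score in scan_scores(stats).items():
        if score >= cfg["scan_score"]:
            alerts.append(("scan", src, score))
            rules.append({"match": {"src": src}, "action": "drop"})
    for dst, rate in flooded_destinations(stats, cfg).items():
        alerts.append(("ddos", dst, rate))
        per_source = defaultdict(int)
        for f in stats:
            if f.dst == dst:
                per_source[f.src] += f.packets
        # Drop only the heavy senders, so normal clients of the flooded host keep working.
        for src, n in per_source.items():
            if n / cfg["interval_s"] > cfg["per_source_pps"]:
                rules.append({"match": {"src": src, "dst": dst}, "action": "drop"})
    return alerts, rules


def sample_stats():
    """Constructed flow records for one interval: two normal clients, one port scanner
    and thirty flooding sources, all aimed at host C (10.0.0.3)."""
    stats = [FlowStat("10.0.0.1", "10.0.0.3", 80, 120),
             FlowStat("10.0.0.2", "10.0.0.3", 443, 40)]
    stats += [FlowStat("10.0.0.66", "10.0.0.3", port, 1) for port in range(1, 21)]
    stats += [FlowStat(f"192.0.2.{i}", "10.0.0.3", 80, 500) for i in range(1, 31)]
    return stats


if __name__ == "__main__":
    alerts, rules = analyze(sample_stats())
    print("alerts:", alerts)
    print("rules to install:", len(rules), "first:", rules[0])
```

With the constructed records, host C receives 15180 packets in the 10-second interval (1518 packets/s, above the 1000 packets/s threshold), the scanner scores 20 probed ports, and the two normal clients stay below the per-source limit, so they are not dropped when the flood is mitigated. A deployment would tune the thresholds from baseline statistics rather than fixed constants, and the controller would give the DROP rules an idle timeout so they expire when the attack stops.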