Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Similar documents
Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Security With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar, and others

Network Security. Thierry Sans

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Chapter 10: Denial-of-Services

CSE 565 Computer Security Fall 2018

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

CTS2134 Introduction to Networking. Module 08: Network Security

EE 122: Network Security

Configuring Access Rules

Computer Security and Privacy

Configuring attack detection and prevention 1

Internet Security: Firewall

COSC 301 Network Management

Network Security. Tadayoshi Kohno

CSE 565 Computer Security Fall 2018

Denial of Service (DoS)

Denial of Service (DoS) attacks and countermeasures

CSc 466/566. Computer Security. 18 : Network Security Introduction

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

CS244a: An Introduction to Computer Networks

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Internet Protocol and Transmission Control Protocol

The Protocols that run the Internet

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Chapter 8 roadmap. Network Security

CSE 565 Computer Security Fall 2018

Computer and Network Security

Network Control, Con t

CSC 574 Computer and Network Security. TCP/IP Security

Basic Concepts in Intrusion Detection

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

ECE 435 Network Engineering Lecture 23

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

20-CS Cyber Defense Overview Fall, Network Basics

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Configuring attack detection and prevention 1

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

ECE 435 Network Engineering Lecture 23

HP High-End Firewalls

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

Networking Security SPRING 2018: GANG WANG

Chapter 7. Denial of Service Attacks

ELEC5616 COMPUTER & NETWORK SECURITY

Unit 4: Firewalls (I)

ASA Access Control. Section 3

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Attack Prevention Technology White Paper

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Configuring Firewall Access Rules

HP High-End Firewalls

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Routing and router security in an operator environment

NETWORK SECURITY. Ch. 3: Network Attacks

DDoS Testing with XM-2G. Step by Step Guide

Lecture 12. Application Layer. Application Layer 1

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Security in inter-domain routing

Denial of Service. EJ Jung 11/08/10

Distributed Denial of Service (DDoS)

CSC Network Security

Outline. WEP privacy. Side-channel attacks. WEP shared key. WEP key size and IV size. Crypto failures, cont d

CSCI 680: Computer & Network Security

Network Security (and related topics)

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

COMPUTER NETWORK SECURITY

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

network security s642 computer security adam everspaugh

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Last time. Trusted Operating System Design. Security in Networks. Security Features Trusted Computing Base Least Privilege in Popular OSs Assurance

Network Security. Chapter 0. Attacks and Attack Detection

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

Network Security. Justin Weisz Networks Fall

Chapter 9. Firewalls

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

CS System Security 2nd-Half Semester Review

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Firewalls, Tunnels, and Network Intrusion Detection

Network Protocols. Security. TDC375 Autuman 03/04 John Kristoff - DePaul University 1

CE Advanced Network Security

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

9. Security. Safeguard Engine. Safeguard Engine Settings

COMPUTER NETWORK SECURITY

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Introduction to Computer Security

Transcription:

Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting network resources and limiting connectivity (Part II) Network Security No: Preventing software vulnerabilities & malware, or social engineering. Software Security With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar, and others 2 Security Vulnerabilities Exist at every layer in the protocol stack! Network-layer attacks IP-level vulnerabilities Routing attacks Transport-layer attacks TCP vulnerabilities Application-layer attacks IP-level vulnerabilities IP addresses are provided by the source Spoofing attacks Using IP address for authentication Should be rare today Some features that have been exploited Fragmentation Broadcast for traffic amplification 3 4 1

Fun with IP Spoofing Fun with IP Spoofing (Smurf Attack) The IP addresses are filled in by the originating host Address spoofing Using source address for authentication r-utilities (rlogin, rsh, rhosts etc..) C 2.1.1.1 Can A claim it is B to the server S? Attacking System Internet Internet S 1.1.1.3 1.1.1.1 1.1.1.2 A B ARP Spoofing Can C claim it is B to the server S? Source Routing Victim System Broadcast Enabled Network 5 6 Routing attacks Routing attacks Divert traffic to malicious nodes Black-hole Eavesdropping How to implement routing attacks? Distance-Vector: Link-state: BGP vulnerabilities Divert traffic to malicious nodes Black-hole Eavesdropping How to implement routing attacks? Distance-Vector: Announce low-cost routes Link-state: Dropping links from topology BGP vulnerabilities Prefix-hijacking Path alteration 7 8 2

Black-hole Attacks All packets to destination network get dropped in network Causes: Compromised router drops packets directly Compromised router sends incorrect routing info Maliciously crafted BGP packets Modified BGP packets Dropped BGP packets TCP-level attacks SYN-Floods Implementations create state at servers before connection is fully established Session hijack Pretend to be a trusted host Sequence number guessing Session resets Close a legitimate connection 9 10 Session Hijack Session Hijack Server Server Trusted (T) Trusted (T) Malicious (M) First send a legitimate SYN to server Malicious (M) Using ISN_S1 from earlier connection guess ISN_S2! 11 15-411: security 12 3

TCP SYN Flooding Exploit state allocated at server after initial SYN packet Send a SYN and don t reply with ACK Server will wait for 511 seconds for ACK Finite queue size for incomplete connections (1024) Once the queue is full it does not accept requests The solution is to use SYN cookies The server keeps no state after the SYN Instead, it embeds all the necessary state in the packet as carefully crafted initial sequence number TCP TCP Session Poisoning Send RST packet Will tear down connection Do you have to guess the exact sequence number? where in window is fine For 64k window it takes 64k packets to reset About 15 seconds for a T1 13 14 An Example An Example Shimomura (S) Finger @S showmount e Send 20 SYN packets to S Finger Showmount SYN -e Trusted (T) Attack when no one is around What other systems it trusts? Determine ISN behavior Mitnick Shimomura (S) Finger @S showmount e Send 20 SYN packets to S SYN flood T X Trusted (T) Syn flood Attack when no one is around What other systems it trusts? Determine ISN behavior Mitnick T won t respond to packets 15 16 4

An Example An Example Shimomura (S) SYN Finger @S showmount e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Mitnick SYN ACK ACK X Trusted (T) Attack when no one is around What other systems it trusts? Determine ISN behavior T won t respond to packets S assumes that it has a session with T 17 Shimomura (S) ++ > rhosts Finger @S showmount e Send 20 SYN packets to S Mitnick SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Send echo + + > ~/.rhosts X Trusted (T) Attack when no one is around What other systems it trusts? Determine ISN behavior T won t respond to packets S assumes that it has a session with T Give permission to anyone from anywhere 18 Where do the problems come from? Outline Part II Protocol-level vulnerabilities Implicit trust assumptions in design Implementation vulnerabilities Both on routers and end-hosts Security Vulnerabilities Denial of Service Worms Incomplete specifications Often left to the imagination of programmers Countermeasures: Firewalls/IDS 19 20 5

Denial of Service Reflector Attack Make a service unusable/unavailable Attacker Disrupt service by taking down hosts E.g., ping-of-death Agent Agent Src = Victim Destination = Reflector Consume host-level resources E.g., SYN-floods Reflector Reflector Reflector Reflector Reflector Consume network resources E.g., UDP/ICMP floods Victim Src = Reflector Destination = Victim Unsolicited traffic at victim from legitimate hosts 21 22 Distributed DoS Distributed DoS Attacker Handlers are usually high volume servers Easy to hide the attack packets Handler Handler Agent Agent Agent Agent Agent Agents are usually home users with DSL/Cable Already infected and the agent installed Victim Very difficult to track down the attacker Multiple levels of indirection! Aside: How to distinguish DDos from flash crowd? 23 24 6

Outline Part II Security, Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS Worm Overview Self-propagate through network Typical Steps in worm propagation Probe host for vulnerable software Exploit the vulnerability (e.g., buffer overflow) Attacker gains privileges of the vulnerable program Launch copy on compromised host Spread at exponential rate 10M hosts in < 5 minutes Hard to deal with manual intervention 25 26 Scanning Techniques Random Local subnet Routing Worm Uses information about allocated addresses from BGP Hitlist Provide list of vulnerable hosts Topological Exploit information on the infected hosts Random Scanning 32-bit randomly generated IP address E.g., Slammer and Code Red I What about IPv6? Hits black-holed IP space occasionally Some percentage of IP space reserved Detect worms by monitoring unused addresses Honeypots/Honeynet 27 28 7

Subnet Scanning Some proposals for countermeasures Generate last 1, 2, or 3 bytes of IP address randomly Code Red II and Blaster Some scans must be completely random to infect whole internet Better software safeguards Static analysis and array bounds checking (lint/e-fence) Safe versions of library calls gets(buf) fgets(buf, size,...) sprintf(buf,...) snprintf(buf, size,...) Host-diversity Avoid same exploit on multiple machines Network-level: IP address space randomization Host-level solutions E.g., Memory randomization, Stack guard Rate-limiting: Contain the rate of spread Content-based filtering: signatures in packet payloads 29 30 Outline Part II Security, Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS Countermeasure Overview High level basic approaches Prevention Detection Resilience Requirements Security: soundness / completeness Manage false positive / negative tradeoff Overhead Usability 31 32 8

Design questions.. Why is it so easy to send unwanted traffic? Worm, DDoS, virus, spam, phishing etc Where to place functionality for stopping unwanted traffic? Edge vs. Core Routers vs. Middleboxes Redesign Internet architecture to detect and prevent unwanted traffic? Firewall Motivation Block/filter/modify traffic at network-level Limit access to the network Installed at perimeter of the network Why network-level? Vulnerabilities on many hosts in network Users do not keep systems up to date Lots of patches to keep track of Zero-day exploits 33 34 Firewalls Design Packet Filters Firewall inspects traffic that flows through it Allows traffic specified in the policy Drops everything else ( default off ) Two Types Packet Filters, Proxies Internet Firewall Internal Network Selectively passes packets from one network interface to another Usually done within a router between external and internal network What/How to filter? Packet Header Fields IP source and destination addresses Application port numbers ICMP message types/ Protocol options etc. Packet contents (payloads) 35 36 9

Packet Filters: Possible Actions Allow the packet to go through Drop the packet (Notify Sender/Drop Silently) Alter the packet (NAT?) Log information about the packet Some examples Block all packets from outside except for SMTP servers Block all traffic to/from a list of domains Ingress filtering Drop pkt from outside with addresses inside the network Egress filtering Drop pkt from inside with addresses outside the network 37 38 Typical Firewall Configuration Firewall implementation Stateless packet filtering firewall Internal hosts can access DMZ and Internet External hosts can access DMZ only, not Intranet Internet Rule (Condition, Action) DMZ hosts can access Internet only Advantages? If a service gets compromised in DMZ it cannot affect internal hosts X X DMZ Rules are processed in top-down order If a condition satisfied action is taken Intranet 39 40 10

Sample Firewall Rule Default Firewall Rules Allow SSH from external hosts to internal hosts Two rules Inbound and outbound How to know a packet is for SSH? Inbound: src-port>1023, dst-port=22 Outbound: src-port=22, dst-port>1023 Protocol=TCP Problems? Egress Filtering Outbound traffic from external address Drop Benefits? Ingress Filtering Inbound Traffic from internal address Drop Benefits? Default Deny Why? Rule Dir Src Addr Src Port Dst Addr Dst Port Proto Action Rule Dir Src Addr Src Port Dst Addr Dst Port Proto Ack Set? Action SSH-1 SSH-2 In Out Ext Int > 1023 22 Int Ext 22 > 1023 TCP TCP Allow Allow Egress Ingress Default Out In Ext Int Ext Int Deny Deny Deny 41 42 Packet Filters Advantages Transparent to application/user Simple packet filters can be efficient Disadvantages Usually fail open Very hard to configure the rules May only have coarse-grained information? Does port 22 always mean SSH? Who is the user accessing the SSH? Alternatives Stateful packet filters Keep the connection states Easier to specify rules Problems? State explosion State for UDP/ICMP? Proxy Firewalls Two connections instead of one Either at transport level SOCKS proxy Or at application level HTTP proxy 43 44 11

Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate hosts/services can have attacks Solution? Intrusion Detection Systems Monitor data and behavior Report when identify attacks Summary Part II Security vulnerabilities are real! Protocol or implementation or bad specs Poor programming practices At all layers in protocol stack DoS/DDoS Resource utilization attacks Worm/Malware Exploit vulnerable services Exponential spread Countermeasures: Firewall/IDS 45 46 Resources Textbook: 8.1 8.3 Wikipedia for overview of Symmetric/Asymmetric primitives and Hash functions. OpenSSL (www.openssl.org): top-rate open source code for SSL and primitive functions. Handbook of Applied Cryptography available free online: www.cacr.math.uwaterloo.ca/hac/ 15-411: security 53 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback