CSE 565 Computer Security Fall 2018

Similar documents
Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Computer Security CS 426

CS670: Network security

Network Security. Thierry Sans

Denial of Service. EJ Jung 11/08/10

NETWORK SECURITY. Ch. 3: Network Attacks

Computer Security: Principles and Practice

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

DENIAL OF SERVICE ATTACKS

CS Paul Krzyzanowski

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Chapter 7. Denial of Service Attacks

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Denial of Service (DoS)

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Denial of Service (DoS) attacks and countermeasures

ELEC5616 COMPUTER & NETWORK SECURITY

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

CSc 466/566. Computer Security. 18 : Network Security Introduction

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

HP High-End Firewalls

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

20-CS Cyber Defense Overview Fall, Network Basics

MITIGATING DENIAL OF SERVICE ATTACKS IN OLSR PROTOCOL USING FICTITIOUS NODES

CSC 574 Computer and Network Security. TCP/IP Security

Closed book. Closed notes. No electronic device.

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Network Security. Tadayoshi Kohno

CSE Computer Security (Fall 2006)

Configuring attack detection and prevention 1

Introduction to Network. Topics

COMPUTER NETWORK SECURITY

Internet Security: How the Internet works and some basic vulnerabilities

Chapter 10: Denial-of-Services

CIS 551 / TCOM 401 Computer and Network Security

Internet Protocol and Transmission Control Protocol

Network Security. Network Vulnerabilities

Internet Security: How the Internet works and some basic vulnerabilities. Slides from D.Boneh, Stanford and others

CS 134 Winter 2018 Lecture 16. Network Threats & Attacks

DDoS Testing with XM-2G. Step by Step Guide

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

network security s642 computer security adam everspaugh

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Configuring attack detection and prevention 1

Configuring Flood Protection

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

DDoS and Traceback 1

CSE Computer Security

CSCE 463/612 Networks and Distributed Processing Spring 2018

The big picture. Security. Some consequences. Three types of threat. LAN Eavesdropping. Network-based access control

Attack Prevention Technology White Paper

The big picture. Security. Some consequences. Three types of threat. Warm up: phishing. Danger: malicious servers

CSCI 680: Computer & Network Security

Security. - All kinds of bad things attackers can do over the network. Next lecture: defense building blocks

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Are You Fully Prepared to Withstand DNS Attacks?

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

CIS 5373 Systems Security

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

HP High-End Firewalls

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Computer and Network Security

DOMAIN NAME SECURITY EXTENSIONS

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

CS 457 Lecture 11 More IP Networking. Fall 2011

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

UMSSIA LECTURE II: NETWORKS?

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner

Internet Protocols (chapter 18)

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

DNS Security. Ch 1: The Importance of DNS Security. Updated

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

ICS 351: Networking Protocols

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Scribe Notes -- October 31st, 2017

CS 161 Computer Security

CSE 565 Computer Security Fall 2018

ECE 435 Network Engineering Lecture 23

A Framework for Optimizing IP over Ethernet Naming System

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Cloudflare Advanced DDoS Protection

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

History Page. Barracuda NextGen Firewall F

Transcription:

CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1

Lecture Overview Network attacks denial-of-service (DoS) attacks SYN floods, ICMP floods source address spoofing distributed DoS DNS attacks other types of spoofing session hijacking 2

DoS Attacks Denial of service attacks target at denying availability of some service or resource, including network bandwidth system resources application resources Types of DoS attacks local remote stopping services process crashing process killing system reconfiguration malformed packets to crash buggy services exhausting resources spawning processes to fill process table filling up file system saturating bandwidth packet floods 3

Overview of Network Protocols IP: Internet Protocol the main protocol used for routing each IP packet includes the source and destination addresses the protocol is connectionless and unreliable (best effort) TCP and UDP run on top of IP IP is used for routing, data fragmentation and reassembly and error reporting (via ICMP) ICMP: Internet Control Message Protocol it is used for network reachability testing and to report errors examples: echo request/reply, destination unreachable and time-to-live exceeded messages 4

Overview of Network Protocols UDP: User Datagram Protocol transport protocol with minimal guarantees no acknowledgment, no flow control, no message continuation traffic is separated by port number TCP: Transmission Control Protocol connection-oriented transport protocol partitions data into packets and reassembles them in correct order at the destination transmission is reliable packets are acknowledged and retransmitted if necessary port numbers are used for different services as well 5

DoS Attacks Basic form of DoS attacker sends a large number of packets through a link or to a particular service the goal is to saturate the network or overload the server most requests from legitimate users will be dropped example attacker sends many ICMP echo request packets to a server the server replies with ICMP echo reply packet From attacker s point of view this is unsatisfactory attacker can be easily traced packets sent in response use attacker s resources 6

DoS Attacks Solution: source address spoofing with sufficient privileges to a machine, the source address in IP packets can be set to anything the source address is set to a randomly chosen address replies from the victim machine are scattered across the internet echo response 111.11.111.11 echo request from 111.11.111.11 echo request from 22.222.22.222 attacker IP 123.45.67.89 victim IP 98.76.54.32 echo response 22.222.22.222 7

DoS Attacks Another way to mount a DoS attack is by TCP SYN flooding uses the fact that a machine has a limit on the number of open connections allows attacker to deny availability with much less traffic TCP handshake Client C SYN C SYN S, ACK C ACK S Server S listening storing data waiting connected 8

DoS Attacks TCP SYN flooding attack exploits the fact that server waits for ACKs attacker sends many SYN requests with spoofed source addresses victim allocates resources for each request connection requests exist until timeout there is a fixed bound on half-open connections Client C SYN C1 SYN C2 SYN C3 SYN C4 SYN C5 Server S listening storing data and waiting 9

DoS Attacks TCP SYN flooding attack (cont.) resources exhausted legitimate requests rejected the attack relies on the fact that many SYN-ACK packets will be unanswered an existing host replies to a SYN-ACK packet with RST many IP addresses are not in use the attacker needs to keep sending new SYN packets to keep the table full Flooding attacks in general can use any type of packets e.g., ICMP flood, UDP flood, TCP SYN flood In any attack with spoofed addresses it is hard to find attacker 10

DDoS Attacks In all of the above attacks, attacker needs to have substantial resources thus attacks are more effective if carried out from many sources they are called distributed DoS (DDoS) attacks DDoS attacks often use compromised computers (zombies) attacker compromised machines and builds a botnet attacker instructs the bots to attack the target machine all communication is often encrypted, can be authenticated zombie machines flood the victim spoofing IP addresses is not necessary since it is hard to trace the attacker from the zombie machines 11

DDoS Attacks DDoS attack illustrated Attacker Handler Handler Zombie Zombie Zombie Zombie Zombie Zombie Victim 12

DoS Attacks Other variants of DoS attacks that use additional machines reflection find sites with lots of resources send packets to them with (spoofed) source address of the victim responses flood the victim e.g., echo request echo response, SYN SYN ACK no spurious packets can be observed by other sites attack is harder to detected and defend against amplification also sends packets with spoofed addresses to intermediaries now one original packet generates many response packets 13

DoS Attacks Variants of DoS attacks (cont.) amplification amplification is accomplished by sending a request packet to a broadcast address examples are ICMP echo request packets (smurf program) and UDP packets only connectionless protocols can be used (i.e., not TCP) pulsing zombie floods each zombie is active briefly and then goes dormant zombies take turns in attacking this makes tracing difficult 14

Defenses Against DoS Attacks A significant challenge in defending against DoS attacks is that spoofed addresses are used What can be done ingress filtering basic recommendation to check that packets coming from a network have source address within the network s range ISPs are best suited to perform such filtering despite its simplicity and effectiveness, this recommendation is not implemented by many ISPs SYN cookies this technique is used to defend against TCP SYN floods 15

Defenses Against DoS Attacks DoS defenses (cont.) SYN cookies (cont.) after receiving a SYN, information about it is not stored the server instead it is encoded in the SYN-ACK packet upon receiving ACK, server can reconstruct all information disadvantages: increased server computation, inability to use certain TCP features for such reasons SYN cookies are not always used blocking certain packets many systems block ICMP echo requests from outside of network often IP broadcasts are also blocked from outside 16

Defenses Against DoS Attacks DoS defenses (cont.) limiting packet rates certain types of packets such as ICMP are rather rare in normal network operation limiting their rate can help mitigate attacks packet marking a router marks a small number of packets with its ID for high volume traffic, packets will be marked by most servers on their the path to the victim path to the attacker can be reconstructed effectiveness of this technique depends on its wide usage general good security practices 17

DNS Domain Name System (DNS) allows to map symbolic names to IP addresses the name space is hierarchical root net com edu org us ca psu cornell cse buffalo rit syracuse ee www 18

DNS Hierarchical service root name servers are for top-level domains authoritative name servers are for sub-domains local name resolvers contact authoritative servers when they don t know a name client www.cse.buffalo.edu local DNS resolver www.cse.buffalo.edu NS buffalo.edu NS cse.buffalo.edu root & edu DNS server buffalo.edu DNS server www = IP addr cse.buffalo.edu DNS server 19

DNS DNS resource records A record supplies host IP address NS record supplies name server for domain DNS cashing DNS responses are cached quick response for repeated translations useful for finding servers as well as addresses negative results are cached save time for nonexistent sites, e.g., misspelling cashed data periodically time out 20

DNS DNS lookup using cache root & edu DNS server ftp.cse.buffalo.edu client local DNS resolver ftp.cse.buffalo.edu buffalo.edu DNS server ftp = IP addr cse.buffalo.edu DNS server DNS is susceptible to cache poisoning attacks change IP address in cache to redirect URLs to fraudulent sites this attack is called pharming 21

DNS DNS cache poisoning example www.yahoo.com NS ns.evil.org (delegate to evil.org) ns.evil.org A 1.2.3.4 (address for evil.org) if resolver looks up www.yahoo.com, the address 1.2.3.4 will be returned the attack is more dangerous than phishing attacks in phishing, users receive email with link to fraudulent website that appear as legitimate website pharming requires no email solicitation all users go to a wrong address 22

DNS DNS cache poisoning the problem is DNS messages are not authenticated some DNS poisoning attacks in the past in January 2005, the address of a large ISP Panix was redirected to a site in Australia in November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy There are also attacks on DNS reverse address lookup and DNS implementations example: reverse query buffer overrun in BIND releases 4.9 and 8 could gain root access, abort DNS service 23

DNSSEC Domain Name System Security Extensions (DNSSEC) was developed to protect integrity of DNS records all DNS responses are authenticated a server signs all answers it provides this prevents forgery such as DNS cache poisoning DNSSEC is specified in IETF RFCs 4033, 4034, 4035, and others DNSSEC is being deployed slowly due to its perceived overhead see dnssec.net and other resources for more information 24

Other Attacks Address resolution protocol (ARP) primarily used to translate IP addresses to Ethernet MAC addresses each host maintains a table of IP to MAC addresses ARP spoofing (or ARP poisoning) send fake ARP messages to an Ethernet LAN (no authentication) this causes other machines to associate IP addresses with attacker s MAC defenses static ARP table DHCP snooping (access control based on IP, MAC, and port) detection: Arpwatch, reverse ARP 25

Other Attacks Session hijacking attacks host-based session hijacking with root privileges can read and write to local terminal devices network-based session hijacking often performed against TCP What harm can be done data injection into unencrypted server-to-server traffic such as email exchange, DNS zone transfers, etc. data injection into unencrypted client-to-server traffic such as ftp file downloads and http responses denial of service attacks such as resetting a connection 26

Other Attacks TCP session hijacking each TCP connection has an associated state client and server IP and port numbers, sequence numbers the problems is that it is not difficult to guess state port numbers can be standard sequence numbers are often chosen in a predictable way TCP sequence numbers need high degree of unpredictability attacker who knows initial sequence numbers and amount of traffic sent can estimate likely current values send a flood of packets with likely sequence numbers 27

Other Attacks TCP sequence numbers (cont.) packets can be injected into existing connection some implementations are vulnerable DoS vulnerability if attacker can guess sequence numbers for an existing connection, it can send a RST packet to close connection (DoS) naively, success probability is1/2 32 (32-bit numbers) most systems allow for a large window of acceptable sequence numbers resulting in much higher success probability attack is most effective against long lived connections such as BGP 28

Defenses Cryptographic network protection protocol level solutions adding authentication to protocols would solve many problems (various types of spoofing and poisoning) perceived as too expensive for current internet speeds/volumes solutions at network layer use cryptographically random initial sequence numbers, IPsec can protect against session hijacking/data injection and DoS using session resets solutions above transport layer tools such as SSL and SSH protect against session hijacking, but not against RST-based DoS 29

Conclusions DoS attacks are common and result in substantial losses a number of defenses are effective, but no perfect solution exists DNS attacks can also have a large impact Manipulating other protocols and information transmitted on the network can result in various types of other attacks 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback