Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Similar documents
NETWORK SECURITY. Ch. 3: Network Attacks

CSE 565 Computer Security Fall 2018

ELEC5616 COMPUTER & NETWORK SECURITY

Internet Protocol and Transmission Control Protocol

CS 161 Computer Security

CSC 6575: Internet Security Fall 2017

Denial of Service. EJ Jung 11/08/10

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

On the Internet, nobody knows you re a dog.

Cloudflare Advanced DDoS Protection

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

CS 161 Computer Security

Network Security. Tadayoshi Kohno

Securing Internet Communication: TLS

COMPUTER NETWORK SECURITY

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Man In The Middle Project completed by: John Ouimet and Kyle Newman

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Network and Internet Vulnerabilities

Chapter 7. Denial of Service Attacks

6.033 Spring 2015! Lecture #24. Combating network adversaries! DDoS attacks! Intrusion Detection

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Firewalls, Tunnels, and Network Intrusion Detection

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

CS 161 Computer Security

Closed book. Closed notes. No electronic device.

CS Paul Krzyzanowski

DDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version July

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Real-time protocol. Chapter 16: Real-Time Communication Security


The big picture. Security. Some consequences. Three types of threat. LAN Eavesdropping. Network-based access control

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

Attack Class: Address Spoofing

Network Security. Thierry Sans

Distributed Denial of Service

Denial of Service (DoS)

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

CSCI 466 Midterm Networks Fall 2013

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

Introduction to Computer Security

CS 494/594 Computer and Network Security

Network and Internet Vulnerabilities

CS670: Network security

HP High-End Firewalls

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CSc 466/566. Computer Security. 18 : Network Security Introduction

CSC 574 Computer and Network Security. TCP/IP Security

Network Security. Network Vulnerabilities

The big picture. Security. Some consequences. Three types of threat. Warm up: phishing. Danger: malicious servers

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Accounting Information Systems

Security. - All kinds of bad things attackers can do over the network. Next lecture: defense building blocks

Computer Security: Principles and Practice

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 11

Configuring Flood Protection

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CS244a: An Introduction to Computer Networks

Threat Pragmatics & Cryptography Basics. PacNOG July, 2017 Suva, Fiji

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

REMINDER course evaluations are online

network security s642 computer security adam everspaugh

Identifier Binding Attacks and Defenses in Software-Defined Networks

Web basics: HTTP cookies

Solutions to prevent IoT devices to be used for DDOS attacks. WISeKey General Business Use

Configuring attack detection and prevention 1

CS 425 / ECE 428 Distributed Systems Fall 2017

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Lecture 7 - Applied Cryptography

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

CS 161 Computer Security

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

DENIAL OF SERVICE ATTACKS

Computer Networks - Midterm

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Exploring TCP and UDP based on Kurose and Ross (Computer Networking: A Top-Down Approach) May 15, 2018

CS 155 Final Exam. CS 155: Spring 2006 June 2006

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring CS Paul Krzyzanowski

Network Security (NetSec)

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

haltdos - Web Application Firewall

20-CS Cyber Defense Overview Fall, Network Basics

Internet Infrastructure

Application vulnerabilities and defences

Denial-of-Service (DoS) & Web Attacks

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

Network Security Protocols NET 412D

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

User s Manual. How to configure and use FortGuard Professional Anti-DDoS Firewall

Transcription:

Communication Networks (0368-3030) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University Allon Wagner

Several slides adapted from a presentation made by Dan Touitou on behalf of Cisco.

How do DDoS Attacks Start? Zombies Innocent PCs & Servers turn into Zombies Zombies DNS Email Infrastructure Security, 3/04 2004 Cisco Systems, Inc. All rights reserved. 3

The Effects of DDoS Attacks Attack Zombies: Massively distributed Spoof Source IP Use valid protocols Server-level DDoS attacks Infrastructure-level DDoS attacks Bandwidth-level DDoS attacks DNS Email Infrastructure Security, 3/04 2004 Cisco Systems, Inc. All rights reserved. 4

Motivation to attack Economically driven Extortion Zombie armies for hire Cyber-vandalism Cyber-terrorism / Cyber-war Backdrop for a more sophisticated attack For example, an attacker brings a target down, and can then hijack its identity

Blackholing R4 R2 = Disconnecting the customer R3 R5 peering 1000 1000 R1 FE R R 100 R........ Infrastructure Security, 3/04 Server1 2004 Cisco Systems, Inc. All rights reserved. Victim Server2 6

3-7 Transport Layer Three-way handshake & SYN-Flood attacks time Host 1 Host 2 SYN =1 (SEQ = x) SYN = 1 ACK = 1 (SEQ = y, ACK = x+1) ACK = 1 (SEQ = x+1, ACK = y+1) state saved!

3-8 Transport Layer SYN Cookies the idea time Host 1 Host 2 SYN =1 (SEQ = x) SYN = 1 ACK = 1 (SEQ = f x, ACK = x+1) ACK = 1 (SEQ = x+1, ACK = f x + 1) stateless

SYN Cookies (somewhat simplified) A client sends a SYN packet. The server does not choose a random SEQ for its reply. Instead, it calculates a H x - a cryptographic hash of: t a slowly increasing time function (e.g increases every 64 seconds) Server s IP and port Client s IP and port s - a secret x client s ISN The SEQ returned in the SYN+ACK packet is the concatenation t, H x.

SYN Cookies (somewhat simplified) When a new client sends an ACK with ACK=y, the server decreases 1 and obtains: t allows it to ensure this is a recent request the supposed hash result H x It can recompute H x If H x = H x the client is legitimate and a TCP connection is opened

Exercise Why is t included in the cryptographic hash? To prevent replay attacks. Assume that Eve (an Evil attacker) wants to mount a DDoS attack against a server that does not include t in its hashes. Eve (and Eve s zombies) create millions of legitimate connections over a period of time, and collects H(x) matching their data. When Eve wants to attack, she sends all these past requests simultaneously ACKs imitating the 3 rd step of the threeway-handshake along with their correct H(x). Plaintext field t simply says now. The server cannot tell these are old requests.

Exercise (cont.) Why is t also given in plaintext? Because once a server gets the 3 rd ack of the threeway handshake, it cannot know when the SYN-ACK reply was given to the client i.e., what t was used to generate H x A malicious client still cannot forge H x because it doesn t know s.

Anti-spoofing Spoofing masquerading as a different network user IP spoofing DNS spoofing ARP spoofing Malicious clients spoof IP addresses in order to mount DoS attacks. An idea to prevent (or at least hinder) spoofing: respond to the client in a way that forces it to reply.

Anti-Spoofing Defense - One example: HTTP Antispoofing only when under attack Authenticate source on initial query 1. SYN cookie alg. 2. Redirect rqst 3. Close connection Subsequent queries verified Client authenticated Source Guard Target Infrastructure Security, 3/04 2004 Cisco Systems, Inc. All rights reserved. 14

RST cookies how it works Client authenticated Source Guard Target Infrastructure Security, 3/04 2004 Cisco Systems, Inc. All rights reserved. 15

Anti-Spoofing Defense - One example: DNS Client-Resolver (over UDP) Antispoofing only when under attack Authenticate source on initial query syn Ab.com rqst UDP/53 Subsequent queries verified Reply Repeated IP - UDP Reply Authenticated IP Client Guard Target Infrastructure Security, 3/04 2004 Cisco Systems, Inc. All rights reserved. 16

Extra slides SQL Injections - from an old talk I gave in the school

Our Objective Prevent SQL Injection and XSS Attacks HTTP access Web server DB Secure Network

SQL-Injection Benign: SELECT * FROM users WHERE name= alice AND password= 1234 Malicious: SELECT * FROM users WHERE name= alice AND password= 1234 OR a = a We got ourselves a list of usernames and their respective passwords, and can access the DB

SQL-Injection (cont.) Benign: SELECT phone FROM clients WHERE name= alice Malicious: SELECT phone FROM clients WHERE name= alice ; UPDATE clients SET debt=0 WHERE name= eve ;-- Information tampering. Can also be used for DB mutilation and information disclosure

SQL-Injection - Audit Evasion Benign: SELECT phone FROM clients WHERE name= alice Malicious: SELECT phone FROM clients WHERE name= alice ; UPDATE clients SET debt=0 WHERE name= eve ;-- A skilled DBA will be able to track this!

SQL-Injection Audit Evasion (cont.) Benign: SELECT phone FROM clients WHERE name= alice Malicious: SELECT phone FROM clients WHERE name= alice ; UPDATE clients SET debt=0 WHERE name= eve ; --sp_password MS SQL Server 2000 prior to SP3

XSS Cross Site Scripting Aim: Getting the victim s web browser to execute malicious code Many variants. An example: Alice s server hosts an innocent web forum

XSS An Example Bob s browser Alice s trusted web server Mallory Bob browses the forum s pages A post with malicious code

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback