Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Similar documents
Network Security. Chapter 0. Attacks and Attack Detection

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Denial of Service and Distributed Denial of Service Attacks

Chapter 7. Denial of Service Attacks

Configuring attack detection and prevention 1

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Configuring attack detection and prevention 1

DDoS Testing with XM-2G. Step by Step Guide

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

The Protocols that run the Internet

COMPUTER NETWORK SECURITY

Denial of Service (DoS)

NETWORK SECURITY. Ch. 3: Network Attacks

Network Security Protocols NET 412D

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

9. Security. Safeguard Engine. Safeguard Engine Settings

Computer Security: Principles and Practice

ELEC5616 COMPUTER & NETWORK SECURITY

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

2. INTRUDER DETECTION SYSTEMS

Attack Prevention Technology White Paper

Basic Concepts in Intrusion Detection

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Anatomy and Mechanism of DOS attack

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Chapter 10: Denial-of-Services

Distributed Denial of Service (DDoS)

DDoS PREVENTION TECHNIQUE

CSE Computer Security (Fall 2006)

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Network Security. Thierry Sans

A Software Tool for Network Intrusion Detection

INTRODUCTION ON D-DOS. Presentation by RAJKUMAR PATOLIYA

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

CSE 565 Computer Security Fall 2018

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Cloudflare Advanced DDoS Protection

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Denial of Service, Traceback and Anonymity

Denial of Service (DoS) attacks and countermeasures

CSE 565 Computer Security Fall 2018

Chapter 4. Network Security. Part I

CSC 574 Computer and Network Security. TCP/IP Security

HP High-End Firewalls

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

DDoS and Traceback 1

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 11

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Denial of Service. EJ Jung 11/08/10

Chapter 11: Networks

DENIAL OF SERVICE ATTACKS

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

20-CS Cyber Defense Overview Fall, Network Basics

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Computer Security: Principles and Practice

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Networking interview questions

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

Chapter 8 roadmap. Network Security

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

Firewalls, Tunnels, and Network Intrusion Detection

Computer Security and Privacy

Chapter 2. Switch Concepts and Configuration. Part II

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

CIS 551 / TCOM 401 Computer and Network Security

Are You Fully Prepared to Withstand DNS Attacks?

Systems and Network Security (NETW-1002)

Trends in Denial of Service Attack Technology -or Oh, please, they aren t smart enough to do that

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

CSE Computer Security

Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks

Introduction to Security. Computer Networks Term A15

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

SE 4C03 Winter 2005 Network Firewalls

Computer and Network Security

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Authors: Mark Handley, Vern Paxson, Christian Kreibich

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Configuring Access Rules

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

Transcription:

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks

System Vulnerabilities and Denial of Service Attacks Introduction and Threat Overview Denial of Service Threats DoS Attacks: Classification System Vulnerabilities Honeypots Upcoming Challenges Network Security, WS 2011/12, Chapter 8 2

A High Level Model for Internet-Based IT- Infrastructure Private Networks Public Internet Mobile Communication Networks... Access Network Sensor Networks Network Management DNS Server... Support Infrastructure Web-Servers etc. ISP Networks Network Security, WS 2011/12, Chapter 8 3

System Vulnerabilities and Denial of Service Attacks Introduction and Threat Overview Denial of Service Threats DoS Attacks: Classification System Vulnerabilities Honeypots Upcoming Challenges Network Security, WS 2011/12, Chapter 8 4

Denial of Service What is Denial of Service? Denial of Service (DoS) attacks aim at denying or degrading legitimate users access to a service or network resource, or at bringing down the servers offering such services Motivations for launching DoS attacks: Hacking (just for fun, by script kiddies,...) Gaining information leap ( 1997 attack on bureau of labor statistics server; was possibly launched as unemployment information has implications to the stock market) Discrediting an organization operating a system (i.e. web server) Revenge (personal, against a company,...) Political reasons ( information warfare )... Network Security, WS 2011/12, Chapter 8 5

Denial of Service Attacking Techniques Resource destruction (disabling services): Hacking into systems Making use of implementation weaknesses as buffer overflow Deviation from proper protocol execution Resource depletion by causing: Storage of (useless) state information High traffic load (requires high overall bandwidth from attacker) Expensive computations ( expensive cryptography!) Resource reservations that are never used (e.g. bandwidth) Origin of malicious traffic: Genuineness of source addresses: either genuine or forged Number of sources: single source, or multiple sources (Distributed DoS, DDoS) Network Security, WS 2011/12, Chapter 8 6

Examples: Resource Destruction Ping-of-Death: Maximum size of TCP/IP packet is 65536 bytes Oversized packet may crash, freeze, reboot system Teardrop: Fragmented packets are reassembled using the Offset field. Overlapping Offset fields might cause system to crash. Normal Behavior Teardrop Attack Network Security, WS 2011/12, Chapter 8 7

Resource Depletion Example 1: Abusing ICMP Two main reasons make ICMP particular interesting for attackers: It may be addressed to broadcast addresses Routers respond to it The Smurf attack - ICMP echo request to broadcast: An attacker sends an ICMP echo request to a broadcast address with the source addressed forged to refer to the victim local broadcast: 255.255.255.255; directed broadcast: (191.128.0.0/24) 191.128.0.255 Routers (often) allow ICMP echo requests to broadcast addresses All devices in the addressed network respond to the packet The victim is flooded with replies to the echo request With this technique, the network being abused as an (unaware) attack amplifier is also called a reflector network:... Network Security, WS 2011/12, Chapter 8 8

Resource Depletion Example 2: TCP-SYN Flood Category Storage of useless state information: Here: TCP-SYN flood attack D E Attacker Victim Connection Table A B C D E... A B C TCP SYN packets with forged source addresses ( SYN Flood ) TCP SYN ACK packet to assumed initiator ( Backscatter ) Network Security, WS 2011/12, Chapter 8 9

Resource Depletion with Distributed DoS (1) Attacker Victim Category Overwhelming the victim with traffic Attacker intrudes multiple systems by exploiting known flaws Attacker installs DoSsoftware: Root Kits are used to hide the existence of this software DoS-software is used for: Exchange of control commands Launching an attack Coordinating the attack Network Security, WS 2011/12, Chapter 8 10

Resource Depletion with Distributed DoS (2) Masters Slaves Attacker Victim The attacker classifies the compromised systems in: Master systems Slave systems Master systems: Receive command data from attacker Control the slaves Slave systems: Launch the proper attack against the victim During the attack there is no traffic from the attacker Control Traffic Attack Traffic Network Security, WS 2011/12, Chapter 8 11

Resource Depletion with Distributed DoS (3) Different Attack Network Topologies Master Master Slaves Slaves Reflector Reflector Reflector Victim a.) Master-Slave-Victim Victim b.) Master-Slave-Reflector-Victim Network Security, WS 2011/12, Chapter 8 12

Resource Depletion with CPU Exhaustion Category CPU exhaustion by causing expensive computations: Here: attacking with bogus authentication attempts Attacker attacker requests for connection with server server asks client for authentication attacker sends false digital signature, server wastes resources verifying false signature Victim The attacker usually either needs to receive or guess some values of the second message, that have to be included in the third message for the attack to be successful Also, the attacker, must trick the victim repeatedly to perform the expensive computation in order to cause significant damage Be aware of DoS-Risks when introducing security functions into protocols!!! Network Security, WS 2011/12, Chapter 8 13

System Vulnerabilities and Denial of Service Attacks Introduction and Threat Overview Denial of Service Threats DoS Attacks: Classification System Vulnerabilities Honeypots Upcoming Challenges Network Security, WS 2011/12, Chapter 8 14

DoS Attacks: Classification Classification by exploited vulnerability Software vulnerability attacks Protocol attacks Brute-Force / flooding attacks Classification by attack rate dynamics: Continues rate Variable rate: Increasing Fluctuating Classification by impact: Disruptive Degrading Network Security, WS 2011/12, Chapter 8 15

Classification of DoS Attacks by Exploited Vulnerability (1) Based on the vulnerability that is targeted during an attack, DoS attacks can be classified into: Software vulnerability attacks Protocol attacks Brute-Force / flooding attacks Some attacks can be classified into more than one of these categories. (see below) Software vulnerability attacks: Here, software bugs are exploited. Examples: Cisco 7xx attack: Some Cisco 7xx routers were crashed by connecting with Telnet and typing a very long password a password buffer overflow. Ping-of-Death Teardrop Network Security, WS 2011/12, Chapter 8 16

Classification of DoS Attacks by Exploited Vulnerability (2) Protocol Attacks Exploits a specific feature or implementation bug of the protocol. Examples include: TCP SYN flood attacks Authentication server attacks Ping-of-death Teardrop Brute-force Attacks / Flooding attacks: The victim is overwhelmed with a vast amount of seemingly legitimate transactions. Brute-force attacks are further classified into two sub-categories: (see also next slide for more details) Filterable attacks Non-filterable attacks Network Security, WS 2011/12, Chapter 8 17

Classification of DoS Attacks by Exploited Vulnerability (3) Filterable attacks: The flood packets are not critical for the service offered by the victim, and therefore can be filtered. Example: UDP flood or ICMP request flood on a web server. Non-filterable attacks: The flood packets request legitimate services from the victim. Examples include: HTTP request flood targeting a Web server CGI request flood DNS request flood targeting a name server Filtering all the packets would be an immediate DoS attack to both attackers and legitimate users. The victim might mitigate the effect of protocol attacks, by modifying the deployed protocol. However, the victim is helpless against brute-force attacks if they use legitimate services. Network Security, WS 2011/12, Chapter 8 18

Classification of DoS Attacks by Attack Rate Dynamics Based on the attack rate dynamics that is targeted during an attack, DoS attacks can be classified into: Continuous Rate Attacks Variable Rate Attacks Continuous Rate Attacks: The most frequent kind of attack When the attack is launched, agent machines generate attack packets with a large constant rate. The sudden packet flood disrupts the victim s services quickly. The attack may be noticed quickly. Variable Rate Attacks: Vary the attack rate to avoid detection The attack rate might be increasing over a long time or even fluctuating, which makes detection even harder. Network Security, WS 2011/12, Chapter 8 19

Classification by Impact Disruptive: The goal is to fully deny the victim s service to its clients The most common category of attacks Degrading: A portion of the victim s resources (e.g. 30%) are occupied by the attackers. Can remain undetected for a signification time period Customers experience slow response times or now service during high load periods. Customers go to an other Service Provider. Network Security, WS 2011/12, Chapter 8 20

System Vulnerabilities: Basic Attacking Styles Origin of attacks: Remote attacks: attacker breaks into a machine connected to same network, usually through flaw in software Local attacks: malicious user gains additional privileges on a machine (usually administrative) Main attacking techniques: Buffer overflow: Intentional manipulation of program state by causing an area of memory to be written beyond its allocated limits Race condition: Exploiting non-atomic execution of a series of commands by inserting actions that were unforeseen by the programmer Exploiting trust in program input / environment: It is often possible to maliciously craft input / environment variables to have deleterious side effects Programmers are often unaware of this Network Security, WS 2011/12, Chapter 8 21

Identifying Vulnerable Systems with Port Scans (1) Background Identification of vulnerable systems / applications in order to identify systems to compromise Automated distribution of worms Scan types Vertical scan: sequential or random scan of multiple (5 or more) ports of a single IP address from the same source during a one hour period Horizontal scan: scan of several machines (5 or more) in a subnet at the same target port from the same source during a one hour period Coordinated scan: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 subnet within a one hour window; also called distributed scan Stealth scan: horizontal or vertical scans initiated with a very low frequency to avoid detection Network Security, WS 2011/12, Chapter 8 22

System Vulnerabilities and Denial of Service Attacks Introduction and Threat Overview Denial of Service Threats DoS Attacks: Classification System Vulnerabilities Honeypots Upcoming Challenges Network Security, WS 2011/12, Chapter 8 23

Honeypots (1) A Honeypot is a resource, which pretends to be an attacked or compromised real target, but is a redundant or isolated resource where the attacker can not do any real damage. Motivation Get to know the enemy!! Low-Interaction Honeypots: Emulated services (e.g. FTP) and emulated operations systems Easier to deploy and maintain Can log only limited information Limited capture of activities High-Interaction Honeypots Involves real operation systems and real applications Can capture extensive amount of information Problem: Attackers can use this real operating system to attack nonhoneypot systems. Network Security, WS 2011/12, Chapter 8 24

Honeypots (2) Honeypots can capture unknown attacks. Honeypots can slow down or even stop the spread of worms. Worms scan for vulnerabilities, and take over the system. A honeypot can slow the scanning capabilities of the worm and eventually stop it. scan unused IP spaces TCP window size is zero. Real systems can not be taken offline for analysis. They are often too critical. They contain too much data pollution involved such as it is difficult to determine what the attacker actually did. Honeypots can quickly and easily be taken offline for a full forensic analysis. High-interaction honeypots are a very effective solution to prevent intrusion. They provide in-depth knowledge about the behavior of attackers. Network Security, WS 2011/12, Chapter 8 25

System Vulnerabilities and Denial of Service Attacks Introduction and Threat Overview Denial of Service Threats DoS Attacks: Classification System Vulnerabilities Honeypots Upcoming Challenges Network Security, WS 2011/12, Chapter 8 26

Some Upcoming Challenges The introduction of Internet protocols in classical and mobile telecommunication networks also introduces the Internet s DoS vulnerabilities to these networks Programmable end-devices (PDAs, smart phones) may constitute a large base of possible slave nodes for DDoS attacks on mobile networks Software defined radio implementation may even allow new attacking techniques: Hacked smart phones answer to arbitrary paging requests Unfair / malicious MAC protocol behavior... The ongoing integration of communications and automation ( sensor/actuator networks) may enable completely new DoS threats Network Security, WS 2011/12, Chapter 8 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback