CSE Computer Security (Fall 2006)

Similar documents
CSE Computer Security

CNT Computer and Network Security: Denial of Service

CSE543 Computer and Network Security Module: Internet Malware

Chapter 7. Denial of Service Attacks

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

CSE543 Computer and Network Security Module: Internet Malware

Computer Security: Principles and Practice

CSE 565 Computer Security Fall 2018

COMPUTER NETWORK SECURITY

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Denial of Service (DoS)

DDoS and Traceback 1

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Distributed Denial of Service

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

DENIAL OF SERVICE ATTACKS

Network Security. Tadayoshi Kohno

Denial of Service. EJ Jung 11/08/10

EE 122: Network Security

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Network Security: Denial of Service (DoS) Tuomas Aura / Aapo Kalliola T Network security Aalto University, Nov-Dec 2011

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

ELEC5616 COMPUTER & NETWORK SECURITY

Denial of Service and Distributed Denial of Service Attacks

Distributed Denial of Service (DDoS)

Network Security. Chapter 0. Attacks and Attack Detection

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Network Security: Denial of Service (DoS) Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Lecture 12. Application Layer. Application Layer 1

Network Security: Denial of Service (DoS) Tuomas Aura (includes material by Aapo Kalliola) T Network security Aalto University, Nov-Dec 2014

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Cloudflare Advanced DDoS Protection

DDoS Testing with XM-2G. Step by Step Guide

6.033 Spring 2015! Lecture #24. Combating network adversaries! DDoS attacks! Intrusion Detection

INTRODUCTION ON D-DOS. Presentation by RAJKUMAR PATOLIYA

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

REMINDER course evaluations are online

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

Denial of Service, Traceback and Anonymity

NETWORK SECURITY. Ch. 3: Network Attacks

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

DDOS - Fighting Fire with Fire Michael Walfish, Hari Balakrishnan, David Karger, and Scott Shenker.

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

9. Security. Safeguard Engine. Safeguard Engine Settings

DDoS: Coordinated Attacks Analysis

Check Point DDoS Protector Simple and Easy Mitigation

Network Security: Denial of Service (DoS) Aapo Kalliola / Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Network and Internet Vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

(Distributed) Denial-of-Service. in theory and in practice

Distributed Systems. 21. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2018

CS November 2018

Survey of Several IP Traceback Mechanisms and Path Reconstruction

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

DDoS PREVENTION TECHNIQUE

CSCI 680: Computer & Network Security

Network Security: Denial of Service (DoS) Tuomas Aura / Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

The Protocols that run the Internet

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

CS November 2017

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Data Plane Protection. The googles they do nothing.

CS144 Review Session: Fall 2010 Behram Mistree

Foundations of Network and Computer Security

Network Fundamentals. Chapter 7: Networking and Security 4. Network Fundamentals. Network Architecture

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

CSC 574 Computer and Network Security. TCP/IP Security

Firewalls, Tunnels, and Network Intrusion Detection

Imma Chargin Mah Lazer

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Denial of Service (DoS) attacks and countermeasures

Chapter 10: Denial-of-Services

HP High-End Firewalls

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

ECE 435 Network Engineering Lecture 23

To Study and Explain the Different DDOS Attacks In MANET

A Survey of Defense Mechanisms Against DDoS Flooding A

Basic Concepts in Intrusion Detection

Network Security Protocols NET 412D

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

network security s642 computer security adam everspaugh

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Internet Protocol and Transmission Control Protocol

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

CE Advanced Network Security Botnets

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 11

Introduction to Security. Computer Networks Term A15

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

CS244a: An Introduction to Computer Networks

Transcription:

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ 1

Denial of Service Intentional prevention of access to valued resource CPU, memory, disk (system resources) DNS, print queues, NIS (services) Web server, database, media server (applications) This is an attack on availability (fidelity) Note: launching DOS attacks is easy Note: preventing DOS attacks is hard Mitigation the path most frequently traveled 2

D/DOS (generalized by Mirkovic) Send a stream of packets/requests/whatever many PINGS, HTML requests,... Send a few malformed packets causing failures or expensive error handling low-rate packet dropping (TCP congestion control) ping of death Abuse legitimate access Compromise service/host Use its legitimate access rights to consume the rights for domain (e.g., local network) E.g., First-year graduate student runs a recursive file operation on root of NFS partition 3

SMURF Attacks This is one of the deadliest and simplest of the DOS attacks (called a naturally amplified attack) Send a large number PING packet networks on the broadcast IP addresses (e.g., 192.168.27.254) Set the source packet IP address to be your victim All hosts will reflexively respond to the ping at your victim and it will be crushed under the load. Host Host Host Host Host adversary Broadcast victim Host Host Host Host 4

Canonical (common) DOS - Request Flood Attack: request flooding Overwhelm some resource with legitimate requests e.g., web-server, phone system Note: unintentional flood is called a flash crowd 5

DOS Prevention - Reverse-Turing Tests Turing test: measures whether a human can tell the difference between a human or computer (AI) Reverse Turning tests: measures whether a user on the internet is a person, a bot, whatever? CAPTCHA - completely automated public Turing test to tell computers and humans apart contorted image humans can read, computers can t image processing pressing SOA, making these harder Note: often used not just for DOS prevention, but for protecting free services (email accounts) 6

DOS Prevention - Puzzles Make the solver present evidence of work done If work is proven, then process request Note: only useful if request processing significantly more work than Puzzle design Must be hard to solve Easy to Verify Canonical Example Puzzle: given x-bits of output of h(r), where h is a cryptographic hash function Solution: Invert h(r) Q: Assume you are given 108 bits of output for 128-bit hash function, how hard would it be to solve the puzzle? 7

Distributed denial of service DDOS: Network oriented attacks aimed at preventing access to network, host or service Saturate the target s network with traffic Consume all network resources (e.g., SYN) Overload a service with requests Use expensive requests (e.g., sign this data ) Can be extremely costly (e.g, Amazon) Result: service/host/network is unavailable Frequently distributed via other attack Note: IP is often hidden (spoofed) 8

The canonical DDOS attack (master) (router) Internet LAN (adversary) (zombies) (target) 9

Adversary Network (zombies) (masters) (adversary) (target) 10

Why DDOS What would motivate someone DDOS? An axe to grind Curiosity (script kiddies) Blackmail Information warfare Internet is an open system... Packets not authenticated, probably can t be Would not solve the problem just move it (firewall) Too many end-points can be remote controlled 11

Why is DDOS possible? (cont.) Interdependence - services dependent on each other E.g., Web depends on TCP and DNS, which depends on routing and congestion control, Limited resources (or rather resource imbalances) Many times it takes few resources on the client side to consume lots of resources on the server side E.g., SYN packets consume lots of internal resources You tell me.. (as said by Mirkovic et al.) Intelligence and resources not co-located No accountability Control is distributed 12

DDOS and the E2E argument E2E (a simplified version): We should design the network such that all the intelligence is at the edges. So that the network can be more robust and scalable Many think is the main reason why the Internet works Downside: Also, no real ability to police the traffic/content So, many security solutions break this E2E by cracking open packets (e.g., application level firewalls) DDOS is real because of this 13

Q: An easy fix? How do you solve distributed denial of service? 14

Simple DDOS Mitigation Page Ingress/Egress Filtering Helps spoofed sources, not much else Better Security Limit availability of zombies, not feasible Prevent compromise, viruses, Quality of Service Guarantees (QOS) Pre- or dynamically allocate bandwidth E.g., diffserv, RSVP Helps where such things are available Content replication E.g,. CDS Useful for static content

Pushback Page Initially, detect the DDOS Use local algorithm, ID-esque processing Flag the sources/types/links of DDOS traffic Pushback on upstream routers Contact upstream routers using PB protocol Indicate some filtering rules (based on observed) Repeat as necessary towards sources Eventually, all (enough) sources will be filtered Q: What is the limitation here? R1 R2 R3 R4

Traceback Routers forward packet data to source Include packets and previous hop At low frequency (1/20,000) Targets reconstruct path to source (IP unreliable) Use per-hop data to look at Statistics say that the path will be exposed Enact standard Add filters at routers along the path R1 R2 R3 R1 R2 R3 R4 Page

DDOS Reality None of the protocol oriented solutions have really seen any adoption too many untrusting, ill-informed, mutually suspicious parties must play together well (hint: human nature) solution have many remaining challenges Real Solution Large ISP police there ingress/egress points very carefully Watch for DDOS attacks and filter appropriately e.g., BGP (routing) tricks, blacklisting, whitelisting Products in existing that coordinate view from many points in the network to identify upswings in Interestingly, this is the same way they deal with worms... Page

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback