Presentation is loading. Please wait.

Presentation is loading. Please wait.

NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,

Similar presentations


Presentation on theme: "NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,"— Presentation transcript:

1 NETWORK SECURITY EE122 Section 12

2 QUESTION 1

3 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g., because application process on A crashed  B does not ack the RST  Thus, RST is not delivered reliably  And: any data in flight is lost  But: if B sends anything more, will elicit another RST

4 END-TO-END SECURITY  Application layer  TLS/SSL encrypts all application layer data  … but does not encrypt the TCP header!

5 END-TO-END SECURITY Encrypted Content TCP Header IP Header TLS/SSL (Application Layer)

6 END-TO-END SECURITY  Application layer  TLS/SSL encrypts all application layer data  … but does not encrypt the TCP header!  Transport layer  TCP sequence number defends against blind spoofing  … but not man-in-the-middle attacks  Network layer  IPsec encrypts the entire IP payload, including the TCP header

7 END-TO-END SECURITY Encrypted Content TCP Header IP Header Encrypted IP Header IP Header Encrypted Content Encrypted TCP Header TLS/SSL (Application Layer) IPsec (Network Layer)

8 BLIND SPOOFING  Need to know the sequence number

9

10

11

12 BLIND SPOOFING  Need to know the sequence number  How? Guess all numbers!  Alternatively, infer  first send a legitimate TCP SYN  Let’s say the receiver responds with sequence number A  Then spoof a TCP SYN assuming the receiver responds with A+1  Defenses?

13 QUESTION 2

14 /16

15 Source IP:

16 /16 Source IP: Egress Filtering

17 /16 Source IP:

18 /16 Source IP: Ingress Filtering

19 /16 Source IP: Ingress Filtering What’s missing?

20 Receiver Attacker SYN SYNACK (seqno = y) Source ??? ACK (ackno = k?)

21 Receiver Attacker … Confirmation Request Source ??? Confirmation Response Defenses?

22 Receiver Attacker … Confirmation Request (123) Source ??? Confirmation Response (456?) Nonce

23 QUESTION 3

24 You Web server X 100Mbps 1Gbps Web server X can comfortably handle the load you generate

25 DISTRIBUTED DENIAL-OF-SERVICE (DDOS) MasterSlave 1 Slave 3 Slave 4 Slave 2 Victim Control traffic directs slaves at victim src = random dst = victim Slaves send streams of traffic (perhaps spoofed) to victim

26 Reflector (R) Internet Attacker (A) Victim (V) SYN SYNACK REFLECTORS  Cause one non-compromised host to attack another  E.g., host A sends TCP SYN with source V to server R  R sends reply to V

27 DIFFUSE DDOS: REFLECTOR ATTACK MasterSlave 1 Slave 3 Slave 4 Slave 2Victim Control traffic directs slaves at victim & reflectors Request: src = victim dst = reflector Reflectors send streams of non-spoofed but unsolicited traffic to victim Reflector 1Reflector 9Reflector 4Reflector 2Reflector 3Reflector 5Reflector 6Reflector 7Reflector 11Reflector 8Reflector 10 Reply: src = reflector dst = victim

28 MITIGATING DDOS  No good defense…  Solutions so far  Overprovision  Distribute service to multiple machines

29 QUESTION 4

30 AndrewSteve E(M, Steve pub )

31 AndrewSteve E(M, Steve pub ) Man-In-The- Middle

32 AndrewSteve Man-In-The- Middle E(M’, Steve pub )

33 AndrewSteve E(M, Steve pub ) MAC(H(M), Andrew private ) Andrew pub ???

34 AndrewSteve E(M, Steve pub ) MAC(H(M), Andrew private ) E(Andrew pub, Steve pub )

35 AndrewSteve Man-In-The- Middle MAC(H(M), Andrew private ) E(Andrew pub, Steve pub ) E(M, Steve pub )

36 AndrewSteve Man-In-The- Middle MAC(H(M’), MITM private ) E(MITM pub, Steve pub ) E(M’, Steve pub )


Download ppt "NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,"

Similar presentations


Ads by Google