1 Unwanted Network Traffic: Threats and Countermeasures
  CS 3251, Prof. Nick Feamster, November 13, 2006

2 What is “Network Security”?
  - Confidentiality: preventing eavesdropping (e-commerce, Voice over IP)
  - Integrity: ensuring data is unchanged in transit (similar applications as above)
  - Anonymity: cloaking the identity of communicants
  - Auditing: finding out what happened later
  - Unwanted traffic prevention

3 Some Questions
  - What percentage of email traffic is spam? About 85% as of Jan 2006 [maawg.org]
  - Frequency of phishing attacks? About 1,000 per day [antiphishing.org]
  - Frequency of denial of service attacks? About 4,000 per week, as of 2001 [caida.org]
  - Country hosting the most spam and phishing attacks? United States

4 Unwanted Traffic Security Products
  - Ironport C600: spam filtering
    - Lots of spam
    - Fast detection
    - Changing techniques and characteristics
  - Arbor Peakflow SP: traffic monitoring
    - Large volumes of traffic
    - Fast detection
    - Changing techniques and characteristics

5 Two Facets
  - Host-based: safeguarding hosts
    - Protecting the end hosts from attack
    - Protecting hosts from generating unwanted traffic
    - A losing battle…
  - Network-based: safeguarding pipes
    - Keeping bad traffic off of the network
    - Ultimate goal is often to protect hosts
    - Also, keeping the pipes clean
  All about the network: security increasingly depends on safeguarding the pipes.

6 Types of Unwanted Traffic
  - Denial of service
  - Spam
  - Phishing
  - Click fraud
  - …
  How is unwanted traffic generated?

7 Denial of Service: The Old Days
  - Single host “floods” the link or service
  - Can attack various resources
    - Bandwidth
    - Number of open connections
    - Server computational power
  - Examples: TCP SYN flood attack, TLS/SSL connection attack
  [Diagram: attacker sends a stream of SYN (or TLS ClientHello) messages to the victim]
  Attacker exhausts resources without spending much of its own.

8 Characteristics
  - Asymmetry: more expensive for the receiver to process than for the attacker to send
  - IP addresses can be spoofed
  - Difficult to trace

9 Restore Symmetry: TCP SYN Cookies
  - Client sends SYN with ACK number
  - Server responds to client with a SYN-ACK carrying the cookie: sqn = f(src addr, src port, dest addr, dest port, rand)
  - Server does not save state
  - Honest client responds with ACK(sqn)
  - Server checks the response: if it matches the SYN-ACK, it establishes the connection
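The stateless SYN-ACK check from slide 9, as an added example that is not part of the original lecture: the cookie is a keyed hash of the 4-tuple (the secret stands in for "rand"), bound to a coarse time slot so a stale cookie stops validating; the secret, slot length and addresses are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time

# Stands in for the slide's "rand" input. Constructed for this example;
# a real implementation rotates it periodically.
SERVER_SECRET = b"example-syn-cookie-secret-rotate-me"

# Cookies are bound to a coarse time slot so that a cookie captured earlier
# has a bounded lifetime (assumed slot length, not a protocol constant).
SLOT_SECONDS = 64


def _slot(now=None):
    return int(time.time() if now is None else now) // SLOT_SECONDS


def syn_cookie(src_addr, src_port, dst_addr, dst_port, now=None):
    """Sequence number for the SYN-ACK: sqn = f(4-tuple, time slot, secret).
    Nothing is stored, so a flood of spoofed SYNs costs the server one hash each."""
    msg = f"{src_addr}:{src_port}>{dst_addr}:{dst_port}|{_slot(now)}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]  # 32-bit initial sequence number


def check_ack(src_addr, src_port, dst_addr, dst_port, ack_number, now=None):
    """Validate the third-handshake ACK, which must acknowledge sqn + 1.
    The current and the previous slot are both accepted so a slot boundary
    crossed mid-handshake does not reject an honest client."""
    base = time.time() if now is None else now
    for offset in (0, SLOT_SECONDS):
        expected = (syn_cookie(src_addr, src_port, dst_addr, dst_port, base - offset) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", ack_number)):
            return True
    return False


if __name__ == "__main__":
    # Honest client: echoes sqn + 1. A spoofed SYN never produces a valid ACK,
    # and the server held no state for it in the meantime.
    sqn = syn_cookie("192.0.2.10", 40000, "198.51.100.1", 80)
    print("honest ACK accepted:", check_ack("192.0.2.10", 40000, "198.51.100.1", 80, (sqn + 1) & 0xFFFFFFFF))
    print("wrong ACK accepted:", check_ack("192.0.2.10", 40000, "198.51.100.1", 80, sqn))
```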
10 Mitigation: Traceback (2 Techniques)
  - Hash-based traceback: state in routers
  - Probabilistic packet marking: state in packets
  [Diagram: attacker A reaches victim V through routers R1 to R7]

11 Technique du Jour: Distribution
  - Distributed denial of service attacks
  - Attacks on Yahoo, eBay, Amazon: down for several hours
  - “Command and control”
  [Diagram: many controlled hosts send SYNs to the victim]

12 Recurring Technique: Amplification
  - Main idea
    - Send a small amount of traffic to a host
    - Host replies to a large number of hosts
  - Examples
    - Late 1990s: Smurf attacks
    - June 2006: DNS reflection attacks: amplification + distribution
      - Amplification: small queries, large responses
      - Use open recursive DNS servers

13 DNS Reflection Attacks of March ’06
  [Diagram: command and control directs zombies; queries spoofed from the victim's IP go to open recursive DNS servers, which fetch and cache a big TXT record from an innocent DNS server and send the responses to the victim]
  - Queries spoofed from victim’s IP
  - Insert big TXT record; query, then cache
  - Open recursive DNS servers (35k used in attack; about 500k exist)

14 Distribution: Two Tasks
  - Amassing an army of hosts
    - Need attack vectors
    - Millions of vulnerable hosts
    - The rise of Internet worms

15 History of the Internet Worm
  - First worm: November 1988
  - Experiment gone awry: $10M+ in damages
  - Written by Cornell undergraduate Robert Morris (now a professor at MIT…)
  - 10% coverage (6,000 hosts)
  - Exploited 3 main vulnerabilities: sendmail, fingerd, rsh/rexec (buffer overflow and password)

16 The Spread of Internet Worms
  - Code Red (July 2001): about 12 hours
  - How to design a faster-spreading worm?

17 Distribution: Two Tasks
  - Amassing an army of hosts
    - Need attack vectors
    - Millions of vulnerable hosts
  - Retaining control of the compromised hosts

18 Botnets
  - Bots: autonomous programs performing tasks
    - Plenty of “benign” bots, e.g., WeatherBug
  - Botnets: group of bots
    - Typically carries a malicious connotation
    - Large numbers of infected machines
    - Machines “enlisted” with infection vectors like worms (last lecture)
    - Available for simultaneous control by a master
  - Size: up to 350,000 nodes
  - Trend: towards smaller botnets. Why?

19 “Rallying” the Botnet
  - Easy to combine worm and backdoor functionality
  - Problem: how to learn about successfully infected machines?
  - Options
    - Hard-coded address
    - IRC servers
    - Web search engines

20 Botnet Controller (IRC server)
  [Diagram: infected machine resolves the controller's name via dynamic DNS and connects to the IRC server]
  - Botnet master typically runs some IRC server on a well-known port (e.g., 6667)
  - Infected machine contacts the botnet with a pre-programmed DNS name (e.g., big-bot.de)
  - Dynamic DNS allows the controller to move about freely

21 From Attacks for Fun…
  - Denial of service attacks
  - Humble beginnings
    - Attention getters
    - Single-source
    - Many unsuccessful
  - Burgeoning technology
    - Distribution (e.g., fast-spreading worms)
    - Controlling
22 …to Attacks for Profit
  “While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden we've noticed a significant shift in both the type of attack and the motivation of the attack… The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers.”
  -- John Thompson, Symantec CEO, November 3, 2006
23 Spam
  - Unsolicited commercial email
  - About 85-90% of all traffic today
  - Common spam filtering techniques
    - Content-based filters: look for words, etc. in the content of the mail that are characteristic of spam
    - DNS-based blacklists: maintain a blacklist of known bad IP addresses; upon receiving mail, mail servers look up the sender’s IP address in the list
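The two filtering techniques from slide 23 side by side, as an added example that is not part of the original lecture: a DNSBL lookup name is the sender's IPv4 octets reversed under the list's zone, and only an answer inside 127.0.0.0/8 counts as a listing (a retired or wildcarded zone must not reject all mail). The zone name, word list, resolver and addresses are constructed for this example.

```python
from ipaddress import IPv4Address, ip_address, ip_network


def dnsbl_query_name(sender_ip, zone):
    """Build the lookup name: octets reversed, then the blacklist zone appended."""
    addr = ip_address(sender_ip)
    if not isinstance(addr, IPv4Address):
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(sender_ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] on NXDOMAIN (injected so
    the example runs offline). Only answers in 127.0.0.0/8 are treated as a listing."""
    answers = resolve(dnsbl_query_name(sender_ip, zone))
    return any(ip_address(a) in ip_network("127.0.0.0/8") for a in answers)


SPAM_WORDS = ("lottery", "winner", "free money", "act now")  # constructed word list


def content_score(body):
    """Count spam-characteristic phrases in the message body."""
    text = body.lower()
    return sum(1 for w in SPAM_WORDS if w in text)


def classify(sender_ip, body, resolve, zone="dnsbl.example", word_threshold=2):
    """Blacklist check first (cheap, done at SMTP time), content check second."""
    if is_listed(sender_ip, zone, resolve):
        return "reject"
    if content_score(body) >= word_threshold:
        return "quarantine"
    return "deliver"


# Constructed zone data standing in for a live DNSBL; 192.0.2.1 is a bogus
# answer outside 127/8 and must be ignored.
FAKE_ZONE = {
    "9.77.33.10.dnsbl.example": ["127.0.0.2"],
    "4.1.200.10.dnsbl.example": ["192.0.2.1"],
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    print(classify("10.33.77.9", "hello", fake_resolve))
    print(classify("10.200.1.4", "You are a WINNER of the lottery, act now", fake_resolve))
```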
24 BGP Spectrum Agility
  - Log IP addresses of SMTP relays
  - Join with BGP route advertisements seen at the network where the spam trap is co-located
  - A small club of persistent players appears to be using this technique
  - Common short-lived prefixes and ASes: a /8 from AS 4678, a /8 from AS 8717, announced for ~10 minutes
  - Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)
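The join described on slide 24, as an added example that is not part of the original lecture: SMTP client IPs from the spam trap are matched against the longest route covering them at connection time, and senders whose covering route lived only minutes are flagged. The BGP feed, SMTP log, prefixes and private-use AS numbers are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed BGP update feed as seen at the network hosting the spam trap:
# (minute, action, prefix, origin AS). "A" = announce, "W" = withdraw.
# Prefixes and AS numbers (private-use range) are sample values, not real routes.
BGP_UPDATES = [
    (0, "A", "10.0.0.0/8", 64496),
    (9, "W", "10.0.0.0/8", 64496),
    (0, "A", "203.0.113.0/24", 64500),  # stable route, never withdrawn
    (30, "A", "172.0.0.0/8", 64497),
    (38, "W", "172.0.0.0/8", 64497),
]

# Constructed SMTP relay log at the spam trap: (minute, client IP).
SMTP_LOG = [
    (5, "10.33.77.9"),
    (7, "10.200.1.4"),
    (20, "203.0.113.44"),
    (33, "172.9.9.9"),
]


def route_lifetimes(updates):
    """Pair each announcement with its withdrawal -> (network, asn, start, end).
    Routes still announced at the end of the feed get end=None."""
    open_routes, routes = {}, []
    for minute, action, prefix, asn in sorted(updates, key=lambda u: u[0]):
        key = (prefix, asn)
        if action == "A":
            open_routes[key] = minute
        elif action == "W" and key in open_routes:
            routes.append((ip_network(prefix), asn, open_routes.pop(key), minute))
    routes.extend((ip_network(p), a, start, None) for (p, a), start in open_routes.items())
    return routes


def flag_short_lived_senders(smtp_log, updates, max_minutes=10):
    """Join each SMTP client IP with the longest-matching route announced at the
    time it connected; flag it when that route was withdrawn within max_minutes."""
    routes = route_lifetimes(updates)
    flagged = []
    for minute, ip in smtp_log:
        addr = ip_address(ip)
        live = [r for r in routes
                if addr in r[0] and r[2] <= minute and (r[3] is None or minute < r[3])]
        if not live:
            continue  # unrouted at that time: not the pattern this check looks for
        net, asn, start, end = max(live, key=lambda r: r[0].prefixlen)
        if end is not None and end - start <= max_minutes:
            flagged.append((ip, str(net), asn, end - start))
    return flagged
```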
25 Why Such Big Prefixes?
  - Flexibility: client IPs can be scattered throughout dark space within a large /8; the same sender usually returns with a different IP address
  - Visibility: the route typically won’t be filtered (nice and short)

26 Phishing: How It Works
  - Combination of social engineering, mass communication, and ephemeral Web servers
  - Methods: URL links, phishing links, image links, “click here” links
  [Diagram: attacker supplies phishing sites to spammers; spammers send links to victims; victims hand sensitive information to short-lived phishing sites]

29 Design Questions
  - Why is it so easy to send unwanted traffic?
  - Where to place functionality for stopping unwanted traffic?
    - Edge vs. core
    - Routers vs. middleboxes
  - What changes could we make to the current Internet architecture to detect and prevent unwanted traffic?
    - Naming
    - Addressing
    - Routing

30 If this was interesting…
  - CS 7260 (Spring 2007)
  - Security-related topics
    - Anomaly detection: rule-based, statistical
    - Worms, botnets, spam
    - Network monitoring and mitigation
    - Routing protocol security
  - Plenty of other topics: network management, troubleshooting, economics, etc.