Presentation on theme: "Unwanted Network Traffic: Threats and Countermeasures CS 3251 Prof. Nick Feamster November 13, 2006."— Presentation transcript:
Unwanted Network Traffic: Threats and Countermeasures
CS 3251, Prof. Nick Feamster, November 13, 2006
Slide 2: What is Network Security?
- Confidentiality: Preventing eavesdropping
  – E-commerce
  – Voice over IP
- Integrity: Ensuring data is unchanged in transit
  – Similar applications as above
- Anonymity: Cloaking the identity of communicants
- Auditing: Finding out what happened later
- Unwanted traffic prevention
Slide 3: Some Questions
- What percentage of traffic is spam?
  – About 85% as of Jan 2006 [maawg.org]
- Frequency of phishing attacks?
  – About 1,000 per day [antiphishing.org]
- Frequency of denial of service attacks?
  – About 4,000 per week, as of 2001 [caida.org]
- Country hosting the most spam and phishing attacks?
  – United States
Slide 4: Unwanted Traffic Security Products
- Ironport C600: Spam Filtering
  – Lots of spam
  – Fast detection
  – Changing techniques and characteristics
- Arbor Peakflow SP: Traffic Monitoring
  – Large volumes of traffic
  – Fast detection
  – Changing techniques and characteristics
Slide 5: Two Facets
- Host-based: Safeguarding Hosts
  – Protecting the end hosts from attack
  – Protecting hosts from generating unwanted traffic
  – A losing battle…
- Network-based: Safeguarding Pipes
  – Keeping bad traffic off of the network
  – Ultimate goal is often to protect hosts
  – Also, keeping the pipes clean
- All about the network: Security increasingly depends on safeguarding the pipes.
Slide 6: Types of Unwanted Traffic
- Denial of Service
- Spam
- Phishing
- Click Fraud
- …
- How is unwanted traffic generated?
Slide 7: Denial of Service: The Old Days
- Single host floods the link or service
- Can attack various resources
  – Bandwidth
  – Number of open connections
  – Server computational power
- [Figure: TCP SYN Flood Attack (attacker sends SYN to victim) and TLS/SSL Connection Attack (attacker sends ClientHello to victim)]
- Attacker exhausts resources without spending much of its own.
Slide 8: Characteristics
- Asymmetry
  – More expensive for the receiver to process than for the attacker to send
- IP addresses can be spoofed
  – Difficult to trace
Slide 9: Restore Symmetry: TCP SYN Cookies
- Client sends SYN w/ ACK number
- Server responds to client with SYN-ACK cookie
  – sqn = f(src addr, src port, dest addr, dest port, rand)
  – Server does not save state
- Honest client responds with ACK(sqn)
- Server checks response
  – If it matches the SYN-ACK, establishes connection
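The stateless exchange on this slide, as an added example that is not from the lecture: the server mints sqn as a keyed hash over the 4-tuple, the client's ISN and a coarse time counter (the "rand" in the slide), stores nothing, and later validates the third-handshake ACK by recomputing the hash. Addresses, ports and the secret are constructed; the 8-bit counter/24-bit MAC split is an assumption for illustration.

```python
import hashlib
import hmac
import os

# Constructed per-process secret; a real TCP stack rotates it periodically.
SECRET = os.urandom(16)


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and a time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """Server's SYN-ACK sequence number (sqn). No per-connection state is kept:
    the top 8 bits carry a wrapping time counter so old cookies expire, the low
    24 bits carry the MAC."""
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return ((counter & 0xFF) << 24) | mac


def check_ack(src_ip, src_port, dst_ip, dst_port, seq_num, ack_num, now_counter, max_age=2):
    """Validate the client's ACK. The ACK segment carries seq = client_isn + 1 and
    ack = sqn + 1, so both inputs to the hash can be recovered from the packet."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    client_isn = (seq_num - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    if ((now_counter - counter) & 0xFF) > max_age:
        return False  # stale counter, or a fabricated ACK that never saw our SYN-ACK
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big"))


def demo():
    """Honest client completes; a guessed ACK and an old cookie are rejected."""
    tup = ("203.0.113.7", 40000, "198.51.100.1", 80)  # constructed 4-tuple
    client_isn = 123456
    sqn = make_syn_cookie(*tup, client_isn, counter=17)
    ok = check_ack(*tup, client_isn + 1, sqn + 1, now_counter=18)
    guessed = check_ack(*tup, client_isn + 1, 0xDEADBEEF, now_counter=18)
    stale = check_ack(*tup, client_isn + 1, sqn + 1, now_counter=40)
    return ok, guessed, stale
```

A spoofed-source SYN flood never receives the SYN-ACK, so it cannot produce a valid ack number and the server commits no memory per half-open connection.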
Slide 10: Mitigation: Traceback (2 Techniques)
- Hash-based traceback
  – State in routers
- Probabilistic packet marking
  – State in packets
- [Figure: traceback topology with victim V, attacker A and routers R1 through R7]
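An added simulation (not from the lecture) of the "state in packets" approach in its simplest node-sampling form: each router on the path overwrites a single mark field with its own identifier with probability p, and the victim ranks the identifiers it collects by frequency. The router names mirror the slide's figure but the topology is constructed.

```python
import random
from collections import Counter


def forward(path, p, rng, attacker_mark=None):
    """Carry one packet from the attacker's first hop to the victim's last hop.
    Each router overwrites the mark field with its own id with probability p."""
    mark = attacker_mark
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def expected_fraction(distance, p):
    """Share of packets whose surviving mark belongs to the router `distance`
    hops from the victim (1 = nearest): it marks, and none of the d-1 routers
    downstream of it overwrite that mark."""
    return p * (1 - p) ** (distance - 1)


def reconstruct(marks, path_len):
    """Victim side: rank ids by how often they survived. The nearest router
    overwrites most, so the ranking reads victim-to-attacker."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common(path_len)]


def simulate(path, p=0.5, packets=20000, seed=1):
    """Flood `packets` packets down `path` (attacker side first) and rebuild it."""
    rng = random.Random(seed)
    marks = [forward(path, p, rng) for _ in range(packets)]
    return reconstruct(marks, len(path))


# Caveat visible in expected_fraction: the attacker's own forged mark survives
# with probability (1-p)^n, which for p = 0.5 ties the farthest legitimate
# router. Edge-sampling variants exist to remove that ambiguity; the flood's
# own volume is what makes the far routers' small fractions measurable.
if __name__ == "__main__":
    print(simulate(["R7", "R6", "R5", "R3", "R2", "R1"]))
```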
Slide 11: Technique du Jour: Distribution
- Distributed Denial of Service Attacks
- Attacks on Yahoo, eBay, Amazon: down for several hours
- [Figure: command and control sends many hosts to SYN-flood the victim]
Slide 12: Recurring Technique: Amplification
- Main Idea
  – Send a small amount of traffic to a host
  – Host replies to a large number of hosts
- Examples
  – Late 1990s: Smurf Attacks
  – June 2006: DNS Reflection Attacks: Amplification + Distribution
    – Amplification: small queries, large responses
    – Use open recursive DNS servers
Slide 13: DNS Reflection Attacks of March 06
- [Figure: Attacker commands zombies through C+C; a big TXT record is inserted into an innocent DNS server; open recursive DNS servers (35k used in attack; about 500k exist) query it and cache the record; queries are spoofed from the victim's IP, so the large responses go to the victim]
Slide 14: Distribution: Two Tasks
- Amassing an army of hosts
  – Need attack vectors
  – Millions of vulnerable hosts
  – The rise of Internet worms
Slide 15: History of the Internet Worm
- First worm: November 1988
- Experiment gone awry
  – $10M+ in damages
- Written by Cornell undergraduate Robert Morris
  – Now a professor at MIT…
- 10% coverage (6,000 hosts)
- Exploited 3 main vulnerabilities
  – Sendmail, fingerd, rsh/rexec
  – Buffer overflow and password
Slide 16: The Spread of Internet Worms
- Code Red (July 2001): About 12 hours
- How to design a faster spreading worm?
Slide 17: Distribution: Two Tasks
- Amassing an army of hosts
  – Need attack vectors
  – Millions of vulnerable hosts
- Retaining control of the compromised hosts
Slide 18: Botnets
- Bots: Autonomous programs performing tasks
- Plenty of benign bots
  – e.g., weatherbug
- Botnets: group of bots
  – Typically carries a malicious connotation
  – Large numbers of infected machines
  – Machines enlisted with infection vectors like worms (last lecture)
- Available for simultaneous control by a master
- Size: up to 350,000 nodes
  – Trend: Towards smaller botnets. Why?
Slide 19: Rallying the Botnet
- Easy to combine worm and backdoor functionality
- Problem: how to learn about successfully infected machines?
- Options
  – Hard-coded address
  – IRC servers
  – Web search engines
Slide 20: Botnet Control
- Botnet master typically runs some IRC server on a well-known port (e.g., 6667)
- Infected machine contacts botnet with pre-programmed DNS name (e.g., big-bot.de)
- Dynamic DNS: allows controller to move about freely
- [Figure: infected machine resolves the name via dynamic DNS and connects to the botnet controller (IRC server)]
Slide 21: From Attacks for Fun…
- Denial of service attacks
  – Attention getters
- Humble beginnings
  – Single-source
  – Many unsuccessful
- Burgeoning technology
  – Distribution (e.g., fast-spreading worms)
  – Controlling
Slide 22: …to Attacks for Profit
"While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden we've noticed a significant shift in both the type of attack and the motivation of the attack… The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers."
-- John Thomson, Symantec CEO, November 3, 2006
Slide 23: Spam
- Unsolicited commercial email
- About 85-90% of all traffic today
- Common spam filtering techniques
  – Content-based filters: Look for words, etc. in the content of the mail that are characteristic of spam
  – DNS-Based Blacklists: Maintain a blacklist of known bad IP addresses. Upon receiving mail, mail servers look up the sender's IP address in the list
Slide 24: BGP Spectrum Agility
- Log IP addresses of SMTP relays
- Join with BGP route advertisements seen at the network where the spam trap is co-located
- A small club of persistent players appears to be using this technique
- Common short-lived prefixes and ASes: [table of prefixes not recovered in the transcript; announcements live for ~10 minutes]
- Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)
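The join described on this slide, as an added example that is not from the lecture or the study behind it: SMTP relay addresses from the spam trap are matched against the BGP announcements that were live at the trap's network when each message arrived, and the covering prefix's announcement lifetime is used to flag short-lived (spectrum-agile) senders. The BGP updates, the spam log, the 10-minute threshold and the observation window are all constructed.

```python
import ipaddress
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed BGP updates at the spam trap's network: (time, A=announce/W=withdraw, prefix, origin AS)
BGP_UPDATES = [
    ("2006-10-01 10:00:00", "A", "10.0.0.0/8", "AS64500"),        # long-lived /8
    ("2006-10-01 10:05:00", "A", "198.51.100.0/24", "AS64511"),   # announced...
    ("2006-10-01 10:13:00", "W", "198.51.100.0/24", "AS64511"),   # ...and gone 8 minutes later
    ("2006-10-01 11:00:00", "A", "203.0.113.0/24", "AS64512"),
]
# Constructed SMTP relay log at the spam trap: (time, sender IP)
SPAM_LOG = [
    ("2006-10-01 10:02:00", "10.45.2.9"),
    ("2006-10-01 10:07:00", "198.51.100.77"),
    ("2006-10-01 10:20:00", "198.51.100.78"),   # arrives after the withdrawal
    ("2006-10-01 11:30:00", "203.0.113.5"),
]
OBS_END = _ts("2006-10-01 12:00:00")  # end of the constructed observation window

def build_intervals(updates, observation_end):
    """Turn announce/withdraw pairs into (network, AS, start, end) intervals;
    prefixes never withdrawn run to the end of the observation window."""
    open_, intervals = {}, []
    for t, kind, prefix, asn in updates:
        if kind == "A":
            open_[(prefix, asn)] = _ts(t)
        elif kind == "W" and (prefix, asn) in open_:
            intervals.append((ipaddress.ip_network(prefix), asn, open_.pop((prefix, asn)), _ts(t)))
    for (prefix, asn), start in open_.items():
        intervals.append((ipaddress.ip_network(prefix), asn, start, observation_end))
    return intervals

def classify(spam_log, intervals, threshold=timedelta(minutes=10)):
    """For each relay, pick the most specific prefix live at delivery time and
    label it by how long that announcement lasted. Returns (ip, prefix, verdict)."""
    out = []
    for t, ip in spam_log:
        ts, addr = _ts(t), ipaddress.ip_address(ip)
        covering = [iv for iv in intervals if addr in iv[0] and iv[2] <= ts < iv[3]]
        if not covering:
            out.append((ip, None, "no-route"))   # trap saw no route: worth its own look
            continue
        net, asn, start, end = max(covering, key=lambda iv: iv[0].prefixlen)
        verdict = "short-lived" if end - start <= threshold else "stable"
        out.append((ip, str(net), verdict))
    return out
```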
Slide 25: Why Such Big Prefixes?
- Flexibility: Client IPs can be scattered throughout dark space within a large /8
  – Same sender usually returns with different IP addresses
- Visibility: Route typically won't be filtered (nice and short)
Slide 26: Phishing: How It Works
- Combination of social engineering, mass communication, and ephemeral Web servers
- [Figure: spammer sends phish emails to the victim using URL links, phishing links, image links and "click here" links; the victim submits sensitive information to the attacker's phishing sites, which are short-lived!]
Slide 29: Design Questions
- Why is it so easy to send unwanted traffic?
- Where to place functionality for stopping unwanted traffic?
  – Edge vs. Core
  – Routers vs. Middleboxes
- What changes could we make to the current Internet architecture to detect and prevent unwanted traffic?
  – Naming
  – Addressing
  – Routing
Slide 30: If this was interesting…
- CS 7260 (Spring 2007)
- Security-related topics
  – Anomaly detection: rule-based, statistical
  – Worms, botnets, spam
  – Network monitoring and mitigation
  – Routing protocol security
- Plenty of other topics
  – Network management, troubleshooting, economics, etc.