Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unwanted Network Traffic: Threats and Countermeasures

Similar presentations

Presentation on theme: "Unwanted Network Traffic: Threats and Countermeasures"— Presentation transcript:

1 Unwanted Network Traffic: Threats and Countermeasures
CS 3251 Prof. Nick Feamster November 13, 2006

2 What is “Network Security”?
Confidentiality: Preventing eavesdropping E-commerce Voice Over IP Integrity: Ensuring data unchanged in transit Similar applications as above Anonymity: Cloaking identity of communicants Auditing: Finding out what happened later Unwanted traffic prevention

3 Some Questions What percentage of email traffic is spam?
About 85% as of Jan 2006 [] Frequency of phishing attacks? About 1,000 per day [] Frequency of denial of service attacks? About 4,000 per week, as of 2001 [] Country hosting most spam, phishing attacks? United States

4 Unwanted Traffic Security Products
Ironport C600: Spam Filtering Lots of spam Fast detection Changing techniques and characteristics Arbor Peakflow SP: Traffic Monitoring Large volumes of traffic Fast detection Changing techniques and characteristics

5 Two Facets Host-based: Safeguarding Hosts
Protecting the end hosts from attack Protecting hosts from generating unwanted traffic A losing battle… Network-based: Safeguarding Pipes Keeping bad traffic off of the network Ultimate goal is often to protect hosts Also, keeping the pipes clean All about the network: Security increasingly depends on safeguarding the pipes.

6 Types of Unwanted Traffic
Denial of Service Spam Phishing Click Fraud How is unwanted traffic generated?

7 Denial of Service: The Old Days
Single-host “floods” the link or service Can attack various resources Bandwidth Number of open connections Server computational power TCP SYN Flood Attack TLS/SSL Connection Attack ClientHello SYN Victim Victim Attacker Attacker ClientHello SYN SYN ClientHello Attacker exhausts resources without spending much of its own.

8 Characteristics Asymmetry IP addresses can be spoofed
More expensive for the receiver to process than for the attacker to send IP addresses can be spoofed Difficult to trace

9 Restore Symmetry: TCP SYN cookies
Client sends SYN w/ ACK number Server responds to Client with SYN-ACK cookie sqn = f(src addr, src port, dest addr, dest port, rand) Server does not save state Honest client responds with ACK(sqn) Server checks response If matches SYN-ACK, establishes connection

10 Mitigation: Traceback (2 Techniques)
Hash-based traceback State in routers Probabilistic packet marking State in packets A R R7 R R5 R6 R3 R1 R2 V

11 Technique du Jour: Distribution
Distributed Denial of Service Attacks Attacks on Yahoo, eBay, Amazon down for several hours “Command and Control” SYN Victim SYN SYN

12 Recurring Technique: Amplification
Main Idea Send a small amount of traffic to a host Host replies to a large number of hosts Examples Late 1990s: Smurf Attacks June 2006: DNS Reflection Attacks: Amplification + Distribution Amplification: small queries, large responses Use open recursive DNS servers

13 DNS Reflection Attacks of March ‘06
C+C Attacker Zombie Zombie Zombie Queries spoofed from victim’s IP Insert big TXT record Query, then cache Victim Innocent DNS Server Open Recursive DNS Servers (35k used in attack; about 500k exist)

14 Distribution: Two Tasks
Amassing an army of hosts Need attack vectors Millions of vulnerable hosts The rise of Internet worms

15 History of the Internet Worm
First worm: November 1988 Experiment gone awry $10M+ in damages Written by Cornell undergraduate, Robert Morris Now a professor at MIT… 10% coverage (6,000 hosts) Exploited 3 main vulnerabilities Sendmail, fingerd, rsh/rexec Buffer overflow and password

16 The Spread of Internet Worms
Code Red (July 2001): About 12 Hours How to design a faster spreading worm?

17 Distribution: Two Tasks
Amassing an army of hosts Need attack vectors Millions of vulnerable hosts Retaining control of the compromised hosts

18 Botnets Bots: Autonomous programs performing tasks
Plenty of “benign” bots e.g., weatherbug Botnets: group of bots Typically carries malicious connotation Large numbers of infected machines Machines “enlisted” with infection vectors like worms (last lecture) Available for simultaneous control by a master Size: up to 350,000 nodes Trend: Towards smaller botnets. Why?

19 “Rallying” the Botnet Easy to combine worm, backdoor functionality
Problem: how to learn about successfully infected machines? Options Hard-coded address IRC servers Web search engines

20 Botnet Controller (IRC server)
Dynamic DNS Botnet Controller (IRC server) Infected Machine Botnet master typically runs some IRC server on a well-known port (e.g., 6667) Infected machine contacts botnet with pre-programmed DNS name (e.g., Dynamic DNS: allows controller to move about freely

21 From Attacks for Fun… Denial of service attacks Humble beginnings
Attention getters Humble beginnings Single-source Many unsuccessful Burgeoning technology Distribution (e.g., fast-spreading worms) Controlling

22 …to Attacks for Profit "While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden we've noticed a significant shift in both the type of attack and the motivation of the attack… The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers." -- John Thomson, Symantec CEO, November 3, 2006

23 Spam Unsolicited commercial email
About 85-90% of all traffic today Common spam filtering techniques Content-based filters: Look for words, etc. in the content of the mail that is characteristic of spam DNS-Based Blacklists: Maintain a blacklist of known bad IP addresses Upon receiving , mail servers look up the sender’s IP address in a list

24 A small club of persistent players appears to be using this technique.
BGP Spectrum Agility Log IP addresses of SMTP relays Join with BGP route advertisements seen at network where spam trap is co-located. A small club of persistent players appears to be using this technique. Common short-lived prefixes and ASes /8 4678 / /8 8717 ~ 10 minutes Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)

25 Why Such Big Prefixes? Flexibility: Client IPs can be scattered throughout dark space within a large /8 Same sender usually returns with different IP addresses Visibility: Route typically won’t be filtered (nice and short)

26 Phishing: How It Works Combination of social engineering, mass communication, and ephemeral Web servers Methods Attacker Spammer URL links Phishing links Image links “Click here” links Spammer Spammer Phish s Phishing Sites Phishing Sites Phishing Sites Phishing Sites Victim Sensitive information Short-lived!

27 Example Phishing Attack
Bogus Link

28 Targets of Phishing Attacks
Source: Mostly financial services (bank accounts, etc.) Occasionally retail services Others, too!

29 Design Questions Why is it so easy to send unwanted traffic?
Where to place functionality for stopping unwanted traffic? Edge vs. Core Routers vs. Middleboxes What changes could we make to the current Internet architecture to detect and prevent unwanted traffic? Naming Addressing Routing

30 If this was interesting…
CS 7260 (Spring 2007) Security-related topics Anomaly detection Rule-based Statistical Worms, botnets, spam Network monitoring and mitigation Routing protocol security Plenty of other topics Network management, troubleshooting, economics, etc.

Download ppt "Unwanted Network Traffic: Threats and Countermeasures"

Similar presentations

Ads by Google