06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

Slides:



Advertisements
Similar presentations
Network Layer Delivery Forwarding and Routing
Advertisements

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Packet filtering using cisco access listsINET97 / track 2 # 1 packet filters using cisco access lists Fri 19 June 97.
Security Issues In Mobile IP
Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Multihoming and Multi-path Routing
Multihoming and Multi-path Routing
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.
1 Linux IP Masquerading Brian Vargyas XNet Information Systems.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts
Year 6 mental test 5 second questions
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
Student Guide Access List.
BT Wholesale October Creating your own telephone network WHOLESALE CALLS LINE ASSOCIATED.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
CCENT Study Guide Chapter 12 Security.
ABC Technology Project
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v Frame-Mode MPLS Implementation on Cisco IOS Platforms Troubleshooting Frame-Mode MPLS on Cisco.
What is access control list (ACL)?
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Subnetting IP Networks Network Fundamentals.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v MPLS VPN Technology Introducing MPLS VPN Architecture.
Spring 2014 RMS/EOC Proctor Caching Training. Agenda 2 Proctor caching overview Downloading & installing Cache test content.
Configuring and Troubleshooting ACLs
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.
IP SLA with Object Tracking
Squares and Square Root WALK. Solve each problem REVIEW:
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 EN0129 PC AND NETWORK TECHNOLOGY I IP ADDRESSING AND SUBNETS Derived From CCNA Network Fundamentals.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 EN0129 PC AND NETWORK TECHNOLOGY I NETWORK LAYER AND IP Derived From CCNA Network Fundamentals.
Mitigating Layer 2 Attacks
DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)
Route Optimisation RD-CSY3021.
Addition 1’s to 20.
Chapter 9: Subnetting IP Networks
25 seconds left…...
Multihoming and Multi-path Routing CS 7260 Nick Feamster January
Measurement: Techniques, Strategies, and Pitfalls Nick Feamster CS 7260 February 7, 2007.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1 MPLS VPN Implementation Configuring BGP as the Routing Protocol Between PE and CE Routers.
Week 1.
We will resume in: 25 Minutes.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
How Cells Obtain Energy from Food
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—-5-1 WAN Connections Enabling RIP.
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG Dearborn,
Kevin Miller Carnegie Mellon University Three Practical Ways to Improve Your Network.
– Chapter 4 – Secure Routing
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.
Network Security1 Secure Routing Source: Ch. 4 of Malik. Network Security Principles and Practices (CCIE Professional Development). Pearson Education.
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. SANS ‘98 Conference -
Presentation on ip spoofing BY
Filtering Spoofed Packets
IP-Spoofing and Source Routing Connections
Intrusion Detection and Hackers Exploits IP Spoofing Attack
Presentation transcript:

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.2 ip spoofing creation of IP packets with source addresses other than those assigned to that host

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.3 Malicious uses with IP spoofing impersonation –session hijack or reset hiding –flooding attack reflection –ip reflected attack

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.4 impersonation sender ip spoofed packet victim partner dst: victim src: partner Oh, my partner sent me a packet. I’ll process this.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.5 hiding sender victim ip spoofed packet dst: victim src: random Oops, many packets are coming. But, who is the real source?

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.6 reflection sender ip spoofed packet reply packet victim reflector src: victim dst: reflector dst: victim src: reflector Oops, a lot of replies without any request…

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.7 ip reflected attacks smurf attacks –icmp echo (ping) –ip spoofing(reflection) –amplification(multiple replies) dns amplification attacks –dns query –ip spoofing(reflection) –amplification(bigger reply/multiple replies)

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.8 amplification Sender 1. multiple replies 2. bigger reply

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.9 attacker ip reflected attacks ip spoofed packets replies victim open amplifier

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.10 smurf attack ip spoofed ping ICMP echo replies victim Attacker

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.11 dns amplification attack ip spoofed DNS queries DNS replies victim DNS Attacker DNS

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.12 relations – dns amp attack DNS victim Command&Control DNS stub-resolvers full-resolvers root-servers tld-servers example-servers botnet IP spoofed DNS queries

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.13 attacker solutions for ip reflected attacks ip spoofed packets replies victim open amplifier prevent ip spoofing disable open amplifiers

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.14 two solutions disable ‘open amplifier’ –disable ‘directed-broadcast’ –disable ‘open recursive DNS server’ contents DNS server should accept queries from everyone, but service of resolver (cache) DNS server should be restricted to its customer. prevent ip spoofing!! –source address validation –BCP38 & BCP84

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.15 Source Address Validation Check the source ip address of ip packets –filter invalid source address –filter close to the packets orign as possible –filter precisely as possible If no networks allow ip spoofing, we can eliminate these kinds of attacks

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.16 close to the origin we can check and drop the packets which have unused address everywhere, but used space can be checked before aggregation / /24 You are spoofing! Hmm, this looks ok...but.. RT.aRT.b You are spoofing! srcip: srcip: srcip: srcip: × × × × You are spoofing! srcip: × You are spoofing!

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.17 how to configure the checking ACL –packet filter –permit valid-source, then drop any uRPF check –check incoming packets using ‘routing table’ –look-up the return path for the source ip address –loose mode can’t stop ip reflected attacks use strict mode or feasible mode

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.18 cisco ACL example customer network /24 ip access-list extended fromCUSTMER permit ip any permit ip any deny ip any any ! interface Gigabitethernet0/0 ip access-group fromCUSTOMER in ! point-to-point /30 ISP Edge Router

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.19 juniper ACL example customer network /24 firewall family inet { filter fromCUSTOMER { term CUSTOMER { from source-address { /16; /30; } then accept; } term Default { then discard; } [edit interface ge-0/0/0 unit 0 family inet] filter { input fromCUSTOMER; } point-to-point /30 ISP Edge Router

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.20 cisco uRPF example customer network /24 interface Gigabitethernet0/0 ip verify unicast source reachable-via rx point-to-point /30 ISP Edge Router

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.21 juniper uRPF example customer network /24 [edit interface ge-0/0/0 unit 0 family inet] rpf-check; point-to-point /30 ISP Edge Router

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.22 IIJ’s policy peer ISP upstream ISP customer ISP multi homed static customer single homed static customer IIJ/AS2497 uRPF strict mode uRPF loose mode

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.23 ACL and uRPF ACL –deterministic statically configured –maintenance of access-list  uRPF –easy to configure –care about asymmetric routing  strict mode is working well only for symmetric routing loose mode can’t stop the ip reflected attack there is no good implementation of feasible mode

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.24 END

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.